LAN host can't ping pfSense or beyond



  • Hi all.
    Excuse the long message but I wanted to give detail. I am stumped. It might be I've made some embarrassing mistake here but here goes…

    I'm testing pfSense on my home network, trying to simulate multiple LANS accessing WAN through pfSense.

    Scroll down if you want to see the problem before the config. Basically can't ping from the laptop 1 hop away from pfsense.

    Config:

    All subnets are /24s.

    I'm using the below hardware. Borris is a laptop connected directly to the cisco router's fa0/1 interface.

    Phobos is my sniffing machine.

    borris = Linux Ubuntu laptop. 192.168.3.37
    phobos = Windows Seven laptop. 192.168.2.32
    pfsense = PC Engines Alix board, pfsense embedded. Hostname pfsense.test. 192.168.2.1
    cisco = Cisco 2621. 192.168.2.2
    adsl = Draytek Vigor. 192.168.0.1. My edge router here.

    Topology:
    For the purposes of sniffing, phobos is connected to a layer 1 hub with cisco and pfsense on the 192.168.2.0/24 network.
    adsl - (pfsense, phobos, cisco) - borris

    Full interface IP addresses.

    adsl LAN: 192.168.0.1
    pfsense wan: 192.168.0.2
    pfsense lan: 192.168.2.1
    cisco fa0/0: 192.168.2.2
    cisco fa0/1: 192.168.3.1
    phobos 192.168.2.32
    borris lan: 192.168.3.37

    pfsense setup:
    Automatic NAT.
    No firewall rules set other than one allowing management access from wan.

    WAN interface:
    Enabled.
    Bogons are not blocked.
    1918 addresses are not blocked.
    The wan interface has a gateway configured. This is the lan address of the adsl router. 192.168.0.1.

    LAN interface:
    Enabled.
    Bogons are not blocked.
    1918 addresses are not blocked.
    No gateway is set.

    Routing:
    A gateway to the wan is set. adsl 192.168.0.1. As above.
    A gateway on the LAN interface is set, the IP address of the cisco router, 192.168.2.2.
    There's a route for 192.168.3.0/24 pointing to the LAN gateway above.

    Tests:

    phobos can ping pfsense, cisco and the internet.
    After adding route from phobos to borris via cisco:
    route add 192.168.3.0 mask 255.255.255.0 192.168.2.2
    Pings between phobos and borris work.
    cisco can ping borris, pfsense and the internet.
    borris can ping both interfaces of cisco.
    borris can't ping pfsense or beyond.

    Captures:

    borris.
    ping 192.168.2.1

    Listening from phobos on the layer 1 hub.
    windump -i 3 -f "icmp"

    13:22:23.794568 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3010, length 64
    13:22:24.802621 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3011, length 64
    13:22:25.810595 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3012, length 64
    13:22:26.819189 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3013, length 64
    13:22:27.829165 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3014, length 64
    13:22:28.834699 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3015, length 64
    ...

    From the diagnostics page in pfsense. Capture on LAN:

    Packets Captured:
    13:22:33.560150 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3021, length 64
    13:22:34.568176 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3022, length 64
    13:22:35.576142 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3023, length 64
    13:22:36.584163 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3024, length 64
    13:22:37.592130 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3025, length 64
    13:22:38.600171 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3026, length 64
    ...

    *** Here's what's going wrong, I think, but why? ***
    A little while later, ping is still running on borris, capture on pfsense wan:

    Packets Captured:
    13:26:56.222915 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 10524, length 44
    13:26:56.223146 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 41015, seq 10524, length 44
    13:26:57.233103 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 10780, length 44
    13:26:57.233334 IP 192.168.0.1 > 192.168.0.2: ICMP echo reply, id 41015, seq 10780, length 44
    13:26:58.243268 IP 192.168.0.2 > 192.168.0.1: ICMP echo request, id 41015, seq 11036, length 44
    ...

    *** Why is pfsense forwarding the ping to the adsl router when its destination is its LAN interface? I assume the adsl router is replying with a network unreachable and it's not getting back to borris. ***

    Another ping test from pfsense default interface:
    PING 192.168.3.37 (192.168.3.37): 56 data bytes
    64 bytes from 192.168.3.37: icmp_seq=0 ttl=63 time=1.724 ms
    64 bytes from 192.168.3.37: icmp_seq=1 ttl=63 time=0.515 ms
    64 bytes from 192.168.3.37: icmp_seq=2 ttl=63 time=0.483 ms

    Another example. Capture of a rerun of the ping from pfsense's lan interface to borris. This capture was taken from phobos on the hub again:

    13:34:50.415783 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 0, length 64
    13:34:50.416671 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 0, length 64
    13:34:51.424552 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 1, length 64
    13:34:51.425441 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 1, length 64
    13:34:52.434747 IP pfsense.test > 192.168.3.37: ICMP echo request, id 58587, seq 2, length 64
    13:34:52.435618 IP 192.168.3.37 > pfsense.test: ICMP echo reply, id 58587, seq 2, length 64

    Grateful for any suggestions though might not get to try for a little while.


  • Netgate Administrator

    The pings you see on the WAN are just pfSense monitoring its default gateway once a second.

    The default LAN firewall rule is set to allow traffic only from the LAN subnet so it will dump traffic that's been routed from 192.168.3.X. Have you changed that?

    Steve
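    The check Steve describes, as an added example (my own code, not from the thread, from Netgate or from pfSense itself): a first-match rule evaluator that mimics pfSense's per-interface "quick" rules, run over packets constructed from the tcpdump lines quoted above. The shipped LAN rule only passes sources inside "LAN net" (192.168.2.0/24), so an echo request routed in from 192.168.3.37 falls through to the implicit default deny; adding a pass rule for 192.168.3.0/24 is what lets it through. The interface label `lan`, the `Rule`/`Packet` representation and the `pfsense.test` name mapping are assumptions for illustration.

```python
"""Model pfSense's default LAN rule against the ICMP captures in the thread.

Added example, not code from the thread, Netgate or pfSense. It assumes a
single LAN interface labelled "lan" and that pfSense rules are "quick", i.e.
evaluated top-down with the first match deciding the verdict.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "icmp", "tcp", "udp", ...


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    iface: str       # interface the rule is bound to
    src: str         # source network in CIDR notation
    dst: str         # destination network in CIDR notation
    proto: str = "any"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.iface != pkt.iface:
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


LAN_NET = "192.168.2.0/24"        # pfSense's "LAN net" in the thread
TRANSIT_NET = "192.168.3.0/24"    # the subnet behind the Cisco's fa0/1
ANY = "0.0.0.0/0"

# The rule pfSense ships with on LAN: pass from LAN net to anywhere.
DEFAULT_LAN_RULES = [Rule("pass", "lan", LAN_NET, ANY)]

# The fix the thread arrives at: also pass the routed subnet behind the Cisco.
FIXED_LAN_RULES = DEFAULT_LAN_RULES + [Rule("pass", "lan", TRANSIT_NET, ANY)]

# tcpdump/windump ICMP line as printed in the post, e.g.
# "13:22:33.560150 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3021, length 64"
LINE_RE = re.compile(
    r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+), length (\d+)")

# Name resolution seen in the phobos capture (assumed mapping).
NAMES = {"pfsense.test": "192.168.2.1"}


def parse_icmp_line(line: str, iface: str) -> Optional[Packet]:
    """Turn one captured ICMP line into a Packet, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst = (NAMES.get(h, h) for h in m.group(1, 2))
    return Packet(iface, src, dst, "icmp")


def verdicts(rules: List[Rule], lines: List[str], iface: str) -> List[Tuple[str, str, str]]:
    """(src, dst, verdict) for every parsable capture line arriving on iface."""
    out = []
    for line in lines:
        pkt = parse_icmp_line(line, iface)
        if pkt is not None:
            out.append((pkt.src, pkt.dst, evaluate(rules, pkt)))
    return out


# Constructed from the captures in the post: borris's ping seen on pfSense LAN,
# plus one echo request from phobos (192.168.2.32), which is inside LAN net.
CAPTURE = [
    "13:22:33.560150 IP 192.168.3.37 > 192.168.2.1: ICMP echo request, id 10764, seq 3021, length 64",
    "13:22:34.568176 IP 192.168.3.37 > pfsense.test: ICMP echo request, id 10764, seq 3022, length 64",
    "13:22:35.000000 IP 192.168.2.32 > 192.168.2.1: ICMP echo request, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for label, rules in (("default LAN rules", DEFAULT_LAN_RULES), ("fixed LAN rules", FIXED_LAN_RULES)):
        print(label)
        for src, dst, verdict in verdicts(rules, CAPTURE, "lan"):
            print(f"  {src} > {dst}: {verdict}")
```

    Run it and the two borris lines come back `block` under the shipped rule and `pass` once the 192.168.3.0/24 rule is added, while the phobos line passes either way, which matches the symptoms in the first post.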



  • Ah, what a div.  :-[ Shoulda checked that.

    Thanks for the hint, that's exactly what it was.

    I'm more used to iptables I suppose, with its default policy of accept. I've added a rule now letting my test subnets through and all is working. Can get on to the internet from the host on the 192.168.3.0/24 subnet.
    :)

