A Ping-ing issue that shouldn't be an issue. Help!
-
I legit will go insane over something so trivial. I'm not new to networking, but pfsense is new to me and I really need help before I go insane.
I have my base pfsense set up with WAN <--> LAN interface done, working fine out to the net, all normal.
WAN is outside, physical port 1, LAN is inside, physical port 2, 192.168.1.0/24 network. The usual.
I have 6 interfaces total, 4 more available to use. I go to use my third interface for another subnet, just for testing. OPT1, assign it to a physical port, enable it. Good to go.
I assign a static ip of 192.168.5.1 /24
I plug in a laptop, assign it static 192.168.5.2 /24, default gateway 192.168.5.1, done. All is well, the Dashboard shows the interface is up with that setup, Windows is good with the IP. I go to ping it just to make sure the interface is up, as I usually do on my Cisco gear out of habit, and this is where it all goes wrong. The pings time out. Same subnet, directly connected, check over the IPs, make sure the firewall is off, no issues.
I ping from the diagnostic page in pfsense to laptop 192.168.5.2, works no problem. WTF.
I reset state tables, restart pfsense, restart the computer, clear the ARP cache, and try another machine. Again, ping from laptop to pfsense interface: time out. Ping the other way: just fine.
Is it physical? I try a different cable. Is it an interface type issue, do I need a crossover cable? Pull one out, nothing. Pull out a switch and put it in between, still nothing.
Is it the firewall rules not set for that interface? Should that even matter for a direct connection? I match the LAN firewall rules to OPT1 and nothing.
Is it the physical port? I create OPT2 on another physical port, try again, nothing.
Please pfsense gods, tell me what on earth could be the issue that is preventing me from pinging two interfaces in the same subnet that are directly connected. I am at wit's end here :'(
-
So when LAN is created on install it puts in a default any/any rule; this allows all connectivity outbound from the LAN to anything, even the interface on pfsense for ICMP, for example. But when you create a new OPT interface there are no rules created. You have to create the rules you want - they could be as simple as the default any/any on the LAN,
or as complex as you want. If you want devices on your new segment to be able to ping the pfsense IP on that interface, then you have to create a rule for it.
edit:
"I match the LAN firewall rules to OPT1 and nothing." Let's see these rules.. You know the source would have to be your new segment name; if you just picked TCP that would not allow ping, etc. Can you post up the rules of your OPT network?
Also you're saying the laptop gets DHCP? So I have to assume it has an ARP entry for the pfsense interface.. So since you get DHCP it doesn't seem like a physical layer 1 sort of issue, and would just be firewall settings. Post up your OPT and OPT2 rules and I can take a look-see.
-
I went to Firewall --> Rules,
selected the OPT1 interface; as you say, no rules out of the box. Yup, none there.
I go to create a new rule, enabled,
IPv4 * * * * * * none Rule1, the "any" rule
Nothing still.
-
It's all static, I cleared ARP out of desperation. I chose the "any" protocol and didn't leave it at TCP, I copied all the LAN rules to OPT1 and tried various combinations, applying, then waiting while doing a ping 192.168.5.1 -t.
-
Ohh sweet cheesus in heaven.
I found the issue, it really blows.
ID Proto Source Port Destination Port Gateway Queue Schedule Description
IPv4 * * * LAN2 address * * none
Destination was set to "LAN address" and not to "LAN2 address", there goes 2 hours of my life.
Please tell me this is documented somewhere, and if so, where? I've been stumbling over this for way too long and I will be really, really upset if there was one small line dedicated to this in the documentation somewhere.
Why doesn't the wildcard work for destination, why must it be so specific?
-
Wildcard works just fine. Wildcard is useless when you set protocol to TCP and are testing with ping (ICMP). Finally, after testing multiple screwed rules you either go to Diagnostic - States - Reset states or you can keep scratching your head for a couple more hours.
-
Ohh you are right, I flipped it around.
IPv4 * LAN2 net * * * * none
I specifically went back and set the protocol from any to just TCP and it stopped. I did have it set any one of the many times before, but it looks like I may have not applied it or waited long enough in my frustration to get something so simple working.
Thank you sir.
-
Yeah, a wildcard of dest any would include the pfsense interface.. So my guess is there was something else in the rule, be it TCP, or dest or source of LAN net vs OPT net or OPT address, etc.
Change it back to any for dest and you will see.. A rule of opt address is kind of useless if you want anything on that vlan to go anywhere other than that segment.
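To make the three mistakes discussed in this thread concrete (destination set to "LAN address" instead of the OPT1/LAN2 address, protocol set to TCP while testing with ICMP, and the working "LAN2 net" to any rule), here is a small added simulator of pfSense-style interface rules. It is not pfSense code and the interface table and rule rows are constructed from the addresses in the thread; pf itself is not involved, this only reproduces first-match evaluation with the implicit default deny.

```python
import ipaddress

# Constructed interface table modelled on the thread: LAN is 192.168.1.0/24,
# OPT1 (which the poster renamed LAN2) is 192.168.5.1/24.
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.1.1/24"),
    "LAN2": ipaddress.ip_interface("192.168.5.1/24"),
}

def resolve(alias):
    """Expand a pfSense-style alias ('*', 'LAN2 net', 'LAN2 address') to a network."""
    if alias == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    name, kind = alias.split()
    iface = INTERFACES[name]
    if kind == "address":
        return ipaddress.ip_network(str(iface.ip))  # the interface IP only
    if kind == "net":
        return iface.network                        # the whole connected subnet
    raise ValueError(f"unknown alias {alias!r}")

def matches(rule, proto, src, dst):
    """True when a (proto, src, dst) packet matches one rule row."""
    return (rule["proto"] in ("*", proto)
            and ipaddress.ip_address(src) in resolve(rule["src"])
            and ipaddress.ip_address(dst) in resolve(rule["dst"]))

def evaluate(rules, proto, src, dst):
    """GUI rules on a pfSense interface are first-match; no match is the default deny."""
    for rule in rules:
        if matches(rule, proto, src, dst):
            return rule["action"]
    return "block"

# The rule rows from the thread, transcribed into dicts (constructed):
BROKEN = [{"action": "pass", "proto": "*", "src": "*", "dst": "LAN address"}]
TCP_ONLY = [{"action": "pass", "proto": "tcp", "src": "LAN2 net", "dst": "*"}]
FIXED = [{"action": "pass", "proto": "*", "src": "LAN2 net", "dst": "*"}]

def ping_from_laptop(rules):
    """Laptop 192.168.5.2 pinging the OPT1 address 192.168.5.1, as in the thread."""
    return evaluate(rules, "icmp", "192.168.5.2", "192.168.5.1")

if __name__ == "__main__":
    for label, rules in (("dst=LAN address", BROKEN), ("proto=tcp", TCP_ONLY), ("fixed", FIXED)):
        print(f"{label:16} -> {ping_from_laptop(rules)}")
```

Swap the destination alias or protocol in the rule dicts to see which single field turns the ping from pass to block; the answer's note about resetting states still applies on a real box, since an existing state is not re-evaluated against edited rules.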