Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan

hoba · Mar 29, 2008, 8:32 PM

Disable the manual advanced outbound nat and set it to automatic again. Retest. Does it work now?

glanc · Mar 29, 2008, 8:56 PM

tried… :-\ but no ping.... is aon worse than using automatic?

If tracerouting opt1 pfsense int from lan, give me back wan gateway as this:

C:>tracert -d 10.0.0.9

Rilevazione instradamento verso 10.0.0.9 su un massimo di 30 punti di passaggio

1 <1 ms <1 ms <1 ms 85.35.156.x -----> this is default gateway on pfsense wan int
2 85.35.141.x rapporti: Rete di destinazione non raggiungibile. (Network unreachable)
|
|--> This is next op router

Rilevazione completata.

does it mean that it is trying to find a reply from opt1 going out to internet, instead of just replying from its internal int?

.... ???

hoba · Mar 29, 2008, 8:58 PM

It means that for some reason it skips your first new created firewallrule. Don't know why though. Maybe reboot.

glanc · Mar 29, 2008, 9:04 PM

already rebooted….what other factor can lead to such a problem? only loadbalancing or i've to check also other configurations such trafficshaping (but i don't think so) anyway just to be sure!

do you think that if i remove loadbalancing and failover conf i'll solve the issue? Thanks.

hoba · Mar 29, 2008, 9:14 PM

Only firewallrules and outbound nat can cause problems here. You don't have any static routes configured, right?

glanc · Mar 29, 2008, 9:28 PM

no static routes. do you need more info on my conf? i can provide you with all the settings? I have the same problem on another pfsense 1.2 box also with dual wan. Everything works fine, but i cannot ping opt1 int from lan nor router attached to that interface. What can be the problem :-\

hoba · Mar 29, 2008, 9:59 PM

Try to rebuild the config step by step and see where it breaks. I guess that'S the easiest way to find the issue atm.

glanc · Mar 29, 2008, 10:03 PM

ok thanks a lot, I'll post the result if i succeed!

hoba · Mar 29, 2008, 10:05 PM

Yes, I'm interested to see where the problem is as well :)

Perry · Mar 29, 2008, 10:18 PM

You could try with my setup.

glanc · Mar 29, 2008, 10:30 PM

you mean the localnet entry?

Perry · Mar 29, 2008, 10:39 PM

No. What ip address i you trying from?

glanc · Mar 29, 2008, 11:03 PM

i'm trying to ping from internal server 192.168.100.10/24 to pfsense op1 (wan2) interface 10.0.0.10 or router behind it 10.0.0.9 but do not ping. Those rules you mention, was there to let both internal server not being restricted by the last rule "blockall". Do you mean that those rules are blocking pings?

Perry · Mar 29, 2008, 11:37 PM

Yes if you first 192.168.100.10 rules has the gateway * or 10.0.0.9 it should work imo.

glanc · Mar 29, 2008, 11:41 PM

!!SOLVED!! Perry found the problem! ;) The rules under LAN that i put to let 192.168.100.10 go out without being filtered by the last rule, had the gateway not to default one but specified to use opt1 default gateway, so when pinging from lan from that ip, it didn't look at the defaut routing tables causing the problem! Thanks a lot Perry. I suppose that the other rule to let the same internal host go out via opt1 using opt1 default gw is ok. Because i so not want to filter that host when going out from opt1.

Perry · Mar 29, 2008, 11:51 PM

;)

Rules:
Rules are processed from top to down.
If a rule catches the rest of the rules is no longer considered.
Per default a "block all" rule is always in place (invisible below your own rules).

Traffic is filtered on the Interface on which traffic comes in.
So traffic comming in on the LAN-Interface will only be processed from the rules you define on the LAN tab.

If you have a private subnet on your WAN: uncheck the "Block private networks" checkbox on your WAN-config page.

http://forum.pfsense.org/index.php/topic,7001.0.html

glanc · Mar 30, 2008, 12:01 AM

Ok, But putting a rule on top with default gw * using an alias with all local net, as hoba suggested, didn't work. Why? Now i'm trying to connect from internet to lan servers using opt2(wan2) interface and i've some problem. I've an openssh server on a host, and i can connect from internet using wan, but it fails using opt1. i can see in the log that the connections arrive at pfsense, that is portforwarded correctly and that the rule on opt1 with logging turned on, is activated but the connectio faild. Probably the connection fails to come back!

glanc · Mar 30, 2008, 12:18 AM

This are the relevant part of my config:

I'm tryng to connecto via ssh to the firewall itself (not an internal host as stated in the previous post) using opt1 from internet. Via wan it already works. Maybe it is not possible since pfsense use the default gateway of wan as its gateway? ::)

eri-- · Mar 31, 2008, 9:09 AM

Actually you need reply-to kind of rules for that!
Not, sure if they are generated on pfSense.

Can you please go to Disagnostics->Edit file; load /tmp/rules.debug; ebven post here or check if there is any reply-to keyword in that ruleset?

Ermal

glanc · Mar 31, 2008, 10:42 AM

The problem was that I specified the default gateway of opt1 interface in the rules, and not just the default option in the gateway tab. I mean that the gateway option was set like: 10.0.0.9 (default gateway used in the interface config) and not "default". I supposed that in configuring rules on opt1 interface one should specify the same gateway used in the opt1 interface config and not just default! But i was wrong! Why?

But now I've got another customer with the same problem and I've corrected the rules config and they are ok (same gateway problem), but here i cannot ping the opt1 int anyway! What could it be?