Cannot ping opt1 interface or router connected to opt1 (wan2) interface from lan
-
Hi. My pfsense 1.3 is configured this way:
lan wan op1(wan2) opt2(dmz)
lan=192.168.100.20/24
wan=public ip from my isp pool, default gw adsl router with public ip from my isp pool
opt1=10.0.0.10/29, default gw adsl router 10.0.0.9/29 and nat configured on router with a dynamic assigned public ip from my second isp
opt2=192.168.200.20/24 DMZloadbalancing and failover both work and tested.
aon is configured to let lan subnet go via both wans
two servers on lan have 1:1 nat
rules are configured on all pfsense interface and i am capable of coming from internet on servers on lan via both wans
I can ping both routers and lan subnet from pfsense. I can ping and reach both wan interface and router attached on the wan interface of pfsense from my lan, but i cannot ping or reach from lan both opt1 interface and router attached to opt1 interface!
From lan:
ping 192.168.100.20 (pfsense lan) work.
ping wan int on pfsense and adsl router attached to wan int work.
ping dmz int on pfsense work.
ping op1 int and router attached to opt1 do not workI've used tcpdump on pfsense during pings, and i can see echo request coming on lan int but no reply!
Any suggestions?
Thanks a lot.
-
Policybased firewallrules are always evaluated before the traffic hits the internal routingtable. Therefore it can happen that you send the traffic to the wrong gateway with policybased rules. To prevent this from happening create a network alias with all locally attached networks (subnets at wan, opt1, opt2,…, as well as vpn subnets, in case you use those as well). Then create a firewallrule on top of your balancing rules like:
pass, protocol any, source any, destination <that network="" alias="">, gateway default. This way you will make sure that policybased rules won't interfere with these subnets.</that> -
…..just wans, vpns and dmz i suppose, not lan subnet?
I'll try to create an alias with those subnet and add a lan rule on the top, using default gw and not loadbalancer and see....
-
you can add the lan as well, it won't hurt. this way you can use the same rule for other internal subnets as well (dmz probably is different as you don't want to allow access to lan from there or at least only restricted access). You can tighten the rules much more of course if needed. The rule that I wrote in my previous post is just an example. Oh, btw, add 127.0.0.1/32 to that networkalias too. Will make the ftp-helper work and maybe other installed packages that redirect traffic to the loopbackadress :)
-
I've created the rule, but still cannot ping opt1 interface nor adsl router behind it!! :-\
When i ping from lan to op1 pfsense int, i get this on pfsense:
tcpdump -i rl0 -vv -t icmp
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
IP (tos 0x0, ttl 128, id 12744, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13572, length 40
IP (tos 0x0, ttl 128, id 13031, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 13828, length 40
IP (tos 0x0, ttl 128, id 13051, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14084, length 40
IP (tos 0x0, ttl 128, id 13064, offset 0, flags [none], proto: ICMP (1), length: 60) 192.168.100.10 > 10.0.0.10: ICMP echo request, id 768, seq 14340, length 40if i do a tracert -d from the lan to the opt1 int of pfsense i get a strange response (look at the attached pic)!
This is my ifconfig:
ifconfig
xl0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 85.35.156.x netmask 0xfffffff8 broadcast 85.35.156.x
inet6 fe80::260:8ff:fe95:627d%xl0 prefixlen 64 scopeid 0x1
ether 00:60:08:95:62:7d
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl1: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 10.0.0.10 netmask 0xfffffff8 broadcast 10.0.0.15
inet6 fe80::260:8ff:fe95:6289%xl1 prefixlen 64 scopeid 0x2
ether 00:60:08:95:62:89
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>mtu 1500
options=8 <vlan_mtu>inet 192.168.100.20 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::2e0:4cff:fe49:230%rl0 prefixlen 64 scopeid 0x3
ether 00:e0:4c:49:02:30
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
inet 192.168.200.20 netmask 0xffffff00 broadcast 192.168.200.255
inet6 fe80::216:ecff:febd:ee94%vr0 prefixlen 64 scopeid 0x4
ether 00:16:ec:bd:ee:94
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
pflog0: flags=100 <promisc>mtu 33208
enc0: flags=0<> mtu 1536
lo0: flags=8049 <up,loopback,running,multicast>mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
pfsync0: flags=41 <up,running>mtu 2020
pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128i've attached my lan rules and alias created and if config.
see if i'm missing something. Thanks a lot for paying attention….
</up,running></up,loopback,running,multicast></promisc></full-duplex></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,promisc,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast></full-duplex></vlan_mtu></up,broadcast,running,simplex,multicast>
-
Probably a state-issue. Go to diagnostics>states, reset states. Then retest. Rules look valid to me.
-
I've done a state reset but cannot ping. I'll attach other pics, in case something is wrong with the config.
-
This happens when i tracert from lan: opt1(wan2) - wan - opt2(DMZ)
It seems that when i ping the opt1(wan2) pfsense int from lan, it tries to reach it going out to internet instead to just replying from the firewall itself!
Strange!
-
This is my loadbalancer config:
-
::)…. any suggestions?? Or do i better reset to defaults: rules, nat and loadbalancer and see if i resolve and start over the config step by step?
Thanks.
-
Disable the manual advanced outbound nat and set it to automatic again. Retest. Does it work now?
-
tried… :-\ but no ping.... is aon worse than using automatic?
If tracerouting opt1 pfsense int from lan, give me back wan gateway as this:
C:>tracert -d 10.0.0.9
Rilevazione instradamento verso 10.0.0.9 su un massimo di 30 punti di passaggio
1 <1 ms <1 ms <1 ms 85.35.156.x -----> this is default gateway on pfsense wan int
2 85.35.141.x rapporti: Rete di destinazione non raggiungibile. (Network unreachable)
|
|--> This is next op routerRilevazione completata.
does it mean that it is trying to find a reply from opt1 going out to internet, instead of just replying from its internal int?
.... ???
-
It means that for some reason it skips your first new created firewallrule. Don't know why though. Maybe reboot.
-
already rebooted….what other factor can lead to such a problem? only loadbalancing or i've to check also other configurations such trafficshaping (but i don't think so) anyway just to be sure!
do you think that if i remove loadbalancing and failover conf i'll solve the issue? Thanks.
-
Only firewallrules and outbound nat can cause problems here. You don't have any static routes configured, right?
-
no static routes. do you need more info on my conf? i can provide you with all the settings? I have the same problem on another pfsense 1.2 box also with dual wan. Everything works fine, but i cannot ping opt1 int from lan nor router attached to that interface. What can be the problem :-\
-
Try to rebuild the config step by step and see where it breaks. I guess that'S the easiest way to find the issue atm.
-
ok thanks a lot, I'll post the result if i succeed!
-
Yes, I'm interested to see where the problem is as well :)
-
You could try with my setup.
