Can't ping OPT2 gateway from OPT2 interface



  • I'm setting up a dual wan system, but I'm not sure this is relevant at this point.

    I'm trying to add the 2nd interface (OPT2), and I'm able to ping the gateway (my ISP's device) and the pfsense box on the OPT2 IP from outside the network.

    Data from ISP:
    LAN: x.y.38.0/28
    Default Gateway: x.y.38.1
    Subnet Mask: 255.255.255.240
    Customer First IP: x.y.38.2

    OPT2 Interface:
    x.y.38.2/28

    OPT2_GW:
    x.y.38.1

    OPT2 Firewall Rule (Should pass all traffic for testing):
    Proto: TCP *
    Source: *
    Port: *
    Dest: *
    Port: *
    Gateway: OPT2_GW
    Queue: None

    I'm able to ping x.y.38.1 AND x.y.38.2 from outside the network, so that tells me traffic is getting through the gateway to the pfsense box.
    I'm able to ping x.y.38.2 from any interface on the pfsense box (WAN or LAN)
    I'm unable to ping x.y.38.1 from the LAN or OPT2 interface, but I can ping it from the WAN interface.

    If I try to ping a hostname from the OPT2 interface, it resolves it, but doesn't ping.

    [2.2.2-RELEASE][root@xxx.xxx.xxx]/root: ping -S x.y.38.2 xmission.com
    PING xmission.com (198.60.22.4) from x.y.38.2: 56 data bytes
    ^C
    --- xmission.com ping statistics ---
    7 packets transmitted, 0 packets received, 100.0% packet loss

    [2.2.2-RELEASE][root@xxx.xxx.xxx]/root: ping xmission.com
    PING xmission.com (198.60.22.4): 56 data bytes
    64 bytes from 198.60.22.4: icmp_seq=0 ttl=54 time=44.526 ms
    64 bytes from 198.60.22.4: icmp_seq=1 ttl=54 time=38.236 ms
    64 bytes from 198.60.22.4: icmp_seq=2 ttl=54 time=31.032 ms
    ^C
    --- xmission.com ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss

    It appears I have a routing problem, but I can't seem to find it.  I have other pfSense boxes at other locations with the same setup that work fine.  So the only thing I can think is maybe I set up my OPT2 interface incorrectly.

    Any help would be appreciated.


  • Banned

    @Tubal:

    OPT2 Firewall Rule (Should pass all traffic for testing):
    Proto: TCP *

    No, "Proto: TCP" does NOT pass ping. Never did, never will. You need ICMP. For DNS, you need UDP as well.



  • Sorry about that.  That was a typo on my part.

    The firewall rule is IPV4 *

    Once I get it working I will tighten down the firewall rules.



  • Banned

    And

    OPT2_GW:
    x.y.38.1

    is a typo as well? Because it overlaps your first WAN (which you ingeniously call LAN) with x.y.38.0/28, which ends with x.y.38.14 (x.y.38.0 being network and x.y.38.15 being broadcast).



  • No that is what my settings are.  I was thinking that might be the issue, but I wasn't sure what netmask to give my interface.

    My ISP gave me a block of 16 static IPs.

    Typically I'll get a gateway IP outside of my IP block, but this time I didn't so I'm a little unsure what to do.



  • Banned

    I honestly fail to see what you are trying to do there. Why are you setting dual WAN when you have one line from your ISP?



  • I have 1 line from this ISP (Integra), and one line through a 2nd ISP (Comcast).

    My Comcast line is my primary WAN and is working as expected.

    I'm adding this 2nd WAN for redundancy.


  • Banned

    Well you cannot have LAN and WAN on the same subnet. You can

    • either use 1:1 NAT
    • or bridge OPT2 to your second WAN if you want public IPs directly on hosts that are on OPT2 (and let them use x.y.38.1 as gateway.) Note that in this kind of setup, hosts on OPT2 won't be able to reach your other local interfaces.


  • Sorry for the confusion.

    The LAN in the earlier post was called LAN because that's what the ISP listed on their sheet.  That's not the LAN interface on my pfSense box.

    Here is my setup:

    WAN1 (Comcast): a.b.182.152/29 (5 usable static IPs)
    WAN2 (Integra): x.y.38.0/28 (13 usable static IPs)
    LAN: 10.7.0.0/24

    Each of those interfaces carry their own distinct subnet.

    I'm trying to get the Integra WAN set up, and you were saying that my gateway IP (x.y.38.1) was inside my interface subnet (x.y.38.0/28) and that would cause problems.  So that is most likely the issue (though I have other locations with a setup like this).

    The setup I got from my ISP is in the attached image.  So I'm assuming I have set up the interface/gateway incorrectly for my Integra WAN.

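As an added example (not from this thread or from pfSense), a small Python check of the address plan posted above: it flags any two interfaces that share a subnet (the concern raised in the replies), confirms that an ISP gateway sitting inside the customer block is directly reachable from the interface, and counts the usable customer IPs (13 for the /28, 5 for the /29, as the post states). The addresses are RFC 5737 stand-ins for the redacted x.y / a.b values, and the WAN1 gateway is an assumed value.

```python
# Added example (not from the thread): sanity checks for a pfSense multi-WAN
# address plan. Addresses are constructed stand-ins for the thread's redacted
# x.y.* and a.b.* values (RFC 5737 documentation ranges).
from ipaddress import ip_interface, ip_address
from itertools import combinations

# name -> (interface address with prefix, upstream gateway or None). Constructed.
PLAN = {
    "WAN1": ("198.51.100.154/29", "198.51.100.153"),  # stands in for a.b.182.152/29; GW assumed
    "WAN2": ("203.0.113.2/28", "203.0.113.1"),        # stands in for x.y.38.2/28, GW x.y.38.1
    "LAN":  ("10.7.0.1/24", None),                    # the post's 10.7.0.0/24
}

def overlapping_interfaces(plan):
    """Return pairs of interface names whose subnets overlap.
    Two interfaces on one subnet cannot be routed between."""
    nets = {name: ip_interface(addr).network for name, (addr, _gw) in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def gateway_is_on_link(addr, gw):
    """True if the gateway lies inside the interface's own subnet, i.e. it is
    directly reachable. A gateway inside the customer block, as on the ISP
    sheet in the thread, is normal and passes this check."""
    return ip_address(gw) in ip_interface(addr).network

def usable_customer_ips(addr, gw):
    """Host addresses left for the customer once network, broadcast and the
    ISP gateway are excluded: 13 for a /28, 5 for a /29 with the gateway inside."""
    hosts = set(ip_interface(addr).network.hosts())
    hosts.discard(ip_address(gw))
    return len(hosts)

def check_plan(plan):
    """Collect human-readable findings for the whole plan (empty list = clean)."""
    findings = []
    for a, b in overlapping_interfaces(plan):
        findings.append(f"{a} and {b} share a subnet; split them or use 1:1 NAT/bridging")
    for name, (addr, gw) in plan.items():
        if gw is not None and not gateway_is_on_link(addr, gw):
            findings.append(f"{name}: gateway {gw} is not inside {addr}; check the prefix length")
    return findings

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```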


  • Banned

    But you still cannot have OPT2 on the same subnet as WAN2. OPT2 just cannot be x.y.38.2/28 when that's already your WAN2! Read my previous post. Describe the desired setup here, like how the WANs should be used (failover, load balancing) and what you intend to do with those IPs remaining from your /28. Also, that /28 could be used much more easily if you managed to get an additional /30 to be used for your WAN2 only.



  • OPT2 is WAN2 is Integra.  There is only one interface with x.y.38.2/28.

    WAN1 (Comcast) is the primary WAN.  This is working and is what is typically used for internet access.
    WAN2 (Integra) is the backup WAN.  This is what I am attempting to set up now.  They will use this if WAN1 goes down.
    LAN is the local network.  I'm using 10.7.0.0/24.

    I will set up gateway groups with failover later, but right now I just want to get WAN2 so that I can access the internet.  At this point I can't even ping the WAN2 GW (x.y.38.1) from the WAN2 interface, so obviously I've set something up wrong.

    At this point, the only WAN2 IP I will be using is the Interface IP assigned to the pfSense box (currently x.y.38.2).  So right now I only need the WAN2 GW and the WAN2 interface IP working.

    Sorry for all the confusion and I appreciate any help.

    Phil


  • Banned

    Enough of this mess… Why on earth is your WAN configured with allow any rule?! And why the heck are you assigning some gateway there in the firewall rules?! It's WAN, not LAN!!!



  • I will figure it out.

    Sorry for ruining your day.


  • Banned

    Please, start with this: https://doc.pfsense.org/index.php/Multi-WAN

    What you are doing there makes no sense. You need a gateway group set up for failover and use that GW group on your LAN(s). NOT WAN(s)!!! Remove the INT_GW from INTEGRA and nuke the allow any rule, your firewall is nonexistent at the moment!

