Can't ping OPT2 gateway from OPT2 interface
-
I'm setting up a dual wan system, but I'm not sure this is relevant at this point.
I'm trying to add the 2nd interface (OPT2), and I'm able to ping the gateway (my ISP's device) and the pfsense box on the OPT2 IP from outside the network.
Data from ISP:
LAN: x.y.38.0/28
Default Gateway: x.y.38.1
Subnet Mask: 255.255.255.240
Customer First IP: x.y.38.2OPT2 Interface:
x.y.38.2/28OPT2_GW:
x.y.38.1OPT2 Firewall Rule (Should pass all traffic for testing):
Proto: TCP *
Source: *
Port: *
Dest: *
Port: *
Gateway: OPT2_GW
Queue: NoneI'm able to ping x.y.38.1 AND x.y.38.2 from outside the network, so that tells me traffic is getting through the gateway to the pfsense box.
I'm able to ping x.y.38.2 from any interface on the pfsense box (WAN or LAN)
I'm unable to ping x.y.38.1 from the LAN or OPT2 interface, but I can ping it from the WAN interface.If I try to ping a hostname from the OPT2 interface, it resolves it, but doesn't ping.
[2.2.2-RELEASE][root@xxx.xxx.xxx]/root: ping -S x.y.38.2 xmission.com PING xmission.com (198.60.22.4) from x.y.38.2: 56 data bytes ^C --- xmission.com ping statistics --- 7 packets transmitted, 0 packets received, 100.0% packet loss[2.2.2-RELEASE][root@xxx.xxx.xxx]/root: ping xmission.com PING xmission.com (198.60.22.4): 56 data bytes 64 bytes from 198.60.22.4: icmp_seq=0 ttl=54 time=44.526 ms 64 bytes from 198.60.22.4: icmp_seq=1 ttl=54 time=38.236 ms 64 bytes from 198.60.22.4: icmp_seq=2 ttl=54 time=31.032 ms ^C --- xmission.com ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet lossIt appears I have a routing problem, but I can't seem to find it. I have other pfSense boxes at other locations with the same setup that work fine. So the only thing I can think is maybe I set up my OPT2 interface incorrectly.
Any help would be appreciated.
-
OPT2 Firewall Rule (Should pass all traffic for testing):
Proto: TCP *No, "Proto: TCP" does NOT pass ping. Never did, never will. You need ICMP. For DNS, you need UDP as well.
-
Sorry about that. That was a typo on my part.
The firewall rule is IPV4 *
Once I get it working I will tighten down the firewall rules.
-
And
OPT2_GW:
x.y.38.1is a typo as well? Because it overlaps your first WAN (which you ingeniously call LAN - with x.y.38.0/28; that ends with x.y.38.14; x.y.38.0 being network and x.y.38.15 being broadcast).
-
No that is what my settings are. I was thinking that might be the issue, but I wasn't sure what netmask to give my interface.
My ISP gave me a block of 16 static IP's.
Typically I'll get a gateway IP outside of my IP block, but this time I didn't so I'm a little unsure what to do.
-
I honestly fail to see what you are trying to do there. Why are you setting dual WAN when you have one line from your ISP?
-
I have 1 line from this ISP (Integra), and one line through a 2nd ISP (Comcast).
My Comcast line is my primary WAN and is working as expected.
I'm adding this 2nd WAN for redundancy.
-
Well you cannot have LAN and WAN on the same subnet. You can
- either use 1:1 NAT
- or bridge OPT2 to your second WAN if you want public IPs directly on hosts that are on OPT2 (and let them use x.y.38.1 as gateway.) Note that in this kind of setup, hosts on OPT2 won't be able to reach your other local interfaces.
-
Sorry for the confusion.
The LAN in the earlier post was called LAN because that's what the ISP listed on their sheet. That's not the LAN interface on my pfSense box.
Here is my setup:
WAN1 (Comcast): a.b.182.152/29 (5 usable static IP's)
WAN2 (Integra): x.y.38.0/28 (13 usable static IP's)
LAN: 10.7.0.0/24Each of those interfaces carry their own distinct subnet.
I'm trying to get the Integra WAN set up, and you were saying that my gateway IP (x.y.38.1) was inside my interface subnet (x.y.38.0/28) and that would cause problems. So that is most likely the issue (though I have other locations with a setup like this).
The setup I got from my ISP is in the attached image. So I'm assuming I have set up the interface/gateway incorrectly for my Integra WAN.
-
But you still cannot have OPT2 on the same subnet like WAN2. OPT2 just cannot be x.y.38.2/28 when that's already your WAN2! Read my previous post. Describe the desired setup here, like how should the WANs be used (failover, load balancing) and what you intend to do with those IPs remaining from your /28. Also, that /28 could be used much more easily if you managed to get additional /30 to be used for your WAN2 only.
-
OPT2 is WAN2 is Integra. There is only one interface with x.y.38.2/28.
WAN1 (Comcast) is the primary WAN. This is working and is what is typically used for internet access.
WAN2 (Integra) is the backup WAN. This is what I am attempting to set up now. They will use this if WAN1 goes down.
LAN is the local network. I'm using 10.7.0.0/24.I will set up gateway groups with failover later, but right now I just want to get WAN2 so that I can access the internet. At this point I can't even ping the WAN2 GW (x.y.38.1) from the WAN2 interface, so obviously I've set something up wrong.
At this point, the only WAN2 IP I will be using is the Interface IP assigned to the pfSense box (currently x.y.38.2). So right now I only need the WAN2 GW and the WAN2 interface IP working.
Sorry for all the confusion and I appreciate any help.
Phil
-
Enough of this mess… Why on earth is your WAN configured with allow any rule?! And why the heck are you assigning some gateway there in the firewall rules?! It's WAN, not LAN!!!
-
I will figure it out.
Sorry for ruining your day.
-
Please, start with this: https://doc.pfsense.org/index.php/Multi-WAN
What you are doing there makes no sense. You need a gateway group set up for failover and use that GW group on your LAN(s). NOT WAN(s)!!! Remove the INT_GW from INTEGRA and nuke the allow any rule, your firewall is nonexistant at the moment!