Subnet config question



  • Hello.  New to pfSense and I'm trying to set up a lab on an existing network to evaluate.  I can ping all the way to WAN gateway including other boxes just outside of the pfSense firewall, but no further like the commonly used IP 8.8.8.8.

    Here's the setup:
    1.)  Internet
    2.)  Firewall 1 (192.168.0.1/24) (pfSense gateway)
    3.)  VMware VM pfSense (3 Interfaces)
          WAN - (192.168.0.222/24)
          LAN - (Not used in this example)
          LANSandbox - (192.168.12.1/24)

    I've tried everything on this link:
    https://doc.pfsense.org/index.php/Connectivity_Troubleshooting

    I can't get further than trying to ping 8.8.8.8.

    Any help will be appreciated.

    Thanks,
    Joschi



  • How are you pinging, from some LANSandbox client or from pfSense's Diagnostics - Ping?  If you can ping past the pfSense box then the problem is likely upstream with your other firewall.



  • @KOM:

    > How are you pinging, from some LANSandbox client or from pfSense's Diagnostics - Ping?  If you can ping past the pfSense box then the problem is likely upstream with your other firewall.

    From Diagnostics.  I've also tried from the client.

    I monitored the ping requests from Firewall 1 and they were allowed.



  • OK, so are the responses being received by your pfSense WAN interface?



  • I have a question on that.  I don't see the diagnostic pings in the firewall logs.  I do, however, see the ping requests from client.  Is that by design?

    The ping requests from the client are allowed or passed.  If I filter for WAN interface and ICMP protocol, I do not see any log entries.  Is there a better way to see if WAN is receiving the ICMP responses?

    Thanks,
    Joschi


  • Rebel Alliance Global Moderator

    If you ping from pfSense diag, and you're saying it's allowed on the firewall in front of pfSense, a simple sniff tells you if pings actually left pfSense, and if you see a response.  If you see them leave, and you don't get a response, then your problem is in front of pfSense.



  • > I have a question on that.  I don't see the diagnostic pings in the firewall logs.

    You will only see a block msg if the rule that does the blocking is set to log.  Also, if the ping is successful then there is no blocking and therefore no logging.

    > I do, however, see the ping requests from client.

    Unless you have added a firewall rule to allow traffic on your LANSandbox interface (OPT1?) out, all traffic from that network should be blocked and logged.

    Just do a Diagnostics - Packet Capture on the WAN and see if your ping replies are even hitting pfSense.
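
An added example, not part of any post in this thread: one way to read a WAN capture for the check suggested above, pairing each ICMP echo request with its reply. It assumes the capture is available as tcpdump-style text; the sample lines, the ICMP ids and the function names `unanswered_pings` and `diagnose` are constructed for illustration.

```python
import re

# tcpdump-style text line for an ICMP echo request or reply (assumed format)
ICMP_LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^:\s]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample of a WAN capture: pings to the upstream gateway are
# answered, pings to 8.8.8.8 leave the WAN address but nothing comes back.
SAMPLE_CAPTURE = """\
10:15:01.100000 IP 192.168.0.222 > 192.168.0.1: ICMP echo request, id 4321, seq 0, length 64
10:15:01.100400 IP 192.168.0.1 > 192.168.0.222: ICMP echo reply, id 4321, seq 0, length 64
10:15:05.200000 IP 192.168.0.222 > 8.8.8.8: ICMP echo request, id 4322, seq 0, length 64
10:15:06.200000 IP 192.168.0.222 > 8.8.8.8: ICMP echo request, id 4322, seq 1, length 64
10:15:07.000000 ARP, Request who-has 192.168.0.1 tell 192.168.0.222, length 28
"""

def unanswered_pings(capture_text):
    """Return (src, dst, id, seq) for each echo request with no matching reply."""
    pending = {}
    for line in capture_text.splitlines():
        m = ICMP_LINE.search(line)
        if not m:
            continue  # not an ICMP echo line (ARP, TCP, ...)
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = True
        else:
            # a reply matches the request with source and destination swapped
            pending.pop((m["dst"], m["src"], ident, seq), None)
    return list(pending)

def diagnose(capture_text, target):
    """Apply the thread's rule of thumb to pings aimed at one target address."""
    sent = [m for m in ICMP_LINE.finditer(capture_text)
            if m["kind"] == "request" and m["dst"] == target]
    if not sent:
        return "no echo requests left this interface"
    lost = [p for p in unanswered_pings(capture_text) if p[1] == target]
    if len(lost) == len(sent):
        return "requests left, no replies seen: look upstream"
    return "replies are reaching this interface"
```

A result of "look upstream" for 8.8.8.8 alongside answered pings to 192.168.0.1 points at the device in front of pfSense, for example its rules or its routes back to the lab networks.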



  • It turns out I was missing a static route on Firewall 1.  I checked this yesterday, but must have made a mistake somewhere.  Anyways, problem solved.

    Thank you for your responses,
    Joschi

