Is the VIP CARP or IP Alias? ... according to the VIP capabilities chart, they're the only VIP kinds that can do ICMP: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses?
Since we don't allow ping-response, I thought I'd test this theory. All 3 of the following worked (LAN routing to internal system was previously setup): - I first created a Port Forward rule to allow pfSense to respond to WAN pings: WAN ICMP * * WAN address * 127.0.0.1 * WAN pings to pfSense - Then I created a Port Forward rule to allow pfSense to respond to pings on one of the static VIP IPs: WAN ICMP * * x.12 * 127.0.0.1 * static VIP pings to pfSense - Then I created a Port Forward rule to allow an internal system (which has a system-level firewall that's configured to respond to pings) to respond to the ping: WAN ICMP * * x.13 * x.206 * static VIP pings to internal system If that's not it, then someone else needs to chime in as you've exhausted my knowledge in this area. On 2014-Mar-03, at 7:59 AM, Ryan Coleman <ryanjc...@me.com> wrote: > I’ve done this, but I won't route traffic out (NAT) until I have verifiable > traffic coming in. > > The x.2 IP simply will not ICMP ping from outside the network (and, yes, I > have it allowed). _______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list