[pfSense Support] ICMP not Replying on Virtual IPs
I have set up a rule to allow all ICMP types from any source any port to any destination on any port via any gateway.

If I ping my WAN IP it responds correctly.

My WAN link also has 6 Virtual IPs of type other configured. I can access the resources via NAT that are on these virtual IPs but when I ping one of them I never get a response. What else do I need to do to get the virtual IPs to respond to ICMP requests?

Thanks

Ron.
RE: [pfSense Support] ICMP not Replying on Virtual IPs
What kind of NAT are you using?

If it is port forward, you'll have to forward the packets as well as adding the rule to your WAN ruleset.

If it is 1:1, it should work for you as long as they respond correctly within your network.

-tim

From: Ron Lemon [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 31, 2008 12:06 PM
To: support@pfsense.com
Subject: [pfSense Support] ICMP not Replying on Virtual IPs

I have set up a rule to allow all ICMP types from any source any port to any destination on any port via any gateway.

If I ping my WAN IP it responds correctly.

My WAN link also has 6 Virtual IPs of type other configured. I can access the resources via NAT that are on these virtual IPs but when I ping one of them I never get a response. What else do I need to do to get the virtual IPs to respond to ICMP requests?

Thanks

Ron.
Re: [pfSense Support] ICMP not Replying on Virtual IPs
ProxyARP virtual IPs don't respond to ping. CARP virtual IPs do. If ping is necessary, convert your virtual IPs over to CARP.
RE: [pfSense Support] ICMP not Replying on Virtual IPs
I too have been struggling with this for the last several weeks.

Yesterday, I noticed an interesting observation which may have some clue to solving.

To map the Virtual IP using NAT, we need a static IP on the LAN or DMZ side. When I used the MAC-address-based DHCP (in LAN as well as DMZ) to give my server a fixed IP address and NAT this fixed IP to the Virtual IP, I noticed that all my pings magically started to work.

I also had an ICMP rule set on each interface which was any/any/any any/any/any any/any/any any/any/any any/any/any, 7 ways to Sunday. Stupid, but hey, this is a test... I broke this rule down to a similar rule for each zone, like one for LAN ==> DMZ, then for DMZ ==> LAN, then for WAN ==> LAN and for LAN ==> WAN.

I think the static IP or fixed IP obtained from DHCP is likely a suspect area.

I will tighten my ICMP rule to allow only echo and destination not reachable once it is fully debugged...

Another suggestion will be to use LOG and make it like the log for even those driven by policy.

BTW, is there a place we can find the default rule / default policy?

Status >> System Logs >> Settings tab >> Log packets blocked by the default rule
Re: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Gary - Is there a place that I can read which shows how to do CARP in place of Virtual IP when we are doing NAT...

I am also searching in Google and my head spins!!
Re: [pfSense Support] ICMP not Replying on Virtual IPs
CARP is a virtual IP type. If you already have Virtual IPs defined as ProxyARP, simply change them to CARP, and make sure you have CARP enabled.
Re: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Gary - I could, but:

1. There is a page-long list of CARP settings issues
2. Then there are a number of new settings like password and VHID and ad freq etc.

Thanks for taking a moment to respond.

Anil
RE: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Tim,

I am using port forward. Right now I am forwarding a TCP port (let's say 3389 for RDP) to the internal server and I have a rule set up for that and it works perfectly. What packets are you suggesting I am to forward? There is no forward rule for ICMP.

Thanks.

From: Tim Dickson [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 31, 2008 3:26 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] ICMP not Replying on Virtual IPs

What kind of NAT are you using?

If it is port forward, you'll have to forward the packets as well as adding the rule to your WAN ruleset.

If it is 1:1, it should work for you as long as they respond correctly within your network.

-tim
RE: [pfSense Support] ICMP not Replying on Virtual IPs
Hi Gary,

My virtual IPs are of type Other, not ProxyARP (unless Other is another type of ProxyARP). When I try to convert one of them to CARP it tells me I have to put in a password, so I do. Then it tells me that it cannot locate an interface with a matching subnet for IP/32. It says I have to set up an IP in this subnet on a real interface. Since I want this IP to appear on my WAN interface, how do I add this IP in addition to the one currently on it?

Thanks.

-----Original Message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 31, 2008 3:33 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] ICMP not Replying on Virtual IPs

ProxyARP virtual IPs don't respond to ping. CARP virtual IPs do. If ping is necessary, convert your virtual IPs over to CARP.
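
Added example, not part of the original thread and not pfSense's own code: a sketch of the subnet check that the error message in the last post describes, assuming a CARP virtual IP is accepted only when some real interface address falls inside the network formed by the VIP and the mask entered for it. The interface names, the 203.0.113.0/29 WAN block and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample: firewall interfaces and two extra public addresses.
INTERFACES = {"wan": "203.0.113.2/29", "lan": "192.168.1.1/24"}
VIPS = ["203.0.113.3", "203.0.113.4"]


def find_matching_interface(vip, prefix_len, interfaces):
    """Return the first interface whose own address lies inside the
    network formed by vip/prefix_len, or None if there is none."""
    vip_net = ipaddress.ip_network(f"{vip}/{prefix_len}", strict=False)
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if iface.version == vip_net.version and iface.ip in vip_net:
            return name
    return None


def check_carp_vip(vip, prefix_len, interfaces):
    """Return (accepted, message) for a proposed CARP VIP (assumed check)."""
    name = find_matching_interface(vip, prefix_len, interfaces)
    if name is None:
        return (False, f"no interface with a matching subnet for {vip}/{prefix_len}")
    return (True, f"{vip}/{prefix_len} matches {name}")


def suggest_prefix(vip, interfaces):
    """Return the prefix length of the interface network that contains
    vip, or None when the address is outside every attached network."""
    addr = ipaddress.ip_address(vip)
    for cidr in interfaces.values():
        iface = ipaddress.ip_interface(cidr)
        if addr.version == iface.version and addr in iface.network:
            return iface.network.prefixlen
    return None


if __name__ == "__main__":
    for vip in VIPS:
        # A /32 network holds only the VIP itself, so the WAN address
        # can never fall inside it and the check fails.
        print(check_carp_vip(vip, 32, INTERFACES))
        bits = suggest_prefix(vip, INTERFACES)
        if bits is not None:
            # With the WAN network's own mask the WAN address is inside.
            print(check_carp_vip(vip, bits, INTERFACES))
```
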