
Topic: Can ping other machines on subnet, but not the gateway


Offline AvKARE IT

Can ping other machines on subnet, but not the gateway
« on: November 06, 2017, 02:38:18 pm »
I have two firewalls setup in High Availability. I have WAN, LAN, VPL (connecting two data centers), High Availability port and OPT3.

LAN works just fine. From anything on the LAN, I can ping anything else on the LAN subnet, as well as the OPT3 subnet. However, from two different servers on the OPT3 subnet, I cannot ping the OPT3 gateway or anything on the LAN subnet. However, I CAN ping each server on the OPT3 subnet...and I can ping anything on the internet. What gives??

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #1 on: November 06, 2017, 02:52:22 pm »
There are no rules on any of your OPT interfaces.  Only LAN gets a default Allow any rule.  All other LAN interfaces (OPT1, OPT2, etc) must have at least one rule added to enable access.

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #2 on: November 06, 2017, 03:25:04 pm »
But there ARE rules. I added them manually. Like I mentioned..I can ping google.com or any other server on the OPT3 subnet. I'm getting out. I even have a rule on LAN to allow the OPT3 subnet.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #3 on: November 06, 2017, 03:30:03 pm »
AH sorry, I missed that.  People complaining about missing default rules on OPT interfaces happens almost every day.

Post a screen of your rules and that will remove the guesswork.

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #4 on: November 06, 2017, 03:34:51 pm »
Screenshots of my rules. The "RSS_LAN" is the OPT3 subnet.

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #5 on: November 06, 2017, 03:36:34 pm »
Oh, and let me add....this was working fine on Friday. Just stopped over the weekend.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #6 on: November 06, 2017, 03:43:00 pm »
Quote
Oh, and let me add....this was working fine on Friday. Just stopped over the weekend.

That's kind of a critical piece to forget  ;D

Your rules look fine.  They aren't perfect but you should not be having these problems.  When your traffic is being blocked, what does the firewall log say about it?  What is really being blocked?

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #7 on: November 06, 2017, 04:00:41 pm »
So here's what happens when I try to ping the OPT3 gateway from one of my KV servers on the OPT3 subnet. It says it is passing the traffic....however the server doesn't receive any reply and reports 100% packet loss. Although, I can ping freakin' google.com from that box without any problem.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #8 on: November 06, 2017, 06:43:09 pm »
Have you tried the universal fix, rebooting it?

What about local client firewalls?  Some OSes will automagically block traffic from outside the local subnet.  You said it was working before the weekend.  Did you apply any OS patches?  Did anything change between when it was last working and now?  Anything weird in the System log?

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #9 on: November 06, 2017, 07:04:45 pm »
Nothing changed. No patches applied. This is all being setup from scratch. New firewalls, new supermicro servers. I was able to mount a virtual disk hosted on an SMB share on 192.168.100.20 onto a supermicro using IPMI on Friday. I did this from two physical supermicro servers on the OPT3 subnet. On each, I installed Debian Stretch and KVM. From Debian, I cannot ping the gateway from either box, and I can no longer mount that SMB share in IPMI. I see nothing strange in the logs.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #10 on: November 06, 2017, 07:22:01 pm »
Any other network equipment in between anything?  I'm starting to run out of ideas.  If you know Wireshark, you could try packet-capturing from each end and see what's going on.  That might help isolate the problem.

If you're desperate, you could try backing up your configurations, reinstalling from scratch and then restoring and see if it just fixes itself.  Normally I wouldn't suggest random actions like that with hopes & prayers, but like you said it used to work.

Offline Derelict

Re: Can ping other machines on subnet, but not the gateway
« Reply #11 on: November 06, 2017, 07:32:04 pm »
What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.

It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.

Please also provide captures of the interfaces in question from Status > Interfaces.

Any IPsec? Any policy routing?

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #12 on: November 07, 2017, 11:08:35 am »
Quote
What other rules are on those interfaces? Please provide a complete picture instead of cropping everything out.

It makes no sense to have rules sourcing from LAN network on the RSS_NET interface. That will never happen.

Please also provide captures of the interfaces in question from Status > Interfaces.

Any IPsec? Any policy routing?

The only rules on the LAN subnet are the default anti-lockout rule and the default any protocol on LAN to any. On the RSS_LAN subnet, the only rule is any protocol on RSS_LAN to any (changed since yesterday).

Yes, there are IPSec VPN tunnels, but I'm not sure why you're asking. Absolutely no policy routing in place.


Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #13 on: November 07, 2017, 01:07:48 pm »
It seems I found the issue. I had a misconfiguration in IPSec, which was apparently affecting the routing. I fixed that, and all seems well. Thanks to Derelict for mentioning IPSec...I probably wouldn't have looked.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #14 on: November 07, 2017, 01:46:28 pm »
Quote
I had a misconfiguration in IPSec

This misconfiguration had been there all along and just decided to act up now?  Or was this something you manually did between when it was last working and now?

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #15 on: November 07, 2017, 01:50:13 pm »
I'm pretty sure that misconfiguration happened over the weekend when I was trying to work on it from home. My IPSec tunnel was connected to LAN, but I needed a Phase 2 to the RSS_LAN...I just set it up ass backwards and that screwed me. I guess that's what I get for trying to work at home when my wife and kids are present.
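The failure mode described in this thread (firewall log shows the ping as passed, but no reply ever comes back, while internet traffic still works) is what a Phase 2 with its local and remote networks swapped produces: packets destined for a directly attached subnet match the IPsec security policy and are pulled into the tunnel instead of being delivered on the interface. As an added example, not code from the thread's participants or from pfSense itself, the Python below models that check: it takes the firewall's attached subnets and a list of Phase 2 selectors, flags any entry whose remote network overlaps an attached subnet or whose local network is not attached at all, and tests whether simply swapping the two selectors yields a sane entry. The subnet values are constructed: the LAN is assumed to be 192.168.100.0/24 because the thread places an SMB host at 192.168.100.20 there; the RSS_LAN and far-site prefixes are invented.

```python
"""Sanity-check IPsec Phase 2 selectors against a firewall's attached subnets.

Added example (not from pfSense or the forum posters). A Phase 2 whose
*remote* network overlaps a subnet attached to one of the firewall's own
interfaces causes traffic for that subnet to match the IPsec SPD and be
sent into the tunnel rather than routed locally, which presents exactly
as "log says pass, host sees 100% packet loss".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry as configured under VPN > IPsec (local/remote selectors)."""
    name: str
    local: IPv4Network
    remote: IPv4Network


# Constructed sample topology (assumed values, not taken from the thread except
# that the LAN holds 192.168.100.20, so 192.168.100.0/24 is a plausible LAN).
LOCAL_SUBNETS: Dict[str, IPv4Network] = {
    "LAN": ip_network("192.168.100.0/24"),
    "RSS_LAN": ip_network("10.10.30.0/24"),   # the OPT3 subnet, invented prefix
}
REMOTE_SITE: IPv4Network = ip_network("172.16.50.0/24")  # far end of the tunnel, invented

# A correct entry: local selector is an attached subnet, remote is the far site.
PHASE2_OK = Phase2("LAN-to-remote", LOCAL_SUBNETS["LAN"], REMOTE_SITE)
# The "backwards" entry: local and remote swapped for the RSS_LAN subnet.
PHASE2_SWAPPED = Phase2("RSS_LAN-to-remote", REMOTE_SITE, LOCAL_SUBNETS["RSS_LAN"])


def check_phase2(local_subnets: Dict[str, IPv4Network],
                 phase2s: List[Phase2]) -> List[Tuple[str, str, str]]:
    """Return (entry name, finding, interface) tuples for suspicious selectors.

    remote-overlaps-attached-subnet: traffic to that interface's subnet (including
        its gateway address) will be captured by the tunnel policy.
    local-not-attached: the local selector matches no attached subnet, so nothing
        on this firewall could legitimately source traffic into the tunnel.
    """
    findings: List[Tuple[str, str, str]] = []
    for p2 in phase2s:
        for ifname, subnet in local_subnets.items():
            if p2.remote.overlaps(subnet):
                findings.append((p2.name, "remote-overlaps-attached-subnet", ifname))
        if not any(p2.local.overlaps(s) for s in local_subnets.values()):
            findings.append((p2.name, "local-not-attached", ""))
    return findings


def suggested_fix(p2: Phase2, local_subnets: Dict[str, IPv4Network]) -> Optional[Phase2]:
    """If swapping local and remote produces a clean entry, return it; otherwise None."""
    swapped = Phase2(p2.name, p2.remote, p2.local)
    if check_phase2(local_subnets, [swapped]):
        return None
    return swapped


if __name__ == "__main__":
    for finding in check_phase2(LOCAL_SUBNETS, [PHASE2_OK, PHASE2_SWAPPED]):
        print("finding:", finding)
    fix = suggested_fix(PHASE2_SWAPPED, LOCAL_SUBNETS)
    if fix is not None:
        print(f"swap selectors of {fix.name}: local={fix.local} remote={fix.remote}")
```

Run it as-is to see the swapped entry flagged twice (its remote covers RSS_LAN, its local is not attached) while the correct LAN entry produces nothing. On the firewall itself the same condition can be confirmed by looking at the installed security policies for the RSS_LAN prefix and at the Phase 2 list under VPN > IPsec, which is the step Derelict's "Any IPsec?" question pointed the original poster toward.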

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #16 on: November 07, 2017, 02:24:59 pm »
I did specifically ask you if you changed anything between when it was working and when it stopped...

Offline AvKARE IT

Re: Can ping other machines on subnet, but not the gateway
« Reply #17 on: November 07, 2017, 02:28:35 pm »
Yes, and I failed to remember that I had messed with the VPN tunnel from home. I thought I had added the Phase 2 earlier in the week when I was installing the servers at the datacenter.

Offline KOM

Re: Can ping other machines on subnet, but not the gateway
« Reply #18 on: November 07, 2017, 02:44:56 pm »
OK I'm done breaking your balls  ;D

Glad it's working.