Here's my network topology:

  • ISP: 192.168.0.1
  • pfSense: (ip dhcp) <-> 192.168.1.1
  • pfSense does outbound NAT such that all traffic passing out of interface (ip dhcp) is NATed, mapping all "internal" addresses to a single IP
  • This is to prevent problems where the ISP router sees traffic destined for (e.g.) 192.168.2.X and it doesn't know what 192.168.2.X is. (I can't set static routes.)
  • Raspberry-Pi: (ip dhcp from pfSense) <-> 192.168.2.254
  • Other devices receive IP addresses from Raspberry-Pi via dnsmasq.

ISP [192.168.0.1] <-> [DHCP IP] pfSense [192.168.1.1] <->
    [192.168.1.220 DHCP reserved] R-Pi [192.168.2.254] <->
    devs on my network incl 192.168.2.101

Here is an example of such a device:

  • 192.168.2.101
  • Ping to 192.168.2.254 = ok
  • Ping to 192.168.1.1 = fail

In reverse:

  • 192.168.1.1 (pfSense) can ping 192.168.2.101 successfully

On pfSense I have set up a gateway (LAN interface) with IP 192.168.1.220 (value given by pfSense DHCP, although this is a reserved IP for obvious reasons).

I have also set a static route to net 192.168.2.0/24 via 192.168.1.220.

Raspberry Pi iptables is flushed.

Here is a packet capture of ping requests made using machine 192.168.2.101 to the pfSense box (192.168.1.1).

14:43:41.042222 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 1, length 64
14:43:42.050051 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 2, length 64
14:43:43.074070 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 3, length 64
14:43:44.098041 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 4, length 64
14:43:45.122050 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 5, length 64
14:43:46.146034 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 6, length 64
14:43:47.169980 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 7, length 64
14:43:48.193955 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 8, length 64
14:43:49.218050 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 9, length 64
14:43:50.241974 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 10, length 64
14:43:51.265982 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 11, length 64
14:43:52.290022 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 12, length 64
14:43:53.313970 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 13, length 64
14:43:54.337960 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 14, length 64
14:43:55.361926 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 15, length 64
14:43:56.385927 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 16, length 64

It looks like the pfSense router simply does not bother trying to reply. This seems really strange, because I can ssh into 192.168.2.101 using machines on the 192.168.1.0 network, so the pfSense box clearly knows where to send traffic destined for a 192.168.2.0 address.

I'm not sure what else to test to diagnose this.

Raspberry-Pi dnsmasq.conf

dhcp-lease-max=11
server=192.168.2.1
server=192.168.1.1

interface=eth0
dhcp-range=192.168.2.128,192.168.2.199,255.255.255.0,24h

dhcp-host=... some stuff here...

ip route

default via 192.168.1.1 dev eth1 proto dhcp src 192.168.1.220 metric 204 
192.168.1.0/24 dev eth1 proto dhcp scope link src 192.168.1.220 metric 204 
192.168.2.0/24 dev eth0 proto dhcp scope link src 192.168.2.254 metric 202
  • Try checking the firewall logs. I do not think pfSense allows ICMP by default. Commented Sep 27, 2020 at 14:46
  • I believe this could be either a firewall or a routing problem. You said that the raspi iptables are flushed, but, in order to properly diagnose this problem, we probably need to know the firewall configuration of the other machines involved as well as their routing tables. It could also be useful to know the dnsmasq configuration on the raspi and the netmasks of the interfaces. Most of the time I've seen this behaviour, it's a routing problem: I suspect some routing issue is preventing 192.168.1.1's ICMP response from reaching back to 192.168.2.101. Commented Sep 27, 2020 at 15:51
  • Now, with respect to your comments about SSH, you have to remember that routing decisions can be affected by the source address of the packets and that SSH uses TCP, which is a Layer 4 (transport) connection protocol, so it is sufficient that the connecting machine can ping the remote, and you said there is no problem there. Commented Sep 27, 2020 at 15:57
  • @Bungicasse Presumably you refer to the firewall logs on the pfSense system. I checked these and indeed there are many block actions. But why would this be the case? Commented Sep 27, 2020 at 16:15
  • @HermógenesOliveira I have added some information regarding dnsmasq config. I will also add the routing tables in a moment. Commented Sep 27, 2020 at 16:19
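To make the capture and the block entries in the pfSense firewall log easier to reason about, here is an added Python example (not from the question or from pfSense) that pairs tcpdump echo requests with their replies and models a pfSense LAN rule set. The rule model is a simplified assumption (first-match pass rules with an implicit deny at the end) seeded with the stock "Default allow LAN to any" rule, whose source is LAN net, i.e. 192.168.1.0/24 here; the reply line for seq 3 is constructed to show the pairing, it is not in the original capture.

```python
import ipaddress
import re

# Constructed sample: first three request lines from the question's capture,
# plus one constructed reply (seq 3) that is NOT in the original capture.
CAPTURE = """\
14:43:41.042222 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 1, length 64
14:43:42.050051 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 2, length 64
14:43:43.074070 IP 192.168.2.101 > 192.168.1.1: ICMP echo request, id 2215, seq 3, length 64
14:43:43.074500 IP 192.168.1.1 > 192.168.2.101: ICMP echo reply, id 2215, seq 3, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_capture(text):
    """Parse tcpdump ICMP echo lines into dicts; other lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts

def unanswered(pkts):
    """(id, seq) of requests whose reply (same id/seq, src and dst swapped) never appeared."""
    replies = {(p["id"], p["seq"], p["dst"], p["src"]) for p in pkts if p["kind"] == "reply"}
    return [(p["id"], p["seq"]) for p in pkts
            if p["kind"] == "request" and (p["id"], p["seq"], p["src"], p["dst"]) not in replies]

# Assumed simplified model of a pfSense interface rule set: (action, source network),
# evaluated first-match, with the implicit default deny if nothing matches.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_LAN_RULES = [("pass", LAN_NET)]  # stock "Default allow LAN to any": source = LAN net
FIXED_LAN_RULES = DEFAULT_LAN_RULES + [("pass", ipaddress.ip_network("192.168.2.0/24"))]

def rule_verdict(rules, src_ip):
    """Return 'pass' or 'block' for a packet with this source address."""
    src = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if src in net:
            return action
    return "block"  # implicit default deny

def verdicts(pkts, rules):
    """Map each echo request (id, seq) to the verdict the rule set would give it."""
    return {(p["id"], p["seq"]): rule_verdict(rules, p["src"])
            for p in pkts if p["kind"] == "request"}
```

With the default rule set every request from 192.168.2.101 falls through to the implicit deny, which matches the block actions seen in the log; the second rule set is the kind of explicit source-network pass rule that would let the downstream subnet through.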
