Solved No ping response across subnets

Hello, I have an odd problem... I have a DMZ box that appears to be unable to communicate with a server on my LAN (no TCP, no ICMP). Oddly enough, the ping requests are getting all the way through, but the LAN server appears to be ignoring the requests - here's a TCP dump from the LAN server:
Code:
root@jailer:~ # tcpdump -i xn0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:28:20.177115 IP jailerdmz.mydomain.com > jailer.mydomain.com: ICMP echo request, id 30978, seq 0, length 64
05:28:21.240546 IP jailerdmz.mydomain.com > jailer.mydomain.com: ICMP echo request, id 30978, seq 1, length 64
05:28:22.275346 IP jailerdmz.mydomain.com > jailer.mydomain.com: ICMP echo request, id 30978, seq 2, length 64
05:28:23.338841 IP jailerdmz.mydomain.com > jailer.mydomain.com: ICMP echo request, id 30978, seq 3, length 64
Further details as follows: The LAN is defined as 10.4.12.0/24, and the DMZ is defined as 10.4.14.0/28. There is a pfsense firewall between the machines which appears to be passing the traffic successfully (it would have to for the LAN host to see the ping requests). Other than the pfsense firewall, no machine is aware of both subnets. In fact, both networks are on separate VLANs. Oddly enough, other machines have no issues at all communicating back and forth - it is only the one FreeBSD LAN machine which is refusing to communicate. What could cause it to ignore ICMP echo requests? It doesn't have a firewall... not sure what else could possibly cause this behavior. I figure if I can determine what's preventing my pings from working, I can probably get my other services (like DNS) to start working.
 
Run tcpdump(1) on the FreeBSD LAN host and see if you actually see the ICMP come in and if it responds. If it does respond but the responses aren't getting to the original host you need to check the return route. Check if the pfSense isn't blocking the return traffic. Check if the routes are correct. Also verify if the LAN host has the correct subnet mask (a bad mask can cause all sorts of strange results).
 
The above tcpdump was from the LAN host. It is receiving the ICMP echo request, but is not generating an echo reply. Here's an ifconfig from the LAN host (it's ugly because it is running quite a few jails):
Code:
root@jailer:~ # ifconfig 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet6 ::1 prefixlen 128  
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1  
       inet 127.0.0.1 netmask 0xff000000  
       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> 
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 
       options=503<RXCSUM,TXCSUM,TSO4,LRO> 
       ether 00:16:3e:fe:ce:af 
       inet 10.4.12.21 netmask 0xffffff00 broadcast 10.4.12.255  
       inet6 fe80::216:3eff:fefe:ceaf%xn0 prefixlen 64 scopeid 0x2  
       inet6 2001:470:5:745::5 prefixlen 64  
       inet 10.4.12.22 netmask 0xffffffff broadcast 10.4.12.22  
       inet6 2001:470:5:745::7 prefixlen 128  
       inet6 2001:470:5:745::6 prefixlen 128  
       inet 10.4.12.24 netmask 0xffffffff broadcast 10.4.12.24  
       inet6 2001:470:5:745::9 prefixlen 128  
       inet6 2001:470:5:745::b prefixlen 128  
       inet 10.4.12.23 netmask 0xffffffff broadcast 10.4.12.23  
       inet6 2001:470:5:745::8 prefixlen 128  
       inet 10.4.12.20 netmask 0xffffffff broadcast 10.4.12.20  
       inet6 2001:470:5:745::a prefixlen 128  
       inet 10.4.12.26 netmask 0xffffffff broadcast 10.4.12.26  
       inet6 2001:470:5:745::c prefixlen 128  
       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> 
       media: Ethernet manual 
       status: active 
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.2 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo2: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.3 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo3: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo4: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.5 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo5: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.6 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo6: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.7 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
lo7: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet 127.0.0.8 netmask 0xffffffff  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
And from the DMZ host:
Code:
root@jailerdmz:~ # ifconfig 
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384 
       options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6> 
       inet6 ::1 prefixlen 128  
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1  
       inet 127.0.0.1 netmask 0xff000000  
       nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> 
       groups: lo  
xn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 
       options=503<RXCSUM,TXCSUM,TSO4,LRO> 
       ether 00:16:3e:8f:df:ca 
       inet 10.4.14.8 netmask 0xfffffff0 broadcast 10.4.14.15  
       nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL> 
       media: Ethernet manual 
       status: active
 
Check the firewall on the LAN host; there must be one running because you're using local interfaces for your jails.
 
Resolved it. The LAN host failed to set its default gateway for some reason. I can't explain why not... it was configured correctly in /etc/rc.conf, it was able to be set up manually, and it came up properly when rebooted. As sure as I am that it was set before the last boot, the evidence says I failed to set it after enabling it in the config file.
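The failure mode in this thread (and the subnet-mask point raised in the first reply) can be reproduced with a small routing-table lookup, added here as an illustration rather than anything from the original posts: the kernel's longest-prefix match decides whether an echo reply has any path back to the requester, so a missing default route means the request is received but the reply is never sent. The gateway address 10.4.12.1 and the tables are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# A route is (destination prefix, gateway); gateway None means "directly on-link".
Route = Tuple[str, Optional[str]]


def parse_routes(entries: Sequence[Route]) -> List[Tuple[ipaddress.IPv4Network, Optional[str]]]:
    return [(ipaddress.ip_network(prefix, strict=False), gw) for prefix, gw in entries]


def lookup(routes, dst: str):
    """Longest-prefix match: the same decision the host makes when it
    builds the reply packet. Returns (prefix, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def reply_path(routes, requester: str) -> str:
    """Describe how an ICMP echo reply to `requester` would leave the host."""
    hit = lookup(routes, requester)
    if hit is None:
        return "no route"          # reply is dropped: nothing ever hits the wire
    net, gw = hit
    return "on-link" if gw is None else f"via {gw}"


# Constructed tables modelling the LAN host (10.4.12.21/24) from the thread.
# 1) What the host had: a connected route for the LAN only, no default route.
ROUTES_BROKEN = parse_routes([("10.4.12.0/24", None), ("127.0.0.0/8", None)])
# 2) After the fix: default route towards the pfSense LAN address (assumed 10.4.12.1).
ROUTES_FIXED = parse_routes([("0.0.0.0/0", "10.4.12.1"),
                             ("10.4.12.0/24", None), ("127.0.0.0/8", None)])
# 3) The "bad mask" case from the first reply: a /16 makes the DMZ look on-link,
#    so the host would ARP for 10.4.14.8 instead of sending the reply to the gateway.
ROUTES_BADMASK = parse_routes([("0.0.0.0/0", "10.4.12.1"), ("10.4.0.0/16", None)])

if __name__ == "__main__":
    for name, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED),
                        ("bad mask", ROUTES_BADMASK)):
        print(f"{name:8s} reply to 10.4.14.8: {reply_path(table, '10.4.14.8')}")
```

On a FreeBSD host the equivalent live check is `route -n get 10.4.14.8`, which reports the route the kernel would use or fails with "not in table" when no default route exists.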
 