Solved Ping from/to FreeBSD machine does not work

[mefizto]

Greetings all,

a FreeBSD machine with basic installation of RELEASE 14.3 is connected to a port of a router with an address 192.168.10.1, and is assigned an address 192.168.10.4. Since the FreeBSD machine is behind a firewall, no firewall is enabled on the FreeBSD machine.

When trying to ping from the FreeBSD machine the gateway 192.168.10.1, all packets are reported as lost, though I can ping 127.0.0.0.

Pinging from the router, the response is

ping: sendmsg: Permission denied

Pinging from a machine on a different sub-net 192.168.1.0/24, connected to the router, the response is

Reply from 192.168.1.1: Destination port unreachable

From this one I conclude that the FreeBSD machine is reachable, but no socket is opened on the port?

Is there something that I need to configure? dhclient is running on the FreeBSD machine interface.

Kindest regards,

M

 

[mefizto]

Greetings all,

If I am reading the routing table correctly, there may be a problem because the destination for 192.168.10.4 is link#2, which is lo0. This seems to be confirmed by
route get 192.168.10.4

route to: 192.168.10.4
destination: 192.168.10.4
fib: 0
interface: lo0
flags: <UP, HOST, DONE, STATIC, PINNED>

Sorry for the formatting, I do not how to copy from the screen, as I am typing form a different computer.

Now, why is this happening, and how to fix this?

Kindest regards,

M

 

[dkh]

Just throwing things out there...

Is the cable good?

Is it plugged into the right port on the machine?

What does "ifconfig -a" show?

Is the gateway set?

Are non-icmp things working?

Does arp show the router or anything else?

Do you see any traffic on the interface via tcpdump?

 

[mefizto]

Hi dkh,

thank you for your reply.

Just throwing things out there...

Is the cable good?

I have no way to test it, but three different cables exhibit the same issue.

Is it plugged into the right port on the machine?

Yes, checked about 7,908,221 times.

What does "ifconfig -a" show?

The correct ID address, net-mask and broadcast domain.

Is the gateway set?

Yes.

Are non-icmp things working?

Like what?

Does arp show the router or anything else?

Ah, did not try this.

Do you see any traffic on the interface via tcpdump?

That is the strange issue, although the response to ping from the firewall is reported to come from the interface, or better to say from 192.168.10.1, I do not see any traffic in response to tcpdump -i em0.

Kindest regards,

M

 

[SirDice]

here may be a problem because the destination for 192.168.10.4 is link#2, which is lo0

No, that's normal. Technically the IP address isn't actually on the interface, it's on the host.

Internet:
Destination        Gateway            Flags         Netif Expire
default            192.168.10.1       UGS             re0
127.0.0.1          link#2             UH              lo0
192.168.10.0/24    link#1             U               re0
192.168.10.40      link#2             UHS             lo0

From this one I conclude that the FreeBSD machine is reachable, but no socket is opened on the port?

ICMP echo doesn't use "ports", that's a UDP/TCP thing. It's your router that responded, I would look for the fault there.

 

[mefizto]

Hi SirDice,

thank you for setting me straight, I cannot quite find any resource how to read the routing table.

Technically the IP address isn't actually on the interface, it's on the host.

Aha, this explanation really make it almost as clear as mud.

Kindest regards,

M

 

[SirDice]

Aha, this explanation really make it almost as clear as mud.

It's rather technical, but if you bind a service to 192.168.10.4 for example, it's not going to matter on which interface that packet arrives on, the service is going to handle the connection. Even if you have a dozen other interfaces, all on different subnets and the packet comes in on any of the other interfaces, the service is still going to accept the connection. You would have some really dodgy routing on your network, but the service will happily accept the connection.

Also a bit of a network primer:
A TCP connection starts with a SYN packet, if that SYN packet is sent to a closed port (i.e. no service listening), it will respond with a RST packet. And you get a "connection refused" error. When you send a TCP SYN and there's no response you get a "connection timed out" error, that's usually because a firewall dropped that packet. If the firewall was open but there is no service listening (closed port) you would get a RST packet in return.

A UDP packet sent to a closed port will result in an ICMP destination port unreachable. Or just deafening silence, depends a bit on the router or the receiving OS settings. You typically don't want to sent an ICMP response because UDP is easily spoofed. UDP is more like a fire and forget missile, there's no state, you send the packet and it arrives or not. The sender has no way to find out.

Things to check on the FreeBSD host end: ifconfig re0 (or whatever interface you use). You should see something similar to this:

% ifconfig re0
re0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:01:2e:41:a3:e8
        inet 192.168.10.40 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::201:2eff:fe41:a3e8%re0 prefixlen 64 scopeid 0x1
        inet6 2a02:a46e:550b:10:201:2eff:fe41:a3e8 prefixlen 64 autoconf pltime 604800 vltime 2592000
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Things to note, the UP in the first line to indicate the interface is actually up. Is the IP address correct and what you expect, same for the netmask. Don't worry too much about the inet6 addresses.
Second thing to look at is the media, this should be "Ethernet autoselect" and then "1000baseT <full-duplex>" is an indication it successfully negotiated a 1Gbps connection. Third and last is the "status", this has to be "active", this indicates the network card found a carrier signal. Which means it's been plugged in and should be working.

Then look at the routing table,

% netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags         Netif Expire
default            192.168.10.1       UGS             re0
127.0.0.1          link#2             UH              lo0
192.168.10.0/24    link#1             U               re0
192.168.10.40      link#2             UHS             lo0

default is your default gateway. It should be there, but even without a gateway you should still be able to connect to anything on the so-called directly connected network. Which is the network associated with the interface. The gateway is really only important when you need to access something beyond your directly connected networks.

Which brings me to the final thing to look at. The ARP table. Whenever you need to send a packet to a directly connected host you first need to know the MAC address of the destination host. Here's were ARP comes in. An ARP request will be broadcast on the network like "Hey! Who has IP address 192.168.1.1?" And the host with that IP address will send a response ARP "I am 192.16.1.1". This information is cached in the ARP table. You can look at it with arp -a. You should, at the very least, have an entry for your router's IP address, myrouterhostname (192.168.10.1) at de:ad:be:ef:f0:0d on re0 expires in 324 seconds [ethernet].

If you ping(1) your gateway address you SHOULD get its MAC address in your ARP table. If you don't get that there's something really fishy going on on layer 2. And everything on top of that IP/ICMP/TCP/UDP (layer3/4) is going to fail. And all layers above it (layer 7; HTTP for example) is certainly never going to work.

Now, your layer 2 is probably working fine, I understood you're using DHCP. If layer 2 wasn't working DHCP would fail too. So just the fact the host send out a DHCP DISCOVER and received a DHCP OFFER with an IP address, mask and router means things work.

And the router not responding to pings is probably because somebody turned its firewall up to 11 and it blocks all ICMP to itself. So start looking there.

 

[mefizto]

Hi SirDice,

first thank you very much for the time to write all the information. I have the false impression, that I understand or at least I checked that all the items you suggested check out, except the first paragraph.

Regarding the firewall, as I noted there is no firewall on the FreeBSD machine, and after disconnecting the router form the Internet, I turned of the firewall with the same problem.

I had made a little progress by adjusting some configuration changes (DHCP daemon on the router), flushed all the network related function on the Windows 10 machine, added Domain to the Windows firewall to allow ping request and now I have the following results:

The Windows 10 machine on the 192.168.1.0/24 network can now ping both sub-nets gateways and the FreeBSD machine on the 192.168.10.0/24 network.

The FreeBSD machine can ping both gateways, but not the Windows 10 machine. This is with both the firewall on the router being on or off. Since I can ping the Windows 10 machine from the router, I do not believe that the Windows firewall is the problem, but who knows. However, if there is a Windows experts here, please let me know, perhaps by p.m. so that the forum rules are not violated.

Kindest regards,

M

 

[mefizto]

Greetings all,

the problem of not being able to reach the Windows 10 machine was/is caused by the Windows firewall because upon turning it off, the machine can be reached.

Now, none of the "Windows' experts" advise how to let ping through worked. So, although the root of the problem is known, the solution is not.

Kindest regards,

M

P.S. Update if anyone has the same problem. For reasons known only to Microsoft, the "Scope" for the ICMPv4In for "Remote IP address" was set to "These IP addresses" and "localnet" was listed. All other ICMPXX setting were correct. Strange.

M