[Solved] PF: Can't ping my Gateway

Hi

My rules for pf.conf
Code:
...
set skip on $lo_if

block drop log all
antispoof log quick for { $lo_if, $ext_if } inet

pass out log on $ext_if inet proto icmp from ($ext_if) to any icmp-type echoreq keep state (if-bound)

Now when I'm trying to ping(8) my gateway (192.168.1.0), I get no response:
ping -c3 192.168.1.0

Looking at the pf.log file I see:
Code:
00:06:49.614398 rule 4..16777216/0(match): pass out on bge0: 192.168.1.2 > 192.168.1.0: ICMP echo request, id 47624, seq 0, length 64
00:00:00.000020 rule 3..16777216/0(match): block in on bge0: 192.168.1.2 > 192.168.1.0: ICMP echo request, id 47624, seq 0, length 64
00:06:01.063109 rule 3..16777216/0(match): block in on bge0: 192.168.1.2 > 192.168.1.0: ICMP echo request, id 47624, seq 1, length 64
00:06:01.063525 rule 3..16777216/0(match): block in on bge0: 192.168.1.2 > 192.168.1.0: ICMP echo request, id 47624, seq 2, length 64

Does anyone know what I am doing wrong?

BTW my rc.conf has:
Code:
...
defaultrouter="192.168.1.0"
ifconfig_bge0="inet 192.168.1.2 netmask 255.255.255.248"
...

Thanks
 
Re: PF: Can't ping my Gateway

Hi

More information:
I disabled the PF firewall and my sysctl.conf doesn't have anything in it. I tried to ping(8) my gateway and there is still no response, and after some seconds I get 100.0% packet loss.

Thanks.
 
Re: PF: Can't ping my Gateway

Your gateway address is wrong. You cannot assign the IP address 192.168.1.0 if the subnet is 192.168.1.0/29. It's the network address, not a host address.

Remember that you cannot use all 0s and all 1s for the host part of the IP address. With the subnet 192.168.1.0/29 the only valid host addresses are 192.168.1.1 to 192.168.1.6. The .0 address (all 0s) is the network address and .7 (all 1s) is the broadcast address.
 
Re: PF: Can't ping my Gateway

That's generally true, especially when the netmask is the usual 255.255.255.0, but I can construct a setup where the gateway address ends with a .0 and it's completely fine. Also, the addresses used may look odd but in fact they are just fine ;)

Code:
ifconfig_em0="inet 192.168.255.0 netmask 255.255.0.0"
defaultrouter="192.168.1.0"

I do remember that some older versions of MS Windows barfed on such setups because the programmers who wrote the address checking code made the false assumption that addresses ending in zero can never be valid addresses for a host.
 
Re: PF: Can't ping my Gateway

kpa said:
That's generally true and especially when the netmask is the usual 255.255.255.0 but I can construct a set up where the gateway address ends with a .0 and it's completely fine.
I don't think it works if the host part contains all zeros. The .0 may work if there are more host bits, as with a 23 bit subnet mask for example. In that case 192.168.1.0 is indeed a valid host address. It's not so much the .0 that's the problem, it's the fact that all host bits are zero.
 
Re: PF: Can't ping my Gateway

Yes of course, the so called network address and the broadcast address are never valid addresses for hosts. My example is where the address ends with a .0 but is still distinct from the network address.
 
Re: PF: Can't ping my Gateway

The OP appears to have a 29 bit subnet mask, making 192.168.1.0 a network address ;)
 
I assume you changed the IP address of the gateway?
 
@SirDice

Yes, your solution of not using the network ID as a gateway IP address made everything work.

Thank you.
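
Added example (not part of the original thread): a Python check that classifies a `defaultrouter` against the subnet of each `ifconfig_<if>` line, run over the two rc.conf snippets quoted above plus a constructed /23 case. The function names and the verdict strings are assumptions made for this illustration.

```python
import ipaddress
import re

# rc.conf lines in the form shown in the thread.
RC_IF = re.compile(r'^ifconfig_(\w+)="inet (\S+) netmask ([^"\s]+)"', re.M)
RC_GW = re.compile(r'^defaultrouter="([^"]+)"', re.M)

def classify_gateway(if_addr, netmask, gateway):
    """Say whether `gateway` is a usable host address on the interface's subnet."""
    iface = ipaddress.ip_interface(f"{if_addr}/{netmask}")
    net, gw = iface.network, ipaddress.ip_address(gateway)
    if gw not in net:
        return "off-link"
    # /31 and /32 have no separate network/broadcast address, so skip the check there.
    if net.prefixlen < 31:
        if gw == net.network_address:      # all host bits 0
            return "network-address"
        if gw == net.broadcast_address:    # all host bits 1
            return "broadcast-address"
    if gw == iface.ip:
        return "same-as-interface"
    return "ok"

def usable_hosts(if_addr, netmask):
    """First and last assignable host address (prefix length 30 or less)."""
    net = ipaddress.ip_interface(f"{if_addr}/{netmask}").network
    return str(net.network_address + 1), str(net.broadcast_address - 1)

def check_rc_conf(text):
    """Map each ifconfig_<if> line to the verdict for the file's defaultrouter."""
    gw = RC_GW.search(text).group(1)
    return {m.group(1): classify_gateway(m.group(2), m.group(3), gw)
            for m in RC_IF.finditer(text)}

# The two configurations quoted in the thread.
OP_RC = 'defaultrouter="192.168.1.0"\nifconfig_bge0="inet 192.168.1.2 netmask 255.255.255.248"\n'
KPA_RC = 'ifconfig_em0="inet 192.168.255.0 netmask 255.255.0.0"\ndefaultrouter="192.168.1.0"\n'

if __name__ == "__main__":
    print(check_rc_conf(OP_RC), usable_hosts("192.168.1.2", "255.255.255.248"))
    print(check_rc_conf(KPA_RC))
    # Constructed /23 case: same gateway, host bits are no longer all zero.
    print(classify_gateway("192.168.0.10", "255.255.254.0", "192.168.1.0"))
```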
 