Some DNS IPs blocked by the firewall
Last week, we started experiencing an (unusual) issue with our DNS. 
8.8.8.8, 9.9.9.9, 1.1.1.1 suddenly became unreachable.
There are no entries in the traffic monitor indicating a problem and no denied requests.
Pinging those IPs from WG diagnostics, I get the following:
When trying to ping 8.8.8.8 or 9.9.9.9 from the firebox diagnostic menu, Web UI and WSM, I get the following:
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
--- 9.9.9.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2034ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2035ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2054ms
#
Pinging 1.0.0.1 and a few other DNS IPs works ok, at the moment
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=57 time=2.60 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=57 time=2.64 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=57 time=2.60 ms
--- 1.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.604/2.618/2.644/0.018 ms
Update:
I just upgraded the OS to 12.10.3, and I can now ping these IPs.
I reported this to support, but they're less than helpful atm.
Nothing has changed on the firebox; the issue became apparent on Friday afternoon last week. Why would the firebox prevent me from pinging these IPs and return ping: sendmsg: Operation not permitted?
Any ideas?
Comments
The firewall will show that error if ping can't determine what interface to send traffic out.
Try specifying the interface via the advanced options checkbox. You can supply an argument like this (pretend 160.51.52.53 is the external IP of the interface I want to ping from - use whatever your external IP address is on the firebox instead.)
"-I 160.51.52.53 8.8.8.8"
(the -I is an uppercase i, don't include the quotes.)
-James Carson
WatchGuard Customer Support
The firewall may also display this error if there's simply no useable route to that host -- for example, if you are using multi-wan link monitor to determine if an interface is up or down, and it's marked down - the firewall won't use it.
-James Carson
WatchGuard Customer Support
@james.carson thanks for your reply. 7 days ago when I created this post, I rebooted the firewall in the evening and all started working again.
I added 8 different DNS IPs to our guest network pool.
A few days ago, a user reported that their TV's WiFi is no longer working, and it turns out that two of those DNS IPs are blocked:
94.140.14.14 & 94.140.15.15
I executed -I 94.140.15.15, and I am now getting this:
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Executing this command with 1.1.1.1 and other DNSs works fine.
I can't see anything in the traffic monitor being denied.
Works for me, including the below format, using V12.10.3 Firebox System Manager:
-I eth0 94.140.15.15
result from dns.adguard.com
The firewall might be sourcing from the wrong interface. Instead of defining "-I eth0 IP" try defining the IP you want the firewall to ping from.
e.g. if my firewall's external IP is 169.254.100.100 I would specify:
-I_169.254.100.100_94.140.15.15
(I put underscores where the spaces should go because text formatting.)
If that's still not working, there's likely a reason:
-Has the Ping policy on the firewall been modified to not allow this?
-Has anything been placed in front of the "Any-From-Firebox" rule if you have that exposed?
-Are any of these IPs on your blocked sites list? (Botnet protection will also appear as a blocked site.)
-James Carson
WatchGuard Customer Support
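Added example, not part of the thread and not WatchGuard code: a small Python triage helper that reads pasted ping output and separates targets where the send itself was refused on the Firebox (the "sendmsg: Operation not permitted" case, which points at the source interface, route, policy and blocked-sites checks listed above) from targets that were sent to but never answered. The function name, verdict labels and the sample transcript are assumptions made for this illustration.

```python
import re

HEADER = re.compile(r"^PING (\S+) \(")
STATS = re.compile(r"^(\d+) packets transmitted, (\d+) received")
EPERM = "sendmsg: Operation not permitted"

# Constructed sample: the first two blocks follow the shape of the output
# posted in the thread (abridged); the 192.0.2.1 block is made up to show
# a plain timeout with no local error.
SAMPLE = """\
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
--- 9.9.9.9 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2034ms
PING 1.0.0.1 (1.0.0.1) 56(84) bytes of data.
64 bytes from 1.0.0.1: icmp_seq=1 ttl=57 time=2.60 ms
--- 1.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
PING 192.0.2.1 (192.0.2.1) 56(84) bytes of data.
--- 192.0.2.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2040ms
"""

def classify(transcript):
    """Map each pinged target in the transcript to a verdict string."""
    results, target, pending, eperm = {}, None, 0, 0
    for line in map(str.strip, transcript.splitlines()):
        if EPERM in line:
            # Before a PING header the error belongs to the next target (the
            # thread's output shows the errors first); after it, to this one.
            if target is None:
                pending += 1
            else:
                eperm += 1
        elif m := HEADER.match(line):
            target, eperm, pending = m.group(1), pending, 0
        elif (m := STATS.match(line)) and target is not None:
            sent, received = int(m.group(1)), int(m.group(2))
            if eperm:
                results[target] = "local-send-refused"  # never left the box
            elif received == 0:
                results[target] = "no-reply"            # sent, nothing back
            elif received < sent:
                results[target] = "partial-loss"
            else:
                results[target] = "reachable"
            target, eperm = None, 0
    return results
```

A "local-send-refused" verdict with nothing denied in the traffic monitor matches what the original poster describes; "no-reply" would instead point away from the Firebox's own send path.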