Pinging WAN IP address results in "TTL expired in transit"

My ISP provides a VDSL internet service and I'm using a modem that is configured to be in "bridge" mode. I recently signed up to have a block of static IP addresses with my ISP. They gave me a /30 block, let's call it So I have these IP addresses I can work with:

I'm using pfSense 2.0 as my router. I have a WAN interface configured as a PPPoE interface.  It gets the IP address dynamically. I then configured three "Virtual IPs" in the Firewall section for the other three IP addresses, and

So far, everything works. I tested out a few NAT rules, and tested NAT reflection, everything works great!

I wanted to allow pinging the address, so I added a rule to the firewall to allow pinging from the outside world to the WAN IP address ( Under Firewall->Rules->WAN Tab, I added a rule to allow "ICMP echoreq" from Source: *, to Destination: WAN Address.

Applied this rule, and I can now ping, no problems!

So, I added another rule to the firewall to allow pinging I thought it would work the same as the first IP address.

Unfortunately, this doesn't work. When I ping that address, I get "TTL expired in transit".

So I tried running a tracert from a computer outside of my network. This is the result:

  1    <1 ms    <1 ms    <1 ms
  2     *        *        *     Request timed out.


  6    25 ms    26 ms    23 ms []
  7    32 ms    23 ms    23 ms []
  8    21 ms    23 ms    24 ms  connex-internet-services-inc.10gigabitethernet3- []
  9   133 ms   112 ms    71 ms
 10    29 ms    29 ms    29 ms []
 11    30 ms    30 ms    33 ms
 12    34 ms    34 ms    35 ms []
 13    36 ms    47 ms    34 ms
 14    44 ms    40 ms    41 ms []
 15    41 ms    41 ms    41 ms
 16    47 ms    56 ms    47 ms []
 17    46 ms    47 ms    47 ms
 18    52 ms    52 ms    53 ms []
 19    53 ms    54 ms    55 ms
 20    64 ms    62 ms    61 ms []
 21    61 ms    59 ms    60 ms
 22    65 ms    64 ms    66 ms []
 23    67 ms    66 ms    65 ms
 24    73 ms    71 ms    71 ms []
 25    73 ms    78 ms    73 ms  ^C


So.... it's hitting my .240 address, and looping around somehow. Does anyone know what's going on?


Sounds to me you don't have a static route to those other segments.  I'll look at my router tomorrow and see what I did for mine.

Good Luck!
Akinsd (Network Administrator) commented:
I'm surprised that you were able to add the 2 addresses on the firewall. More surprised that you were able to assign .240 address with a /30 notation on an interface.
From your statement above, you have x.x.x.240 /30 address meaning Your network ID is x.x.x.240 and your broadcast address is x.x.x.243. The only available addresses to use are x.x.x.241 and 242. I'm curious to find out what your gateway on the ISP side is.

/30 addresses are point to point links

Something is not adding up.

Well, with that mystery aside, you should check your route statements. The issue is on 240.x.x.x because that's where the route loop started from. Check that the default gateway (default route) is not (that's what it seems like to me)
TTL decreases as it hits a routable interface (decrements by 1). The two routers are bouncing traffic between themselves and the TTL eventually becomes 0 and the traffic stops. Without TTL, the madness would go on forever.

Again, check the route statements or route map on the 240.x.x.x router. That's where the problem is
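The ping-pong Akinsd describes (two routers handing the same packet back and forth until its TTL reaches zero) shows up in a traceroute as two addresses alternating hop after hop. The following is an added example, not code from the thread, that parses Windows tracert-style output and flags such a pair; the sample output and its addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed placeholders, not the original poster's real hops.

```python
import re

# Constructed tracert-style output using documentation address ranges.
# Hop 2 is a "Request timed out." line, as in the thread's trace; from hop 3
# onward two addresses alternate, which is the signature of a routing loop.
SAMPLE_TRACERT = """\
  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2     *        *        *     Request timed out.
  3    25 ms    26 ms    23 ms  198.51.100.1
  4    29 ms    29 ms    29 ms  203.0.113.240
  5    30 ms    30 ms    33 ms  198.51.100.1
  6    34 ms    34 ms    35 ms  203.0.113.240
  7    36 ms    47 ms    34 ms  198.51.100.1
  8    44 ms    40 ms    41 ms  203.0.113.240
"""

HOP_NUMBER_RE = re.compile(r"^\s*(\d+)\s")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(text):
    """Return a list of (hop_number, address) pairs; address is None
    for hops that timed out (no IPv4 address present on the line)."""
    hops = []
    for line in text.splitlines():
        m = HOP_NUMBER_RE.match(line)
        if not m:
            continue  # skip headers, blank lines, anything without a hop number
        ip = IPV4_RE.search(line)
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def find_loop(hops, min_cycles=2):
    """Look for two distinct addresses A, B repeating as A, B, A, B, ...
    for at least min_cycles full cycles. Returns (A, B, first_hop_number)
    or None if no such pattern exists."""
    addrs = [addr for _, addr in hops]
    for start in range(len(addrs) - 2 * min_cycles + 1):
        a, b = addrs[start], addrs[start + 1]
        if a is None or b is None or a == b:
            continue
        # Walk forward while hops keep following the A, B, A, B pattern.
        end = start
        while end < len(addrs) and addrs[end] == (a if (end - start) % 2 == 0 else b):
            end += 1
        if (end - start) // 2 >= min_cycles:
            return (a, b, hops[start][0])
    return None


if __name__ == "__main__":
    hops = parse_hops(SAMPLE_TRACERT)
    loop = find_loop(hops)
    if loop:
        a, b, first = loop
        print(f"routing loop between {a} and {b} starting at hop {first}")
    else:
        print("no alternating-hop loop detected")
```

With a loop confirmed, the next step is the one Akinsd points to: look at the routing table on the router whose address keeps appearing and check which destinations it is sending back to its default gateway.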
Frosty555 (Author) commented:

Yeah I agree with you - they advertised it as 2x static IP addresses, they said it was a /30 block, customer support suggested that the available addresses should be .241 and .242, and yet when I got the invoice it has a line item titled "4 IPs (/30 subnet) $5/month", the PPPoE interface in pfSense gets the .240 address as its first address, and I can do NAT on all four IPs, .240, .241, .242 and .243 without any difficulty. The customer service for my ISP is pretty weak, so you have to take everything they say with a grain of salt.

So you're right, something doesn't add up, and my guess is that what the ISP is calling a "/30" block is referring to something different than what you and I are used to.

And indeed, the gateway on the ISP side, as provided by the PPPoE interface, is, Subnet mask is The first three stanzas of that IP address are significantly different from the static IPs that have been assigned to me.

Okay so you put me on the right path, I checked in Diagnostics->Routes and I could see that only the .240 address was listed in the routing table. Meaning my pfSense router was sending packets destined for right back out to the ISP's gateway, who sent the packets right back to me, and they went back and forth until the TTL expired.

I went back into the Virtual IP Address section, and almost by accident, I set the "Interface" to be "LAN" instead of WAN.

After I did that, I was able to ping the address properly, and the NAT is still working.

That seems weird to me. I thought the interface for this virtual IP ought to be WAN. Does that sound right to you?
Akinsd (Network Administrator) commented:
You may be able to configure NAT on the four IPs but only 1 of them is beneficial to you.
240 is your network identifier and 243 is your broadcast address. Neither of these can be configured on a host. They are valid IPs but they assume specific roles.
I understand the ISP billing for 4 addresses. 240 and 243 are still IP addresses. 241 is on your interface which most likely connects to a modem .242 Those account for your 4 addresses but the only one you can NAT to is the 241 in overload mode.

Your connection to the ISP is technically a WAN connection but in reality, it is a LAN. Your router is connecting to a modem which connects to the ISP. Meaning your direct connection to the modem is a LAN.

WANs are generally used on Serial Ports connecting to ATM, Frame Relay, MPLS etc. You are not directly connected to those, therefore, your connection is a LAN.

I hope that helps
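Akinsd's point about which addresses in a /30 are usable is easy to verify with Python's standard ipaddress module. The following is an added example, not code from the thread; the prefix 203.0.113.240/30 is a constructed placeholder from a documentation range, standing in for the poster's real block.

```python
import ipaddress


def describe_block(cidr):
    """Return the network, broadcast and usable host addresses of a prefix.
    strict=False lets a host address such as x.x.x.241/30 be passed in; the
    module masks it down to the network address itself."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable": [str(h) for h in net.hosts()],
    }


def classify(addr, cidr):
    """Say what role an address plays inside a prefix: 'network', 'broadcast',
    'host', or 'outside' when it is not in the prefix at all."""
    net = ipaddress.ip_network(cidr, strict=False)
    a = ipaddress.ip_address(addr)
    if a not in net:
        return "outside"
    if a == net.network_address:
        return "network"
    if a == net.broadcast_address:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # Constructed placeholder block; a /30 yields exactly two host addresses.
    block = "203.0.113.240/30"
    print(describe_block(block))
    for last in (240, 241, 242, 243, 244):
        addr = f"203.0.113.{last}"
        print(addr, "->", classify(addr, block))
```

If an ISP really hands out a /30 as a point-to-point link, only the two "host" results are addresses a router should carry on its own interface; a block where all four addresses are individually routable to the customer is being delivered as four /32 routes rather than as a true /30 subnet, which is the discrepancy the thread is circling.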
