Pinging WAN IP address results in "TTL expired in transit"

Posted on 2014-09-05
Last Modified: 2014-09-13
My ISP provides a VDSL internet service and I'm using a modem that is configured to be in "bridge" mode. I recently signed up to have a block of static IP addresses with my ISP. They gave me a /30 block, let's call it So I have these IP addresses I can work with:

I'm using pfSense 2.0 as my router. I have a WAN interface configured as a PPPoE interface. It gets the IP address dynamically. I then configured three "Virtual IPs" in the Firewall section for the other three IP addresses, and

So far, everything works. I tested out a few NAT rules, and tested NAT reflection, everything works great!

I wanted to allow pinging the address, so I added a rule to the firewall to allow pinging from the outside world to the WAN IP address ( Under Firewall->Rules->WAN Tab, I added a rule to allow "ICMP echoreq" from Source: *, to Destination: WAN Address.

Applied this rule, and I can now ping, no problems!

So, I added another rule to the firewall to allow pinging I thought it would work the same as the first IP address.

Unfortunately, this doesn't work. When I ping that address, I get "TTL expired in transit".

So I tried running a tracert from a computer outside of my network. This is the result:

  1    <1 ms    <1 ms    <1 ms
  2     *        *        *     Request timed out.


  6    25 ms    26 ms    23 ms []
  7    32 ms    23 ms    23 ms []
  8    21 ms    23 ms    24 ms  connex-internet-services-inc.10gigabitethernet3- []
  9   133 ms   112 ms    71 ms
 10    29 ms    29 ms    29 ms []
 11    30 ms    30 ms    33 ms
 12    34 ms    34 ms    35 ms []
 13    36 ms    47 ms    34 ms
 14    44 ms    40 ms    41 ms []
 15    41 ms    41 ms    41 ms
 16    47 ms    56 ms    47 ms []
 17    46 ms    47 ms    47 ms
 18    52 ms    52 ms    53 ms []
 19    53 ms    54 ms    55 ms
 20    64 ms    62 ms    61 ms []
 21    61 ms    59 ms    60 ms
 22    65 ms    64 ms    66 ms []
 23    67 ms    66 ms    65 ms
 24    73 ms    71 ms    71 ms []
 25    73 ms    78 ms    73 ms  ^C


So.... it's hitting my .240 address, and looping around somehow. Does anyone know what's going on?
Question by:Frosty555

Expert Comment

ID: 40307159

Sounds to me like you don't have a static route to those other segments. I'll look at my router tomorrow and see what I did for mine.

Good Luck!
LVL 18

Assisted Solution

Akinsd earned 500 total points
ID: 40307236
I'm surprised that you were able to add the 2 addresses on the firewall. More surprised that you were able to assign .240 address with a /30 notation on an interface.
From your statement above, you have x.x.x.240 /30 address meaning Your network ID is x.x.x.240 and your broadcast address is x.x.x.243. The only available addresses to use are x.x.x.241 and 242. I'm curious to find out what your gateway on the ISP side is.

/30 addresses are point to point links

Something is not adding up.

Well, with that mystery aside, you should check your route statements. The issue is on 240.x.x.x because that's where the route loop started from. Check that the default gateway (default route) is not (that's what it seems like to me).
TTL decreases as it hits a routable interface (decrements by 1). The two routers are bouncing traffic between themselves and the TTL eventually becomes 0 and the traffic stops. Without TTL, the madness would go on forever.

Again, check the route statements or route map on the 240.x.x.x router. That's where the problem is.
LVL 31

Author Comment

ID: 40313278

Yeah, I agree with you - they advertised it as 2x static IP addresses, they said it was a /30 block, customer support suggested that the available addresses should be .241 and .242, and yet when I got the invoice it has a line item titled "4 IPs (/30 subnet) $5/month", the PPPoE interface in pfSense gets the .240 address as its first address, and I can do NAT on all four IPs, .240, .241, .242 and .243 without any difficulty. The customer service for my ISP is pretty weak, so you have to take everything they say with a grain of salt.

So you're right, something doesn't add up, and my guess is that what the ISP is calling a "/30" block is referring to something different than what you and I are used to.

And indeed, the gateway on the ISP side, as provided by the PPPoE interface, is, Subnet mask is The first three stanzas of that IP address are significantly different from the static IPs that have been assigned to me.

Okay so you put me on the right path, I checked in Diagnostics->Routes and I could see that only the .240 address was listed in the routing table. Meaning my pfSense router was sending packets destined for right back out to the ISP's gateway, who sent the packets right back to me, and they went back and forth until the TTL expired.

I went back into the Virtual IP Address section, and almost by accident, I set the "Interface" to be "LAN" instead of WAN.

After I did that, I was able to ping the address properly, and the NAT is still working.

That seems weird to me. I thought the interface for this virtual IP ought to be WAN. Does that sound right to you?
LVL 18
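As an added illustration (not part of the thread, and not pfSense's own code), this small Python model reproduces what Frosty555 found in Diagnostics->Routes and what Akinsd described: pfSense only knows the .240 address as its own and defaults everything else back to the ISP gateway, the ISP routes the whole /30 back to pfSense, and the packet bounces until its TTL reaches 0. The addresses are constructed stand-ins for the redacted ones on the page, and the two-router topology is a simplification.

```python
import ipaddress

# Constructed addresses standing in for the redacted ones on the page:
# the customer's /30 block and the address PPPoE handed to pfSense.
BLOCK = ipaddress.ip_network("203.0.113.240/30")
WAN_IP = ipaddress.ip_address("203.0.113.240")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def make_tables(fixed):
    """Two-router model. The ISP routes the whole /30 toward pfSense; pfSense
    answers only for addresses it treats as local and defaults the rest to the ISP.
    fixed=False: only .240 is local (the broken state from the routing table).
    fixed=True: all four addresses are virtual IPs pfSense answers for itself."""
    pfsense_local = set(BLOCK) if fixed else {WAN_IP}
    return {
        "isp":     (set(), [(BLOCK, "pfsense")]),
        "pfsense": (pfsense_local, [(DEFAULT, "isp")]),
    }

def next_hop(routes, dst):
    """Longest-prefix match over (network, next_hop) entries; None if no route."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def forward(dst, tables, ttl, start="isp"):
    """Carry one packet router to router. Each router either delivers locally or
    decrements TTL and forwards; at TTL 0 it drops the packet, which is the
    'TTL expired in transit' the questioner saw. Returns (outcome, router)."""
    dst = ipaddress.ip_address(dst)
    here = start
    while True:
        local, routes = tables[here]
        if dst in local:
            return ("delivered", here)
        ttl -= 1
        if ttl == 0:
            return ("ttl_expired", here)
        here = next_hop(routes, dst)
        if here is None:
            return ("unroutable", here)

def traceroute(dst, tables, max_hops=8):
    """Mimic tracert: probe with TTL 1, 2, 3, ... and record which router replied."""
    trail = []
    for ttl in range(1, max_hops + 1):
        outcome, router = forward(dst, tables, ttl)
        trail.append(router)
        if outcome == "delivered":
            break
    return trail

if __name__ == "__main__":
    print(forward("203.0.113.241", make_tables(False), ttl=64))  # ('ttl_expired', 'pfsense')
    print(traceroute("203.0.113.241", make_tables(False)))       # alternating isp / pfsense
    print(forward("203.0.113.241", make_tables(True), ttl=64))   # ('delivered', 'pfsense')
```

The traceroute output alternates between the two routers and never reaches a destination, matching the alternating ISP / .240 hops in the tracert above; with the virtual IPs treated as local, the same probe is delivered on the second hop.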

Accepted Solution

Akinsd earned 500 total points
ID: 40320590
You may be able to configure NAT on the four IPs but only 1 of them is beneficial to you.
240 is your network identifier and 243 is your broadcast address. Neither of these can be configured on a host. They are valid IPs but they assume specific roles.
I understand the ISP billing for 4 addresses. 240 and 243 are still IP addresses. 241 is on your interface, which most likely connects to a modem on .242. Those account for your 4 addresses, but the only one you can NAT to is the 241 in overload mode.

Your connection to the ISP is technically a WAN connection but in reality, it is a LAN. Your router is connecting to a modem which connects to the ISP. Meaning your direct connection to the modem is a LAN.

WANs are generally used on Serial Ports connecting to ATM, Frame Relay, MPLS etc. You are not directly connected to those, therefore, your connection is a LAN.

I hope that helps.
