CG keeps blocking incoming traffic on the external interface

I'm testing CG in a setup where CG would be in between clients and a pfSense based router.

The clients' LAN is In this LAN, CG has IP (internal interface) and will be the default gateway for these clients.
CG's external interface is and is connected to pfSense with address
CG has as its default gateway.

CG's SNAT is turned off. Also the IP firewall is turned off.

On pfSense, there is a static route: via

But from pfSense, I cannot ping or any other client in Using tcpdump, I can tell that pfSense did put it on the right interface, aiming at, but there is no response.

CG log tells me it is blocking it (Internal rule "Policy"). The firewall is off. I tried to add "allow any any" rules to no effect. Should not matter because firewall is off but nevertheless...

Any thoughts? I just want CG to be a router. No NATting, no firewalling.

Re: CG keeps blocking incoming traffic on the external interface

Thank you for this first post.

You must be aware that any attempt to ping CG's internal interface from the external zone is denied by CG so it's normal if you can't ping the from the pfSense. However you should be able to ping other machines in your configuration (mode firewall off).

I just reproduced your configuration in our lab, tested the whole and have been able to ping a PC on the internal zone ( from the pfSense. Did you also activate the router mode on your CG (mode router on)? Can you ping a public IP address from a machine on your LAN?

I would also suggest that you verify the following:

- There are no local firewall rules on the machines that you try to ping from the pfSense.
- There is no asymmetric routing in your environment.

