Can not ping OPNSense LAN Interface

[cyberganny]

Hi all,

OPNSense runs fine but I have the Problem that I am not able to ping the FW LAN Interface (10.1.1.1) from within the local Network.

The Ping ist routed through the WAN Interface! Why?
Login in on the OPNSense Admin Interface at 10.1.1.1 works fine.

Here the traceroute:

traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 60 byte packets
 1  10.1.1.1 (10.1.1.1)  0.672 ms  0.446 ms  0.490 ms
 2  192.168.0.1 (192.168.0.1)  0.855 ms  0.877 ms  0.790 ms
 3  213-146-234-185.skytron.de (213.146.234.185)  3.467 ms  2.431 ms  2.202 ms
 4  10.255.2.116 (10.255.2.116)  3.402 ms  3.312 ms  3.223 ms
 5  10.255.7.97 (10.255.7.97)  3.156 ms !H  4.818 ms !H  4.734 ms !H

Any ideas?

[Julien]

Hi all,

OPNSense runs fine but I have the Problem that I am not able to ping the FW LAN Interface (10.1.1.1) from within the local Network.

The Ping ist routed through the WAN Interface! Why?
Login in on the OPNSense Admin Interface at 10.1.1.1 works fine.

Here the traceroute:

traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 60 byte packets
 1  10.1.1.1 (10.1.1.1)  0.672 ms  0.446 ms  0.490 ms
 2  192.168.0.1 (192.168.0.1)  0.855 ms  0.877 ms  0.790 ms
 3  213-146-234-185.skytron.de (213.146.234.185)  3.467 ms  2.431 ms  2.202 ms
 4  10.255.2.116 (10.255.2.116)  3.402 ms  3.312 ms  3.223 ms
 5  10.255.7.97 (10.255.7.97)  3.156 ms !H  4.818 ms !H  4.734 ms !H

Any ideas?

please provide more info so we can help.
are you on a VPN ?
10.1.1.1    is this your lan ?
192.168.0.1  what is this ?

[cyberganny]

I am not on VPN

LAN (10.1.1.0)  <-> 10.1.1.1 (LAN Interface) OPNSense (WAN Interface) 192.168.0.1
all other IPs in the traceroute are on Provider Site

I can not ping the 10.1.1.1 out of the LAN (10.1.1.0).

[Julien]

Can you describe your scenario ?
is opnsense between your ISP modem ?

ISP Router >>>>>> OPNSENSE >>>>>> LAN NETWORK ?

have you checked your firewall rules ? on the LAN ?

[cyberganny]

+----------+                 +-------------------------------------------+     +--------------+
| Client     |                  | Lan intf.  |                 | WAN intf.        |      | ISP Router  |
|              | -> ICMP -> | 10.1.1.1 | OPNSense | 192.168.0.100 | -> |  192.168.0.1| -> ISP Net
| 10.1.1.5 |                  |                                                         |      |                   |
+----------+                 +-------------------------------------------+     +--------------+

[cyberganny]

I checked the firewall rules all traffic to LAN Interface ist allowed

[Julien]

What are you outband rules ?
where are you ping to where ?

[JasMan]

I guess the IP range 10.0.0.0/8 is something in your providers network or some kind of management network of your modem. Because in the tracerout we can see your WAN address and after that you get an answer from 10.255.x.x. This address is also an part of 10.0.0.0/8.

Do you see any dynamic or static route on your OPNsense for 10.x.y.z networks? Any policy-based routing?

[cyberganny]

Yes my Provider seems also to you use 10.x.x.x Network.
10.255.7.97 is an IP of my provider.

How can I stop routing of 10.x.x.x target adresses out of my internal Network.

[JasMan]

Normaly this should not happen because 10.1.1.1 is in your LAN and the next hop from your clients view.
Please check and post the routing and also the subnet masks of your client and OPNsense LAN interface.

[cyberganny]

find attached the screenshot of the LAN interface config

[cyberganny]

find attached the screenshot of the recent routing table

[cyberganny]

Subnetmask of the clients is always /24

[JasMan]

Mmhh, looks fine 

Do you have any firewall rule for ICMP on the LAN interface where you've select an gateway?

[cyberganny]

Nope no Rules for ICMP in general