Hi, Team!
I am dealing with strange behavior that I do not understand.
Here is my setup:
1. OPNsense has 4 interfaces:
   LAN  10.10.0.254/24
   WAN  10.10.10.1/24
   OPT1 10.10.1.254/24
   OPT2 10.10.2.254/24
2. WAN gateway (not OPNsense, used as upstream gateway):
   WAN_GW 10.10.10.254
3. Outbound NAT is disabled.
4. WAN_GW has 3 interfaces:
   GLOBAL_WAN <Public IP>
   LOCAL_WAN  10.10.10.254/24
   OTHER_NET  10.10.100.254/24
5. WAN_GW has a static route:
   10.10.0.0/22 via 10.10.10.1
6. There is a host in WAN:
   WAN_HOST:
   IP 10.10.10.15/24
   GW 10.10.10.1
The issue:
1. I am able to ping 10.10.2.1 (OPT2 host) from a host in OPT1. Tracing is:
   10.10.1.254 (OPNsense)
   10.10.2.1 (host)
2. I am also able to ping 10.10.2.1 from a host in OTHER_NET. Tracing is:
   10.10.100.254 (not OPNsense)
   10.10.10.1 (OPNsense)
   10.10.2.1 (host)
3. But I am not able to ping 10.10.2.1 from WAN_HOST (request timed out). Tracing has only timed-out records.
There are only 3 rules (all are floating) except automatically generated ones:
   Allow from source 10.10.100.0/24 to destination 10.10.0.0/22 for WAN interface
   Allow from source 10.10.10.0/24 to destination 10.10.0.0/22 for WAN interface
   Allow from source 10.10.1.0/24 to destination 10.10.0.0/22 for OPT1 interface
Nothing changes if I add the following rule:
   Allow from any source to any destination
Does anyone have any suggestions on what's going on? I suggest this is either some default rule issue or some routing issue, but I am not sure.
Most likely yet another case of the fantastic default reply-to behaviour. Disable reply-to in Firewall / Settings / Advanced and you should be good.
For some fun reading, you might want to search the forum and / or GitHub for "reply-to"...
Cheers
Maurice
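Added example, not code from the thread or from OPNsense: a small Python model of the return path in the topology above, showing why a reply-to on the WAN rules (the behaviour Maurice points at) breaks replies to a host that sits on the WAN subnet itself, while the OPT1 and OTHER_NET cases keep working. The interface names and addresses are the ones from the original post; the sample client addresses, the function names, and the simplification that reply-to is attached only to rules on interfaces that have a gateway are assumptions of this model.

```python
# Added example (not from the thread): a model of how pf's reply-to changes the
# return path in the topology from the original post. Addresses and interface
# names are from the post; the model itself and the sample clients are constructed.
from ipaddress import ip_address, ip_network

# Networks directly connected to OPNsense, keyed by interface name (from the post).
CONNECTED = {
    "LAN":  ip_network("10.10.0.0/24"),
    "WAN":  ip_network("10.10.10.0/24"),
    "OPT1": ip_network("10.10.1.0/24"),
    "OPT2": ip_network("10.10.2.0/24"),
}
# Only WAN has a gateway (WAN_GW). Assumption of this model: reply-to is attached
# only to rules on interfaces that have a gateway, so only WAN states are affected.
IFACE_GATEWAY = {"WAN": ip_address("10.10.10.254")}
DEFAULT_ROUTE = ("WAN", str(IFACE_GATEWAY["WAN"]))


def ingress(client):
    """Interface and previous hop through which a packet from `client` reaches OPNsense."""
    for iface, net in CONNECTED.items():
        if client in net:
            return iface, "on-link"     # directly connected: no router in between
    return DEFAULT_ROUTE                # anything else (e.g. OTHER_NET) arrives via WAN_GW


def routing_table_next_hop(dst):
    """Plain route lookup for a reply: on-link for connected nets, else the default gateway."""
    for iface, net in CONNECTED.items():
        if dst in net:
            return iface, "on-link"
    return DEFAULT_ROUTE


def reply_next_hop(client, reply_to_enabled):
    """Where pf sends the reply half of a state that `client` opened.

    With reply-to, replies for states created on an interface that has a gateway
    are forced to that gateway instead of going through the routing table.
    """
    iface, _ = ingress(client)
    if reply_to_enabled and iface in IFACE_GATEWAY:
        return iface, str(IFACE_GATEWAY[iface])
    return routing_table_next_hop(client)


def path_is_symmetric(client, reply_to_enabled):
    """True when the reply leaves toward the same neighbour the request came from."""
    return ingress(client) == reply_next_hop(client, reply_to_enabled)


def diagnose(client, reply_to_enabled):
    """Summarise request path vs. reply path for one client address (string)."""
    c = ip_address(client)
    return {
        "client": client,
        "request_from": ingress(c),
        "reply_to_hop": reply_next_hop(c, reply_to_enabled),
        "symmetric": path_is_symmetric(c, reply_to_enabled),
    }


if __name__ == "__main__":
    # Constructed sample clients matching the three cases in the post:
    # an OPT1 host, an OTHER_NET host behind WAN_GW, and WAN_HOST on the WAN subnet.
    for host in ("10.10.1.1", "10.10.100.1", "10.10.10.15"):
        for enabled in (True, False):
            print(f"reply-to {'on ' if enabled else 'off'}:", diagnose(host, enabled))
```

Running it prints the three cases with reply-to on and off; the only asymmetric row is 10.10.10.15 with reply-to on, which is exactly the symptom in the post: the request arrives on-link from WAN_HOST, but the reply is handed to WAN_GW instead. On a real box, `pfctl -sr` shows the generated rules with their `reply-to (...)` clause, which is a quick way to confirm that the option has actually gone after disabling it.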
Thank you! This helped me!
https://github.com/opnsense/core/issues/3952
https://forum.opnsense.org/index.php?topic=15900.0