Hi everyone,
We have a fresh install with the latest version of OPNsense. I can ping devices from OPT1 -> to -> LAN; but I cannot ping from LAN -> to -> OPT1.
For e.g.:
A laptop in OPT1 has the 10.10.10.21 IP address and can ping the other laptop in LAN, which has the 192.168.21.5 IP address. But the opposite direction doesn't work.
PING Result:
PING 10.10.10.21 (10.10.10.21): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Traceroute Result:
1 {myhostname.domain} (192.168.21.1) 0.620 ms 0.280 ms 0.302 ms
2 192.168.0.1 (192.168.0.1) 0.612 ms 0.529 ms 0.479 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
I've configured the system from the terminal and didn't make any changes to the default configs after the Wizard.
Here's the setup:
LAN (igb0) -> v4: 192.168.21.1/24
OPT1 (igb2) -> v4: 10.10.10.1/24
OPT2 (igb3) -> v4: 172.16.16.1/24
WAN (igb1) -> v4/DHCP4: 192.168.0.19/24
Additional Notes:
- No VPN Configuration
- All firewall rules are ANY ANY for testing and checked from Live View, everything is allowed (no block)
- All the devices can access the internet without any problems.
Thanks everyone.
Hi,
Analysis of your traceroute result needs a crystal ball, because the command you typed is missing, but it would be helpful.
Look at your 2nd hop in the traceroute result. The packet is going to the WAN interface? Looks strange to me.
Regards
Uwe
Hi,
I can ping 10.10.10.1 successfully; but cannot ping 10.10.10.21
All the configuration parameters are default. It's really strange.
Regards.
Quote from: bugrayuksel on April 26, 2021, 11:59:46 PM
Hi,
I can ping 10.10.10.1 successfully; but cannot ping 10.10.10.21
All the configuration parameters are default. It's really strange.
Regards.
Your ping to 10.10.10.1 is probably a rule set to allow to "This Firewall." The "This Firewall" alias encompasses all firewall interface addresses. Can you post the firewall rule on LAN that should allow this ping?
I am not familiar with the Wizard defaults. I tried using Wizard and it seemed broken.
Hi Gary,
Both LAN and OPT1 Firewall Rules are: IPv4 ANY ANY, IPv6 ANY ANY. I put these rules because of this problem.
Also, I've checked the ICMP (ping) request from Firewall -> Log Files -> Live View, it's ALLOWED. Not blocked.
I don't know if IPv6 affects it? All the configs for IPv6 are default after the factory reset. Only on the LAN and OPT1 interfaces I've selected NONE for IPv6 (no static IP or DHCP6, just NONE).
Thank you,
Kind regards.
Hi everyone again,
I want to add that my ISP doesn't provide IPv6 for my WAN.
When I checked https://ipv6test.google.com, it says "You don't have IPv6, but you shouldn't have problems on websites that add IPv6 support."
Does this situation affect my internal network configuration? I'm configuring my OPNsense firewall while my WAN port is connected to the modem.
Thanks.
IPv6 will have zero effect.
From the Interface->Diagnostics->Ping
Select the OPT1 Interface and try pinging 192.168.21.1 does that work?
Hi,
I've tried it before.
From the Interface->Diagnostics->Ping:
OPT1 Interface and try pinging 192.168.21.1 -> It works
OPT1 Interface and try pinging 192.168.21.5 -> NOT WORKING
And you say the only rules you have are Protocol: Any Source: Any Destination: Any on both interfaces?
Quote from: bugrayuksel on April 26, 2021, 01:34:06 PM
Traceroute Result
1 {myhostname.domain} (192.168.21.1) 0.620 ms 0.280 ms 0.302 ms
2 192.168.0.1 (192.168.0.1) 0.612 ms 0.529 ms 0.479 ms
Again: Why is the WAN interface the second hop if you traceroute to 10.10.10.21? Did you try a fresh install? Would that be possible?
How do you assign IP addresses to the clients, via DHCP or manually? Are you sure all this is correct? What about local firewalls on the clients, do they answer pings from other machines on the same interface?
regards
Good point on the ping response... I've noticed some Windows machines blocking ping responses if the rules are not set correctly.
Quote from: marjohn56 on April 27, 2021, 04:03:24 PM
And you say the only rules you have are Protocol: Any Source: Any Destination: Any on both interfaces?
Yes, all the rules are as you mentioned for LAN and OPT1.
Quote from: wurmloch on April 27, 2021, 04:03:42 PM
Again: Why is the WAN interface the second hop if you traceroute to 10.10.10.21? Did you try a fresh install? Would that be possible?
How do you assign IP addresses to the clients, via DHCP or manually? Are you sure all this is correct? What about local firewalls on the clients, do they answer pings from other machines on the same interface?
regards
I don't know why the WAN interface is at the second hop. I've installed OPNsense several times. The result is the same.
Both interfaces assign IP addresses via DHCP. Everything is OK, because when the 2 machines are in the same network there is no problem pinging each other or accessing the INTERNET.
Quote from: marjohn56 on April 27, 2021, 04:06:00 PM
Good point on the ping response... I've noticed some Windows machines blocking ping responses if the rules are not set correctly.
When all the laptops are in the same network (on the same switch at the OPT1 or LAN interface), both machines ping each other. There's no problem.
What about the checkbox in the interface definition concerning "block private / bogon addresses"?
Both of them are unchecked for all interfaces.
I do not have any other idea, very sorry.
From LAN to LAN (from Diagnostics):
# /sbin/ping -S '192.168.21.1' -c '4' '192.168.21.10'
PING 192.168.21.10 (192.168.21.10) from 192.168.21.1: 56 data bytes
64 bytes from 192.168.21.10: icmp_seq=0 ttl=128 time=1.678 ms
64 bytes from 192.168.21.10: icmp_seq=1 ttl=128 time=1.599 ms
64 bytes from 192.168.21.10: icmp_seq=2 ttl=128 time=1.599 ms
64 bytes from 192.168.21.10: icmp_seq=3 ttl=128 time=1.618 ms
--- 192.168.21.10 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.599/1.623/1.678/0.032 ms
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From LAN to OPT1 (from Diagnostics):
# /sbin/ping -S '192.168.21.1' -c '4' '10.10.10.25'
PING 10.10.10.25 (10.10.10.25) from 192.168.21.1: 56 data bytes
64 bytes from 10.10.10.25: icmp_seq=0 ttl=64 time=0.330 ms
64 bytes from 10.10.10.25: icmp_seq=1 ttl=64 time=0.308 ms
64 bytes from 10.10.10.25: icmp_seq=2 ttl=64 time=0.370 ms
64 bytes from 10.10.10.25: icmp_seq=3 ttl=64 time=0.454 ms
--- 10.10.10.25 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.308/0.366/0.454/0.056 ms
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From OPT1 to LAN (from Diagnostics):
# /sbin/ping -S '10.10.10.1' -c '4' '192.168.21.10'
PING 192.168.21.10 (192.168.21.10) from 10.10.10.1: 56 data bytes
--- 192.168.21.10 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
It helps to get a screenshot of the rule entry pages if possible.
Can you ping the host on the same subnet?
What is in the Gateway field on the pass rules?
Hi,
You are right, it's the best way to share screenshots of my configuration.
Here's the Drive URL, you can check everything in here:
https://drive.google.com/drive/folders/1_tgwpCh8nAzGz0gMPBmgwXtyJOpQk2KO?usp=sharing
Additionally, my ISP gives me a CGNAT IP, not a static one. I don't know whether this situation affects this problem?
Thanks everyone.
I have looked these over, and everything seems right.
My only guess is that it's a problem with some static gateway assignment on 192.168.21.10. If the source that was pinging is outside the subnet, then it will route replies to the locally assigned gateway. (This is generally assigned through DHCP but can be overridden.)
I think you might need to use Wireshark or tcpdump on the interface that is being pinged to see the traffic to/from the interface. You can detect which path is failing and trace out the problem, but I would check the gateway on 192.168.21.10 first.
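The capture-based check suggested above can be made mechanical. The following is an added example, not code from the thread or from the OPNsense project: it parses lines in tcpdump's default text format (as `tcpdump -ni igb0 icmp` would print them on the firewall's LAN interface) and reports which leg of the ping is missing. The three sample captures are constructed for this example; the interface name igb0 and the addresses 10.10.10.1 and 192.168.21.10 are reused from the thread as assumptions about where the capture was taken.

```python
import re

# Constructed sample captures in tcpdump's default text format, as printed by
# e.g. `tcpdump -ni igb0 icmp` on the firewall's LAN interface. These lines are
# made up for the example; they are not output posted in the thread.
CAPTURE_REPLY_SENT = """\
12:00:01.000001 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 41, seq 0, length 64
12:00:01.000412 IP 192.168.21.10 > 10.10.10.1: ICMP echo reply, id 41, seq 0, length 64
12:00:02.000003 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 41, seq 1, length 64
12:00:02.000398 IP 192.168.21.10 > 10.10.10.1: ICMP echo reply, id 41, seq 1, length 64
"""

# Requests reach the host's segment but nothing comes back: the host itself is
# dropping them (local firewall) or cannot route the reply (wrong gateway).
CAPTURE_NO_REPLY = """\
12:00:01.000001 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 42, seq 0, length 64
12:00:02.000002 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 42, seq 1, length 64
12:00:02.500000 ARP, Request who-has 192.168.21.1 tell 192.168.21.10, length 46
"""

# Nothing for this ping at all (only unrelated noise): the request never left
# the firewall towards this interface, so look at the inbound rule or route.
CAPTURE_NO_REQUEST = """\
12:00:01.000001 IP 192.168.21.10.51515 > 192.168.21.1.53: 1234+ A? example.invalid. (33)
"""

# Matches only ICMP echo request/reply lines; ARP, DNS and other traffic is skipped.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_echo(capture_text):
    """Extract ICMP echo request/reply lines from tcpdump text output."""
    packets = []
    for line in capture_text.splitlines():
        m = ICMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["id"] = int(pkt["id"])
            pkt["seq"] = int(pkt["seq"])
            packets.append(pkt)
    return packets


def diagnose(capture_text, pinger, target):
    """Classify which leg of pinger -> target -> pinger is missing, given a
    capture taken on the firewall interface that faces `target`.

    Returns (verdict, request_seqs_seen, reply_seqs_seen)."""
    pkts = parse_icmp_echo(capture_text)
    req_seqs = sorted({p["seq"] for p in pkts
                       if p["kind"] == "request" and p["src"] == pinger and p["dst"] == target})
    rep_seqs = sorted({p["seq"] for p in pkts
                       if p["kind"] == "reply" and p["src"] == target and p["dst"] == pinger})
    if not req_seqs:
        verdict = "NO_REQUEST"     # firewall never forwarded the echo onto this segment
    elif not rep_seqs:
        verdict = "NO_REPLY"       # host got the echo but answered nothing: host firewall / gateway
    elif set(rep_seqs) < set(req_seqs):
        verdict = "PARTIAL_REPLY"  # intermittent: host or link problem rather than a rule
    else:
        verdict = "REPLY_SENT"     # host answered; suspect the return path through the firewall
    return verdict, req_seqs, rep_seqs


if __name__ == "__main__":
    for name, cap in [("reply sent", CAPTURE_REPLY_SENT),
                      ("no reply", CAPTURE_NO_REPLY),
                      ("no request", CAPTURE_NO_REQUEST)]:
        print(name, "->", diagnose(cap, "10.10.10.1", "192.168.21.10"))
```

Run it against a real capture by feeding the saved tcpdump text to `diagnose()` with the firewall's source address and the pinged host. A NO_REPLY verdict on the LAN-facing interface points at the host (local firewall or its default gateway, the two causes named above); NO_REQUEST points back at the firewall's rule or route for that direction; REPLY_SENT means the host did its part and the next capture belongs on the OPT1 side.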
I can't find any details on your hardware, is it virtual or real? Which type of interfaces?
Another question: Have you ever enabled Intrusion Prevention?
LAN (igb0) is shown as disconnected (no carrier). Is this expected / was it unplugged when taking the screenshot?
Quote from: rhubarb on April 28, 2021, 04:57:47 AM
I have looked these over, and everything seems right.
My only guess is that it's a problem with some static gateway assignment on 192.168.21.10. If the source that was pinging is outside the subnet, then it will route replies to the locally assigned gateway. (This is generally assigned through DHCP but can be overridden.)
I think you might need to use Wireshark or tcpdump on the interface that is being pinged to see the traffic to/from the interface. You can detect which path is failing and trace out the problem, but I would check the gateway on 192.168.21.10 first.
I will try this, thank you very much my friend.
Quote from: chemlud on April 28, 2021, 01:26:35 PM
I can't find any details on your hardware, is it virtual or real? Which type of interfaces?
It's a physical device with 4 interfaces. Similar to this device: https://www.aliexpress.com/item/32815457324.html
Quote from: rhubarb on April 28, 2021, 04:47:31 PM
Another question: Have you ever enabled Intrusion Prevention?
No, I have never enabled IPS/IDS.
Quote from: Maurice on April 28, 2021, 06:19:37 PM
LAN (igb0) is shown as disconnected (no carrier). Is this expected / was it unplugged when taking the screenshot?
Yes, it's expected. I was trying other interfaces for testing.
I asked because I enabled IPS one time and I started having routing issues. I could never fix it even with a reset. I finally reflashed the OS and started clean. It worked. That's the nuclear option if all else fails. I think mine was a netmap issue.
Thank you very much for your effort. I will try to make a fresh install again.
I just want to ask whether there is any way to re-configure the routes according to the current interfaces and network structure. Is there any terminal command, shell script or anything else?
Thanks,
Sincerely.
Quote from: bugrayuksel on May 03, 2021, 01:23:56 AM
I just want to ask whether there is any way to re-configure the routes according to the current interfaces and network structure. Is there any terminal command, shell script or anything else?
I don't fully understand this question. You can add static routes in the OPNSense UI that redirect certain address ranges to a different interface. (This could be useful for site-to-site VPN perhaps.) You must be using the "default" gateway in the Firewall Rule to make this work.
You can use the route command in the shell to temporarily change routes. Again, your Firewall Rule must have gateway as default.