I deployed the latest version of OPNSense to a box. It is a simple setup so far. There is a WAN and a LAN. The WAN was able to pull a public IP address. But from the OPNSense box, ping does not seem to work. I attempt to ping in the web UI and in the terminal, and it fails. When I look in the packet capture, I see an echo reply. I've attached my WAN firewall rules.
https://ibb.co/sgSwZc1
Pinging from the OPN shell and UI to where please? The default rules will allow you to ping from it to clients on LAN. Maybe the client hasn't got an IP from OPN yet?
From the device, I attempt to ping the ISP GW as well as a public DNS server's IP.
Putting aside the apparent ping failure, do you have a working setup? Some destinations disable ping, although public DNS servers normally don't.
I am able to confirm that 9.9.9.9 does respond to ping from a working computer.
Please define "working setup"? I am not actively using it, because the clients have no connectivity, but that's another issue, and I want to be able to resolve the issue with the OPNSense device not able to connect out onto the internet.
I am assuming you can tell us that. There are so many things a router/firewall like OPN can do but nobody needs to use them all.
So as a basis and assuming this is a residential setup, I'm referring to having your LAN clients being able to get out to the internet browsing public websites.
If you can, then a spurious ping can be a nothing or all sign.
It's quite hard to tell the level of networking understanding from people on forums. I have someone at home that will just tell "the internet is down" or at work who would say "there's no connectivity". This last one is a bugbear, mostly from developers/testers that should know better. Once you start asking for what they can/not do, you realise it could be DNS problem, a DHCP problem, etc.
Long way to say, have you set everything up as per the docs, have clients getting an IP address and DNS server set up on OPN & clients getting those settings?
Chances are when all this is working, you can move to understanding what's happening with this ping thing.
I've been using pfsense up until now. I would say I'm pretty knowledgeable, including dhcp, dns, and ports, as well as firewall rules.
Yes, this is a residential setup.
Let me know if there are any other screenshots of settings you'd like to see.
For now just describe your overall network setup and what diagnostics you have done. What works?
Very broad request, right? We need to narrow down what the problem is. Give us a sense of things.
I'm not sure what else to describe. I think ping is one of the most basic tests. If I can't get out/ping, then it's not worth it to go any further.
Quote from: cookiemonster on December 01, 2023, 10:42:14 AM
For now just describe your overall network setup and what diagnostics you have done.
Quote from: CursedGravity on December 07, 2023, 01:21:13 AM
I think ping is one of the most basic tests. If I can't get out/ping, then it's not worth it to go any further.
As an "overall network setup", that 'description' is somewhat incomplete. Instead, you provide a single symptom:
"Doc, it hurts."
"Where does it hurt?"
"It hurts."
I notice that your original firewall rules link is also now defunct.
Your problem will be solvable. The basic information requested is needed to do so.
Internet -> Modem -> opnsense box -> switch -> end client machine.
Thank you. Your description gleaned from posts is:
Opnsense gets a public IP (modem is invisible, does not translate IP).
You can ping 9.9.9.9 from a computer but not from Opnsense.
When you ping from Opnsense you get an echo packet, but no display?
No statement on whether a client computer can access the internet, aside from that earlier comment about successful ping.
There seem to be some inconsistencies there, or a need for clarification of the statements (contexts).
Is your Opnsense bare silicon or in a VM?
What is the form of your internet connection please? Does Opnsense replace another box or did your modem formerly carry routing?
I am not an expert in Opnsense but my configuration looks like yours except that I have FTTP, no modem. I have no special setup, yet from Opnsense I can ping things freely should the mood take me, out of the box. The issue is to track down what is different.
I pinged 9.9.9.9 from my phone, connected to a cell tower, to confirm that it responds to ping. That was not a client on my network.
I get no response. But when I do packet capture, I see echo replies.
Client computers cannot access the internet. My opnsense box also has issues (i.e. checking for updates fails). Something like name resolution.
My box is an old desktop.
It is a placeholder for my current pfsense box. I didn't wanna wipe my pfsense box till I was 100% sure I got the config right, and secured.
I will post the firewall rules for lan and wan.
https://ibb.co/kMfYcs5
https://ibb.co/rMMqzhR
My guess from the thread is that the installation is either a VM alongside another of pfsense or another installation or, as described, "another box", and that said "box" is downstream from pfsense, i.e. the current firewall. Therefore the WAN IP is a private one in the LAN range of the clients. If this is the case, then the required adjustments for a "router behind a router" are missing.
No, opnsense box has replaced the pfsense device. I switch between the devices until I can get this working.
Ah Ok, that will help.
You've gone over the documentation for first setup, and have a DNS setup on OPN? We'll get to the ping question but in my opinion, getting the basics of setting up OPN will ensure there's nothing getting in the way of ping working for you.
So DNS setup and clients getting an IP address, and resolving names, appearing in DHCP leases?
Please confirm what are the DNS servers in general settings and dnsmasq/unbound if you are using any.
What IP address is your OpnSense device getting from your ISP?
You say "public", but that's not always the case with modern ISPs.
If it is a 10.x.x.x, or 172.16.x.x or 192.168.x.x then this is a private IP address.
If so, under Interfaces -> [WAN] -> Generic configuration uncheck "Block private networks".
This is not a setting in pfSense so if you are a previous pfSense user like me, this setting is a gotcha you are not expecting.
I imagine you're talking about CGNAT. Fine, semantics are important. The OP stated he is pretty knowledgeable, so this is assumed known and understood.
That said, those are the known RFC1918 networks, they are always private and should NOT be allowed from the WAN side unless you really know what you're doing. There's a reason they're blocked by default on WAN in.
So back to the thread, the "public" IP in this context is the one assigned by your ISP.
I followed this guide: https://homenetworkguy.com/how-to/beginners-guide-to-set-up-home-network-using-opnsense/. That should tell you what my DNS settings are.
This linked guide is not the basic one; for instance it includes VLANs, which might be something you won't be using. Even if you want to use them later, right now you just want to set up the basic system, right?
I suggest you use another of his guides https://homenetworkguy.com/how-to/install-and-configure-opnsense/
The more relevant part of it is the configuration after installation.
I have gone through the wizard already.
Ok then. Now you have WAN and LAN set up. What exactly is the setup with services and how, i.e. DHCP which version, which pool, DNS is by what: Unbound, something else? What exactly is the problem? Include details like IP addresses involved, any VLANs, switches involved, virtualisation, etc.
I'm not asking you to describe everything, it is too much and much of it is not needed to identify what the problem might be, BUT one-liners don't help that much ;)