OPNsense Forum

English Forums => General Discussion => Topic started by: w1ldthing on January 22, 2024, 11:40:11 AM

Title: Strange (Seemingly) Device Level Issue
Post by: w1ldthing on January 22, 2024, 11:40:11 AM
Hi,
OPNsense is installed and running fine, except since a clean restart / update (I think).

The weird thing that is now happening is that one particular subnet cannot talk to / ping x2 devices on a different subnet (PC to CAR BLACKVUE DASHCAM). Yet, the same subnet can talk to / ping any other device on all other subnets (not found a device I can't ping yet).

Any ideas where to begin looking, or is something obvious at fault?

This is my setup (which has worked without this issue in the past):
MODEM ----> OPNSENSE (WAN)

            OPNSENSE (LAN)          ----> 10.10.10.1 >---- 6.6.6.47 (CAN'T PING FROM 10.10.10.X)
                                                     >---- 6.6.6.48 (CAN   PING FROM 10.10.10.X)

            OPNSENSE (OPT1)         ----> 1.1.1.1    >---- 6.6.6.47 (CAN   PING FROM 1.1.1.X)
                                                     >---- 6.6.6.48 (CAN   PING FROM 1.1.1.X)

            OPNSENSE (OPT2 NO VLAN) ----> 6.6.6.1    >---- 6.6.6.47 (CAN   PING FROM 6.6.6.X)
                                                     >---- 6.6.6.48 (CAN   PING FROM 6.6.6.X)

            OPNSENSE (OPT2 VLAN 51) ----> 7.7.7.1    >---- 6.6.6.47 (CAN   PING FROM 7.7.7.X)
                                                     >---- 6.6.6.48 (CAN   PING FROM 7.7.7.X)


1st Image shows:

Last Row - 10.x.x.x can't ping 6.6.6.47
Rows 1 to 3 - 10.x.x.x can ping other devices on 6.x.x.x and 1.x.x.x
Rows 4 to 6 - 1.x.x.x, 6.x.x.x & 7.x.x.x can ping 6.6.6.47 fine where 10.x.x.x can't

2nd Image shows similar also:
Title: Re: Strange (Seemingly) Device Level Issue
Post by: cookiemonster on January 22, 2024, 01:14:16 PM
There's probably an allow rule missing on the network that cannot go to the other. It would be helpful to show the current rules on it.
P.S. The interface IP addresses assigned are nice looking but not great choices and would cause some pain in the future. 1.1.1.1 for instance is Cloudflare and is a public IP. You should adhere to RFC 1918 IPs.
Title: Re: Strange (Seemingly) Device Level Issue
Post by: w1ldthing on January 22, 2024, 01:40:14 PM
Yeh, IPs are on the to-do list as they are a hang-over from when they were first set up, and to help keep things straight in my head: 10 = 10GbE, 1 = 1GbE, 6 = Wifi6, 7 = Wifi6 Guest.

Attached are the firewall rules, mostly the auto-generated ones on both the issue and non-issue net.
The only difference is that the 10 has the Anti-Lockout.

The two manual rules both nets have are one to redirect certain devices to the VPN and the other to allow traffic between the various nets.
Title: Re: Strange (Seemingly) Device Level Issue
Post by: w1ldthing on January 22, 2024, 01:40:55 PM
No Issues net rules
Title: Re: Strange (Seemingly) Device Level Issue
Post by: cookiemonster on January 22, 2024, 02:50:07 PM
Apart from some at-first-glance seemingly duplicated rules, they seem like they should be fine for this.
Maybe the destination is not up or accepting. Or the ping "from" is not suitable. I would normally diagnose from a device on the network, not on the router first. If you get "no route to host" you know there is something to investigate.
Title: Re: Strange (Seemingly) Device Level Issue
Post by: w1ldthing on January 22, 2024, 03:45:56 PM
So...
A wifi device connecting to 6 & 7 net can ping 6.6.6.47 no problem.
A wired device on 1 net can ping 6.6.6.47 no problem.
Multiple wired devices on 10 net cannot ping 6.6.6.47 with DEVICE NOT FOUND.
Title: Re: Strange (Seemingly) Device Level Issue
Post by: cookiemonster on January 22, 2024, 04:41:47 PM
I would then temporarily enable logging of default rules and use the live view of the firewall, to see if it hits any rule.
Next is use of packet capture.
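As an added example (not part of this thread), once logging of the default rules is on, the firewall log can be reduced to the one question that matters here: did OPNsense see ICMP from the 10.10.10.0/24 net to 6.6.6.47 at all, and if so, did it pass or block it? The script below does that over constructed sample lines in a simplified six-column CSV (interface, action, direction, protocol, source, destination). The column layout, the interface names and the sample addresses are assumptions made for the example; a real OPNsense log export (Firewall > Log Files) would need to be mapped onto these six columns first.

```python
import ipaddress
from collections import Counter

# Constructed sample log in a simplified CSV layout used only for this example:
#   interface,action,direction,proto,src,dst
# This is NOT the exact OPNsense filterlog field order; map a real export
# onto these six columns before feeding it in. Addresses mirror the thread's
# topology; interface names (igb1..igb3) are made up.
SAMPLE_LOG = """\
igb1,pass,in,icmp,10.10.10.20,6.6.6.48
igb1,pass,in,icmp,10.10.10.20,1.1.1.30
igb1,block,in,icmp,10.10.10.20,6.6.6.47
igb1,block,in,icmp,10.10.10.21,6.6.6.47
igb2,pass,in,icmp,1.1.1.30,6.6.6.47
igb3,pass,in,icmp,6.6.6.10,6.6.6.47
"""


def parse_log(text):
    """Parse the simplified CSV lines into dicts; blank and '#' lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
        iface, action, direction, proto, src, dst = fields
        rows.append({
            "iface": iface,
            "action": action,
            "dir": direction,
            "proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
        })
    return rows


def triage(rows, src_net, dst_host):
    """Classify what the firewall saw for traffic from src_net to dst_host.

    Verdicts:
      no-packets-seen          -> the firewall never saw the traffic; look
                                  before it (client routing, ARP/L2, name lookup)
      blocked-by-firewall      -> a rule is dropping it; inspect the rule set
      passed-check-destination -> pf let it through; the destination host is
                                  the next thing to check
    """
    net = ipaddress.ip_network(src_net, strict=False)
    host = ipaddress.ip_address(dst_host)
    seen = [r for r in rows if r["src"] in net and r["dst"] == host]
    actions = Counter(r["action"] for r in seen)
    if not seen:
        verdict = "no-packets-seen"
    elif actions.get("block", 0):
        verdict = "blocked-by-firewall"
    else:
        verdict = "passed-check-destination"
    return {
        "verdict": verdict,
        "seen": len(seen),
        "blocked": actions.get("block", 0),
        "passed": actions.get("pass", 0),
        "ifaces": sorted({r["iface"] for r in seen}),
    }


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for src_net, dst in [("10.10.10.0/24", "6.6.6.47"),
                         ("10.10.10.0/24", "6.6.6.48"),
                         ("7.7.7.0/24", "6.6.6.47")]:
        print(src_net, "->", dst, triage(rows, src_net, dst))
```

The three verdicts map onto the diagnostic order in the thread: no log entries at all means the packets never reached the router (an ARP, routing or name-resolution problem on the client side, which matches a "device not found" style error); block entries point at the rule set; pass entries mean the firewall is not the culprit and a packet capture on the destination side is the next step.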