I have a fairly vanilla opnsense. I don't have adblocking, unbound blacklist or any of that turned on. I have an allow all from lan rule. I am currently on 23.1_6.
When I'm logged into the shell or the web diagnostics, I can't ping or curl github.com (140.82.113.3). I have tried changing the source address between my LAN and WAN ips with no change.
I can ping and access github.com just fine from any machine on my LAN.
I have basically two theories:
- When I run opnsense-code ports or one of these curl commands, github itself doesn't like it and blocks me.
- Something internal to opnsense that I am not aware of is blocking me.
root@gw:/usr/local/opnsense/scripts/filter # curl -v https://github.com/ytjohn
* Trying 140.82.113.3:443...
* Immediate connect fail for 140.82.113.3: Permission denied
* Closing connection 0
curl: (7) Couldn't connect to server
root@gw:/usr/local/opnsense/scripts/filter # nc -v 140.82.113.3 443
nc: connect to 140.82.113.3 port 443 (tcp) failed: Permission denied
root@gw:/usr/local/opnsense/scripts/filter # ping -v 140.82.113.3
PING 140.82.113.3 (140.82.113.3): 56 data bytes
^C
--- 140.82.113.3 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
I found that it appears to pass icmp in the firewall rules. I never see any log messages related to my curl/netcat commands.
2024-01-26T14:48:09 Informational filterlog 99,,,761a166383f941c76dbf2c76c9e2f241,igb1,match,pass,out,4,0x0,,64,6692,0,none,1,icmp,84,75.xxx.yyy.zzz,140.82.113.3,datalength=64
2024-01-26T13:40:32 Informational filterlog 99,,,761a166383f941c76dbf2c76c9e2f241,igb1,match,pass,out,4,0x0,,64,37071,0,none,1,icmp,84,75.xxx.yyy.zzz,140.82.113.3,datalength=64
I did a major update to 23.7.12:
OPNsense 23.7.12-amd64
FreeBSD 13.2-RELEASE-p7
OpenSSL 1.1.1w
Now I can ping github, but not connect to it on 443.
root@gw:~ # ping github.com
PING github.com (140.82.113.4): 56 data bytes
64 bytes from 140.82.113.4: icmp_seq=0 ttl=48 time=33.796 ms
64 bytes from 140.82.113.4: icmp_seq=1 ttl=48 time=31.082 ms
^C
--- github.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 31.082/32.439/33.796/1.357 ms
root@gw:~ # opnsense-code ports
Cloning into '/usr/tools'...
fatal: unable to access 'https://github.com/opnsense/tools/': Failed to connect to github.com port 443 after 6 ms: Couldn't connect to server
root@gw:~ # ping github.com
PING github.com (140.82.113.4): 56 data bytes
64 bytes from 140.82.113.4: icmp_seq=0 ttl=48 time=33.307 ms
64 bytes from 140.82.113.4: icmp_seq=1 ttl=48 time=33.764 ms
^C
--- github.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 33.307/33.536/33.764/0.229 ms
root@gw:~ # curl https://github.com/
curl: (7) Failed to connect to github.com port 443 after 6 ms: Couldn't connect to server
root@gw:~ # ping github.com
PING github.com (140.82.113.4): 56 data bytes
64 bytes from 140.82.113.4: icmp_seq=0 ttl=48 time=24.435 ms
64 bytes from 140.82.113.4: icmp_seq=1 ttl=48 time=22.012 ms
^C
--- github.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.012/23.223/24.435/1.211 ms
root@gw:~ # ping 140.82.113.3
PING 140.82.113.3 (140.82.113.3): 56 data bytes
64 bytes from 140.82.113.3: icmp_seq=0 ttl=47 time=24.530 ms
^C
--- 140.82.113.3 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 24.530/24.530/24.530/0.000 ms
root@gw:~ # curl -v https://github.com/opnsense/tools/
* Host github.com:443 was resolved.
* IPv6: (none)
* IPv4: 140.82.113.4
* Trying 140.82.113.4:443...
* Immediate connect fail for 140.82.113.4: Permission denied
* Failed to connect to github.com port 443 after 8 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to github.com port 443 after 8 ms: Couldn't connect to server
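
Added example, not part of the original post: a small parser for the filterlog lines quoted above that lists every logged decision toward a given destination, so you can check whether the filter recorded anything for TCP 443 besides the ICMP passes. The field names, the tcp/udp port positions and the third sample line are assumptions made for this example; the first two sample lines are copied from the post.

```python
import csv

# Field names for the common header and the IPv4 part of a filterlog line.
COMMON = ["rulenr", "subrulenr", "anchor", "rid", "iface", "reason",
          "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum",
        "proto", "length", "src", "dst"]

def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it does not parse."""
    marker = "filterlog "
    pos = line.find(marker)
    if pos < 0:
        return None
    fields = next(csv.reader([line[pos + len(marker):].strip()]))
    fixed = len(COMMON) + len(IPV4)
    if len(fields) < fixed or fields[8] != "4":
        return None
    rec = dict(zip(COMMON + IPV4, fields))
    rest = fields[fixed:]
    rec["sport"] = rec["dport"] = None
    # Assumed layout: for tcp/udp the two fields after dst are the ports.
    if (rec["proto"] in ("tcp", "udp") and len(rest) >= 2
            and rest[0].isdigit() and rest[1].isdigit()):
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    return rec

def decisions_for(lines, dst):
    """List (action, dir, proto, dport) for every logged packet sent to dst."""
    out = []
    for line in lines:
        rec = parse_filterlog(line)
        if rec and rec["dst"] == dst:
            out.append((rec["action"], rec["dir"], rec["proto"], rec["dport"]))
    return out

SAMPLE = [
    # The two lines below are copied from the post.
    "2024-01-26T14:48:09 Informational filterlog 99,,,761a166383f941c76dbf2c76c9e2f241,igb1,match,pass,out,4,0x0,,64,6692,0,none,1,icmp,84,75.xxx.yyy.zzz,140.82.113.3,datalength=64",
    "2024-01-26T13:40:32 Informational filterlog 99,,,761a166383f941c76dbf2c76c9e2f241,igb1,match,pass,out,4,0x0,,64,37071,0,none,1,icmp,84,75.xxx.yyy.zzz,140.82.113.3,datalength=64",
    # Constructed line (not from the post): what a logged outbound TCP block could look like.
    "2024-01-26T14:50:00 Informational filterlog 12,,,CONSTRUCTED-RID,igb1,match,block,out,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,140.82.113.3,51514,443,0,S,1234567890,,65535,,mss",
]

if __name__ == "__main__":
    for decision in decisions_for(SAMPLE, "140.82.113.3"):
        print(decision)
```

Only rules with logging enabled produce filterlog entries, so an empty result for TCP 443 does not by itself show that no rule matched.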