OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: nicholaswkc on March 27, 2025, 01:28:03 AM

Title: OPNSense Unreachable From LAN
Post by: nicholaswkc on March 27, 2025, 01:28:03 AM
Dear all users, yesterday my firewall had some odd issues where my LAN was not able to ping the OPNsense box (ping 192.168.1.1 and dig www.google.com). Today, the issue is back to normal. This issue is very strange as I did not touch anything that could possibly break the setup.

Title: Re: OPNSense Unreachable From LAN
Post by: alex_62450 on March 27, 2025, 11:45:42 AM
Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab: there are 2 interfaces in addition to WAN, i.e. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something: DHCP works fine if I plug the LAN endpoint into the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too?
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on March 28, 2025, 05:41:22 AM
Quote from: alex_62450 on March 27, 2025, 11:45:42 AM
Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab: there are 2 interfaces in addition to WAN, i.e. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something: DHCP works fine if I plug the LAN endpoint into the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too?

Yes, I do have DHCP enabled on LAN. Apart from this, my OPT1 seems to reset and go down and not reactivate again. I need to replug the cable in order to have fully functional internet.

Please help. Thanks in advance.
Title: Re: OPNSense Unreachable From LAN
Post by: alex_62450 on March 28, 2025, 10:53:43 AM
Hi @nicholaswkc,

Thanks for the swift response! As in both cases DHCP is activated, that may help to pinpoint the cause.

Personally I have made network traffic captures and on the LAN endpoint, the DHCP messages are being sent but get no response from OPNsense.

Another element / item to check please:

On LAN, I have also enabled IDS/IPS (Suricata), and I found online an older issue published on another forum mentioning that the DHCP problem could be linked to this service, although the thread didn't get a final or formal response.
https://www.reddit.com/r/OPNsenseFirewall/comments/rcwtdz/dhcp_seems_to_keep_failing/

On that other website, there is also a mention of messages such as
generic_netmap_attach Emulated adapter for [Interface name] created (prev was NULL)
These kinds of messages are now (in 25.1) displayed all the time on the console screen, while earlier I can't remember having seen them, or maybe it happened but rarely.

Do you also use IDS/IPS on the LAN interface?

I am going to disable IDS/IPS to make a test and observe whether the issue occurs again and the connection is stable.
Title: Re: OPNSense Unreachable From LAN
Post by: alex_62450 on March 29, 2025, 02:51:54 PM
Update:
a bit unexpectedly, but the DHCP and therefore possibly the LAN connectivity issue was linked to IPS, which blocked the responses from OPNsense port 67 to LAN port 68 as potentially malicious. The LAN connectivity was restored after disabling IDS/IPS, and a closer look at IPS blocks pinpointed the above. Personally, I didn't see this kind of block happening in OPNsense earlier.

If IPS is also enabled on your LAN, maybe you can try to disable it temporarily, if that's permissible on your network, to check that assumption? The stability or connectivity issues on LAN seem to be gone for now.


Sharing also a bit of insight about how that specific issue interacted with other topics, in case it may help others too, as I think that the IPS has been doing its job well but this occurred in a given sequence of events:


Hoping that may be useful - cheers.
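A way to confirm this from the IPS logs rather than by switching IPS off: the following is an added example (not from this thread or from OPNsense) that reads Suricata EVE JSON alert records and lists only the drops where the firewall's DHCP server (UDP/67) was answering a client (UDP/68) on the LAN. The sample lines, the signature names and the signature ids are constructed for the example; on a real box the input would be the eve.json file under the Suricata log directory.

```python
import json
import ipaddress

# Constructed sample EVE JSON lines (not taken from the thread). The shape follows
# Suricata's alert records: event_type, the 5-tuple, and an "alert" object whose
# "action" is "blocked" when IPS mode dropped the packet. Signature ids/names are
# placeholders invented for this example.
SAMPLE_EVE = """\
{"timestamp":"2025-03-28T10:12:01.000000+0100","event_type":"alert","src_ip":"192.168.1.1","src_port":67,"dest_ip":"192.168.1.50","dest_port":68,"proto":"UDP","alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE DHCP server reply"}}
{"timestamp":"2025-03-28T10:12:02.000000+0100","event_type":"alert","src_ip":"203.0.113.9","src_port":44123,"dest_ip":"192.0.2.1","dest_port":22,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE SSH scan"}}
{"timestamp":"2025-03-28T10:12:03.000000+0100","event_type":"dns","src_ip":"192.168.1.50","src_port":51000,"dest_ip":"192.168.1.1","dest_port":53,"proto":"UDP"}
{"timestamp":"2025-03-28T10:12:04.000000+0100","event_type":"alert","src_ip":"192.168.1.1","src_port":67,"dest_ip":"255.255.255.255","dest_port":68,"proto":"UDP","alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE DHCP server reply"}}
"""

def dhcp_server_replies_blocked(eve_lines, lan_net="192.168.1.0/24"):
    """Return the blocked alerts where a DHCP server inside lan_net (UDP/67)
    answered a client on UDP/68. Those are the drops that leave a LAN without
    addressing; WAN-side blocks like the SSH scan are left alone."""
    lan = ipaddress.ip_network(lan_net)
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("action") != "blocked":
            continue
        if rec.get("proto") != "UDP" or rec.get("src_port") != 67 or rec.get("dest_port") != 68:
            continue
        # Offers may go to 255.255.255.255, so attribute by the server address, not the client.
        if ipaddress.ip_address(rec["src_ip"]) in lan:
            hits.append({"ts": rec["timestamp"], "sid": rec["alert"]["signature_id"],
                         "sig": rec["alert"]["signature"], "client": rec["dest_ip"]})
    return hits

def summarize(hits):
    """Count drops per signature id, so the one rule can be set to alert-only
    or disabled instead of turning IPS off for the whole interface."""
    counts = {}
    for h in hits:
        counts[h["sid"]] = counts.get(h["sid"], 0) + 1
    return counts

if __name__ == "__main__":
    found = dhcp_server_replies_blocked(SAMPLE_EVE.splitlines())
    for h in found:
        print(h)
    print(summarize(found))
```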
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on April 25, 2025, 09:37:39 AM
Ya hai, the issue happened again. I cannot even log in to the OPNsense web console. How do I disable Suricata on LAN using the command line? I'm using 24.7.12_4.

Ya, I got it: service suricata stop.
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on April 25, 2025, 10:39:41 AM
I had stopped Suricata using the command service suricata stop, but it still cannot ping OPNsense from LAN. What are the other issues?
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on April 27, 2025, 05:35:13 AM
Two issues are occurring at my OPNsense box.

1. LAN blocked by firewall or Suricata - cannot ping from LAN - root cause is the oscrowdsec service
2. OPT1 is not getting an IP address (no light). Hardware or software failure?

What are the logs to look for in the shell? I tried to disable pf with pfctl -d and it was able to ping from LAN to the OPNsense box. Why does it block?
How do I resolve this? Please help. Thanks in advance.
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on April 27, 2025, 06:48:42 AM
Root cause:

1. OSCrowdsec service stopped for now
2. OPT1 no IP address (no lights). Switched to the LAN port for now.

Questions:
1. Why is CrowdSec blocking my LAN - does it detect connections IN?
Title: Re: OPNSense Unreachable From LAN
Post by: Patrick M. Hausen on April 27, 2025, 02:05:12 PM
Did you configure your private networks for CrowdSec? I.e. is the default whitelist parser installed, or did you create one manually as documented?

https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on May 27, 2025, 09:29:31 AM
Quote from: Patrick M. Hausen on April 27, 2025, 02:05:12 PM
Did you configure your private networks for CrowdSec? I.e. is the default whitelist parser installed, or did you create one manually as documented?

https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/

I didn't configure anything for CrowdSec except the collections.

Title: Re: OPNSense Unreachable From LAN
Post by: Patrick M. Hausen on May 27, 2025, 09:34:27 AM
Quote from: nicholaswkc on May 27, 2025, 09:29:31 AM
I didn't configure anything for CrowdSec except the collections.

Then you should probably follow the documentation I linked.
Title: Re: OPNSense Unreachable From LAN
Post by: nicholaswkc on May 27, 2025, 09:44:34 AM
Quote from: Patrick M. Hausen on May 27, 2025, 09:34:27 AM
Quote from: nicholaswkc on May 27, 2025, 09:29:31 AM
I didn't configure anything for CrowdSec except the collections.

Then you should probably follow the documentation I linked.

OK then, let me try to do it. Thanks.