Text only | Text with Images

OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: hharry on March 28, 2025, 11:49:46 AM

Title: opnsense 25.1.3 erroneously dropping LAN to WAN outbound traffic
Post by: hharry on March 28, 2025, 11:49:46 AM
opnsense 25.1.3-amd64 erroneously operationally dropping LAN to WAN outbound traffic, in the WAN interface rule 'let out anything from firewall host itself (force gw)' for which is administratively configured permits outbound traffic

LAN side device is attempting to ping 8.8.8.8 via SNAT to WAN side interface, opnsense erroneously dropping the traffic, opnsense is a very basic deployment, with default WAN side F/W rules

LAN -->Opnsense_LAN vmx0. SNAT to .Opnsense_WAN vmx1(pppoe0)--->---WAN

any ideas ?

WAN source IP redacted for security reasons....


It's a very strange issue, only 1 device on the same LAN side 10.0.0.0/24 subnet is affected....all other devices traffic is not dropped....



Title: Re: opnsense 25.1.3 erroneously dropping LAN to WAN outbound traffic
Post by: hharry on March 28, 2025, 01:16:23 PM
so i did some pcaps from the opnsense LAN (vmx0) interface, and found the device sends the ICMP echo requests, with sequence number = 0 , and does not increment. Is the trigger for opnsense to misbehave....


whilst not an ideal device ICMP ping implementation, sequence number 0 is permitted in IETF RFC https://datatracker.ietf.org/doc/html/rfc792

seems like a clear opnsense bug to me....

is already  known opnsense bug ?

Title: Re: opnsense 25.1.3 erroneously dropping LAN to WAN outbound traffic
Post by: patient0 on March 28, 2025, 01:52:08 PM
Quote from: hharry on March 28, 2025, 01:16:23 PMdevice sends the ICMP echo requests, with sequence number = 0 ,
Is this/Are these Windows devices?

There's a bug open in FreeBSD ICMP echo requests from Windows hosts dropped when NAT'ed (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283795).
Title: Re: opnsense 25.1.3 erroneously dropping LAN to WAN outbound traffic
Post by: hharry on March 28, 2025, 02:00:32 PM
Quote from: patient0 on March 28, 2025, 01:52:08 PM
Quote from: hharry on March 28, 2025, 01:16:23 PMdevice sends the ICMP echo requests, with sequence number = 0 ,
Is this/Are these Windows devices?

There's a bug open in FreeBSD ICMP echo requests from Windows hosts dropped when NAT'ed (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283795).

thanks for the reply, the device is an Android SMART TV, it an interesting article, as i do have a number of windows PC's connected to the same LAN side subnet, and no outbound packets are dropped....only the traffic from my Son's Android TV outbound ICMP echo traffic destined to 8.8.8.8 is always dropped. Have 3 x other Android TV's also on the same subnet that are not affected....


In total have about 60 LAN side devices, and only 1 device outbound traffic is dropped by opnsense.
Text only | Text with Images