Hi, I'm sure this is a stupid error on my end, but I struggle to find it:
I have one machine (192.168.5.57), which cannot access the internet. For debugging purposes, I've turned on packet capture on opnsense (LAN interface). This is what an access to https://www.google.com from that machine looks like:
LAN igc0 2025-04-19 18:48:23.259179 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 31521, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], cksum 0xb126 (correct), seq 2244134618, win 64240, options [mss 1460,sackOK,TS val 1390339964 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:23.511877 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24830, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.52394 > 142.251.36.228.443: Flags [S], cksum 0x4fda (correct), seq 3763509603, win 64240, options [mss 1460,sackOK,TS val 1390340217 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:24.268413 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 31522, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], cksum 0xad34 (correct), seq 2244134618, win 64240, options [mss 1460,sackOK,TS val 1390340974 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:24.528358 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24831, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.52394 > 142.251.36.228.443: Flags [S], cksum 0x4be1 (correct), seq 3763509603, win 64240, options [mss 1460,sackOK,TS val 1390341234 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:26.284309 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 31523, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], cksum 0xa554 (correct), seq 2244134618, win 64240, options [mss 1460,sackOK,TS val 1390342990 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:26.540341 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24832, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.52394 > 142.251.36.228.443: Flags [S], cksum 0x4405 (correct), seq 3763509603, win 64240, options [mss 1460,sackOK,TS val 1390343246 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:30.540340 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 31524, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], cksum 0x94b4 (correct), seq 2244134618, win 64240, options [mss 1460,sackOK,TS val 1390347246 ecr 0,nop,wscale 7], length 0
LAN igc0 2025-04-19 18:48:30.796349 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24833, offset 0, flags [DF], proto TCP (6), length 60)
192.168.5.57.52394 > 142.251.36.228.443: Flags [S], cksum 0x3365 (correct), seq 3763509603, win 64240, options [mss 1460,sackOK,TS val 1390347502 ecr 0,nop,wscale 7], length 0
There is just outgoing traffic on LAN. No traffic back in (which is why 192.168.5.57 shows a timeout).
If I use some other machine (e.g., 192.168.5.232) for https to www.google.com, packet capture shows traffic back and forth on the interface.
I've checked firewall rules. There is no deny-rule that should apply to 192.168.5.57, all deny-rules have logging enabled, and there is a catch-all-permit rule at the bottom. There are no entries in the firewall log for 192.168.5.57.
Please, where else could I look to find out what is happening?
Thanks!
Is just one client affected or is that the only one?
What is your ISP config / topology? For Internet access, you need to have outbound NAT enabled. There are different ways on how to configure OpnSense, maybe you have a router-behind-router setup? With that, you have to set up NAT or back routing.
Apparently, the .232 client can browse that site from the same subnet (apparently).
You ought to know which rule SHOULD allow that traffic. Enable logging for it to confirm.
The FW live view should show in traffic from PC to google on LAN, then out traffic from WAN_IP to google on WAN (assuming NAT).
If default pass rules are used, then you can enable logging in FW > Settings > Advanced.
For return traffic, you have to do network captures.
You can filter by target IP (easier if you choose a site that's not otherwise used on your network).
The goal of all the above is to find where traffic gets lost.
A badly configured port forward rule could also direct that traffic in the void.
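As an added example (not code from the thread or from OPNsense), here is a small Python script that applies the "find where traffic gets lost" advice above to the text form of an OPNsense packet capture: it groups TCP packets by connection and reports clients whose SYNs were retransmitted without any packet ever coming back. The sample lines are constructed in the same layout as the capture in the question (options trimmed); running it over a LAN capture and a WAN capture separately shows on which side the replies disappear.

```python
import re
from collections import defaultdict

# Matches the IP/TCP line of an OPNsense packet-capture entry (tcpdump format), e.g.
# "192.168.5.57.39284 > 142.251.36.228.443: Flags [S], cksum 0xb126 (correct), ..."
TCP_LINE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def tcp_flows(capture_text):
    """Group TCP packets by the client-side 4-tuple.

    Returns {(client, cport, server, sport): {"syn": n, "reply": n}}: "syn" counts
    bare SYNs sent by the client, "reply" counts any packet seen in the
    server -> client direction (SYN-ACK, RST, anything at all).
    """
    flows = defaultdict(lambda: {"syn": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:  # interface/ethernet header lines and non-TCP entries are skipped
            continue
        fwd = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        if m["flags"] == "S":
            flows[fwd]["syn"] += 1          # new or retransmitted connection attempt
        elif rev in flows:
            flows[rev]["reply"] += 1        # packet travelling back towards the client
    return dict(flows)

def unanswered_flows(capture_text, min_syns=2):
    """Connections where the client sent its SYN at least `min_syns` times and
    nothing came back: the 'outgoing only' pattern seen in the question."""
    return sorted(
        key + (v["syn"],) for key, v in tcp_flows(capture_text).items()
        if v["syn"] >= min_syns and v["reply"] == 0
    )

# Constructed sample: the .57 client retransmits SYNs, the .232 client completes its handshake.
SAMPLE = """\
LAN igc0 2025-04-19 18:48:23.259179 90:e9:5e:19:bb:8d 64:62:66:2f:15:d6 ethertype IPv4 (0x0800), length 74
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], seq 2244134618, win 64240, length 0
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], seq 2244134618, win 64240, length 0
192.168.5.57.39284 > 142.251.36.228.443: Flags [S], seq 2244134618, win 64240, length 0
192.168.5.232.41000 > 142.251.36.228.443: Flags [S], seq 1000, win 64240, length 0
142.251.36.228.443 > 192.168.5.232.41000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
192.168.5.232.41000 > 142.251.36.228.443: Flags [.], ack 2001, win 502, length 0
"""

if __name__ == "__main__":
    for client, cport, server, sport, syns in unanswered_flows(SAMPLE):
        print(f"{client}:{cport} -> {server}:{sport}: {syns} SYNs, no reply seen")
```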