Hello,
I'm facing a real WTF situation and really could need some advice here.
I have an OPNsense FW (25.1.10), and cannot wrap my head around my issue.
Randomly, pings to 8.8.8.8 or 1.1.1.1 get blocked by the firewall.
From the same LAN subnet, some computers can ping, others can't.
After a while, other computers can't ping, and some that couldn't now can.
When looking at the firewall logs, the ICMP packets that get blocked are processed by the same rule that passes other ICMP packets.
When clicking on the rule link, the window closes since the rule isn't found (see the attached screenshots).
In order to rule out some factors, I've:
- Disabled Zenarmor
- Disabled Suricata
- Disabled Crowdsec
- Marked my default gateway as always on (no monitoring)
When I ping 1.1.1.1 or 8.8.8.8 from the firewall itself, of course both respond.
I've also tried to check the Disable reply-to wan setting in firewall>settings>advanced.
I've checked that I don't have any special routes to 1.1.1.1 or 8.8.8.8.
This happened already with 24.7 series as far as I can remember.
I've just updated 25.1.10 to 25.1.11 and a computer that could ping 8.8.8.8 but couldn't ping 1.1.1.1 can now ping 1.1.1.1 but can't ping 8.8.8.8 anymore.
I've also exported my opnsense config file and searched for those IPs in order to make sure I didn't forget anything.
The only entry I found for 1.1.1.1 is for query forwarding in unbound.
I'm totally puzzled as to why this is random.
I'd be grateful for any clue as to where to look.
Thank you.
See this: https://forum.opnsense.org/index.php?topic=45991.0, it is a long and complex story...
FWIW, it seems like 25.7 RC2 has a fix for this very problem and 25.7 final is due out on 2025-07-23, AFAIR.
@meyergru: Thanks for the tip.
I've updated to 25.7rc2 and indeed the workaround fix from the OPNsense team works.
I'm happy that there is a logical explanation, as I was just questioning my sanity :)
Context: this is a FreeBSD fix for an issue introduced last year by a FreeBSD security advisory.
Cheers,
Franco