Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: penguingl on November 26, 2025, 11:56:35 PM

Title: OPNsense does not generate ICMP echo replies on WAN
Post by: penguingl on November 26, 2025, 11:56:35 PM
Hi everyone,
I'm running into a strange issue with my OPNsense setup and I'd really appreciate any advice or if anyone has seen something similar.

Environment
OPNsense Version: 25.7.8‑amd64
Topology: single firewall appliance, public IPv4 directly on WAN (no NAT/CGNAT upstream).
LAN side works fine.

Problem
When I ping my WAN IP from an external host, the echo requests reach the firewall, I can see them in tcpdump on re0 (WAN) and in pflog0, and a pf state is created. But the firewall never generates an echo reply. There are no replies visible on lo0 or on re0.
For example, pflog shows just one entry like:
Code Select
rule 83/0(match): pass out on re0: External_IP > WAN_IP: ICMP echo request, id 53, seq 1, length 64 and then nothing else.

Packet capture on re0:
Code Select
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:11:37.187956 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:37.187972 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:38.187028 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:38.187033 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:39.210911 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:39.210918 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:40.234803 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 4, length 64

Firewall rule I added on WAN:
Code Select
pass in quick on re0 route-to (re0 <WAN_GATEWAY_IP>) inet proto icmp all keep state label "5356e56fce90cafaa6b6ebdb3a91031a"
I've tried
Explicit allow rule for all IPv4 ICMP on WAN.
Checked pf states: requests are tracked.
Tried enabling and disabling "force gateway" and "reply‑to" under Firewall > Settings > Advanced. No change.
Verified that LAN pings to the WAN IP work fine (so the address is bound and reachable internally).

At this point I'm not sure what else to check. If you have any suggestions on how to fix this, I'd really appreciate it.
Text only | Text with Images