OPNsense Forum

English Forums => General Discussion => Topic started by: pun1x on July 16, 2017, 10:00:36 PM

Title: New user, help needed
Post by: pun1x on July 16, 2017, 10:00:36 PM
Hello,
First of all thanks for nice firewall distro, just switched from pfsense today.
Spent most of the time to mirror same setup I had previously (openvpn, ddns, etc)
So far I really like it and I think I will keep it.
There is one minor issue that I have.
Looks like by default ICMP responses are blocked (to WAN, like 8.8.8.8), I tried but I can't get it to work.
Any hints would be much appreciated
Title: Re: New user, help needed
Post by: bartjsmit on July 17, 2017, 08:18:41 AM
Did you run the wizard? It puts in default allow any rules for LAN net source on the LAN rules tab. This allows ICMP responses from other interfaces on state.

Bart...
Title: Re: New user, help needed
Post by: pun1x on July 17, 2017, 09:25:22 AM
Hi.
I have default rule from LAN to any. Everything works fine except ICMP responses from WAN


Title: Re: New user, help needed
Post by: bartjsmit on July 17, 2017, 06:20:56 PM
Run a packet trace on the WAN interface and confirm that the echo replies are making it back to OPNsense. If so, check your firewall log to see what's blocking it.

Bart...
Title: Re: New user, help needed
Post by: fabian on July 17, 2017, 08:16:15 PM
Can you try to create a pass rule for ICMP and IPv4 (any host to any host) and retry?
Title: Re: New user, help needed
Post by: pun1x on July 17, 2017, 09:01:34 PM
Hi,
Thanks for all the suggestions,
I cannot get an ICMP reply from 8.8.8.8 but ping replies from bbc.co.uk work fine. That is really weird.
All I want to do is to be able to test if I get internet as my provider is flaky sometimes.
I did not know that I can run packet capture straight from the GUI, that is awesome.
I will start packet capture and see how it goes
Title: Re: New user, help needed
Post by: pun1x on July 17, 2017, 09:31:26 PM
Hi,
I think it's something to do with my provider,
Here is traceroute from OPNsense with ICMP tickbox enabled

traceroute to 8.8.8.8 (8.8.8.8), 18 hops max, 48 byte packets
1  * * *
2  80.X.X.X  7.678 ms  10.443 ms  10.853 ms
3  * * *
4  62.253.175.34  10.873 ms  9.682 ms  9.309 ms
5  74.125.52.226  15.216 ms  14.629 ms  16.521 ms
6  * * *
7  216.239.57.131  16.750 ms  16.018 ms  16.224 ms
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *

And here is regular traceroute from OPNsense

traceroute to 8.8.8.8 (8.8.8.8), 18 hops max, 40 byte packets
1  * * *
2  80.X.X.X  8.354 ms  9.074 ms  9.989 ms
3  * * *
4  62.253.175.34  10.876 ms  11.143 ms  9.875 ms
5  74.125.48.190  9.789 ms
    74.125.52.226  14.174 ms  15.459 ms
6  108.170.246.225  9.429 ms
    108.170.246.129  15.896 ms
    108.170.246.193  18.348 ms
7  * 216.239.57.163  12.552 ms
    216.239.57.169  11.766 ms
8  8.8.8.8  16.060 ms * *

From the above it looks like ICMP never gets to the destination.
Title: Re: New user, help needed
Post by: fabian on July 17, 2017, 10:04:18 PM
Google drops your pings if you send too many.
Title: Re: New user, help needed
Post by: Ciprian on July 18, 2017, 10:29:32 AM
Quote from: pun1x on July 17, 2017, 09:01:34 PM

All I want to do is to be able to test if I get internet as my provider is flaky sometimes.


You can also monitor the GW (apinger), it allows you to ping the IP of the provider's gateway, or another public IP. Though, I wasn't concerned about a URL, to check if DNS translations work... Try!
Title: Re: New user, help needed
Post by: pun1x on July 18, 2017, 01:15:01 PM
Hi. That would actually be awesome. Thanks for that!


Title: Re: New user, help needed
Post by: Ciprian on July 18, 2017, 03:09:49 PM
Quote from: pun1x on July 18, 2017, 01:15:01 PM
Hi. That would actually be awesome. Thanks for that!



You're welcome! :)