I recently brought up an OPNsense firewall that has to accept connections from multiple IPs on the same subnet on the WAN interface.
The default gateway is connected on the same interface and on the same subnet as the other devices.
However, it seems that OPNsense accepts connections only from the default gateway.
After some investigation, I discovered that OPNsense seems to reply only to ARP requests that come from the default gateway on the WAN interface.
Can you please help me enable ARP replies to any device on the WAN interface that belongs to the same network?
Thank you and best regards
This may not be enough info to pin down the problem. ARP is Layer 2, it cannot and will not be blocked by the firewall filter. How are you observing this? Did you check the ARP table on the OPNsense?
# arp -na
Cheers,
Franco
Sounds IMHO like the old problem with WAN network and the reply-to rules?
Oh, it could be. Try setting Firewall: Settings: Advanced: [ x ] disable reply-to.
First of all, some IP definitions so I can explain myself better:
- 10.0.1.254/24 IP address of the OPNsense WAN interface
- 10.0.1.1/24 IP address of the default gateway
- 10.0.1.138/24 IP address of another PC that has to reach OPNsense
I have made the following checks:
- In the OPNsense ARP table I have only entries for 10.0.1.254 and 10.0.1.1 on the WAN interface
- If I try to ping from 10.0.1.138 to 10.0.1.254 it returns a "host unreachable" error
- If I try to ping from 10.0.1.1 to 10.0.1.254 it replies correctly
- I tried enabling the "disable reply-to" option under Firewall --> Advanced settings, with no success
- Checking with tcpdump on OPNsense, I see the ARP request and reply if they are sent by 10.0.1.1, but I cannot see any ARP request if it is sent by 10.0.1.138
- Checking with another PC using Wireshark, I see the ARP request and reply if they are sent by 10.0.1.1; I can also see the ARP request from 10.0.1.138, but no reply
- Checking the ARP table on 10.0.1.138, I see an entry for 10.0.1.254 with no MAC address and a "Failed" note
I then also made the following test:
- From OPNsense I tried to ping 10.0.1.138 and it replies correctly
- After the above step, if I try to ping 10.0.1.254 from 10.0.1.138, it starts to reply correctly
- Checking the OPNsense ARP table, I now also have the 10.0.1.138 entry
- The same as point 3 also on 10.0.1.138 (ARP entry for 10.0.1.254)
Thank you and best regards
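The tcpdump/Wireshark check above (a request from 10.0.1.1 gets a reply, a request from 10.0.1.138 does not) can be automated over a saved capture. The script below is an added example, not code from the thread or from OPNsense; it assumes the text format printed by `tcpdump -n -i <if> arp` and uses a constructed capture modelled on the poster's observations.

```python
"""Pair ARP requests with replies in tcpdump text output and report the
requests that never received an answer (the symptom described in the thread).
Assumes tcpdump's default ARP line format, e.g.
  'HH:MM:SS.uuuuuu ARP, Request who-has <target> tell <sender>, length 28'
  'HH:MM:SS.uuuuuu ARP, Reply <target> is-at <mac>, length 28'
"""
import re
from collections import defaultdict

REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

# Constructed sample capture (not a real trace): the gateway 10.0.1.1 gets
# an answer for 10.0.1.254, the other PC 10.0.1.138 asks twice and gets none.
SAMPLE = """\
10:00:00.000100 ARP, Request who-has 10.0.1.254 tell 10.0.1.1, length 28
10:00:00.000250 ARP, Reply 10.0.1.254 is-at 00:11:22:aa:bb:cc, length 28
10:00:01.000100 ARP, Request who-has 10.0.1.254 tell 10.0.1.138, length 28
10:00:02.000100 ARP, Request who-has 10.0.1.254 tell 10.0.1.138, length 28
10:00:03.000100 ARP, Request who-has 10.0.1.1 tell 10.0.1.254, length 28
10:00:03.000300 ARP, Reply 10.0.1.1 is-at 00:11:22:dd:ee:ff, length 28
"""


def unanswered_arp(capture: str) -> dict:
    """Return {(target_ip, sender_ip): count} for requests left without a reply.

    Heuristic: a reply for target_ip is matched to the most recent still
    pending request for that target (tcpdump's default ARP output does not
    show which requester the reply was unicast to).
    """
    pending = defaultdict(list)      # target_ip -> sender_ips still waiting
    for line in capture.splitlines():
        m = REQ.search(line)
        if m:
            target, sender = m.groups()
            pending[target].append(sender)
            continue
        m = REP.search(line)
        if m and pending[m.group(1)]:
            pending[m.group(1)].pop()  # reply satisfies the latest request
    unanswered = defaultdict(int)
    for target, senders in pending.items():
        for sender in senders:
            unanswered[(target, sender)] += 1
    return dict(unanswered)


if __name__ == "__main__":
    for (target, sender), n in unanswered_arp(SAMPLE).items():
        print(f"{sender} asked for {target} {n}x with no reply")
```

Feed it a real trace with `tcpdump -n -i <wan-if> arp > arp.txt` and `unanswered_arp(open("arp.txt").read())`; a host that appears only as an unanswered requester is the one OPNsense is not answering.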