OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Nasrum Minallah Manzoor on December 18, 2018, 11:04:59 am

Title: can not ping OPNSENSE firewall???
Post by: Nasrum Minallah Manzoor on December 18, 2018, 11:04:59 am
Hi,

I have installed two OPNsense firewalls.
One firewall has a LAN IP of 172.16.1.1 and the other firewall has a LAN IP of 172.16.2.1.

Ping fails from the 1st firewall (172.16.1.1) to the 2nd firewall (172.16.2.1).
Ping succeeds from the 2nd firewall (172.16.2.1) to the 1st firewall (172.16.1.1).

Why am I not getting ping in the first scenario?

Any help would be highly appreciated.

Regards,

Nasrum Minallah
Title: Re: can not ping OPNSENSE firewall???
Post by: myksto on December 18, 2018, 11:59:26 am
Well, let me think about it a little bit.
Normally two hosts in two different subnets can't see each other unless there is a router between them that routes their subnets so that they can communicate.
Now, you should describe your scenario better:

Please provide this basic information as a beginning.

Cheers,
Michele.
Title: Re: can not ping OPNSENSE firewall???
Post by: bartjsmit on December 18, 2018, 07:04:53 pm
Hi Nasrum,

Have you disabled 'block private networks' on the WAN interface(s)?

Bart...
Title: Re: can not ping OPNSENSE firewall???
Post by: Nasrum Minallah Manzoor on December 19, 2018, 07:06:59 am
Yes Bart, "block private networks" is disabled on the WAN interface.


Nasrum Minallah
Title: Re: can not ping OPNSENSE firewall???
Post by: Nasrum Minallah Manzoor on December 19, 2018, 07:10:29 am
myksto dear, I am using a router in between the two firewalls.

Both are installed in the same building for load-balancing purposes and hardware failover as well.

Title: Re: can not ping OPNSENSE firewall???
Post by: bartjsmit on December 19, 2018, 07:47:52 am
Hi Nasrum,

If ping works one way but not the other, and your routing is fairly simple, then routing is unlikely to be your issue. You could have some asymmetric routes, but if ping routes there and back one way, then the reverse will be fine.

That leaves NAT and firewall rules. Check that the rules are symmetrical between the two firewalls.

Finally, test with different ping configurations. Enable SSH and open a shell with option 8 to each firewall. Use the ping -S option to try with different source IP addresses, and observe the packet stream on the target with Interfaces, Diagnostics, Packet Capture.

Wireshark is your friend ;-)

Bart...
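
An added example (not part of the thread or of any poster's own tooling): one way to read the packet capture suggested above, classifying tcpdump-style text lines taken on the target firewall. The capture lines are constructed, and the three verdict names and the function name are assumptions made for this sketch.

```python
import re

# One line of `tcpdump -n` text output for ICMP echo traffic.
LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def classify(capture_text, pinger, target):
    """Verdict for pings from `pinger` to `target`, as captured on the target."""
    requests, replies = set(), set()
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ignore non-ICMP-echo lines
        key = (m["id"], m["seq"])  # pairs a reply with its request
        if m["kind"] == "request" and (m["src"], m["dst"]) == (pinger, target):
            requests.add(key)
        elif m["kind"] == "reply" and (m["src"], m["dst"]) == (target, pinger):
            replies.add(key)
    if not requests:
        # Nothing arrived with this source address: routing, NAT rewriting
        # the source, or a rule on the sending side / in between.
        return "no-request-seen"
    if requests - replies:
        # Requests hit the interface but at least one got no reply on it:
        # check rules and stale states on the target firewall.
        return "request-unanswered"
    # Target answered every request: the reply is lost on the way back.
    return "reply-sent"

# Constructed sample capture on 172.16.2.1 (not data from the thread).
SAMPLE = """\
12:00:01.000100 IP 172.16.1.1 > 172.16.2.1: ICMP echo request, id 4660, seq 0, length 64
12:00:01.000180 IP 172.16.2.1 > 172.16.1.1: ICMP echo reply, id 4660, seq 0, length 64
12:00:02.000100 IP 172.16.1.1 > 172.16.2.1: ICMP echo request, id 4660, seq 1, length 64
"""

if __name__ == "__main__":
    print(classify(SAMPLE, "172.16.1.1", "172.16.2.1"))
```

Running it once per source address tried with ping -S shows which addresses actually reach the target.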
Title: Re: can not ping OPNSENSE firewall???
Post by: Dicolla on December 19, 2018, 01:58:23 pm
Maybe this tip can help to fix this problem...

I had problems when trying to PING the firewall... When I started the firewall, for a few moments the PING worked and then a few seconds later it stopped responding. From inside OPNsense I could PING my Desktop, but from my Desktop I could not PING the Firewall.

My default "Default allow LAN to any rule" was disabled because I want to control all the traffic that comes from my LAN to my WAN.

So, I had to create a specific rule to allow ICMP traffic:

Action: Pass
Interface: LAN
Protocol: ICMP
ICMP type: Echo Request
Source: LAN net
Destination: This Firewall
Description: Allow Ping

After this (and this is important) I need to run "States Reset" (Firewall->Diagnostics->States Reset) to finally get the correct response of the PING to my Desktop.