OPNsense Forum
Archive => 18.7 Legacy Series => Topic started by: gbds on January 10, 2019, 10:27:05 pm
-
Hello all, just updated to 18.7.10 and can no longer ping the firewall from my LAN. I can access the web GUI and get online, just cannot ping. Pings from cmd return "Request timed out". Wireshark says "No response seen to ICMP request". From the Web GUI > Interfaces>Diagnostics>Ping, I can ping the firewall itself as well as my laptop, but cannot ping from my laptop to the firewall. I can ping other clients on the LAN just fine.
I even created an ICMP pass rule as follows, but no luck:
Action: Pass
Interface: LAN
TCP/IP Version: IPv4
Protocol: ICMP
ICMP Type: any
Source: LAN net
Destination: This Firewall
Still I get "request timed out" when I ping the firewall's IP from my laptop. Any thoughts?
-
...I have an ICMP rule (LAN net to LAN net) (18.7.10 amd64 with LibreSSL) everything is fine, can ping sense on LAN as usual...
(edit due to check of FW rules... **cough**)
-
Hello,
Just wanted to clarify something, on a default LAN interface, you have 'Default allow LAN to any rule'. If you disable it, traffic is blocked without an implicit 'Pass' rule.
Regards
-
I have added an ICMP pass rule from LAN Net to LAN Net, and double-checked that my "Default allow LAN to any" rule is Enabled. Still getting "Request timed out" when trying to ping the firewall.
-
Try from LAN Net to This Firewall.
-
Shouldn't matter. It sounds like an issue with something between the OPNsense and your LAN client, could also be setup-related. It could be anti-spoof kicking in refusing to answer...
-
I have a LAN Net to This Firewall as well as a LAN Net to LAN Net ICMP pass rule, neither one seems to make a difference. It also doesn't seem to matter which LAN client I try from. I've tried to ping from a Windows 7 laptop as well as a Macbook running Mojave, I get a timeout either way.
Where would I find anti-spoof settings? Should I check the "bypass firewall rules for traffic on the same interface" box?
-
Out of curiosity, did you run a ICMP packet capture on Lan interface to see that server is actually receive it? If the server is indeed receiving it but not responding and the appropriate FW rule(s) are set, perhaps you have network configuration problem?
Possibly the Firewall and Lan clients are on a different subnet?
-
Hmmm... I ran a packet capture on LAN interface and it does indeed see the ICMP echo request from my laptop. So it's just not responding for some reason. LAN clients (172.20.1.x) and the firewall (172.20.1.1) are on the same subnet, we only have one LAN net.
-
Those the firewall have a route back to the clients? Did you ping Lan clients from the firewall?
I can ping the firewall itself as well as my laptop, but cannot ping from my laptop to the firewall. I can ping other clients on the LAN just fine.
I see you already tried that, aside from 'possible different subnet', not too sure what would be going on here. The firewall is 172.20.1.1/24?
Could you include a picture of your Lan firewall rules omitting sensitive bits?
-
Yes, I can ping my laptop and other LAN clients from the firewall with no packet loss. Just not the other way around.
-
IPS off ?
-
Did you ever figure out how to fix the problem?
-
Why would one be so obsessed with pinging the firewalls LAN port? Did I miss something, but I have this disabled normally and I don't miss anything...
-
Why would one be so obsessed with pinging the firewalls LAN port? Did I miss something, but I have this disabled normally and I don't miss anything...
could be for when your connection goes down
i have issues where i have no access to gui via ip or name and no internet access - have to manually check the console by plugging in a keyboard and monitor, which shows the system is still operational but something is blocking connection to the box and internet from devices on lan, which i believe is IDS as can ping sites from console
-
Have you tried pulling then cable from the box, wait for 10 sec and plug it in again? Helped with my interface blocking with latest suricata in IPS mode on one specific interface.
-
IPS is currently off. We intend to turn it back on soon, but having it on currently maxes out the CPU usage (this is a separate problem).
As far as why we want to ping the firewall, it is certainly not mission critical, but it can be helpful when connection goes down. Mostly I just found it odd that it has always been able to ping before, and then suddenly stopped working.
I have not tried to unplug the firewall and plug it back in yet, will try that and report back. LAN firewall rules are attached:
(http://i68.tinypic.com/hs2kh5.jpg)
-
How about "Gateway" set to * in the ICMP rules?
-
Setting the Gateway to "default" vs "WAN_GROUP" doesn't seem to make any difference.
-
I am having exactly the same problem. I have managed to get outbound pings to pass through the FW with this rule on the LAN i/f:
`IPv4+6 ICMP LAN_em0 net * * * * Allow ICMP from LAN`
But that does not allow pings to the FW LAN i/f address from inside the LAN. I tried adding this rule to the top as well:
`IPv4+6 ICMP LAN_em0 net * This Firewall * * `
Which had no effect whatsoever. I have looked at the resulting PF rules and see reames of rules for ipv6-icmp but for ipv4 I see only this:
`
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
`
I then added the following rule and placed it immediately following the first rule given above:
`IPv4+6 ICMP This Firewall * LAN_em0 net * * `
which gave me this:
`
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (self) to (em0:network) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
`
But this had no effect either. The only way that I can ping the FW host is if I shutdown the FW application. Then I can ping normally.
I am not interested in debating the merits of allowing ICMP requests on a FW. I wish to do so and I would like someone to provide me with clear instructions as to how this is accomplished on on OPNsense 18.7.; since it is evidently beyond my abilities to figure this out on my own.
-
To help you, someone has to reproduce your issue.
OK, I have an interface on the sense not allowing pinging. Test:
ping 10.34.0.1
PING 10.34.0.1 (10.34.0.1) 56(84) bytes of data.
^C
--- 10.34.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3078ms
No reply. I add the following rule on the interface:
Pass IPv4 ICMP (type: any) <respective net> This firewall
Then:
ping 10.34.0.1
PING 10.34.0.1 (10.34.0.1) 56(84) bytes of data.
64 bytes from 10.34.0.1: icmp_seq=1 ttl=64 time=0.428 ms
64 bytes from 10.34.0.1: icmp_seq=2 ttl=64 time=0.476 ms
64 bytes from 10.34.0.1: icmp_seq=3 ttl=64 time=0.427 ms
64 bytes from 10.34.0.1: icmp_seq=4 ttl=64 time=0.219 ms
^C
--- 10.34.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3048ms
rtt min/avg/max/mdev = 0.219/0.387/0.476/0.101 ms
What next?
-
You used this rule:
Pass IPv4 ICMP (type: any) <respective net> This firewall
The rule I used was this:
`IPv4+6 ICMP LAN_em0 net * This Firewall * * `
With this rule I can ping the WAN i/f IPv4 address but not the LAN i/f IPv4. I do not see the difference between your rule and mine, other than you have left out the * for the source and destination ports and the gateway. I assume that this is for brevity since I cannot find any way of configuring an OPNsense rule without some value for source, destination and associated ports.
This are all the configured rules for the LAN i/f:
`
* * * LAN_em0 Address 443, 80, 22 * Anti-Lockout Rule
IPv4+6 ICMP LAN_em0 net * This Firewall * *
IPv4+6 ICMP This Firewall * LAN_em0 net * *
IPv4+6 ICMP LAN_em0 net * * * * Allow ICMP from LAN
IPv4 * LAN_em0 net * * * * Default allow LAN to any rule
IPv6 * LAN_em0 net * * * * Default allow LAN IPv6 to any rule
`
I do not understand why the default rules provided by OPNsense are not employed as they are stated. There is no indication that '*' excludes the IPv4 address of the FW LAN i/f itself. Evidently there are hidden rules which override the expected behaviour of those specified on the interface. Otherwise, why does ping not work right out of the box?
-
Yepp, simply let out the ports, but it's * *
Try "allow any any" right up on the top of the list. Save your config and reset the sense to factory. Try a fresh install. It's not the software ;-)
-
> Try "allow any any" right up on the top of the list.
> Save your config and reset the sense to factory. Try a fresh install. It's not the software ;-)
I have done that twice now and the result has been the same. The default rules do not permit ping to work on the LAN i/f. I am attaching a dump of the pf rule set created by the configuration shown previously. Maybe there is aomething in there that someone can see but I cannot.