Messages - byrnejb

#1
18.7 Legacy Series / Re: Cannot ping firewall from LAN
January 17, 2019, 10:06:42 PM
> Try "allow any any" right up on the top of the list.
> Save your config and reset the sense to factory. Try a fresh install. It's not the software ;-)

I have done that twice now and the result has been the same.  The default rules do not permit ping to work on the LAN i/f.  I am attaching a dump of the pf rule set created by the configuration shown previously.  Maybe there is something in there that someone can see but I cannot.
#2
18.7 Legacy Series / Re: Cannot ping firewall from LAN
January 17, 2019, 09:45:00 PM
You used this rule:

Pass IPv4 ICMP (type: any) <respective net> This firewall

The rule I used was this:

`IPv4+6 ICMP    LAN_em0 net    *    This Firewall    *    *       `

With this rule I can ping the WAN i/f IPv4 address but not the LAN i/f IPv4.  I do not see the difference between your rule and mine, other than you have left out the * for the source and destination ports and the gateway.  I assume that this is for brevity since I cannot find any way of configuring an OPNsense rule without some value for source, destination and associated ports.

These are all the configured rules for the LAN i/f:

| Proto | Source | Port | Destination | Port | Gateway | Description |
|---|---|---|---|---|---|---|
| * | * | * | LAN_em0 Address | 443, 80, 22 | * | Anti-Lockout Rule |
| IPv4+6 ICMP | LAN_em0 net | * | This Firewall | * | * | |
| IPv4+6 ICMP | This Firewall | * | LAN_em0 net | * | * | |
| IPv4+6 ICMP | LAN_em0 net | * | * | * | * | Allow ICMP from LAN |
| IPv4 * | LAN_em0 net | * | * | * | * | Default allow LAN to any rule |
| IPv6 * | LAN_em0 net | * | * | * | * | Default allow LAN IPv6 to any rule |

I do not understand why the default rules provided by OPNsense are not employed as they are stated. There is no indication that '*' excludes the IPv4 address of the FW LAN i/f itself.  Evidently there are hidden rules which override the expected behaviour of those specified on the interface.  Otherwise, why does ping not work right out of the box?


#3
18.7 Legacy Series / Re: Cannot ping firewall from LAN
January 17, 2019, 08:37:46 PM
I am having exactly the same problem.  I have managed to get outbound pings to pass through the FW with this rule on the LAN i/f:

`IPv4+6 ICMP    LAN_em0 net    *    *    *    *       Allow ICMP from LAN`

But that does not allow pings to the FW LAN i/f address from inside the LAN.  I tried adding this rule to the top as well:

`IPv4+6 ICMP    LAN_em0 net    *    This Firewall    *    *       `

Which had no effect whatsoever.  I have looked at the resulting PF rules and see reams of rules for ipv6-icmp, but for ipv4 I see only this:

```
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"

pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
```

I then added the following rule and placed it immediately following the first rule given above:

`IPv4+6 ICMP    This Firewall    *    LAN_em0 net    *    *       `

which gave me this:

```
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"

pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (self) to (em0:network) keep state label "USER_RULE"

pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
```

But this had no effect either.  The only way that I can ping the FW host is if I shut down the FW application.  Then I can ping normally.

I am not interested in debating the merits of allowing ICMP requests on a FW.  I wish to do so and I would like someone to provide me with clear instructions as to how this is accomplished on OPNsense 18.7, since it is evidently beyond my abilities to figure this out on my own.
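To check what a visible ruleset actually does with a given packet, here is an added example (not from this thread or from OPNsense) that parses the `pfctl -sr` lines quoted in this post and applies pf's match order: last match wins unless a matching `quick` rule ends the search, and no match means pass. The LAN network and firewall addresses behind `(em0:network)` and `(self)` are constructed placeholders.

```python
import ipaddress
import re

# Constructed address plan (not from the post): em0 is the LAN, (self) = LAN + WAN addresses.
ADDRS = {
    "(em0:network)": [ipaddress.ip_network("192.168.1.0/24")],
    "(self)": [ipaddress.ip_network("192.168.1.1/32"), ipaddress.ip_network("198.51.100.10/32")],
    "any": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
}
# The three rules quoted in the post, exactly as pfctl -sr printed them.
PF_RULES = """\
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (self) to (em0:network) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
"""

RULE_RE = re.compile(
    r'^(?P<action>pass|block) (?P<dir>in|out)(?P<quick> quick)? on (?P<iface>\S+)'
    r'(?: reply-to \([^)]*\))?(?: (?P<af>inet6?))?(?: proto (?P<proto>\S+))?'
    r' from (?P<src>\S+) to (?P<dst>\S+)(?: .*?)?(?: label "(?P<label>[^"]*)")?$'
)

def parse_rules(text):
    """Parse pfctl -sr style lines; raise on syntax the regex does not cover instead of skipping it."""
    matches = [RULE_RE.match(ln.strip()) for ln in text.splitlines() if ln.strip()]
    if not all(matches):
        raise ValueError("unsupported rule syntax in ruleset")
    return [m.groupdict() for m in matches]

def _in_set(addr, symbol):
    return any(addr in net for net in ADDRS[symbol])

def rule_matches(rule, iface, src, dst, proto):
    af = "inet" if src.version == 4 else "inet6"
    if rule["iface"] != iface or rule["dir"] != "in":  # only inbound flows are modelled here
        return False
    if (rule["af"] and rule["af"] != af) or (rule["proto"] and rule["proto"] != proto):
        return False
    return _in_set(src, rule["src"]) and _in_set(dst, rule["dst"])

def evaluate(rules, iface, src, dst, proto="icmp"):
    """pf order: last match wins, but a matching 'quick' rule ends the search; no match means pass."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = ("pass", "<no matching rule: pf default>")
    for r in rules:
        if rule_matches(r, iface, src, dst, proto):
            verdict = (r["action"], r["label"] or "<unlabelled>")
            if r["quick"]:
                break
    return verdict
```

Run it against the complete `pfctl -sr` output rather than an excerpt: the verdict is only as good as the ruleset it sees, and the three quoted rules alone pass an echo request from the LAN to the LAN address.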