General Discussion / Unable to ping devices behind interface OPT1
« on: October 08, 2022, 04:29:00 am »
Good evening,
This is a huge head-scratcher and I'm hoping that maybe you can share some ideas, because I feel like maybe I'm being too narrow-minded here.
At work an old WatchGuard firewall died, which was being used for connecting two networks and filtering packets between them.
I've done this in my homelab with OPNsense, so I thought it'd be easy to put together a desktop with an Intel NIC with two ports, set them up as LAN and OPT interfaces and configure rules between the two of them. But, alas, here I am asking for help after 8 hours of head banging alone.
I attached a simple diagram to this post: this is a setup patching two Layer 2 networks using copper uplinks to a Cisco switch (using an access VLAN) and another Cisco switch maintained remotely by a sister company. Both uplinks are Gigabit interfaces.
The WAN interface was assigned to the onboard NIC, which I disabled.
To simplify the testing I decided, first, to create a Rule in the LAN Interface that allows any traffic to all the other networks, and same for the OPT1 interface.
With this setup, I am able to do the following:
* OPT1 interface can ping the LAN interface IP address (192.168.96.2) and any other IP addresses in its range (subnet mask /20).
* LAN interface can ping the OPT1 interface IP address (172.16.16.110) but none of the IP addresses available in its range (subnet mask /24).
I didn't see any packets blocked in the Firewall logs, but I disabled all the Packet Filtering from the Advanced menu under Firewall\Settings.
Same issue.
Traceroute tests:
* Traceroutes from the OPT1 interface to addresses in the LAN interface exit the firewall and immediately reach the subnet gateway (outside of OPNsense), then reach those IP addresses' subnets successfully.
Here's an excerpt:
# /usr/sbin/traceroute -w 2 -n -m '10' -s '172.16.16.110' '192.168.100.12'
traceroute to 192.168.100.12 (192.168.100.12) from 172.16.16.110, 10 hops max, 40 byte packets
1 192.168.96.1 3.018 ms 0.900 ms 1.076 ms
2 172.16.14.2 1.051 ms 0.680 ms 0.657 ms
********
(I skipped the remaining steps)
* Traceroutes from the LAN interface to addresses in the OPT1 interface show nothing at all:
# /usr/sbin/traceroute -w 2 -n -m '10' -s '192.168.96.2' '172.16.16.15'
traceroute to 172.16.16.15 (172.16.16.15) from 192.168.96.2, 10 hops max, 40 byte packets
1 * * *
2 * * *
3 * * *
As far as I've tested in the past and read from the documentation, there's no need for NAT, static routes or similar when passing traffic between LAN and OPT interfaces. Did I miss something entirely? Am I just tired and not thinking straight?
I'm hoping that a fresh set of eyes will be able to see this more clearly than I do.
Thanks in advance for any input.
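A small script, added here and not part of the original post, that parses the two traceroute excerpts above and labels each run (silent, direct, routed, or an on-link destination that was answered by a gateway) against the interface addressing the post gives; the interface table and the excerpt strings are constructed from the post, and the labels are the script's own.

```python
import ipaddress
import re

# Constructed from the post: the hop lines of the two traceroute runs.
TRACE_OPT1_TO_LAN = """\
traceroute to 192.168.100.12 (192.168.100.12) from 172.16.16.110, 10 hops max, 40 byte packets
 1  192.168.96.1  3.018 ms  0.900 ms  1.076 ms
 2  172.16.14.2  1.051 ms  0.680 ms  0.657 ms
"""
TRACE_LAN_TO_OPT1 = """\
traceroute to 172.16.16.15 (172.16.16.15) from 192.168.96.2, 10 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
"""

# Interface addressing as stated in the post (assumed to be the box's only interfaces).
INTERFACES = {
    "LAN": ipaddress.ip_interface("192.168.96.2/20"),
    "OPT1": ipaddress.ip_interface("172.16.16.110/24"),
}

HEADER = re.compile(r"traceroute to (\S+) \(\S+\) from ([^,\s]+)")
HOP = re.compile(r"^\s*(\d+)\s+(\S+)")

def parse_trace(text):
    """Return (destination, source, hops); a hop is an address string or None for '*'."""
    lines = text.strip().splitlines()
    dst, src = HEADER.match(lines[0]).groups()
    hops = []
    for line in lines[1:]:
        m = HOP.match(line)
        if m:
            hops.append(None if m.group(2) == "*" else m.group(2))
    return ipaddress.ip_address(dst), ipaddress.ip_address(src), hops

def classify(text):
    """Label one run: (label, egress interface name, destination is on-link?)."""
    dst, src, hops = parse_trace(text)
    egress = next(name for name, iface in INTERFACES.items() if src == iface.ip)
    on_link = any(dst in iface.network for iface in INTERFACES.values())
    if all(h is None for h in hops):
        # Nothing answers: probes never left the box, or nothing on the far side
        # has a return route back through it. Check both directions.
        return "silent", egress, on_link
    first = ipaddress.ip_address(hops[0])
    if first == dst:
        return "direct", egress, on_link
    if on_link:
        # A router answered for an address the box should reach on-link: the box
        # forwarded via a gateway instead of delivering directly. Worth investigating.
        return "unexpected-gateway", egress, on_link
    return "routed", egress, on_link
```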