Messages

1

General Discussion / Re: Question on ICMP Behavior

« on: March 08, 2024, 01:23:59 am »

It really seems weird to me too.

So, I am running OPNsense bare metal on a ZimaBoard. I had heard that FreeBSD and the native RealTech NICs did not play well together, so I got a dual port PCIe Intel NIC to use. My WAN port is connected to my ISP router, so I am double NATed but my research indicated this should not be a problem. My LAN goes out to a Zyxel GS1900 switch. In testing, I have disconnected both the ISP router and the switch and the problem remain, so those are ruled out as the source.

I am using my LAN is untagged going out igb1 and my other VLANS are tagged going out the same interface. So, I went in and assigned the RealTech NICS to T1_LAN and T2_LAN, both untagged. I setup T1 LAN with a default allow any rule and a block all private networks as shown in a previous screen shot. I set up T2_LAN with a default allow any rule to mimic the LAN interface rules.  I still have the same pinging behavior between the two separate networks that are on completely different interfaces.

So, I guess I could try moving my VLANs over to one of the RealTech NICS so that all VLANS are off the same NIC, but I am not sure that will do anything given my test with T1_LAN and T2_LAN. I could get a 4 port Intel NIC and see if that helps any. As a last resort, I could get an entire different hardware platform to see if that makes any difference.

Again, thanks so much for your help. I am sure I will eventually figure it out.

2

General Discussion / Re: Question on ICMP Behavior

« on: March 08, 2024, 12:03:43 am »

Ok, attached are the only NAT rules that are in place and the floating rules. In both cases, I have added nothing, just the default configuration.

I enabled logging on the T1_LAN interface block local networks rule, and when I ping from a machine on that interface, I see nothing in the log with a source IP address matching the computer that I pinged from.

Thanks again

3

General Discussion / Re: Question on ICMP Behavior

« on: March 07, 2024, 09:44:00 pm »

meyergru,

Well, I thought I understood it all. I created a new interface T1_LAN to test some of this. Attached is what I have for rules on this interface right now (one with auto-generated rules shows, one without). The PrivateNetworks source is the RFC1918 private network addresses. This did not fix the situation. I am getting the same exact behavior.

I have watched so many videos and read so much on this. I though I had the in/out concept down, but obviously that might not be the case. As far as first/last match, I have that. I also think I pretty much have the priorities down.

I know this is something that I just don't understand or something that I am overlooking. I appreciate the help in looking at this and attempting to educate me on the concepts.

4

General Discussion / Re: Question on ICMP Behavior

« on: March 07, 2024, 08:20:40 pm »

meyergru,

I tried adding an block all protocols from my other VLANS to the LAN rule set ahead of the allow LAN to any rule, and I still get the same behavior.

I guess I am going to have to back-step on my configuration and rule out my switch setup. I guess it could be causing this, but I am pretty sure I have it correct. Oh, the joys of trying of trying to figure out where the problem lies.

5

General Discussion / Question on ICMP Behavior

« on: March 04, 2024, 12:43:08 pm »

Hello all,

Just getting started with OPNsense and trying to make sense of something I am seeing. I am sure this is just a misunderstanding on my part, but I would like to make sure I do not have something set up wrong.

My setup has LAN (192.168.10.*), GUEST (192.168.20.*), IoT (192.168.30.*), and NoT_CAM (192.168.40.*) networks set up with nothing other than the automatically generated rules and the allow LAN to any rules on the LAN network.

Using IoT as an example (all non-LAN networks have this behavior, though), If I first ping from IoT to LAN, I get no return, as would be expected. If I then ping from LAN to IoT I get responses, also as expected. Now, if I immediately go back to IoT and ping LAN I get responses. This is what I was not expecting to happen. If I let the connection sit idle for about 30 seconds, and try the ping from IoT to LAN again, I get no responses.

So, I think this has to do with the stateful nature of the firewall, but I am not sure. Could someone please clarify what is going on here? Also, is there any way to keep this from happening?

Thanks in advance for helping out a newbie.