Messages - JohanB

#1
I tried without any NAT, just to test from OPNsense to the modem as that is supposed to work without any NAT, however that gives me the same results:
- The reply from the modem is sent incorrectly to the ISP with default WAN interface NAT applied. (The destination IP is the OPNsense IP, but the destination MAC is the ISP gateway.)
(And when making a NAT exception, the reply from the modem is still sent to the ISP, only with the modem IP as source.)

In the end I gave up on using an IP alias and now use a bridge interface.

I removed the IP alias, created a new bridge device on WAN, assigned a new interface to this bridge with the same IP as previously used as alias and this worked without any issue.
First from OPNsense itself and after adding a NAT rule it works from everywhere.

I still can't explain why IP aliases didn't work for me.

#2
Thank you for your quick reply, this is actually the weirdness.

If I ping (or traceroute) the modem from OPNsense itself, it doesn't work (All timeouts), although I can see the requests and replies on the WAN interface.
It doesn't matter if I specify the source IP address or not for ping. (The correct one is used in both cases.)
(Also NAT from the LAN is correctly applied if I ping from an internal host in case you are wondering.)

The virtual IP of OPNsense itself can be pinged successfully, also from the LAN.

Block bogons and private IP addresses are already disabled on the WAN interface. To be sure, I enabled and disabled them again.
In the firewall settings I log everything blocked/passed by the default rules and also in all FW rules themselves. I also have explicit deny rules configured to catch all remaining traffic and log it.

Nevertheless, the outgoing echo request is being logged as accepted and the echo reply traffic should be handled as "related" and therefore never blocked.
State violations are configured to be logged as well, so I would expect to see in the logs if there is something blocking.
(I can also see a FW state being created when trying to access the modem.)

As a test, I temporarily allowed all traffic, both inbound and outbound ICMP traffic, on the WAN interface.
Besides this new outbound rule being matched, it didn't result in any change in behaviour.
I can still see the request and reply on the WAN interface, but still have 100% packet loss for ping from OPNsense itself.

Further analysis showed:

- The received modem reply on the WAN interface is sent back out through the same WAN interface (to the ISP) after being NATed behind the main public IP address. (This is not logged.)
- If I change/add NAT rules, the reply still goes out to my ISP, but with the un-NATed modem address.

Is this a routing problem? After adding the alias IPv4 address in the DHCP config, a new route to this subnet was automatically created on the WAN interface, this looks correct to me.
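One way to confirm the symptom described in these two posts (the modem's reply arrives on WAN and is then re-sent out of WAN towards the ISP gateway) from a packet capture, as an added example that is not part of the thread: the script parses `tcpdump -e -n` style lines and flags frames the firewall itself transmits whose IP destination is one of its own WAN addresses. The capture lines, MAC addresses and the public IP 203.0.113.10 are constructed placeholders; the alias 192.168.100.5 and modem 192.168.100.1 are the thread's own values.

```python
"""Added example (not from the thread): flag packets that OPNsense forwards
back out of the WAN even though their IP destination is the firewall itself,
the symptom described above. Input is tcpdump -e/-n style text; every MAC and
the public IP below are constructed placeholders, not values from the thread."""
import re

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dip>\d+(?:\.\d+){3})(?:\.\d+)?: "
    r"(?P<info>.*)$"
)


def parse_frame(line):
    """Return the fields of one capture line, or None for non-IPv4 lines."""
    m = FRAME_RE.match(line)
    return m.groupdict() if m else None


def find_hairpinned_replies(lines, fw_mac, fw_ips, gw_mac):
    """Frames transmitted by the firewall (src MAC == its WAN MAC) whose IP
    destination is one of its own WAN addresses. A healthy stack never sends
    such a frame; the thread saw them leave towards the ISP gateway MAC."""
    bad = []
    for line in lines:
        f = parse_frame(line)
        if f and f["smac"] == fw_mac and f["dip"] in fw_ips:
            f["towards_gateway"] = f["dmac"] == gw_mac
            bad.append(f)
    return bad


# Constructed capture: request out, modem reply in, then the same reply
# re-sent to the gateway with its source rewritten by outbound NAT.
SAMPLE = """\
10:00:00.000100 02:00:00:aa:aa:01 > 02:00:00:bb:bb:01, ethertype IPv4 (0x0800), length 98: 192.168.100.5 > 192.168.100.1: ICMP echo request, id 7, seq 1, length 64
10:00:00.000400 02:00:00:bb:bb:01 > 02:00:00:aa:aa:01, ethertype IPv4 (0x0800), length 98: 192.168.100.1 > 192.168.100.5: ICMP echo reply, id 7, seq 1, length 64
10:00:00.000450 02:00:00:aa:aa:01 > 02:00:00:cc:cc:01, ethertype IPv4 (0x0800), length 98: 203.0.113.10 > 192.168.100.5: ICMP echo reply, id 7, seq 1, length 64
""".splitlines()
FW_MAC = "02:00:00:aa:aa:01"                 # OPNsense WAN MAC (constructed)
GW_MAC = "02:00:00:cc:cc:01"                 # ISP gateway MAC (constructed)
FW_IPS = {"203.0.113.10", "192.168.100.5"}   # public IP + alias (constructed)

if __name__ == "__main__":
    for f in find_hairpinned_replies(SAMPLE, FW_MAC, FW_IPS, GW_MAC):
        dest = "ISP gateway" if f["towards_gateway"] else f["dmac"]
        print(f"{f['ts']} {f['sip']} > {f['dip']} ({f['info']}) re-sent to {dest}")
```

Feed it the output of a real `tcpdump -e -n -i <wan> host 192.168.100.1` and substitute the firewall's own WAN MAC, its WAN addresses and the gateway MAC from the ARP table; any hit shows the forwarding path, not a firewall rule, is where the reply goes astray.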

#3
Hi,

I have a weird issue and can't figure it out.
Using OPNsense 25.1.10.

Recently, I switched ISPs and have a new modem.
I receive a public IP through DHCP and added a static "Alias IPv4 address" in the WAN DHCP config with the intention to access my modem to gather statistics. That last one is not working.
The IP address of the modem is not configurable, but does not conflict with any IP range already used. (Modem is 192.168.100.1/24 and I use 192.168.100.5/24 as configured IP alias in OPNsense.) The modem is connected directly to an ethernet interface on OPNsense used for WAN. (Internet works fine.)

I added FW and NAT rules to access the IP of the modem, all with logging enabled and I can see expected traffic being logged in the FW live log.
However, no access to the modem is possible and it doesn't respond to ping.
Block private IPs and bogons on the WAN interface is disabled.

To ensure the modem is functional, I configured a new (VLAN) interface in OPNsense and connected the modem temporarily to a switchport with that VLAN set as native VLAN. Then everything works as expected. (Modem is pingable and web interface reachable.)

I've tried various other methods to add an additional IP address on the WAN interface as described in https://forum.opnsense.org/index.php?topic=36936.0 and https://forum.opnsense.org/index.php?topic=33497.0, however none of these work for me, so I suspect there is something wrong with my setup and I can't figure out what.

I reverted back to the IP alias in the DHCP config and did some further troubleshooting, all when the modem is directly connected to the WAN interface and providing internet access:

- Verified by a packet capture on the WAN interface the ICMP echo requests are sent out. (With IP 192.168.100.5 as configured.)
- In fact: I could see the modem is actually responding correctly with ICMP echo replies, there is however no indication OPNsense "sees"/"reacts" on these.
- Same for access to the web interface. Modem correctly responds, but the TCP handshake is never completed as these responses get lost somewhere.
- When there is no ARP mapping for the MAC address of the modem, a correct one is created once access is tried. (So ARP seems to work.)
- If I look at diagnostics/netstat for the WAN interface with the virtual IP, all statistics (sent/received) remain at 0. I expect this to have data.

Any hints at what could be wrong, or what next troubleshooting steps could be?