Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - penguingl

Pages1
#1
General Discussion / Re: OPNsense does not generate ICMP echo replies on WAN
November 27, 2025, 09:45:36 PM
Quote from: meyergru on November 27, 2025, 10:01:25 AMIDK how you got the <WAN_GATEWAY_IP> into that rule at all, since I do not see where you could select that from the UI. Out of curiosity: How did you do that?

Your rule will never fire this way, because you do not see the packets your rule would select.

The target of a ping would be the WAN IP, which you can select from the dropdown as "WAN address". You could also use "this firewall". Your rule should simply be:

You cannot view this attachment.

If you want to be sure, create it in Floating Rules and move it to the top of the list.


Thanks a lot for the guidance. Removing the gateway from the rule fixed it right away and everything is working now.
I had assumed I needed to select my WAN gateway instead of the default for the rule to apply on the WAN, but that turned out to be the mistake.
Appreciate the help and clear explanation!
#2
General Discussion / OPNsense does not generate ICMP echo replies on WAN
November 26, 2025, 11:56:35 PM
Hi everyone,
I'm running into a strange issue with my OPNsense setup and I'd really appreciate any advice or if anyone has seen something similar.

Environment
OPNsense Version: 25.7.8‑amd64
Topology: single firewall appliance, public IPv4 directly on WAN (no NAT/CGNAT upstream).
LAN side works fine.

Problem
When I ping my WAN IP from an external host, the echo requests reach the firewall, I can see them in tcpdump on re0 (WAN) and in pflog0, and a pf state is created. But the firewall never generates an echo reply. There are no replies visible on lo0 or on re0.
For example, pflog shows just one entry like:
Code Select
rule 83/0(match): pass out on re0: External_IP > WAN_IP: ICMP echo request, id 53, seq 1, length 64 and then nothing else.

Packet capture on re0:
Code Select
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:11:37.187956 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:37.187972 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:38.187028 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:38.187033 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:39.210911 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:39.210918 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:40.234803 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 4, length 64

Firewall rule I added on WAN:
Code Select
pass in quick on re0 route-to (re0 <WAN_GATEWAY_IP>) inet proto icmp all keep state label "5356e56fce90cafaa6b6ebdb3a91031a"
I've tried
Explicit allow rule for all IPv4 ICMP on WAN.
Checked pf states: requests are tracked.
Tried enabling and disabling "force gateway" and "reply‑to" under Firewall > Settings > Advanced. No change.
Verified that LAN pings to the WAN IP work fine (so the address is bound and reachable internally).

At this point I'm not sure what else to check. If you have any suggestions on how to fix this, I'd really appreciate it.
Pages1