20.1 Legacy Series / No ping from WAN to OPT1 (outbound NAT is disabled)
« on: May 26, 2020, 01:48:11 pm »
Hi, Team!
I am dealing with strange behavior that I do not understand.
Here is my setup:
1. OPNsense has 4 interfaces:
Code:
    LAN  10.10.0.254/24
    WAN  10.10.10.1/24
    OPT1 10.10.1.254/24
    OPT2 10.10.2.254/24
2. WAN gateway (not OPNsense, used as upstream gateway):
Code:
    WAN_GW 10.10.10.254
3. Outbound NAT is disabled.
4. WAN_GW has 3 interfaces:
Code:
    GLOBAL_WAN <Public IP>
    LOCAL_WAN  10.10.10.254/24
    OTHER_NET  10.10.100.254/24
5. WAN_GW has static route:
Code:
    10.10.0.0/22 via 10.10.10.1
6. There is a host in WAN:
Code:
    WAN_HOST:
    IP 10.10.10.15/24
    GW 10.10.10.1
The issue:
1. I am able to ping 10.10.2.1 (OPT2 host) from host in OPT1. Tracing is:
Code:
    10.10.1.254 (OPNsense)
    10.10.2.1 (host)
2. I am also able to ping 10.10.2.1 from host in OTHER_NET. Tracing is:
Code:
    10.10.100.254 (not OPNsense)
    10.10.10.1 (OPNsense)
    10.10.2.1 (host)
3. But I am not able to ping 10.10.2.1 from WAN_HOST (request timed out). Tracing has only timed out records.
There are only 3 rules (all are floating) except automatically generated ones:
Code:
    Allow from source 10.10.100.0/24 to destination 10.10.0.0/22 for WAN interface
    Allow from source 10.10.10.0/24 to destination 10.10.0.0/22 for WAN interface
    Allow from source 10.10.1.0/24 to destination 10.10.0.0/22 for OPT1 interface
Nothing changes if I add the following rule:
Code:
    Allow from any source to any destination
Does anyone have any suggestions on what's going on? I suggest this is either some default rule issue or some routing issue, but I am not sure.
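The first thing to rule out when a stateful firewall passes a ping one way and drops it the other is an asymmetric return path, since the filter drops replies for which it holds no state. The following added example (not code from the post or from OPNsense) models the interfaces, the static route and the upstream gateway exactly as listed above, recomputes the three traceroutes, and checks each forward path against its reverse; the OPT1 and OTHER_NET host addresses and the OPT2 host's gateway are not in the post and are assumed.

```python
import ipaddress
# Routing tables reconstructed from the post: "direct" = attached network
# (with the router's own address on it), "via" = next hop.
ROUTERS = {
    "OPNsense": {
        "10.10.0.0/24": ("direct", "10.10.0.254"),
        "10.10.10.0/24": ("direct", "10.10.10.1"),
        "10.10.1.0/24": ("direct", "10.10.1.254"),
        "10.10.2.0/24": ("direct", "10.10.2.254"),
        "0.0.0.0/0": ("via", "10.10.10.254"),  # upstream gateway WAN_GW
    },
    "WAN_GW": {
        "10.10.10.0/24": ("direct", "10.10.10.254"),
        "10.10.100.0/24": ("direct", "10.10.100.254"),
        "10.10.0.0/22": ("via", "10.10.10.1"),  # the static route in the post
    },
}
# Hosts in the three tests; the OPT1/OTHER_NET host addresses and the OPT2
# host's gateway are not in the post and are constructed here.
HOSTS = {
    "OPT1_HOST": {"ip": "10.10.1.1/24", "gw": "10.10.1.254"},
    "OTHER_HOST": {"ip": "10.10.100.10/24", "gw": "10.10.100.254"},
    "WAN_HOST": {"ip": "10.10.10.15/24", "gw": "10.10.10.1"},
    "OPT2_HOST": {"ip": "10.10.2.1/24", "gw": "10.10.2.254"},
}

def lookup(table, dst):
    """Longest-prefix match of dst in one router's table (ValueError if none)."""
    hits = [p for p in table if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    return table[max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)]

def owner(addr):
    """Name of the router that holds this interface address, else None."""
    return next((r for r, t in ROUTERS.items() for k, a in t.values() if k == "direct" and a == addr), None)

def trace(host_name, dst, max_hops=8):
    """Hop addresses a traceroute from host_name to dst would report."""
    host = HOSTS[host_name]
    on_link = ipaddress.ip_address(dst) in ipaddress.ip_interface(host["ip"]).network
    hops = [dst if on_link else host["gw"]]
    while hops[-1] != dst and len(hops) < max_hops:
        kind, addr = lookup(ROUTERS[owner(hops[-1])], dst)  # KeyError if hop is not a router
        hops.append(dst if kind == "direct" else addr)
    return hops

def symmetric(a, b):
    """True if replies from b to a cross the same routers in reverse order."""
    fwd = [owner(h) for h in trace(a, HOSTS[b]["ip"].split("/")[0])[:-1]]
    rev = [owner(h) for h in trace(b, HOSTS[a]["ip"].split("/")[0])[:-1]]
    return fwd == rev[::-1]
```

With the routes as listed, all three paths come out symmetric, so an asymmetric return path can be crossed off before the rules themselves are examined.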

