Ping OPNsense from LAN not working

Started by HExSM, February 08, 2021, 10:57:56 AM

Hi everyone,

I use OPNsense as an OpenVPN Gateway behind another firewall. So I have just a LAN interface. The system is running on Hyper-V.

Everything is running fine, except the ping from the LAN network. There I have a monitoring server running, which checks if my servers are running. For testing I created an ANY rule, but ping is still not working.

Action: pass
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: any

My OpenVPN clients are able to ping the OPNsense server.

Does anybody have an idea what I do wrong? :)

Thank you in advance!

Does this single interface have a default gateway?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

February 10, 2021, 09:40:26 AM #2 Last Edit: February 10, 2021, 09:56:59 AM by HExSM
Yes, the LAN interface has a default gateway. It is the IP of the router which is connected to the WAN.

I captured the packets and it seems that the ping reply is sent to the gateway instead of to the client who sent the ping request. But I have no idea what I have to change to fix this problem. :(

any custom rules created instead of default rules?

Quote from: Fright on February 10, 2021, 11:08:30 AM
any custom rules created instead of default rules?

No. But it seems that the firewall is fine. It seems that routing is the problem, because the reply is sent to the gateway instead of to the client who sent the ping.

An interface with a default gateway is considered a WAN-type interface. And by default, replies to incoming packets on WAN interfaces always get sent to the default gateway, not to the host which sent the packet. This behaviour can be disabled in the advanced firewall settings (disable reply-to). You might also want to disable force gateway.
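To make the reply-to behaviour Maurice describes concrete, here is an added example of the two shapes a pf rule can take for this interface. It is constructed for this thread, not copied from OPNsense's generated ruleset, and the interface name hn0, the 192.168.1.0/24 addressing, the upstream router 192.168.1.1 and the monitoring host 192.168.1.50 are all assumed values.

```pf
# Constructed example: a single LAN interface (hn0) that also carries a default gateway.
# Assumed addressing: OPNsense 192.168.1.2/24, upstream router 192.168.1.1,
# monitoring host 192.168.1.50 on the same segment.
lan_if = "hn0"
lan_gw = "192.168.1.1"

# Shape 1: rule on a gateway-bearing ("WAN-type") interface. The state created by the
# incoming echo request carries reply-to, so the echo reply is handed to 192.168.1.1
# regardless of who sent the request. For a requester on the same /24 (192.168.1.50)
# the reply detours via the router instead of going straight back on the segment,
# which is exactly what the packet capture in this thread showed.
pass in quick on $lan_if reply-to ($lan_if $lan_gw) inet proto icmp \
    from any to ($lan_if) icmp-type echoreq keep state

# Shape 2: the same rule with reply-to disabled (the advanced firewall setting named
# in the thread). The reply now follows the routing table: a reply to 192.168.1.50
# leaves directly on the connected /24, and replies to OpenVPN clients still take
# the tunnel route because that prefix is in the routing table too.
pass in quick on $lan_if inet proto icmp \
    from any to ($lan_if) icmp-type echoreq keep state
```

The second shape is the one that matches a single-interface deployment like this: there is only one path out, so nothing is gained by pinning replies to the gateway, and pinning them breaks replies to hosts that are directly connected.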

or just leave "Auto-detect" Upstream Gateway in LAN interface settings

Quote from: Maurice on February 10, 2021, 01:38:52 PM
An interface with a default gateway is considered a WAN-type interface. And by default, replies to incoming packets on WAN interfaces always get sent to the default gateway, not to the host which sent the packet. This behaviour can be disabled in the advanced firewall settings (disable reply-to). You might also want to disable force gateway.

Thank you very much Maurice! Disabling the reply-to feature was the key to solve my problem! :)

Quote from: Fright on February 10, 2021, 02:18:38 PM
or just leave "Auto-detect" Upstream Gateway in LAN interface settings

Unfortunately I did not find that setting, but thank you too Fright! :)