[SOLVED] Unable to ping LAN addresses from firewall

Started by sabersoul1217, December 23, 2023, 04:13:29 AM

December 23, 2023, 04:13:29 AM Last Edit: January 04, 2024, 04:19:26 AM by sabersoul1217
I'm going a little nuts here trying to get my new OPNsense install to even so much as PING anything on my local LAN. I'm trying to set up an LDAP connection to one of my DCs, but ping fails to both, as well as to devices with static IPs on my network (such as my printer or WAPs). Since ping fails, the LDAP connection fails with just the generic LDAP bind error [; Can't contact LDAP server] in the log file. I'm not seeing anything in the firewall logs that it's even trying to connect from the firewall itself to any of my internal devices I try to ping.

I have two internet connections and just the one LAN connection (with two additional VLANs).

OPT1, IGC0 is my primary WAN connection
WAN, IGC1 is my backup WAN connection (both are DHCP, but only my primary gets a public IP because the router provided by the ISP for my backup doesn't support passing through its IP to the firewall)
LAN, IGC2 is my LAN interface with a static IP of 192.168.10.1/24.  All of my internal devices are able to access the internet without issue
The VLANs I'm not concerned about as they only need internet access and they work just fine

I have AD controllers at 192.168.10.15 and .16.  I have Group Policy configured to have the Windows Firewall disabled on domain-joined systems including these DCs.

I do have two port forwards, one for Plex and one for an XMPP server (hosted on DC01 at .15) I run for my wife and me.  These work just fine as well.

Whenever I attempt to ping anything from the firewall to any device on my LAN, it's 100% packet loss, but I can ping these devices and get replies from my laptop.  I'm about to pull my hair out at this.

I don't see anything in the firewall logs to even lead me to believe it's trying to ping or initiate the LDAP connection to either DC on the LAN interface.

I'm happy to provide any screenshots or even my config file (uploaded to a secure source, of course) as needed to help me with this.

If ping on IP address fails from your firewall, you may have something else blocking it (e.g. IDS/IPS).

Back up your config and start from a clean install - primary WAN and LAN only with default rules. Add Plex and Jabber for family harmony and test the ping again.

Add features back in until it breaks, then analyse what broke it.

Bart...

This was a clean install. Your solution makes no sense, as there is nothing on my LAN running IDS/IPS, there are no software firewalls on my LAN, nothing. IDS is not enabled in OPNsense, either.

Go to your servers and check the network profile and logs there. They do not accept ping from anything but domain/private network by default.

December 23, 2023, 05:48:48 PM #4 Last Edit: December 23, 2023, 05:54:34 PM by sabersoul1217
They are set to the domain profile for Windows Firewall, which I have turned off. The firewall can't even ping things like my printer, which I can ping from my servers. I can ping from my laptop to my DCs without issue as well. It is literally just the firewall itself that cannot ping any device on my LAN.

What's the subnet mask/prefix length of your firewall's LAN interface set to?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Bringing this back to the first page just to hopefully get some help.

Quote from: bartjsmit on December 23, 2023, 08:12:22 AM
Back up your config and start from a clean install - primary WAN and LAN only with default rules. Add Plex and Jabber for family harmony and test the ping again.

Add features back in until it breaks, then analyse what broke it.

I agree with bartjsmit. This could be any of many possibilities with your network configuration. We won't find it by guessing. The best way to find out is by backing up your current configuration, resetting to defaults, and configuring again, checking at each step for broken ping. Then you can analyze what it is about that step that's preventing the ping from working. If things get too hairy, or it takes too long, you can always restore your old working configuration from backup and be right back where you were before.

My apologies for being standoffish there. Reinstalling and recreating everything from scratch somehow worked.