opnsense 25.1.3 erroneously dropping LAN to WAN outbound traffic

Started by hharry, March 28, 2025, 11:49:46 AM

OPNsense 25.1.3-amd64 is erroneously dropping LAN to WAN outbound traffic, even though the WAN interface rule 'let out anything from firewall host itself (force gw)' is administratively configured to permit outbound traffic.

A LAN side device is attempting to ping 8.8.8.8 via SNAT to the WAN side interface, and OPNsense is erroneously dropping the traffic. OPNsense is a very basic deployment, with default WAN side F/W rules.

LAN -->Opnsense_LAN vmx0. SNAT to .Opnsense_WAN vmx1(pppoe0)--->---WAN

Any ideas?

WAN source IP redacted for security reasons.


It's a very strange issue: only 1 device on the same LAN side 10.0.0.0/24 subnet is affected. All other devices' traffic is not dropped.



OPNsense 25.1.7_4-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
Basic non-complex install with frr, IDS and sftp-backup plugins

So I did some pcaps on the OPNsense LAN (vmx0) interface, and found the device sends the ICMP echo requests with sequence number = 0 and does not increment it. Is this the trigger for OPNsense to misbehave?


Whilst not an ideal device ICMP ping implementation, sequence number 0 is permitted in IETF RFC 792: https://datatracker.ietf.org/doc/html/rfc792

Seems like a clear OPNsense bug to me.

Is this already a known OPNsense bug?

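The pcap finding above (echo requests whose sequence number stays at 0) is the kind of thing that is easy to miss by eye in a large capture. The following is an added example, not code from the thread or from OPNsense: a small parser for raw IPv4/ICMP packets that groups echo requests per (source, identifier) and flags any sender whose sequence number never advances. The packets, addresses and identifiers are constructed inline for illustration; with a real capture you would feed it the IP payload of each frame (strip the 14-byte Ethernet header first), which is an assumption about how you read the pcap, not something the block does.

```python
import socket
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """Construct an IPv4 packet carrying an ICMP echo request (test input only)."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload
    # Minimal IPv4 header: version 4, IHL 5, TTL 64, protocol 1 (ICMP), header checksum left 0.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, type, code, ident, seq) for an IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:          # protocol 1 = ICMP
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    return src, dst, icmp_type, code, ident, seq


def audit_echo_sequences(packets, min_samples: int = 3) -> dict:
    """Group echo requests by (src, ident); return senders whose seq never changes.

    Result maps (src, ident) -> the repeated sequence number. A sender needs at
    least min_samples requests before it is judged, so a single probe is not flagged.
    """
    seqs = defaultdict(list)
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, _dst, icmp_type, _code, ident, seq = parsed
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        seqs[(src, ident)].append(seq)
    return {key: s[0] for key, s in seqs.items()
            if len(s) >= min_samples and len(set(s)) == 1}


# Constructed sample: one host pings with seq fixed at 0, another increments normally.
SAMPLE_PACKETS = (
    [build_echo_request("10.0.0.50", "8.8.8.8", ident=1, seq=0) for _ in range(4)]
    + [build_echo_request("10.0.0.20", "8.8.8.8", ident=1, seq=n) for n in range(1, 5)]
)

if __name__ == "__main__":
    for (src, ident), seq in audit_echo_sequences(SAMPLE_PACKETS).items():
        print(f"{src} id={ident}: echo sequence stuck at {seq}")
```

Run against a capture taken on the LAN interface, the flagged (source, identifier) pairs are the hosts worth examining further; a sender that shows up here behaves like the one described in the post, while hosts whose sequence advances normally stay out of the list.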

Quote from: hharry on March 28, 2025, 01:16:23 PM
device sends the ICMP echo requests, with sequence number = 0,

Is this/Are these Windows devices?

There's a bug open in FreeBSD: ICMP echo requests from Windows hosts dropped when NAT'ed.
Deciso DEC740

Quote from: patient0 on March 28, 2025, 01:52:08 PM
Quote from: hharry on March 28, 2025, 01:16:23 PM
device sends the ICMP echo requests, with sequence number = 0,

Is this/Are these Windows devices?

There's a bug open in FreeBSD: ICMP echo requests from Windows hosts dropped when NAT'ed.

Thanks for the reply. The device is an Android smart TV. It's an interesting article, as I do have a number of Windows PCs connected to the same LAN side subnet, and no outbound packets are dropped. Only the outbound ICMP echo traffic from my son's Android TV destined to 8.8.8.8 is always dropped. I have 3 x other Android TVs also on the same subnet that are not affected.


In total I have about 60 LAN side devices, and only 1 device's outbound traffic is dropped by OPNsense.