Cannot ping firewall from LAN

Started by gbds, January 10, 2019, 10:27:05 PM

Have you tried pulling the cable from the box, waiting 10 sec and plugging it in again? Helped with my interface blocking with latest suricata in IPS mode on one specific interface.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

IPS is currently off. We intend to turn it back on soon, but having it on currently maxes out the CPU usage (this is a separate problem).

As far as why we want to ping the firewall, it is certainly not mission critical, but it can be helpful when the connection goes down. Mostly I just found it odd that it has always been able to ping before, and then suddenly stopped working.

I have not tried to unplug the firewall and plug it back in yet, will try that and report back. LAN firewall rules are attached:

How about "Gateway" set to * in the ICMP rules?
kind regards
chemlud

Setting the Gateway to "default" vs "WAN_GROUP" doesn't seem to make any difference.

I am having exactly the same problem.  I have managed to get outbound pings to pass through the FW with this rule on the LAN i/f:

`IPv4+6 ICMP    LAN_em0 net    *    *    *    *       Allow ICMP from LAN`

But that does not allow pings to the FW LAN i/f address from inside the LAN.  I tried adding this rule to the top as well:

`IPv4+6 ICMP    LAN_em0 net    *    This Firewall    *    *       `

Which had no effect whatsoever.  I have looked at the resulting PF rules and see reams of rules for ipv6-icmp but for ipv4 I see only this:

```
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
```

I then added the following rule and placed it immediately following the first rule given above:

`IPv4+6 ICMP    This Firewall    *    LAN_em0 net    *    *       `

which gave me this:

```
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (self) to (em0:network) keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"
```

But this had no effect either.  The only way that I can ping the FW host is if I shut down the FW application.  Then I can ping normally.

I am not interested in debating the merits of allowing ICMP requests on a FW.  I wish to do so and I would like someone to provide me with clear instructions as to how this is accomplished on OPNsense 18.7, since it is evidently beyond my abilities to figure this out on my own.
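The three `pfctl -sr` lines quoted above can be checked mechanically for which rule a given packet hits. The script below is an added example, not code from this thread or from OPNsense: it parses those lines and walks them with pf's semantics (last matching rule wins, unless a matching rule is `quick`, which ends evaluation there). The LAN net and LAN i/f address are assumed values; the WAN address is the one that appears in the quoted rules.

```python
import ipaddress
import re

# Constructed sample addresses (assumption, not the poster's network): the LAN net
# behind em0, and the addresses pf expands "(self)" to on this box.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SELF_ADDRS = {ipaddress.ip_address("192.168.1.1"),     # LAN i/f (assumed)
              ipaddress.ip_address("72.142.105.234")}  # WAN i/f (from the thread)

# The three ICMP rules the poster quoted from the generated pf ruleset.
RULES = [
    'pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to (self) keep state label "USER_RULE"',
    'pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (self) to (em0:network) keep state label "USER_RULE"',
    'pass in quick on em0 reply-to (em0 72.142.105.234) inet proto icmp from (em0:network) to any keep state label "USER_RULE: Allow ICMP from LAN"',
]

RULE_RE = re.compile(
    r'^(?P<action>pass|block) in(?P<quick> quick)? on (?P<iface>\S+)'
    r'.*?\binet proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)'
    r'(?:.*?label "(?P<label>[^"]*)")?')

def addr_matches(spec, addr):
    """Resolve a pf address spec ("any", "(self)", "(em0:network)", CIDR) against the tables above."""
    if spec == "any":
        return True
    if spec == "(self)":
        return addr in SELF_ADDRS
    if spec.endswith(":network)"):
        return addr in LAN_NET
    return addr in ipaddress.ip_network(spec, strict=False)

def first_match(rules, iface, proto, src, dst):
    """Evaluate the ruleset the way pf does: the last matching rule wins, unless a
    matching rule is 'quick', which ends evaluation there. Returns (action, label)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    winner = None
    for line in rules:
        r = RULE_RE.match(line)
        if r is None:
            raise ValueError("unparsed rule: " + line)
        if r["iface"] != iface or r["proto"] != proto:
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            winner = (r["action"], r["label"])
            if r["quick"]:
                break
    return winner

if __name__ == "__main__":
    print(first_match(RULES, "em0", "icmp", "192.168.1.50", "192.168.1.1"))
```

Because the first quoted rule already passes ICMP from the LAN net to `(self)`, an echo request that is still dropped is being stopped by something outside those three lines (rules earlier in the full ruleset, or outside pf altogether), which is where a `pfctl -sr` dump of the whole set becomes useful.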


To help you, someone has to reproduce your issue.

OK, I have an interface on the sense not allowing pinging. Test:

```
ping 10.34.0.1
PING 10.34.0.1 (10.34.0.1) 56(84) bytes of data.
^C
--- 10.34.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3078ms
```


No reply. I add the following rule on the interface:

Pass IPv4 ICMP (type: any) <respective net> This firewall

Then:
```
ping 10.34.0.1
PING 10.34.0.1 (10.34.0.1) 56(84) bytes of data.
64 bytes from 10.34.0.1: icmp_seq=1 ttl=64 time=0.428 ms
64 bytes from 10.34.0.1: icmp_seq=2 ttl=64 time=0.476 ms
64 bytes from 10.34.0.1: icmp_seq=3 ttl=64 time=0.427 ms
64 bytes from 10.34.0.1: icmp_seq=4 ttl=64 time=0.219 ms
^C
--- 10.34.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3048ms
rtt min/avg/max/mdev = 0.219/0.387/0.476/0.101 ms
```


What next?

kind regards
chemlud

You used this rule:

Pass IPv4 ICMP (type: any) <respective net> This firewall

The rule I used was this:

`IPv4+6 ICMP    LAN_em0 net    *    This Firewall    *    *       `

With this rule I can ping the WAN i/f IPv4 address but not the LAN i/f IPv4.  I do not see the difference between your rule and mine, other than you have left out the * for the source and destination ports and the gateway.  I assume that this is for brevity since I cannot find any way of configuring an OPNsense rule without some value for source, destination and associated ports.

These are all the configured rules for the LAN i/f:

```
*       *       *    LAN_em0 Address    443, 80, 22    *       Anti-Lockout Rule
IPv4+6  ICMP    LAN_em0 net       *    This Firewall    *    *
IPv4+6  ICMP    This Firewall     *    LAN_em0 net      *    *
IPv4+6  ICMP    LAN_em0 net       *    *                *    *       Allow ICMP from LAN
IPv4    *       LAN_em0 net       *    *                *    *       Default allow LAN to any rule
IPv6    *       LAN_em0 net       *    *                *    *       Default allow LAN IPv6 to any rule
```

I do not understand why the default rules provided by OPNsense are not employed as they are stated. There is no indication that '*' excludes the IPv4 address of the FW LAN i/f itself.  Evidently there are hidden rules which override the expected behaviour of those specified on the interface.  Otherwise, why does ping not work right out of the box?



Yep, I simply left out the ports, but it's * *

Try "allow any any" right up on the top of the list. Save your config and reset the sense to factory. Try a fresh install. It's not the software ;-)
kind regards
chemlud

> Try "allow any any" right up on the top of the list.
> Save your config and reset the sense to factory. Try a fresh install. It's not the software ;-)

I have done that twice now and the result has been the same.  The default rules do not permit ping to work on the LAN i/f.  I am attaching a dump of the pf rule set created by the configuration shown previously.  Maybe there is something in there that someone can see but I cannot.