No ping from WAN to OPT1 (outbound NAT is disabled)

Started by alex.p, May 26, 2020, 01:48:11 PM

Hi, Team!

I am dealing with strange behavior that I do not understand.

Here is my setup:

1. OPNsense has 4 interfaces:
LAN  10.10.0.254 /24
WAN  10.10.10.1  /24
OPT1 10.10.1.254 /24
OPT2 10.10.2.254 /24


2. WAN gateway (not OPNsense, used as upstream gateway):
WAN_GW 10.10.10.254

3. Outbound NAT is disabled.

4. WAN_GW has 3 interfaces:
GLOBAL_WAN <Public IP>
LOCAL_WAN  10.10.10.254/24
OTHER_NET  10.10.100.254/24


5. WAN_GW has static route:
10.10.0.0/22 via 10.10.10.1

6. There is a host in WAN:
WAN_HOST:
IP 10.10.10.15/24
GW 10.10.10.1



The issue:

1. I am able to ping 10.10.2.1 (OPT2 host) from a host in OPT1. The trace is:
10.10.1.254 (OPNsense)
10.10.2.1   (host)


2. I am also able to ping 10.10.2.1 from a host in OTHER_NET. The trace is:
10.10.100.254 (not OPNsense)
10.10.10.1    (OPNsense)
10.10.2.1     (host)


3. But I am not able to ping 10.10.2.1 from WAN_HOST (request timed out). The trace shows only timed-out hops.

There are only 3 rules (all are floating) except automatically generated ones:
Allow from source 10.10.100.0/24 to destination 10.10.0.0/22 for WAN  interface
Allow from source  10.10.10.0/24 to destination 10.10.0.0/22 for WAN  interface
Allow from source   10.10.1.0/24 to destination 10.10.0.0/22 for OPT1 interface


Nothing changes if I add the following rule:
Allow from any source to any destination

Does anyone have any suggestions on what's going on? I suggest this is either some default rule issue or some routing issue, but I am not sure.

Most likely yet another case of the fantastic default reply-to behaviour. Disable reply-to in Firewall / Settings / Advanced and you should be good.

For some fun reading, you might want to search the forum and / or GitHub for "reply-to"...

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
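The behaviour behind Maurice's answer can be made visible with a small model. pf's reply-to sends the reply half of a state back to the gateway of the interface on which the state was created, instead of consulting the routing table; OPNsense attaches reply-to to rules on interfaces that have a gateway configured, which here is only WAN. The script below is an added example, not code from the thread or from OPNsense: it builds a constructed forwarding table from the interface list in the post, assumes three sender addresses (one per case), and shows for each case where the echo reply is handed off with reply-to enabled and disabled. The one case where reply-to diverts the reply away from the routed path is exactly the WAN_HOST case that times out.

```python
import ipaddress

# Constructed model of the topology in the post (not OPNsense code).
# OPNsense forwarding table: directly connected /24s plus a default route
# via WAN_GW. A next hop of None means "deliver directly on the link".
ROUTES = {
    "10.10.0.0/24": ("LAN", None),
    "10.10.10.0/24": ("WAN", None),
    "10.10.1.0/24": ("OPT1", None),
    "10.10.2.0/24": ("OPT2", None),
    "0.0.0.0/0": ("WAN", "10.10.10.254"),
}

# Interfaces with a gateway configured. OPNsense attaches reply-to to rules
# on such interfaces, so replies for states created there go to this gateway
# regardless of what the routing table says.
IFACE_GATEWAY = {"WAN": "10.10.10.254"}

# Assumed sender addresses for the three cases in the post.
CASES = {
    "OPT1_HOST": "10.10.1.10",        # case 1: works
    "OTHER_NET_HOST": "10.10.100.7",  # case 2: works
    "WAN_HOST": "10.10.10.15",        # case 3: request timed out
}


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (interface, next_hop_ip)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, (iface, gw) in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    _, iface, gw = best
    # Directly connected destination: hand the packet to the host itself.
    return (iface, gw if gw is not None else dst)


def reply_next_hop(state_iface, reply_dst, reply_to_enabled):
    """Where pf sends the echo reply for a state created on state_iface."""
    if reply_to_enabled and state_iface in IFACE_GATEWAY:
        return (state_iface, IFACE_GATEWAY[state_iface])
    return lookup(reply_dst)


def analyse(reply_to_enabled):
    """Per case: ingress interface, routed next hop, actual next hop, diverted flag."""
    result = {}
    for name, src in CASES.items():
        ingress, _ = lookup(src)   # interface the echo request arrived on
        routed = lookup(src)       # where the routing table would send the reply
        actual = reply_next_hop(ingress, src, reply_to_enabled)
        result[name] = {
            "ingress": ingress,
            "routed": routed,
            "actual": actual,
            "diverted": actual != routed,
        }
    return result


def diverted_cases(reply_to_enabled):
    """Names of cases whose reply leaves on a different next hop than routing would pick."""
    return sorted(n for n, r in analyse(reply_to_enabled).items() if r["diverted"])


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"reply-to {'enabled' if enabled else 'disabled'}:")
        for name, r in analyse(enabled).items():
            flag = "  <-- reply diverted away from the direct path" if r["diverted"] else ""
            print(f"  {name:15s} in via {r['ingress']:4s} reply -> {r['actual'][1]}{flag}")
```

With reply-to enabled the reply to 10.10.10.15 is handed to 10.10.10.254 even though the host sits on the same /24 as the WAN interface; for the OTHER_NET sender the gateway is the routed next hop anyway, and the OPT1 interface has no gateway, so those two cases are unaffected. After disabling reply-to under Firewall / Settings / Advanced, the model picks the direct next hop for every case, which matches the fix in the answer.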