can not ping OPNSENSE firewall???

Started by Nasrum Minallah Manzoor, December 18, 2018, 11:04:59 AM

Hi,

I have installed two OPNSENSE firewalls.
One firewall has LAN IP of 172.16.1.1 and the other firewall has LAN IP of 172.16.2.1

Ping fails from the 1st firewall (172.16.1.1) to the 2nd firewall (172.16.2.1).
Ping succeeds from the 2nd firewall (172.16.2.1) to the 1st firewall (172.16.1.1).

Why am I not getting ping in the first scenario?

Any help would be highly appreciated.

Regards,

Nasrum Minallah

Well, let me think about it a little bit.
Normally two hosts in two different subnets can't see each other unless there is a router between them that routes their subnets so that they can communicate.
Now, you should describe your scenario better:

  • where are those 2 firewalls physically installed (same building, same office)?
  • if in the same office, why the need for two firewalls?
  • is there a router between them?
  • have you configured any static route in both firewalls? If yes, how did you do that?

Please provide this basic information as a beginning.

Cheers,
Michele.

Hi Nasrum,

Have you disabled 'block private networks' on the WAN interface(s)?

Bart...

Yes Bart, "block private networks" is disabled on the WAN interface.


Nasrum Minallah

myksto dear, I am using a router in between the two firewalls.

Both are installed in the same building for load balancing purposes and hardware failover as well.


Hi Nasrum,

If ping works one way but not the other, and your routing is fairly simple then routing is unlikely to be your issue. You could have some asymmetric routes but if ping routes there and back one way, then the reverse will be fine.

That leaves NAT and firewall rules. Check that the rules are symmetrical between the two firewalls.

Finally, test with different ping configurations. Enable SSH and open a shell with option 8 to each firewall. Use the ping -S option to try with different source IP addresses, and observe the packet stream on the target with Interfaces, Diagnostics, Packet Capture.

Wireshark is your friend ;-)

Bart...
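
The capture step described in the post above can be checked mechanically. As an added example (not part of the original thread), this Python script pairs echo requests with replies in a capture taken on the target firewall, assuming the capture is available as tcpdump one-line text; the sample lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: capture text as seen on the target firewall (172.16.2.1),
# in tcpdump's one-line ICMP format. Not taken from the original thread.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 172.16.1.1 > 172.16.2.1: ICMP echo request, id 4242, seq 0, length 64
12:00:02.000200 IP 172.16.1.1 > 172.16.2.1: ICMP echo request, id 4242, seq 1, length 64
12:00:05.000300 IP 172.16.2.1 > 172.16.1.1: ICMP echo request, id 977, seq 0, length 64
12:00:05.000900 IP 172.16.1.1 > 172.16.2.1: ICMP echo reply, id 977, seq 0, length 64
"""

ICMP_LINE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def summarize(capture_text):
    """Return {(requester, responder): {"requests": n, "answered": n}}."""
    requests, replies = set(), set()
    for line in capture_text.splitlines():
        m = ICMP_LINE.search(line)
        if not m:
            continue  # skip non-ICMP-echo lines
        tail = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests.add((m["src"], m["dst"]) + tail)
        else:
            # Store the reply under the direction of the request it answers.
            replies.add((m["dst"], m["src"]) + tail)
    stats = defaultdict(lambda: {"requests": 0, "answered": 0})
    for key in requests:
        stats[key[:2]]["requests"] += 1
        stats[key[:2]]["answered"] += key in replies
    return dict(stats)

def diagnose(capture_text, source, target):
    """Classify the source -> target direction from the target's capture."""
    s = summarize(capture_text).get((source, target))
    if s is None:
        # Also hit when NAT rewrote the source address before arrival.
        return "no requests arrived: look upstream (router, source rules, NAT)"
    if s["answered"] < s["requests"]:
        return "requests arrived unanswered: check the target's rules and states"
    return "requests answered here: look at the return path"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE, "172.16.1.1", "172.16.2.1"))
```
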

Maybe this tip can help to fix this problem...

I had problems when trying to PING the firewall. When I started the firewall, for a few moments the PING worked and then a few seconds later it stopped responding. From inside the OpnSense I could PING my Desktop, but from my Desktop I could not PING the Firewall.

My default "Default allow LAN to any rule" was disabled because I want to control all the traffic that comes from my LAN to my WAN.

So, I had to create a specific rule to allow ICMP traffic:

Action: Pass
Interface: LAN
Protocol: ICMP
ICMP type: Echo Request
Source: LAN net
Destination: This Firewall
Description: Allow Ping

After this (and this is important) I needed to run "States Reset" (Firewall->Diagnostics->States Reset) to finally get the correct response of the PING to my Desktop.