Cannot ping firewall from LAN

Started by gbds, January 10, 2019, 10:27:05 PM

Hello all, just updated to 18.7.10 and can no longer ping the firewall from my LAN. I can access the web GUI and get online, just cannot ping. Pings from cmd return "Request timed out". Wireshark says "No response seen to ICMP request". From the Web GUI > Interfaces>Diagnostics>Ping, I can ping the firewall itself as well as my laptop, but cannot ping from my laptop to the firewall. I can ping other clients on the LAN just fine.

I even created an ICMP pass rule as follows, but no luck:
Action: Pass
Interface: LAN
TCP/IP Version: IPv4
Protocol: ICMP
ICMP Type: any
Source: LAN net
Destination: This Firewall

Still I get "request timed out" when I ping the firewall's IP from my laptop. Any thoughts?

January 11, 2019, 09:31:02 AM #1 Last Edit: January 11, 2019, 11:01:21 AM by chemlud
...I have an ICMP rule (LAN net to LAN net) (18.7.10 amd64 with LibreSSL) everything is fine, can ping sense on LAN as usual...

(edit due to check of FW rules... **cough**)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hello,

Just wanted to clarify something, on a default LAN interface, you have 'Default allow LAN to any rule'. If you disable it, traffic is blocked without an implicit 'Pass' rule.

Regards

I have added an ICMP pass rule from LAN Net to LAN Net, and double-checked that my "Default allow LAN to any" rule is Enabled. Still getting "Request timed out" when trying to ping the firewall.


Shouldn't matter. It sounds like an issue with something between the OPNsense and your LAN client; it could also be setup-related. It could be anti-spoof kicking in and refusing to answer...

I have a LAN Net to This Firewall as well as a LAN Net to LAN Net ICMP pass rule, neither one seems to make a difference. It also doesn't seem to matter which LAN client I try from. I've tried to ping from a Windows 7 laptop as well as a Macbook running Mojave, I get a timeout either way.

Where would I find anti-spoof settings? Should I check the "bypass firewall rules for traffic on the same interface" box?

Out of curiosity, did you run an ICMP packet capture on the LAN interface to see that the server is actually receiving it? If the server is indeed receiving it but not responding and the appropriate FW rule(s) are set, perhaps you have a network configuration problem?

Possibly the Firewall and Lan clients are on a different subnet?

Hmmm... I ran a packet capture on LAN interface and it does indeed see the ICMP echo request from my laptop. So it's just not responding for some reason. LAN clients (172.20.1.x) and the firewall (172.20.1.1) are on the same subnet, we only have one LAN net.

Does the firewall have a route back to the clients? Did you ping LAN clients from the firewall?

Quote from: gbds
I can ping the firewall itself as well as my laptop, but cannot ping from my laptop to the firewall. I can ping other clients on the LAN just fine.

I see you already tried that, aside from 'possible different subnet', not too sure what would be going on here. The firewall is 172.20.1.1/24?

Could you include a picture of your LAN firewall rules, omitting sensitive bits?
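Two checks suggested in this thread (a LAN-side packet capture to see whether the firewall receives the echo requests and whether it ever answers them, and confirming that client and firewall sit in the same subnet) can be done mechanically. The script below is an added example written for this page, not code from the OPNsense project or from anyone in the thread. It parses tcpdump-style ICMP lines, pairs each echo request with its reply by reversed addresses and matching id/seq, lists the requests that never got an answer, and checks a client address against the firewall's interface network. The capture lines and the addresses 172.20.1.50 and 172.20.1.60 are constructed sample data; only 172.20.1.1/24 comes from the thread.

```python
"""Pair ICMP echo requests with replies from tcpdump-style capture lines
and flag hosts that receive requests but never answer (added example)."""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample capture, modelled on tcpdump's ICMP output as it would
# appear on the LAN interface: two requests to the firewall (172.20.1.1) that
# are never answered, and one request to another LAN host that is answered.
SAMPLE_CAPTURE = """\
22:27:01.000001 IP 172.20.1.50 > 172.20.1.1: ICMP echo request, id 1, seq 1, length 40
22:27:02.000002 IP 172.20.1.50 > 172.20.1.1: ICMP echo request, id 1, seq 2, length 40
22:27:03.000003 IP 172.20.1.50 > 172.20.1.60: ICMP echo request, id 1, seq 3, length 40
22:27:03.000450 IP 172.20.1.60 > 172.20.1.50: ICMP echo reply, id 1, seq 3, length 40
22:27:04.000004 ARP, Request who-has 172.20.1.1 tell 172.20.1.50, length 28
"""

# Matches the fields we need from an ICMP echo line; non-ICMP lines are skipped.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp(capture: str):
    """Yield (src, dst, kind, id, seq) for every ICMP echo line in the capture."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])


def unanswered_requests(capture: str):
    """Return (src, dst, id, seq) for each echo request without a matching reply.

    A reply matches a request when its addresses are the request's swapped
    and id/seq agree, which is what 'No response seen to ICMP request' means.
    """
    pending = OrderedDict()
    for src, dst, kind, ident, seq in parse_icmp(capture):
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
        else:
            pending.pop((dst, src, ident, seq), None)
    return list(pending)


def silent_targets(capture: str):
    """Hosts that received at least one echo request and sent no reply at all."""
    targets = {dst for _, dst, kind, _, _ in parse_icmp(capture) if kind == "request"}
    repliers = {src for src, _, kind, _, _ in parse_icmp(capture) if kind == "reply"}
    return sorted(targets - repliers)


def same_subnet(client: str, firewall_cidr: str) -> bool:
    """True when the client address lies inside the firewall interface's network."""
    return ipaddress.ip_address(client) in ipaddress.ip_interface(firewall_cidr).network


if __name__ == "__main__":
    for req in unanswered_requests(SAMPLE_CAPTURE):
        print("no reply:", req)
    print("silent hosts:", silent_targets(SAMPLE_CAPTURE))
    print("same subnet:", same_subnet("172.20.1.50", "172.20.1.1/24"))
```

On a real system the capture text would come from the firewall's own LAN-interface capture (the web GUI's packet capture or tcpdump with an ICMP filter); if the firewall appears in the silent list while the subnet check passes, the request is reaching the box and the cause is on the firewall side rather than in the path.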

Yes, I can ping my laptop and other LAN clients from the firewall with no packet loss. Just not the other way around.


Did you ever figure out how to fix the problem?

Why would one be so obsessed with pinging the firewall's LAN port? Did I miss something? I have this disabled normally and I don't miss anything...
kind regards
chemlud

Quote from: chemlud on January 16, 2019, 08:50:04 AM
Why would one be so obsessed with pinging the firewall's LAN port? Did I miss something? I have this disabled normally and I don't miss anything...
Could be for when your connection goes down.

I have issues where I have no access to the GUI via IP or name and no internet access - I have to manually check the console by plugging in a keyboard and monitor, which shows the system is still operational but something is blocking connections to the box and the internet from devices on the LAN, which I believe is IDS, as I can ping sites from the console.