Pings Failing to Hosts Behind OPTx Interfaces

Started by kagbasi-wgsdac, June 24, 2020, 11:06:49 AM

Good-day folks,

So I have an OPNsense box with three LANs defined as follows:

  • LAN - 10.0.10.1/24
  • OPT1 - 10.0.11.1/24
  • OPT2 - 10.0.12.1/24

The appropriate firewall rules are in place to ensure that devices behind those networks can route out to the Internet and all seems okay - so no issues there.

The problem I'm having is that I am unable to ping a couple of devices on each of those networks (even from the interfaces directly, using the diagnostics tools in the Admin Interface).  These are Wireless Access Points that I'd like to add to my monitoring system and monitor their uptime.  At first I thought that perhaps it was the devices themselves that were rejecting the ping packets; however, I pulled each of them off, connected them to an unmanaged switch and voila, I could ping them.  So the issue appears to be on my OPNsense firewall.

I manage this box remotely using an OpenVPN tunnel, which is configured with the above local networks.  And with this, I am able to successfully ping the interface address of each network (as evidenced below).

C:\Users\kisme>ping 10.0.10.1 && ping 10.0.11.1 && ping 10.0.12.1

Pinging 10.0.10.1 with 32 bytes of data:
Reply from 10.0.10.1: bytes=32 time=15ms TTL=64
Reply from 10.0.10.1: bytes=32 time=15ms TTL=64
Reply from 10.0.10.1: bytes=32 time=15ms TTL=64
Reply from 10.0.10.1: bytes=32 time=16ms TTL=64

Ping statistics for 10.0.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 16ms, Average = 15ms

Pinging 10.0.11.1 with 32 bytes of data:
Reply from 10.0.11.1: bytes=32 time=15ms TTL=64
Reply from 10.0.11.1: bytes=32 time=17ms TTL=64
Reply from 10.0.11.1: bytes=32 time=15ms TTL=64
Reply from 10.0.11.1: bytes=32 time=16ms TTL=64

Ping statistics for 10.0.11.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 17ms, Average = 15ms

Pinging 10.0.12.1 with 32 bytes of data:
Reply from 10.0.12.1: bytes=32 time=15ms TTL=64
Reply from 10.0.12.1: bytes=32 time=15ms TTL=64
Reply from 10.0.12.1: bytes=32 time=15ms TTL=64
Reply from 10.0.12.1: bytes=32 time=15ms TTL=64

Ping statistics for 10.0.12.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 15ms, Maximum = 15ms, Average = 15ms
Unfortunately, a traceroute from one of the interfaces in question fails:

# /usr/sbin/traceroute -w 2 -I  -n  -m '18' -s '10.0.12.1'   '10.0.12.201'
traceroute to 10.0.12.201 (10.0.12.201) from 10.0.12.1, 18 hops max, 48 byte packets
1  * * *
2  * * *
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *
9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
What am I missing here?  Any help/guidance is appreciated, thanks.  Ready and willing to post whatever portions of my config are needed, just ask please.

I just wanted to add a quick update that for the same systems that aren't pingable, I am able to create a port forward to port 80/tcp and reach their web interface without any issues.  Somehow I think my firewall rules aren't allowing the ICMP traffic, but I'm just not seeing where the problem is coming from.

Look at your FW live logs in OPNsense and filter by "block" or by the device IP and see what rule is causing the issue, if any.
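As an added example (not from anyone in this thread), here is a small filter over OPNsense filterlog lines that does what the reply above suggests: pick out the entries for a given host and action and show which rule label produced them. The CSV field order is assumed from the pf filterlog format and the log lines are constructed, so check both against the filter log on your own box.

```python
import csv
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the pf filterlog CSV layout (assumed field order:
# rulenr,subrulenr,anchor,label,interface,reason,action,direction,ipversion,
# tos,ecn,ttl,id,offset,flags,protoid,proto,length,src,dst,proto-specific...).
# Hosts mirror the thread: 10.0.12.1 is OPT2, 10.0.12.201 is an access point.
SAMPLE_LOG = """\
5,,,1000000103,igb2,match,block,in,4,0x0,,64,1234,0,DF,1,icmp,84,10.0.12.201,10.0.12.1,request,7,1
77,,,1588600001,igb2,match,pass,out,4,0x0,,64,1235,0,DF,1,icmp,84,10.0.12.1,10.0.12.201,request,8,1
5,,,1000000103,igb2,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,10.0.12.201,10.0.12.1,443,80,0,S,1,,65535,,mss
"""


@dataclass
class Entry:
    rule: str        # rule number in the loaded ruleset
    label: str       # rule label/id, the value to search for in the GUI
    iface: str       # interface the packet was seen on
    action: str      # pass / block
    direction: str   # in / out relative to the interface
    proto: str
    src: str
    dst: str


def parse_filterlog(text: str) -> List[Entry]:
    """Parse IPv4 filterlog rows; IPv6 rows use a different layout and are skipped."""
    entries = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 20 or row[8] != "4":
            continue
        entries.append(Entry(row[0], row[3], row[4], row[6], row[7],
                             row[16], row[18], row[19]))
    return entries


def filter_entries(entries: List[Entry], host: Optional[str] = None,
                   action: Optional[str] = None) -> List[Entry]:
    """Keep entries involving `host` (as src or dst) and matching `action`, if given."""
    return [e for e in entries
            if (host is None or host in (e.src, e.dst))
            and (action is None or e.action == action)]


def blocking_rules(entries: List[Entry], host: str) -> List[str]:
    """Distinct labels of rules that blocked traffic to or from `host`, for GUI lookup."""
    return sorted({e.label for e in filter_entries(entries, host, "block")})
```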

July 10, 2020, 01:52:26 AM #3 Last Edit: July 10, 2020, 07:57:16 AM by kagbasi-wgsdac
I have been looking at the logs and whenever I do a ping I don't see a block.  I have a floating rule to allow ICMP on all interfaces and I see that rule get triggered, but then the ping doesn't go anywhere.

Strange thing is, as you can see in the screenshot below, I am able to ping out to the Internet from that very same device.  But for whatever reason I cannot ping it from the OPT1 interface and it cannot ping the OPT1 interface... weird.

Take a Screenshot of your Rules ;)
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support