SOLVED: Why no responses to ICMP from one subnet?

[seamus]

NOTE: You won't find the solution here. Instead, look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

I've just added an embedded device to my network that configures itself to use 192.168.6.0 network. The balance of my LAN is all on 192.168.1.0 and it has worked fine for years. I've added static routes in OPNsense to accomodate the new 192.168.6.0 subnet, and this seems to be working just fine - hosts on both subnets are able to connect to each other.

But I've run into what seems (to me) to be an odd problem - from a host on the 192.168.6.0 subnet I can ping hosts on the 192.168.1.0 subnet & all works fine. I can ping hosts on the Internet from 192.168.1.0 subnet as usual. However pinging hosts on the Internet from 192.168.6.0 subnet gets no reply. I suspect the firewall is blocking, but I don't find anything in the logs that helps isolate this (maybe I'm looking for the wrong things?). It seems that nothing from the 192.168.6.0 subnet is getting through - this based on failures to download webpages using `curl` with an IP address.

I have a "pass anything" rule on the LAN interface & use automatic outbound NAT generation rules. What could be blocking my replies originating in the 192.168.6.0 subnet?

[lfirewall1243]

What does the live log say while pinging?

[seamus]

What does the live log say while pinging?

Filtering on protoname=icmp, I see 1 (one) icmp going out on WANem0 from src 192.168.6.2 (green) in response to that unsuccessful attempt

**AND**

I see 1 (one) icmp going out on WANem0 from src 136.53.77.100 (green) in response to a successful attempt originating on host at 192.168.1.178

The differences I see in these 2 log entries are the source address for the successful ping is my external IP, whereas it's the internal IP for the unsuccessful one. And there's a "(force gw)" designation in the label for the successful ping attempt.

Here's a screenshot in case that's not clear:

[lfirewall1243]

What does the live log say while pinging?

Filtering on protoname=icmp, I see 1 (one) icmp going out on WANem0 from src 192.168.6.2 (green) in response to that unsuccessful attempt

**AND**

I see 1 (one) icmp going out on WANem0 from src 136.53.77.100 (green) in response to a successful attempt originating on host at 192.168.1.178

The differences I see in these 2 log entries are the source address for the successful ping is my external IP, whereas it's the internal IP for the unsuccessful one. And there's a "(force gw)" designation in the label for the successful ping attempt.

Here's a screenshot in case that's not clear:

So nothin happening there when you make the unsuccessful ping

[seamus]

So nothin happening there when you make the unsuccessful ping

Maybe the problem is with my routing? Here's a shot of the route I added to allow the embedded device (aka pocketbeagle) to be found on the LAN:

[lfirewall1243]

So nothin happening there when you make the unsuccessful ping

Maybe the problem is with my routing? Here's a shot of the route I added to allow the embedded device (aka pocketbeagle) to be found on the LAN:

That means everything from the 192.168.6.0 network is going to that thing. So not to the Internet

[seamus]

So nothin happening there when you make the unsuccessful ping

And here's a shot of the status of all ipv4 routes:

[lfirewall1243]

So nothin happening there when you make the unsuccessful ping

And here's a shot of the status of all ipv4 routes:

That will not work

[lfirewall1243]

Delete that route. And create a Rule with Gateway selected, for the traffic you want to go to that device.

[seamus]

Delete that route. And create a Rule with Gateway selected, for the traffic you want to go to that device.

Not following you exactly...

so - delete the route for 192.168.6.0?

...and add a firewall rule with Gateway selected? Could you be a little more specific?

How will other hosts on the network find 192.168.6.0 hosts without a route on 192.168.1.1?

[lfirewall1243]

Yeah delete the route.

Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there

[seamus]

Yeah delete the route.

Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there

OK - I'll try that now. In the meantime, could you please look at the attached network diagram I've made to confirm it doesn't change your advice?

[seamus]

Yeah delete the route.

Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there

I'm confused...

1. I don't see how to create a rule on the 192.168.6.0 network - it's the destination, and there doesn't seem to be a way to specify this network as the destination?


2. when you say "use the Pocketeagle-Gateway there", do you mean the WiFi interface on macbuntupro (192.168.1.104)?

[lfirewall1243]

On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.

So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.

[lfirewall1243]

Do a tracert from a 6.0 device. Than you will see where your Packets are going and where they stop