Author Topic: Ping OPNsense from LAN not working (Read 6660 times)

HExSM · « **on:** February 08, 2021, 10:57:56 am »

Hi everyone,

I use OPNsense as a OpenVPN Gateway behind another firewall. So I have just a LAN interface. The system is running on Hyper-V.

Everything is running fine, except the ping from the LAN network. There I have a monitoring server running, which checks if my servers are running. For testing I created an ANY rule, but ping is still not working.

Action: pass
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: any
Source: any
Destination: any

My OpenVPN clients are able to ping the OPNsense server.

Does anybody have an idea what I do wrong?

Thank you in advance!

Maurice · « **Reply #1 on:** February 09, 2021, 02:27:09 pm »

Does this single interface have a default gateway?

HExSM · « **Reply #2 on:** February 10, 2021, 09:40:26 am »

Yes, the LAN interface has a default gateway. It is the IP of the router which is connected to the WAN.

I captured the packets and it seems that the ping reply is sent to the gateway instead to the client who sent the ping request. But I have no idea what I have to change to fix this problem.

Fright · « **Reply #3 on:** February 10, 2021, 11:08:30 am »

any custom rules created instead of default rules?

HExSM · « **Reply #4 on:** February 10, 2021, 11:34:21 am »

Quote from: Fright on February 10, 2021, 11:08:30 am

any custom rules created instead of default rules?

No. But it seems that the firewall is fine. It seems that routing is the problem, because the reply is sent to the gateway instead to the client who sent the ping.

Maurice · « **Reply #5 on:** February 10, 2021, 01:38:52 pm »

An interface with a default gateway is considered a WAN-type interface. And by default, replies to incoming packets on WAN interfaces always get sent to the default gateway, not to the host which sent the packet. This behaviour can be disabled in the advanced firewall settings (disable reply-to). You might also want to disable force gateway.

Fright · « **Reply #6 on:** February 10, 2021, 02:18:38 pm »

or just leave "Auto-detect" Upstream Gateway in LAN interface settings

HExSM · « **Reply #7 on:** February 10, 2021, 10:21:50 pm »

Quote from: Maurice on February 10, 2021, 01:38:52 pm

An interface with a default gateway is considered a WAN-type interface. And by default, replies to incoming packets on WAN interfaces always get sent to the default gateway, not to the host which sent the packet. This behaviour can be disabled in the advanced firewall settings (disable reply-to). You might also want to disable force gateway.

Thank you very much Maurice! Disabling the reply-to feature was the key to solve my problem!

Quote from: Fright on February 10, 2021, 02:18:38 pm

or just leave "Auto-detect" Upstream Gateway in LAN interface settings

Unfortunatly I did not find that setting, but thank you too Fright!

Author Topic: Ping OPNsense from LAN not working (Read 6660 times)

HExSM

Ping OPNsense from LAN not working

Maurice

Re: Ping OPNsense from LAN not working

HExSM

Re: Ping OPNsense from LAN not working

Fright

Re: Ping OPNsense from LAN not working

HExSM

Re: Ping OPNsense from LAN not working

Maurice

Re: Ping OPNsense from LAN not working

Fright

Re: Ping OPNsense from LAN not working

HExSM

Re: Ping OPNsense from LAN not working