LAN - OPT1 Access Problem (Cannot ping)

Started by bugrayuksel, April 26, 2021, 01:34:06 PM

Hi everyone,

We've a fresh install with the latest version of OPNsense. I can ping devices from OPT1 -> to -> LAN, but I cannot ping from LAN -> to -> OPT1.

For example:

The laptop in OPT1 has the IP address 10.10.10.21 and can ping the other laptop in LAN, which has the IP address 192.168.21.5. But the opposite direction doesn't work.

PING Result
PING 10.10.10.21 (10.10.10.21): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

Traceroute Result
1  {myhostname.domain} (192.168.21.1)  0.620 ms  0.280 ms  0.302 ms
2  192.168.0.1 (192.168.0.1)  0.612 ms  0.529 ms  0.479 ms
3  * * *
4  * * *
5  * * *
6  * * *
7  * * *
8  * * *

I've configured the system from the terminal and didn't make any changes to the default configs after the Wizard.

Here's the setup:

LAN (igb0)   -> v4: 192.168.21.1/24
OPT1 (igb2) -> v4: 10.10.10.1/24
OPT2 (igb3) -> v4: 172.16.16.1/24
WAN (igb1)  -> v4/DHCP4: 192.168.0.19/24

Additional Notes:

  • No VPN Configuration
  • All firewall rules are ANY ANY for testing and checked from Live View, everything is allowed (no block)
  • All the devices can access the internet without any problems.

Thanks everyone.
Cyber Security Expert & Application Developer

Hi,

Analysis of your traceroute result needs a crystal ball, because the command you typed is missing but would be helpful.

Look at the 2nd hop in your traceroute result. The packet is going to the WAN interface? Looks strange to me.

Regards
Uwe

Hi,

I can ping 10.10.10.1 successfully; but cannot ping 10.10.10.21

All the configuration parameters are default. It's really strange.

Regards.
Cyber Security Expert & Application Developer

Quote from: bugrayuksel on April 26, 2021, 11:59:46 PM
Hi,

I can ping 10.10.10.1 successfully; but cannot ping 10.10.10.21

All the configuration parameters are default. It's really strange.

Regards.

Your ping to 10.10.10.1 is probably a rule set to allow to "This Firewall." The "This Firewall" alias encompasses all firewall interface addresses. Can you post the firewall rule on LAN that should allow this ping? 

I am not familiar with the Wizard defaults.  I tried using Wizard and it seemed broken.

Hi Gary,

Both LAN and OPT1 Firewall Rules are: IPv4 ANY ANY, IPv6 ANY ANY. I put these rules because of this problem.

Also, I've checked the ICMP (ping) request from Firewall -> Log Files -> Live View, it's ALLOWED. Not blocked.

I don't know if IPv6 affects it? All the configs for IPv6 are default after factory reset. Only in the LAN and OPT1 interfaces, I've selected NONE for IPv6 (no static IP or DHCP6, just NONE).

Thank you,
Kind regards.
Cyber Security Expert & Application Developer

Hi everyone again,

I want to add that my ISP doesn't provide IPv6 for my WAN.

When I checked https://ipv6test.google.com, it says that "You don't have IPv6, but you shouldn't have problems on websites that add IPv6 support."

Does this situation affect my internal network configuration? I'm configuring my OPNsense firewall while my WAN port is connected to the modem.

Thanks.
Cyber Security Expert & Application Developer

IPv6 will have zero effect.
From Interface->Diagnostics->Ping, select the OPT1 interface and try pinging 192.168.21.1. Does that work?
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Hi,

I've tried it before.

From the Interface->Diagnostics->Ping:

OPT1 Interface and try pinging  192.168.21.1 -> It works
OPT1 Interface and try pinging  192.168.21.5 -> NOT WORKING

Cyber Security Expert & Application Developer

And you say the only rules you have are Protocol: Any Source: Any Destination: Any on both interfaces?
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: bugrayuksel on April 26, 2021, 01:34:06 PM

Traceroute Result
1  {myhostname.domain} (192.168.21.1)  0.620 ms  0.280 ms  0.302 ms
2  192.168.0.1 (192.168.0.1)  0.612 ms  0.529 ms  0.479 ms


Again: Why is WAN interface the second hop? IF you traceroute to 10.10.10.21? Did you try a fresh install? Would that be possible?

How do you assign IP addresses to the clients, via DHCP or manually? Are you sure all this is correct? What about local firewalls of the clients, do they answer to pings from other machines at the same interface?

regards
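
Added example, not part of any post in this thread: a short Python check of the inconsistency raised above, namely that a traceroute toward 10.10.10.21 should stay on the directly connected OPT1 network instead of passing 192.168.0.1 on the WAN side. The interface table and traceroute lines are copied from the first post; the function names are illustrative, and the check assumes a plain connected-route lookup on the firewall.

```python
import ipaddress
import re

# Interface table and traceroute output copied from the first post.
INTERFACES = {
    "LAN": "192.168.21.1/24",
    "OPT1": "10.10.10.1/24",
    "OPT2": "172.16.16.1/24",
    "WAN": "192.168.0.19/24",
}
TRACEROUTE = """\
1  {myhostname.domain} (192.168.21.1)  0.620 ms  0.280 ms  0.302 ms
2  192.168.0.1 (192.168.0.1)  0.612 ms  0.529 ms  0.479 ms
3  * * *
"""
HOP_RE = re.compile(r"\s*(\d+)\s+\S+\s+\((\d+(?:\.\d+){3})\)")

def connected_interface(ip, interfaces):
    """Name of the interface whose connected network contains ip (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else None

def parse_hops(trace_text):
    """Return (hop_number, ip) for every hop that answered; '* * *' lines are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in map(HOP_RE.match, trace_text.splitlines()) if m]

def off_path_hops(dest, interfaces, trace_text):
    """Hops that are neither the firewall itself nor on the destination's segment."""
    expected = connected_interface(dest, interfaces)
    own = {str(ipaddress.ip_interface(c).ip) for c in interfaces.values()}
    findings = []
    for hop, ip in parse_hops(trace_text):
        segment = connected_interface(ip, interfaces)
        if expected and ip not in own and segment != expected:
            findings.append((hop, ip, segment))
    return expected, findings

if __name__ == "__main__":
    expected, findings = off_path_hops("10.10.10.21", INTERFACES, TRACEROUTE)
    print(f"10.10.10.21 is directly connected via {expected}")
    for hop, ip, segment in findings:
        print(f"hop {hop}: {ip} is on {segment or 'no connected network'}, not {expected}")
```
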

Good point on the ping response... noticed some Windows machines blocking ping responses if the rules are not correct.
OPNsense 25.7a - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on April 27, 2021, 04:03:24 PM
And you say the only rules you have are Protocol: Any Source: Any Destination: Any on both interfaces?

Yes, all the rules are as you mentioned for LAN and OPT1.

Quote from: wurmloch on April 27, 2021, 04:03:42 PM

Again: Why is WAN interface the second hop? IF you traceroute to 10.10.10.21? Did you try a fresh install? Would that be possible?

How do you assign IP addresses to the clients, via DHCP or manually? Are you sure all this is correct? What about local firewalls of the clients, do they answer to pings from other machines at the same interface?

regards

I don't know why the WAN interface is at the second hop. I've installed OPNsense several times. The result is the same.

Both interfaces assign IP addresses via DHCP. Everything is OK, because when 2 machines are in the same network, there is no problem pinging each other and accessing the Internet.

Quote from: marjohn56 on April 27, 2021, 04:06:00 PM
Good point on the ping response... noticed some Windows machines blocking ping responses if the rules are not correct.

When all the laptops are in the same network (on the same switch at the OPT1 or LAN interface), both machines ping each other. There's no problem.
Cyber Security Expert & Application Developer

What about the checkbox in the interface definition concerning "block private / bogon addresses"?

Both of them are unchecked for all interfaces.
Cyber Security Expert & Application Developer

I do not have any other idea, very sorry.