LAN - OPT1 Access Problem (Cannot ping)

Started by bugrayuksel, April 26, 2021, 01:34:06 PM

April 27, 2021, 09:58:27 PM #15 Last Edit: April 27, 2021, 10:32:14 PM by bugrayuksel
From LAN to LAN (from Diagnostics):

# /sbin/ping -S '192.168.21.1' -c '4' '192.168.21.10'
PING 192.168.21.10 (192.168.21.10) from 192.168.21.1: 56 data bytes
64 bytes from 192.168.21.10: icmp_seq=0 ttl=128 time=1.678 ms
64 bytes from 192.168.21.10: icmp_seq=1 ttl=128 time=1.599 ms
64 bytes from 192.168.21.10: icmp_seq=2 ttl=128 time=1.599 ms
64 bytes from 192.168.21.10: icmp_seq=3 ttl=128 time=1.618 ms

--- 192.168.21.10 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.599/1.623/1.678/0.032 ms

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From LAN to OPT1 (from Diagnostics):

# /sbin/ping -S '192.168.21.1' -c '4' '10.10.10.25'
PING 10.10.10.25 (10.10.10.25) from 192.168.21.1: 56 data bytes
64 bytes from 10.10.10.25: icmp_seq=0 ttl=64 time=0.330 ms
64 bytes from 10.10.10.25: icmp_seq=1 ttl=64 time=0.308 ms
64 bytes from 10.10.10.25: icmp_seq=2 ttl=64 time=0.370 ms
64 bytes from 10.10.10.25: icmp_seq=3 ttl=64 time=0.454 ms

--- 10.10.10.25 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.308/0.366/0.454/0.056 ms

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From OPT1 to LAN (from Diagnostics):

# /sbin/ping -S '10.10.10.1' -c '4' '192.168.21.10'
PING 192.168.21.10 (192.168.21.10) from 10.10.10.1: 56 data bytes

--- 192.168.21.10 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Cyber Security Expert & Application Developer

It helps to get a screenshot of the rule entry pages if possible.

Can you ping the host on the same subnet?

What is in the Gateway field on the pass rules? 

Hi,

You are right, it's the best way to share screenshots of my configuration.

Here's the Drive URL, you can check everything in here:
https://drive.google.com/drive/folders/1_tgwpCh8nAzGz0gMPBmgwXtyJOpQk2KO?usp=sharing

Additionally, my ISP gives me a CGNAT IP, not a static one. I don't know whether this situation affects this problem.

Thanks everyone.


I have looked these over, and everything seems right.

My only guess is that it's a problem with some static gateway assignment on 192.168.21.10.  If the source that was pinging is outside the subnet, then it will route replies to the locally assigned gateway. (This is generally assigned through DHCP but can be overridden.)

I think you might need to use Wireshark or tcpdump on the interface that is being pinged to see the traffic to/from the interface. You can detect which path is failing and trace out the problem, but I would check the gateway on 192.168.21.10 first.
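
A way to make the tcpdump suggestion above concrete, as an added example that is not from the thread or from OPNsense: it parses tcpdump ICMP lines (a constructed sample below, using the thread's addresses) and reports flows where echo requests reached the captured interface but no echo reply came back, which is consistent with the host sending its reply to the wrong gateway or dropping it. The interface name and timestamps in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of what `tcpdump -ni <lan-if> icmp` could print on the LAN
# interface while the OPT1 -> LAN and LAN -> LAN pings run. Not a real capture.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 1, seq 0, length 64
12:00:02.000100 IP 10.10.10.1 > 192.168.21.10: ICMP echo request, id 1, seq 1, length 64
12:00:03.000100 IP 192.168.21.1 > 192.168.21.10: ICMP echo request, id 2, seq 0, length 64
12:00:03.000300 IP 192.168.21.10 > 192.168.21.1: ICMP echo reply, id 2, seq 0, length 64
"""

# Matches the ICMP echo summary tcpdump prints for IPv4 (with -n, no name lookups).
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def classify_flows(text):
    """Return {(pinger, target): (requests, replies)} from tcpdump ICMP lines.

    Replies travel target -> pinger, so they are folded into the same key
    as the request that caused them.
    """
    flows = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-ICMP-echo or unparseable line
        if m["kind"] == "request":
            flows[(m["src"], m["dst"])][0] += 1
        else:
            flows[(m["dst"], m["src"])][1] += 1
    return {k: tuple(v) for k, v in flows.items()}


def one_way_flows(text):
    """Flows where the target saw echo requests but never answered on this interface."""
    return sorted(k for k, (req, rep) in classify_flows(text).items() if req and not rep)


if __name__ == "__main__":
    for pinger, target in one_way_flows(SAMPLE_TCPDUMP):
        print(f"requests from {pinger} reach {target}, but no reply seen: "
              f"check {target}'s default gateway / host firewall")
```

If the OPT1-sourced requests never appear in the capture at all, the drop is on the OPNsense side (rule or gateway setting) rather than on the host.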

I can't find any details on your hardware. Is it virtual or real? Which type of interfaces?
Kind regards
chemlud

Another question: Have you ever enabled Intrusion Prevention?

LAN (igb0) is shown as disconnected (no carrier). Is this expected / was it unplugged when taking the screenshot?

Quote from: rhubarb on April 28, 2021, 04:57:47 AM
I have looked these over, and everything seems right.

My only guess is that it's a problem with some static gateway assignment on 192.168.21.10.  If the source that was pinging is outside the subnet, then it will route replies to the locally assigned gateway. (This is generally assigned through DHCP but can be overridden.)

I think you might need to use Wireshark or tcpdump on the interface that is being pinged to see the traffic to/from the interface. You can detect which path is failing and trace out the problem, but I would check the gateway on 192.168.21.10 first.

I will try this, thank you very much my friend.

Quote from: chemlud on April 28, 2021, 01:26:35 PM
I can't find any details on your hardware. Is it virtual or real? Which type of interfaces?

It's a physical device with 4 interfaces. Similar to this device: https://www.aliexpress.com/item/32815457324.html

Quote from: rhubarb on April 28, 2021, 04:47:31 PM
Another question: Have you ever enabled Intrusion Prevention?

No, I have never enabled IPS/IDS.

Quote from: Maurice on April 28, 2021, 06:19:37 PM
LAN (igb0) is shown as disconnected (no carrier). Is this expected / was it unplugged when taking the screenshot?

Yes, it's expected. I was trying other interfaces for testing.


I asked because I enabled IPS one time and I started having routing issues. I could never fix it even with a reset. I finally reflashed the OS and started clean. It worked. That's the nuclear option if all else fails. I think mine was a netmap issue.

Thank you very much for your effort. I will try to make a fresh install again.

I just want to ask: is there any way to reconfigure the routes according to the current interfaces and network structure? Is there any terminal command, shell script or anything else?

Thanks,
Sincerely.

Quote from: bugrayuksel on May 03, 2021, 01:23:56 AM
I just want to ask: is there any way to reconfigure the routes according to the current interfaces and network structure? Is there any terminal command, shell script or anything else?

I don't fully understand this question. You can add static routes in the OPNsense UI that redirect certain address ranges to a different interface. (This could be useful for site-to-site VPN, perhaps.) You must be using the "default" gateway in the Firewall Rule to make this work.

You can use the route command in the shell to temporarily change routes. Again, your Firewall Rule must have the gateway set to default.