Can't ping my public loopback from the internet

Started by mixtefaste, March 13, 2023, 10:18:02 PM

Hello,

I don't know if someone can help me but, I'm facing a problem.

I have correctly set up a public IP on my Lo1 interface. From this interface I can ping my gateway and the internet (no problem with that).

root@FW-OVH-01:~ # ping -S 51.xx.xx.203 1.1.1.1
PING 1.1.1.1 (1.1.1.1) from 51.xx.28.203: 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=53 time=4.929 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=53 time=4.935 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=53 time=4.961 ms

I want to use this loopback interface to do many things, but first I want to ping it from anywhere, and I don't know why, but I can't manage to do it.

I have set up a rule like this in the WAN Rules section:

Interface : WAN
Direction : In
TCP/IP : ipv4
Protocol : ICMP (any icmp)
Source : any
Destination : Lo1 address
Action : Pass

Even if I do it like this, it's not working:

Interface : Lo1
Direction : In
TCP/IP : ipv4
Protocol : ICMP (any icmp)
Source : any
Destination : Lo1 address
Action : Pass

I don't know what I'm doing wrong, but it doesn't work. It's my first time testing OPNsense. Because it's a stateful FW, I normally don't have to set up an out-direction rule, so...

Thanks in advance to anyone who will take the time to help me.

Any router picks the most suitable interface to send packets based on their routing table. This will only ever be the loopback address if the traffic stays within the router. You can only ping addresses of external interfaces from outside the firewall.

ping -S 51.xx.xx.203 51.xx.xx.203 is the best you can hope for ;)

Regardless, directing traffic to your firewall is dicey from a security standpoint. Traffic should flow through a firewall as much as possible, not originate or terminate there.

Do you want to share a wider scope on the issue that you are addressing?

Bart...

Hello Bart,

Thank you for your reply. You're right, I can't do it like that because I don't have a proper transit.

I have an OVH server with ESXi on it. My firewall has a public IP on its WAN interface, and I want to use another public IP to separate traffic and do a 1:1 NAT on that one.

So: gateway is 51.xx.xx.254/32, WAN is 51.xx.xx.202/32 and the second IP is 51.xx.xx.203/32.

OVH filters IPs by the assigned MAC address. If I create a Virtual IP on the WAN interface, would I be able to separate the different flows and use it to do a 1:1 NAT?

Quote from: mixtefaste on March 14, 2023, 01:30:20 PM
Gateway is 51.xx.xx.254/32
I'm doubtful - the network between your firewall and the gateway has to have a mask smaller than 32. E.g. class C would be /24. What mask did your provider give you?

You can pick other IPs in the 51.xx.xx.xx/? network for 1:1 NAT, which is always defined in OPNsense from the inside out. E.g. the source would be 192.168.123.123/32 (something on your internal network) and the external network 51.xx.xx.205 without a mask, since the mask is defined on the WAN interface.

Bart...

Yep, because it's a public IP, OVH gives us a /32 address.

Thanks to the "Far Gateway" option, I can access the gateway and the internet. I managed to create my VIP with the .203, and now this IP is accessible from the outside.

Now I just need to figure out how to do my 1:1 NAT on OPNsense.

Thank you for your help, Bart. I will close the topic :D
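The routing point Bart makes (the kernel picks the outgoing interface by longest-prefix match, and a gateway is only usable if it is itself reachable over a directly connected route) is what the "Far Gateway" option works around when the provider hands out a /32: the gateway .254 is not inside the WAN prefix, so without an extra host route the default route cannot be resolved. The following is an added example, not code from the thread, OPNsense or FreeBSD. It models a routing table with longest-prefix lookup and recursive next-hop resolution, and shows the table with and without the far-gateway host route. The addresses are stand-ins from the 203.0.113.0/24 documentation range (TEST-NET-3) with the same last octets as in the thread, and the interface names vmx0/lo0 are assumed.

```python
"""Longest-prefix-match routing with next-hop resolution.

Added example (not OPNsense/FreeBSD code). Shows why a /32 WAN address needs
a host route to the gateway ("far gateway") before the default route works.
Addresses are constructed stand-ins from 203.0.113.0/24, not the poster's
real 51.x.x.x block; interface names vmx0 and lo0 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Stand-in addresses mirroring the thread's layout (.254 gateway, .202 WAN, .203 VIP)
GATEWAY = IPv4("203.0.113.254")
WAN_IP = IPv4("203.0.113.202")
VIP = IPv4("203.0.113.203")
WAN_IFACE = "vmx0"


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    gateway: Optional[IPv4] = None  # None means directly connected (on-link)


def lookup(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def resolve(table: List[Route], dst: IPv4, max_hops: int = 8) -> Optional[Tuple[str, IPv4]]:
    """Resolve dst to (outgoing interface, next hop to ARP for).

    A route's gateway must itself match a directly connected route; otherwise
    the host has no link on which to reach it. If the chain of gateways never
    lands on a connected route (e.g. the default route points at an address only
    covered by the default route itself), the destination is unreachable.
    """
    hop = dst
    for _ in range(max_hops):
        r = lookup(table, hop)
        if r is None:
            return None
        if r.gateway is None:
            return (r.iface, hop)
        hop = r.gateway  # find out how to reach the gateway itself
    return None  # looped through the default route without reaching a link


def far_gateway_route(gateway: IPv4, iface: str) -> Route:
    """Host route that declares the off-prefix gateway to be on-link on iface."""
    return Route(Net(f"{gateway}/32"), iface)


def build_table(far_gateway: bool) -> List[Route]:
    """Routing table of a firewall whose provider assigned a /32 WAN address.

    Local addresses (WAN IP, loopback/VIP) are host routes via lo0, as the
    kernel installs for its own addresses. There is no on-link /24, so the
    gateway is only reachable if the far-gateway host route is present.
    """
    table = [
        Route(Net("0.0.0.0/0"), WAN_IFACE, gateway=GATEWAY),  # default route
        Route(Net(f"{WAN_IP}/32"), "lo0"),                    # our own WAN address
        Route(Net(f"{VIP}/32"), "lo0"),                       # Lo1 / VIP address
    ]
    if far_gateway:
        table.append(far_gateway_route(GATEWAY, WAN_IFACE))
    return table


if __name__ == "__main__":
    for fg in (False, True):
        t = build_table(far_gateway=fg)
        print(f"far gateway={fg}: 1.1.1.1 ->", resolve(t, IPv4("1.1.1.1")))
        print(f"far gateway={fg}: {VIP} ->", resolve(t, VIP))
```

Without the host route, resolving 1.1.1.1 hits the default route, tries to resolve the gateway, and lands on the default route again, so the lookup never reaches an interface. With the /32 host route the gateway is on-link via vmx0 and the default route becomes usable. The VIP resolves to lo0 on the firewall itself, which is the other half of Bart's point: the firewall reaches its own addresses locally, but whether the outside world reaches them depends on the provider routing that /32 towards the WAN MAC, not on any firewall rule.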