ping trouble with Opnsense

Started by Vivo, February 14, 2025, 03:50:20 PM

February 14, 2025, 03:50:20 PM Last Edit: February 14, 2025, 04:20:44 PM by Vivo
Hi everyone
I have set up a network with a switch whose ports are configured with tagged VLANs, two PCs on different subnets, and an OPNsense firewall, which I have configured with VLANs, interfaces, routes, and gateways. Attached are some screenshots.

From my PC, located on the LAN at 192.168.120.23, I am trying to ping my other PC at 10.20.0.23, but the response comes from the gateway (192.168.120.250) instead.

However, I can successfully ping my external gateway at 10.20.0.254, which responds correctly.
Additionally, from OPNsense, I can also ping 10.20.0.23 without any issues.
When I run a tracert, it only makes one hop to 192.168.120.254.

There is probably a missing configuration, but I can't figure out what it is.
I would appreciate your help.

Thank you!

What are those gateways supposed to be for? You have a gateway with the same IP address as your firewall's LAN interface (192.168.120.250), for example. You also have some strange-looking routes (what is 192.168.120.254?). I think you may be overthinking things...

February 14, 2025, 04:49:38 PM #2 Last Edit: February 14, 2025, 04:59:24 PM by Vivo
OK, so we don't need to put a gateway on each interface?
I removed all the gateways and the 2 routes; those were a mistake indeed (the 120.254 and 125.254).
But it's still the same: no ping answer from my computer, but from the gateway.

So what ping (source and destination) is failing now? Is there a firewall rule to allow it?

The test interface with the 1.1.1.1 IP seems questionable. It's the IP of Cloudflare's primary DNS server.

It's also not the only interface with /32...

Adding VLANs does not require the manual management of gateways and routes.
Whatever OPN does by default is sufficient for inter-VLAN routing to work.

OTOH, no traffic can get in (from the perspective of the FW) on any VLANs by default.
So if you want to allow ping, you need to at least allow ICMP Echo in on the interface corresponding to the machine from which you initiate ping.
You decide how precise the source and destination are (any or VLAN_net or specific host).

Additionally, the Windows FW blocks ICMP Echo by default.
You need to enable it in the correct profile (private or public). It's under network diagnostics (or something similar).
And that's not it. By default, the rule only allows the source to be in the same subnet, so you'll need to alter the rule itself.



February 17, 2025, 11:15:12 AM #5 Last Edit: February 17, 2025, 02:18:16 PM by Vivo
OK, thanks a lot for your help.
So I deleted the 1.1.1.1 IP of the test interface, and I corrected the /32 on the mgmt interface.

I disabled the FW on both computers so it cannot block me...
I put some floating rules on all the interfaces, any/any, and it's still the same.
I can ping my gateways in and out at 192.168.120.250 and 10.20.0.254, but not the computer at .23... it's my inside gateway that answers me :(
I also had an any/any rule on each interface (Capture 4).
And it's the same from my other computer: if I ping 192.168.120.23, it's my inside gateway, 10.20.0.254, that answers me, but I can ping the outside gateway, 192.168.120.250.
I'm lost.

What's the purpose of these floating rules specifying a gateway (passerelle)?
A gateway on the WAN side is fine. I'm not clear why you need the others.

All you need for firewall rules is 1 rule on the interface corresponding to the machine originating the ping (likely LAN_COMPUTER).
Allow IN (from the perspective of the FW), IPv4 ICMP Echo Request from LAN_COMPUTER net to GVOIP net.

Disabling the FW on the target machine is extreme but it works too.

With this simple setup, ping across VLANs works as expected.
I suspect the floating rules are having that side effect.
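As an added example, not something posted in this thread or shipped with OPNsense: a small POSIX shell check to run on the OPNsense box itself that shows the two things the last replies point at. A floating rule with a gateway set is compiled into a pf rule carrying `route-to` (or `reply-to`), which forces matching packets out that gateway instead of letting the kernel route them to the other VLAN; the first function lists every such rule from `pfctl -sr`. The second function checks whether the one rule the reply says is needed (pass in, IPv4 ICMP echo request, LAN net to GVOIP net) exists. The sample `pfctl -sr` output, the interface names `vlan0.120` / `vlan0.20` and the rule labels are constructed for the example; when `pfctl` is available (it needs root on the OPNsense shell) the live rule set is used instead.

```shell
#!/bin/sh
# Added example: inspect pf rules on an OPNsense/FreeBSD box for policy routing
# and for the inter-VLAN ICMP echo pass rule. Not code from the forum thread.

# Constructed sample of `pfctl -sr` output. Interface names, networks and
# labels are assumptions made for this example.
SAMPLE_RULES='pass in quick on vlan0.120 route-to ( vlan0.120 192.168.120.250 ) inet from any to any flags S/SA keep state label "floating any/any via gateway"
pass in quick on vlan0.20 inet proto icmp from 10.20.0.0/24 to 192.168.120.0/24 icmp-type echoreq keep state label "allow ping GVOIP to LAN"
pass in quick on vlan0.120 inet proto icmp from 192.168.120.0/24 to 10.20.0.0/24 icmp-type echoreq keep state label "allow ping LAN to GVOIP"
block drop in log inet all label "Default deny / state violation rule"'

# Read pf rules on stdin; print one line per rule that forces a gateway via
# route-to or reply-to. Assumes the "( iface gateway )" form OPNsense generates.
policy_routed_rules() {
    sed 's/[()]/ /g' | awk '
        /(^| )(route-to|reply-to) / {
            iface = "?"; gw = "?"; kind = "?"; label = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "on") iface = $(i + 1)
                if ($i == "route-to" || $i == "reply-to") { kind = $i; gw = $(i + 2) }
            }
            # label "..." is the last token group; strip the keyword and quotes
            if (match($0, /label "[^"]*"/)) label = substr($0, RSTART + 7, RLENGTH - 8)
            printf "iface=%s %s gateway=%s label=\"%s\"\n", iface, kind, gw, label
        }'
}

# Read pf rules on stdin; exit 0 if an inbound pass rule allows ICMP echo
# requests from network $1 to network $2, exit 1 otherwise.
has_echo_pass_rule() {
    awk -v src="$1" -v dst="$2" '
        /^pass in/ && /proto icmp/ && /icmp-type echoreq/ && index($0, "from " src " to " dst) { found = 1 }
        END { exit !found }'
}

# Use the live rule set when pfctl is present and readable (root on OPNsense),
# otherwise fall back to the constructed sample so the script runs anywhere.
if command -v pfctl >/dev/null 2>&1 && rules="$(pfctl -sr 2>/dev/null)" && [ -n "$rules" ]; then
    echo "# live rules from pfctl -sr"
else
    rules="$SAMPLE_RULES"
    echo "# pfctl unavailable here; using the constructed sample"
fi

echo "# rules that force a gateway (candidates for the 'reply from the gateway' symptom):"
printf '%s\n' "$rules" | policy_routed_rules

if printf '%s\n' "$rules" | has_echo_pass_rule "192.168.120.0/24" "10.20.0.0/24"; then
    echo "echo-request pass rule LAN net -> GVOIP net: present"
else
    echo "echo-request pass rule LAN net -> GVOIP net: missing"
fi
```

On a box where the only flagged line is a floating any/any rule with `route-to`, removing that rule (or clearing its gateway) and keeping the single ICMP echo pass rule reproduces the working setup the last reply describes.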