OPNSense Unreachable From LAN

Started by nicholaswkc, March 27, 2025, 01:28:03 AM

Dear all users, yesterday my firewall had some odd issues where my LAN was not able to ping the OPNsense box (ping 192.168.1.1 and dig www.google.com). Today, the issue is back to normal. This issue is very strange as I did not touch anything that could possibly break the setup.


Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab: there are 2 interfaces in addition to WAN, i.e. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something: DHCP works fine if I plug the LAN endpoint into the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too? 

Quote from: alex_62450 on March 27, 2025, 11:45:42 AM
Hi @nicholaswkc,

The same happens on OPNsense 25.1 in my home lab: there are 2 interfaces in addition to WAN, i.e. LAN and let's say OPT1. The issue also occurs without any change in configuration on OPNsense, and I could identify something: DHCP works fine if I plug the LAN endpoint into the OPT1 interface, but the connection fails when it is connected to the LAN interface itself. It appears therefore that the connectivity loss on LAN could be linked to DHCP specifically on LAN.

Is DHCP activated on your LAN interface too?

Yes, I do have DHCP enabled on LAN. Apart from this, my OPT1 seems to reset and go down and not reactivate again. It needs the cable replugged in order to have fully functional internet.

Please help. Thanks in advance.

Hi @nicholaswkc,

Thanks for the swift response! As in both cases DHCP is activated, that may help to pinpoint the cause.

Personally, I have made network traffic captures, and on the LAN endpoint the DHCP messages are being sent but get no response from OPNsense.

Another element / item to check please:

On LAN, I have also enabled IDS/IPS (Suricata), and I found online an older issue published on another forum mentioning that the DHCP problem could be linked to this service - although the thread didn't get a final or formal response.
https://www.reddit.com/r/OPNsenseFirewall/comments/rcwtdz/dhcp_seems_to_keep_failing/

On that other website, there is also a mention of messages such as
generic_netmap_attach Emulated adapter for [Interface name] created (prev was NULL)
These kinds of messages are now (in 25.1) displayed all the time on the console screen, while earlier I can't remember having seen them, or maybe it happened but rarely.

Do you also use IDS/IPS on the LAN interface?

I am going to disable IDS/IPS to make a test and observe whether the issue occurs again and the connection is stable.

March 29, 2025, 02:51:54 PM #4 Last Edit: March 29, 2025, 02:54:39 PM by alex_62450
Update:
a bit unexpectedly, but the DHCP and therefore possibly the LAN connectivity issue was linked to IPS, which blocked the responses from OPNsense port 67 to LAN port 68 as potentially malicious. The LAN connectivity was restored after disabling IDS/IPS, and a closer look at the IPS blocks pinpointed the above. Personally, I didn't see this kind of block happening in OPNsense earlier.

If IPS is also enabled on your LAN, maybe you can try to disable it temporarily - if that's permissible on your network - to check that assumption? The stability or connectivity issues on LAN seem to be gone for now.


Sharing also a bit of insight about how that specific issue interacted with other topics, in case it may help others too, as I think that the IPS has been doing its job well, but this occurred in a given sequence of events:

  a°) sometime after upgrading OPNsense to 25.1, some LAN connectivity issues began to happen in an unpredictable fashion, without knowing what could have caused them;
  b°) in the same time frame and on some days, the IPS recorded a very high and unusual number of alerts (for a home lab) - e.g. 90 million or 210 million events - with a majority of error messages, which made genuine alerts impossible to notice. This may also have prevented the IPS from working normally;
  c°) point b°) was not visible from the routine check done with "df -h", as the df command appeared not to work as it should - on my new OPNsense re-install, things look back to normal as the command now works as expected;
  d°) on the LAN interface, some connection attempts were repeatedly initiated from OPNsense, probing port 22 on the LAN subnet (and port 80 as well); it appeared that similar kinds of probes were being initiated from OPNsense on the WAN interface, also on ports 22 and 80. I am unaware of a legitimate service that may have been doing this kind of asynchronous probing.

Hoping that may be useful - cheers.
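The update above attributes the LAN outage to IPS blocking the DHCP server's replies (UDP port 67 to port 68). Rather than disabling IDS/IPS for the whole interface, a practitioner would want to confirm that from the Suricata log and identify the offending signature. The following is an added example, not code from the thread or from OPNsense: it scans eve.json records (constructed here; on OPNsense the file is normally /var/log/suricata/eve.json, which is an assumption about your install) for blocked events whose UDP source port is 67 and destination port is 68, counts them per signature, and emits a Suricata `pass` rule for DHCP replies. The signature name and sids 1000001/1000002 in the sample data, and sid 9000001 in the generated rule, are hypothetical placeholders, not real rules.

```python
"""Find IPS drops of DHCP server replies (UDP 67 -> 68) in Suricata eve.json output."""
import json
from collections import Counter

DHCP_SERVER_PORT = 67   # bootps: DHCPOFFER/DHCPACK are sent from here
DHCP_CLIENT_PORT = 68   # bootpc: the LAN client listens here

# Constructed eve.json lines in Suricata's alert/flow record shape.
# Signature names and sids 1000001/1000002 are hypothetical placeholders.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-03-29T14:10:01.000000+0100","event_type":"alert","src_ip":"192.168.1.1","src_port":67,"dest_ip":"255.255.255.255","dest_port":68,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Misc activity","severity":3}}',
    '{"timestamp":"2025-03-29T14:10:02.000000+0100","event_type":"alert","src_ip":"192.168.1.1","src_port":67,"dest_ip":"192.168.1.50","dest_port":68,"proto":"UDP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Misc activity","severity":3}}',
    '{"timestamp":"2025-03-29T14:10:03.000000+0100","event_type":"alert","src_ip":"192.168.1.1","src_port":67,"dest_ip":"192.168.1.51","dest_port":68,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed example rule","category":"Misc activity","severity":3}}',
    '{"timestamp":"2025-03-29T14:10:04.000000+0100","event_type":"alert","src_ip":"192.168.1.50","src_port":51234,"dest_ip":"192.168.1.1","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL constructed SSH example","category":"Attempted Administrator Privilege Gain","severity":1}}',
    '{"timestamp":"2025-03-29T14:10:05.000000+0100","event_type":"flow","src_ip":"192.168.1.50","src_port":68,"dest_ip":"255.255.255.255","dest_port":67,"proto":"UDP"}',
    'this line is not JSON and must be skipped',
]


def parse_eve(lines):
    """Yield one dict per parseable eve.json line; skip truncated or non-JSON lines."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_dhcp_server_reply(ev):
    """True for UDP traffic from the DHCP server port to the client port (OFFER/ACK direction)."""
    return (ev.get("proto") == "UDP"
            and ev.get("src_port") == DHCP_SERVER_PORT
            and ev.get("dest_port") == DHCP_CLIENT_PORT)


def is_blocked(ev):
    """True when IPS actually dropped the packet: a 'drop' record, or an alert with action 'blocked'."""
    if ev.get("event_type") == "drop":
        return True
    return ev.get("event_type") == "alert" and ev.get("alert", {}).get("action") == "blocked"


def blocked_dhcp_replies(lines):
    """Return every record where IPS blocked a DHCP server reply."""
    return [ev for ev in parse_eve(lines) if is_blocked(ev) and is_dhcp_server_reply(ev)]


def summarize_by_signature(lines):
    """Count blocked DHCP replies per (signature_id, signature) so the rule to tune is obvious."""
    counts = Counter()
    for ev in blocked_dhcp_replies(lines):
        alert = ev.get("alert", {})
        counts[(alert.get("signature_id"), alert.get("signature"))] += 1
    return dict(counts)


def suricata_pass_rule(sid):
    """Build a pass rule for DHCP server replies; Suricata evaluates pass before drop/reject/alert.
    The sid is a hypothetical local-range id chosen by the caller."""
    return (f"pass udp any {DHCP_SERVER_PORT} -> any {DHCP_CLIENT_PORT} "
            f'(msg:"allow DHCP server replies on LAN"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    # Replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json") on a live box.
    for (sid, name), n in summarize_by_signature(SAMPLE_EVE_LINES).items():
        print(f"sid {sid} ({name}) blocked {n} DHCP server replies")
    print("suggested rule:", suricata_pass_rule(9000001))
```

Only blocked events count: an alert with action "allowed" (alert mode, not IPS mode) would not explain lost connectivity, and the unrelated SSH block from the thread's port-22 probes is ignored by the port filter. Once the signature is known, a narrower fix than a pass rule is to disable just that sid in the OPNsense rule policy, so the rest of the ruleset keeps protecting LAN.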