OPNsense does not generate ICMP echo replies on WAN

Started by penguingl, November 26, 2025, 11:56:35 PM

November 26, 2025, 11:56:35 PM Last Edit: November 26, 2025, 11:59:25 PM by penguingl
Hi everyone,
I'm running into a strange issue with my OPNsense setup and I'd really appreciate any advice or if anyone has seen something similar.

Environment
OPNsense Version: 25.7.8-amd64
Topology: single firewall appliance, public IPv4 directly on WAN (no NAT/CGNAT upstream).
LAN side works fine.

Problem
When I ping my WAN IP from an external host, the echo requests reach the firewall: I can see them in tcpdump on re0 (WAN) and in pflog0, and a pf state is created. But the firewall never generates an echo reply. There are no replies visible on lo0 or on re0.
For example, pflog shows just one entry like:
rule 83/0(match): pass out on re0: External_IP > WAN_IP: ICMP echo request, id 53, seq 1, length 64 and then nothing else.

Packet capture on re0:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on re0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:11:37.187956 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:37.187972 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:38.187028 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:38.187033 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:39.210911 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:39.210918 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:40.234803 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 4, length 64

Firewall rule I added on WAN:
pass in quick on re0 route-to (re0 <WAN_GATEWAY_IP>) inet proto icmp all keep state label "5356e56fce90cafaa6b6ebdb3a91031a"
I've tried
Explicit allow rule for all IPv4 ICMP on WAN.
Checked pf states: requests are tracked.
Tried enabling and disabling "force gateway" and "reply-to" under Firewall > Settings > Advanced. No change.
Verified that LAN pings to the WAN IP work fine (so the address is bound and reachable internally).

At this point I'm not sure what else to check. If you have any suggestions on how to fix this, I'd really appreciate it.
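To make the symptom in the capture above checkable mechanically, here is an added example (my own code, not the poster's and not part of OPNsense): it pairs ICMP echo requests and replies from tcpdump text by (requesting host, ICMP id, seq) and lists requests that never got a reply, plus requests captured more than once on the interface. The sample capture is constructed from the lines above with one invented answered request (id 52, seq 3) so both outcomes appear.

```python
import re
from collections import defaultdict

# Constructed sample: requests from the thread's tcpdump output, plus one
# invented answered request (id 52, seq 3) so both outcomes show up.
SAMPLE_CAPTURE = """\
22:11:37.187956 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:37.187972 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 1, length 64
22:11:38.187028 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 2, length 64
22:11:39.210911 IP External_IP > WAN_IP: ICMP echo request, id 52, seq 3, length 64
22:11:39.211002 IP WAN_IP > External_IP: ICMP echo reply, id 52, seq 3, length 64
"""

# tcpdump's one-line ICMP echo format:
# "<ts> IP <src> > <dst>: ICMP echo <request|reply>, id N, seq N, length N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+"
)

def parse_capture(text):
    """Yield (kind, src, dst, icmp_id, seq) for each ICMP echo line; skip everything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"])

def tally_echo(text):
    """Count requests and replies per (requesting host, ICMP id, seq)."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for kind, src, dst, icmp_id, seq in parse_capture(text):
        # A reply flows dst -> src, so key on the requesting host in both directions.
        host = src if kind == "request" else dst
        stats[(host, icmp_id, seq)]["requests" if kind == "request" else "replies"] += 1
    return dict(stats)

def echo_report(text):
    """Return (unanswered, duplicated): keys with requests but no reply, and keys
    whose request was captured more than once on the same interface."""
    stats = tally_echo(text)
    unanswered = sorted(k for k, v in stats.items() if v["requests"] and not v["replies"])
    duplicated = sorted(k for k, v in stats.items() if v["requests"] > 1)
    return unanswered, duplicated

if __name__ == "__main__":
    unanswered, duplicated = echo_report(SAMPLE_CAPTURE)
    for host, icmp_id, seq in unanswered:
        print(f"no reply: {host} id={icmp_id} seq={seq}")
    for host, icmp_id, seq in duplicated:
        print(f"request seen more than once: {host} id={icmp_id} seq={seq}")
```

Feed it the output of `tcpdump -ni re0 icmp` saved to a file to see at a glance which (id, seq) pairs the firewall left unanswered.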

What's the order of firewall rules on WAN, any other rules on WAN (ignoring the automatically generated ones)? Does the rule get executed at all (press 'Inspect' on the firewall WAN page)?

Setting a gateway for that rule does not work in my case, not sure if that is expected.
Deciso DEC740

IDK how you got the <WAN_GATEWAY_IP> into that rule at all, since I do not see where you could select that from the UI. Out of curiosity: How did you do that?

Your rule will never fire this way, because you do not see the packets your rule would select.

The target of a ping would be the WAN IP, which you can select from the dropdown as "WAN address". You could also use "this firewall". Your rule should simply be:

You cannot view this attachment.

If you want to be sure, create it in Floating Rules and move it to the top of the list.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+