Do I need to reinstall? Give me a hand.

Started by gnsinfo, March 19, 2026, 06:48:28 PM

Greetings.
I'm a newbie on OPNsense.
Which is my problem: routing, NAT, or rules?

OPNsense version: 26.1.4

I configured the following:
- Interface: Virtual IP 192.168.55.127, master .254, backup .1
- Gateway: Group WAN_GW1, WAN_GW2
- High Availability: Service sync Caddy, Unbound DNS
- Firewall: Destination NAT, Outbound NAT, Reflection for destination NAT, Sticky Connection
- VPN: OpenVPN
- Service: Caddy, Kea DHCP, Unbound DNS, Zabbix Agent

The problem I have now is that I can't ping 192.168.55.127 or 192.168.55.254.
And I can't query Unbound DNS.
But I can ping 1.1.1.1 and use DNS.
And the DNAT function is working properly.

How do I get an ICMP reply from OPNsense, and how do I use DNS?
For this problem I checked the live log, and there is no block.
To avoid NAT, I configured hybrid outbound NAT and added a rule.
Lastly, I adjusted lo0 routing.
Despite all my effort to solve it, OPNsense doesn't accept me.

Please show me the way to use opnsense properly.
Thanks for your time.

Good days all in all.

Too little information given here. Sounds like a router-behind-router setup. See this, especially points 1, 4 and 16.

And BTW: There is no such thing as "lo0 routing".
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

From what you wrote, it sounds like you actually have two separate issues: 1) ICMP to the virtual IPs, and 2) Unbound DNS queries not being answered, even though general Internet and DNAT work.

Below is a step-by-step way to troubleshoot and also some explanation of what to look for.

1. Pinging 192.168.55.127 / 192.168.55.254 (virtual IPs / CARP)
When a VIP / CARP address does not respond to ping, the most common causes are:

No firewall rule allowing ICMP to the firewall

CARP / VIP not correctly bound to the interface, or the node is not MASTER

If virtualized: hypervisor not allowing MAC spoofing / promiscuous mode

Please check:

Go to Firewall → Rules → LAN (and any interface where traffic is coming from).

Add a rule like this:

Action: Pass

Protocol: ICMP

Source: your LAN network (or "any" for testing)

Destination: This Firewall (or explicitly 192.168.55.127 / 192.168.55.254)

Move this rule near the top (above any "block" rules) and Apply changes.

Go to Firewall → Virtual IPs and verify:

Type: CARP or IP Alias as intended

Interface: the correct interface where 192.168.55.127 / .254 live

On Status → CARP (failover): the active node should show MASTER for that VIP.

If this is running in a hypervisor (Proxmox, ESXi, Hyper‑V, etc.):

Make sure the virtual NIC / vSwitch allows MAC spoofing or promiscuous mode, otherwise the VIP MAC address may not be forwarded and you will not get replies to ping.

After that, from a LAN client, test:

```bash
ping 192.168.55.127
ping 192.168.55.254
```

If this starts replying, the ICMP part is solved.

2. Unbound DNS not answering queries
You mentioned you cannot query Unbound, but you can ping 1.1.1.1 and use DNS in general, and your DNAT works. That means routing/WAN are basically fine, but the firewall is not answering DNS on the IP you expect (or is blocking it).

Please check the following:

Unbound DNS → General

Go to Services → Unbound DNS → General.

Under Network Interfaces, make sure the interfaces where your clients are (e.g. LAN, maybe the CARP/VIP interface, and "Localhost") are selected, not just WAN.

Save & Apply.

Firewall rules for DNS

Go again to Firewall → Rules → LAN.

Ensure there is a rule that allows TCP/UDP port 53 from your LAN to the OPNsense address you are using as DNS.

Source: LAN net

Destination: "This Firewall" or the VIP you want (e.g. 192.168.55.127)

Port: 53 (TCP/UDP)

Client configuration

On a LAN client, check that:

Default gateway points to the correct IP (e.g. 192.168.55.127 or .254, depending on your design).

DNS server is set to that same IP if you want HA with CARP (for example 192.168.55.127 as a shared VIP used for DNS).

Tests

From a LAN client, run:

```bash
nslookup opnsense.org 192.168.55.127
nslookup opnsense.org 192.168.55.254
```

or with dig:

```bash
dig @192.168.55.127 opnsense.org
dig @192.168.55.254 opnsense.org
```

If you get a timeout, it's still a firewall / interface binding issue.
If it works for one IP but not the other, then the problem is specific to that VIP / node.

Check from OPNsense itself

Go to Diagnostics → DNS Lookup and try resolving something (e.g. opnsense.org).

If this works on the firewall but not from LAN, then Unbound is fine and the issue is purely firewall / routing between your LAN and the firewall address.

3. What would help to debug further
If you are still stuck after these checks, it would be very helpful if you can share:

Screenshot of Firewall → Virtual IPs (showing the config for 192.168.55.127 and .254, with type and interface).

Screenshot of Firewall → Rules → LAN (at least the top rules, including ICMP and DNS).

Screenshot of Services → Unbound DNS → General (especially Network Interfaces section).

Output from a LAN client:

```bash
ping 192.168.55.127
ping 192.168.55.254
nslookup opnsense.org 192.168.55.127
```

With those, it's much easier for us to point out exactly what needs to be adjusted.

Today at 06:23:24 AM #3 Last Edit: Today at 06:25:47 AM by gnsinfo Reason: Adjust missing.
Thanks for all the reply.
To achieve good communication, I used AI skills.


I finally found why I couldn't ping **192.168.55.127** and **.254** from my LAN client (**192.168.55.51**).

The issue is related to the **Gateway Group** configuration for Multi-WAN redundancy.
When I specify the Gateway Group in the "Gateway" field of the LAN firewall rule, OPNsense stops responding to ICMP and DNS queries directed to itself.

**Diagnostic Findings:**

1. According to the firewall logs, traffic from **.51** to **.127** is being **NATed on the WAN interface**.
2. It seems that because of Policy-Based Routing (PBR), the firewall forces local traffic out through the WAN gateway instead of routing it locally.
3. I switched Outbound NAT from "Automatic" to "Hybrid" and added a "No NAT" rule for LAN-to-LAN traffic. Now the traffic passes the firewall, but there is still **no reply**.

**My Question:**

Where is my traffic going, and why isn't the firewall intercepting traffic destined for its own interface when a Gateway Group is active?

How can I properly use Gateway Load Balancing/Failover while ensuring that traffic destined for the LAN Gateway or Virtual IPs (VIPs) is excluded from the Policy-Based Routing?

Thanks for all of your effort.
Good days all in all.

Quote from: meyergru on March 19, 2026, 09:02:30 PM
Too little information given here. Sounds like a router-behind-router setup. See this, especially points 1, 4 and 16.

And BTW: There is no such thing as "lo0 routing".

Thanks, solved.
I added a firewall rule to LAN.
I can ping 192.168.55.127. ^^*
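The mechanism behind post #3 (the LAN rule's "Gateway" set to the WAN gateway group policy-routes even packets addressed to the firewall's own IPs) and the fix from the last post (a pass rule to the firewall with no gateway, placed above the policy-routing rule), as an added example that is not part of the thread and not OPNsense code. It is a simplified model of first-match pf rules where the GUI "Gateway" field becomes a pf `route-to`; the gateway group name `WAN_GROUP` and the OpenVPN tunnel net `10.8.0.0/24` are assumptions, the other addresses are the thread's. It generalizes the fix slightly by also excluding another local network from policy routing, which is the same class of problem.

```python
"""Added example (not OPNsense code): a minimal model of how the LAN rule's
"Gateway" field turns into a pf route-to and why that hijacks traffic meant
for the firewall itself. Addresses come from the thread; the gateway group
name WAN_GROUP and the VPN net 10.8.0.0/24 are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The firewall's own LAN addresses: the CARP VIP .127 and this node's .254.
FIREWALL_SELF = {"192.168.55.127", "192.168.55.254"}


@dataclass
class Rule:
    label: str
    src: str                       # CIDR or "any"
    dst: str                       # CIDR, "any" or "self" (GUI: "This Firewall")
    proto: str = "any"             # "any", "icmp", "udp" or "tcp"
    gateway: Optional[str] = None  # GUI "Gateway" field -> pf "route-to"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str


@dataclass
class Decision:
    action: str             # "local", "route-table", "route-to" or "drop"
    via: Optional[str]      # gateway group for "route-to", else None
    rule: Optional[str]     # label of the rule that matched


def _match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return addr in FIREWALL_SELF
    return ip_address(addr) in ip_network(spec)


def decide(rules: List[Rule], pkt: Packet) -> Decision:
    """First matching rule wins (OPNsense GUI rules are 'quick').
    A rule with a gateway applies route-to to everything it matches,
    including packets addressed to the firewall's own IPs: the routing
    table is never consulted, so they are pushed out via the WAN gateway
    instead of being delivered locally (no ICMP reply, no Unbound answer)."""
    for r in rules:
        if not (_match(r.src, pkt.src) and _match(r.dst, pkt.dst)
                and r.proto in ("any", pkt.proto)):
            continue
        if r.gateway is not None:
            return Decision("route-to", r.gateway, r.label)
        if pkt.dst in FIREWALL_SELF:
            return Decision("local", None, r.label)
        return Decision("route-table", None, r.label)
    return Decision("drop", None, None)  # OPNsense default deny


# Ruleset as described in post #3: one LAN pass rule with the gateway group set.
BROKEN_LAN_RULES = [
    Rule("LAN any -> any via WAN_GROUP", "192.168.55.0/24", "any", gateway="WAN_GROUP"),
]

# The fix from the last post, generalized: pass rules WITHOUT a gateway for every
# destination the firewall must handle itself or route internally, ordered above
# the policy-routing rule. 10.8.0.0/24 is an assumed OpenVPN tunnel network.
FIXED_LAN_RULES = [
    Rule("LAN -> This Firewall (no gateway)", "192.168.55.0/24", "self"),
    Rule("LAN -> VPN net (no gateway)", "192.168.55.0/24", "10.8.0.0/24"),
    Rule("LAN any -> any via WAN_GROUP", "192.168.55.0/24", "any", gateway="WAN_GROUP"),
]


def summarize(rules: List[Rule]) -> dict:
    """Decision per destination for a fixed set of constructed probe packets."""
    probes = [
        Packet("192.168.55.51", "192.168.55.127", "icmp"),  # ping the VIP
        Packet("192.168.55.51", "192.168.55.254", "udp"),   # DNS to Unbound on .254
        Packet("192.168.55.51", "10.8.0.5", "tcp"),         # host behind the VPN
        Packet("192.168.55.51", "1.1.1.1", "udp"),          # Internet: should use the group
    ]
    return {p.dst: decide(rules, p).action for p in probes}


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        print(name, summarize(rules))
```

Running it prints the decision per destination for both rule orders: with only the gateway rule, the ping to .127 and the DNS query to .254 are both `route-to`, which is exactly the "NATed on the WAN interface" observation from post #3; with the no-gateway rules first they become `local` while Internet traffic still goes through the group. On the appliance itself the same thing can be confirmed with `pfctl -vvsr` (the generated LAN rule carries `route-to`) and by watching `tcpdump -ni <WAN interface> host 192.168.55.51` while pinging the VIP.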