New user, help needed

[pun1x]

Hello,
First of all thanks for nice firewall distro, just switched from pfsense today.
Spent most of the time to mirror same setup I had previously (openvpn, ddns, etc)
So far I really like it and I think I will keep it.
There is one minor issue that I have.
Looks like by default ICMP responses are blocked (to WAN, like 8.8.8.8 ), I tried but I can't get it to work.
Any hints would be much appreciated

[bartjsmit]

Did you run the wizard? It puts in default allow any rules for LAN net source on the LAN rules tab. This allows ICMP responses from other interfaces on state.

Bart...

[pun1x]

Hi.
I have default rule from LAN to any. Everything works fine except ICMP responses from WAN


Sent from my iPhone using Tapatalk

[bartjsmit]

Run a packet trace on the WAN interface and confirm that the echo replies are making it back to OPNsense. If so, check your firewall log to see what's blocking it.

Bart...

[fabian]

can you try to create a pass rule for ICMP and IPv4 (any host to any host) and retry?

[pun1x]

Hi,
Thanks for all the suggestions,
I cannot get ICMP reply from 8.8.8.8 but ping replies from bbc.co.uk works fine. that is really weird
All I want to do is to be able to test if I get internet as my provider is flaky sometimes.
I did not know that I can run packet capture straight from the GUI, that is awesome.
I will start packet capture and see how it goes

[pun1x]

Hi,
I think it's something to do with my provider,
Here is traceroute from OPNsense with ICMP tickbox enabled

traceroute to 8.8.8.8 (8.8.8.8 ), 18 hops max, 48 byte packets
 1  * * *
 2  80.X.X.X  7.678 ms  10.443 ms  10.853 ms
 3  * * *
 4  62.253.175.34  10.873 ms  9.682 ms  9.309 ms
 5  74.125.52.226  15.216 ms  14.629 ms  16.521 ms
 6  * * *
 7  216.239.57.131  16.750 ms  16.018 ms  16.224 ms
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *

Ans here is regular traceroute from OPNsense

traceroute to 8.8.8.8 (8.8.8.8 ), 18 hops max, 40 byte packets
 1  * * *
 2  80.X.X.X  8.354 ms  9.074 ms  9.989 ms
 3  * * *
 4  62.253.175.34  10.876 ms  11.143 ms  9.875 ms
 5  74.125.48.190  9.789 ms
    74.125.52.226  14.174 ms  15.459 ms
 6  108.170.246.225  9.429 ms
    108.170.246.129  15.896 ms
    108.170.246.193  18.348 ms
 7  * 216.239.57.163  12.552 ms
    216.239.57.169  11.766 ms
 8  8.8.8.8  16.060 ms * *

From the above it looks like ICMP never gets to the destination.

[fabian]

Google drops your pings if you send to many.

[Ciprian]

All I want to do is to be able to test if I get internet as my provider is flaky sometimes.

You can also monitor the GW (apinger), it allows you to ping the IP of the provider's gateway, or another public IP. Though, I wasn't concerned about an URL, to check if DNS translations works... Try!

[pun1x]

Hi. That would actually be awesome. Thanks for that!


Sent from my iPhone using Tapatalk

[Ciprian]

Hi. That would actually be awesome. Thanks for that!


Sent from my iPhone using Tapatalk

You're welcome!