OPNsense – Miscellaneous Hints and Tips

Ping not working from WAN interface

This seemed really strange. In a test configuration, where the “WAN” connection for OPNsense was in fact an existing (non-OPNsense) packet-filtering firewall, the WAN interface was happily being allocated an IP address by DHCP, but it was not possible to get a ‘ping’ response from the next-hop gateway. Looking at the packets on the network, it was clear that the ICMP echo requests were being sent and that echo replies were coming back, but those replies were never seen by the ‘ping’ command. As a consequence of ‘ping’ not working, the gateway status monitoring on the WAN interface was failing as well, considering the gateway to be permanently ‘down’ and so not routing any traffic to it.

The solution came via this Reddit post, which says:

Check firewall > settings > advanced. Change the “reply-to on wan rules” to the opposite.

This refers to the “Disable reply-to on WAN rules” tick-box, whose additional help text says:

With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, you must disable this behaviour if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.

The OPNsense manual page for this setting is here. It’s not obvious how bridging comes into it: there is a Bridge interface for one of the LAN VLANs, so perhaps the Tunable settings that bridge requires also change the behaviour on the WAN interface? What the tick-box actually controls is pf’s reply-to rule option. With reply-to present on a WAN rule, reply packets for connections that arrived through that rule are sent straight back out of the WAN interface to the configured WAN gateway, bypassing the routing table; with the box ticked, replies are routed according to the normal routing table instead.

From some further reading, the problem seems to manifest only when the next-hop gateway is itself a packet-filtering firewall, so it may not be an issue in a more typical deployment.
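The following shell script is an added example, not code from the original post or from the OPNsense project. It reads the ruleset pf has actually loaded (the output of `pfctl -sr`) and lists the interface and next-hop address every reply-to clause points at, which is the quickest way to confirm whether the tick-box change really took effect and which gateway the WAN rules were replying through. The interface names, addresses and rule lines in the embedded sample are constructed for the demonstration, and the script file name is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or of OPNsense itself.
# Lists the pf rules that carry a reply-to clause, which is what the
# "Disable reply-to on WAN rules" tick-box adds to or removes from WAN rules.
# On a live firewall feed it the loaded ruleset:
#     pfctl -sr | sh reply_to_check.sh      (reply_to_check.sh is an assumed name)

# Read `pfctl -sr` output on stdin and print "<interface> <next-hop>" for
# every rule that carries reply-to. FreeBSD pf prints the clause as
# "reply-to (em0 192.0.2.1)", i.e. interface first, then the gateway address.
reply_to_targets() {
    sed -n 's/.*reply-to (\([^ )]*\) *\([^)]*\)).*/\1 \2/p'
}

# Number of loaded rules that carry reply-to. After ticking "Disable reply-to
# on WAN rules" and applying, only rules that set it explicitly should remain
# (normally none on a single-WAN box).
count_reply_to() {
    reply_to_targets | wc -l | tr -d ' '
}

# Constructed sample of `pfctl -sr` output: em0 is the WAN (192.0.2.10/24,
# gateway 192.0.2.1) and em1 the LAN. Not captured from a real firewall.
SAMPLE_RULES='block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN"
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto icmp from any to 192.0.2.10 icmp-type echoreq keep state label "allow ping to WAN address"
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA keep state label "allow HTTPS to WAN address"
pass out quick on em0 inet proto icmp from 192.0.2.10 to any icmp-type echoreq keep state label "outbound ping / gateway monitor"
pass in quick on em1 inet from 192.168.1.0/24 to any keep state label "Default allow LAN to any"'

# Demo on the constructed sample; on a firewall replace the printf with `pfctl -sr`.
printf '%s\n' "$SAMPLE_RULES" | reply_to_targets | sort | uniq -c
printf 'rules with reply-to: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | count_reply_to)"
```

Run it before and after toggling the tick-box and applying the change: the two inbound WAN rules in the sample report `em0 192.0.2.1`, while the outbound rule used for the gateway monitor and the LAN rule carry no reply-to at all. If the count is unchanged after applying, the rules were not reloaded and the setting is not yet in effect.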

There’s an in-depth discussion in this OPNsense Community post: Reply-to on WAN by default is bogus

CC BY-SA 4.0 OPNsense – Miscellaneous Hints and Tips by Marsh Flatts Farm Self Build Diary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
