This seemed really strange; in a test configuration, where the “WAN” connection for OPNsense was in fact an existing (but not OPNsense) packet-filtering firewall, the WAN interface was happily being allocated an IP address by DHCP but it wasn’t possible to get a ‘ping’ response from the next-hop Gateway. Looking at the packets on the network, it was clear the ICMP packets were indeed being sent – and responded to – but these replies were never being seen by the ‘ping’ command. As a consequence of ‘ping’ not working, the status monitoring on the WAN interface was failing, considering it to be always ‘down’ – and so not routing any traffic to it.<\/p>\n\n\n\n
The solution came via this Reddit post<\/a>, which says:<\/p>\n\n\n\n Check firewall > settings > advanced. Change the “reply-to on wan rules” to the opposite.<\/p>\n<\/blockquote>\n\n\n\n This is referring to the “Disable reply-to on WAN rules” tick-box, for which the additional help text says:<\/p>\n\n\n\n With Multi-WAN you generally want to ensure traffic leaves the same interface it arrives on, hence reply-to is added automatically by default. When using bridging, you must disable this behaviour if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface.<\/p>\n<\/blockquote>\n\n\n\n The OPNsense manual page for this setting is here<\/a>. It’s not clear how Bridging is related to this – there is<\/strong> a Bridge interface for one of the LAN VLANs; maybe the Tunable configuration settings required for that Bridge change the behaviour for the WAN interface too?<\/p>\n\n\n\n From some further reading, it seems the problem only manifests itself when the next-hop gateway is itself a packet-filtering firewall, so it might not be an issue in a more realistic deployment scenario.<\/p>\n\n\n\n There’s an in-depth discussion in this OPNsense Community posts: Reply-to on WAN by default is bogus<\/a><\/p>\n\n\n\n Admittedly it’s a slightly unusual deployment scenario to have one DNS server running in the Outbuildings, referencing another<\/em> DNS server running in the House – where both the House and the Outbuildings are using RFC1918 ‘private’ IP address ranges. One consequence of this deployment pattern is that the Outbuildings DNS server treats the receipt of an RFC1918 IP address from its upstream DNS server as a “possible DNS-rebind attack<\/em>” – because dnsmasq is configured (by OPNsense) with There’s certainly a requirement for the Outbuildings’ DNS server to return IP addresses for hostnames such as One option is to add a duplicate, local entry for Another option is to use the A third option is to not<\/strong> to specify A related point is that none of the DHCP host address reservations should have the ‘Local’ box ticked, since doing so declares the specified Domain will only be served by the local DNS server – and never forwarded upstream.<\/p>\n\n\n\n In the end, the all-round better solution turned out to be to centralise DHCP and DNS on the House firewall, using DHCP Relay settings on the local VLANs in the Outbuildings. A side-effect of this is that the DHCP leases returned by the House’s DHCP server automatically reference the House’s DNS server, so there’s only one DNS server that ever returns RFC1918 addresses.<\/p>\n\n\n\n Kept noticing packets tripping the “Default deny \/ state violation rule” when on inspection they belonged to legitimate traffic – so they were clearly failing on the ‘state’ element of the check.<\/p>\n\n\n\n There’s an Advanced Setting for the Firewall of “Firewall Optimization” which is “Normal” by default; changing this to “Conservative” seems to be helping to avoid this traffic being blocked unnecessarily.<\/p>\n\n\n\n Adding a new VLAN isn’t difficult but there are quite a few steps required, some of which must be performed in a specific order.<\/p>\n\n\n\n The first step is to allocate the configuration settings for the new VLAN, notably:<\/p>\n\n\n\n If this is going to be a ‘bridged’ VLAN (i.e. stretched between the two buildings \/ routers):<\/p>\n\n\n\n While there is Uninterruptible Power Supply protection on both of the OPNsense installations, those UPSes are only expected to cover a couple of seconds of outage while the Tesla Backup Gateway switches the whole site over to battery power. It therefore doesn’t seem necessary to configure a controlled shutdown of OPNsense when the UPS is about to shutdown because its battery is almost empty.<\/p>\n\n\n\n However, it can be useful to have visibility of UPS battery health which one of the UPS monitoring utilities can provide. As a long-time user of APS UPS devices I was aware of the APC UPS Daemon (apcupsd)<\/a> but read some reports that Network UPS Tools<\/a> is generally preferred – mostly because it is still being actively developed (whereas apcupsd is not).<\/p>\n\n\n\n Both utilities are available as OPNsense plugins but NUT proved problematic with a USB-connected UPS. The UPS was being recognised by the Kernel with no issue:<\/p>\n\n\n\n However there were error messages suggesting NUT was not able to auto-detect the USB-connected UPS, perhaps due to permission issues:<\/p>\n\n\n\n A bit of research turned up some matching error reports – notably NUT Doesn’t Find USB Buses<\/a> – with some pointers to workarounds based on setting Tuneables to stop the Kernel attaching its own USB driver.<\/p>\n\n\n\n Trying apsupsd instead, that ‘just worked’ and immediately showed a status page with a whole bunch of details retrieved from the UPS. Looks like that will be the better option – especially since both UPS devices are from APC.<\/p>\n","protected":false},"excerpt":{"rendered":" Ping not working from WAN interface This seemed really strange; in a test configuration, where the “WAN” connection for OPNsense was in fact an existing (but not OPNsense) packet-filtering firewall, the WAN interface was happily being allocated an IP address … Continue reading \n
\n
possible DNS-rebind attack detected:<\/h2>\n\n\n\n
stop-dns-rebind<\/code> in its configuration file.<\/p>\n\n\n\nunifi<\/code> (so UniFi network equipment knows where to find its Controller) which trigger the ‘rebind attack’ error if the response comes from the House’s DNS server.<\/p>\n\n\n\nunifi<\/code> to the Outbuildings’ DNS server, since that avoids triggering the error (because the entry is ‘local’) – but it means maintaining a duplicate entry on both DNS servers.<\/p>\n\n\n\nrebind-domain-ok=\/unifi\/<\/code> dnsmasq configuration syntax to specify domain names which should be permitted RFC1918 addresses. Since this construct is not supported by OPNsense’s GUI for dnsmasq, such configuration lines need adding to a custom .conf<\/code> file placed in directory \/usr\/local\/etc\/dnsmasq.conf.d\/<\/code> While this works OK it’s a bit of a pain to have to maintain entries for all hosts in the House.<\/p>\n\n\n\nstop-dns-rebind<\/code> in the dnsmasq configuration file (and hence turn off rebind checking completely, for the Outbuildings’ DNS server) – but this line is automatically added to the main dnsmasq.conf<\/code> file by OPNsense and there is no GUI option to remove it. It appears that the same result can be achieved by adding the following in a custom .conf<\/code> file – which effectively says that ‘all hosts’ are rebind-domain-ok<\/code>:<\/p>\n\n\n\nrebind-domain-ok=<\/code><\/pre>\n\n\n\nTCP Session Timeout<\/h2>\n\n\n\n
Checklist for Adding an Extra VLAN<\/h2>\n\n\n\n
\n
AAAA<\/em><\/code> below)<\/li>\n\n\n\n\n
\n
vlan01<\/strong>.nnnn<\/code> where nnnn<\/code> is the numeric VLAN ID, padded to 4 digits (e.g. 0080<\/code>)<\/li>\n\n\n\nlagg0<\/code> (LAGG)<\/li>\n\n\n\nL_nnnn<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n\n
vlan02<\/strong>.nnnn<\/code> where nnnn<\/code> is the numeric VLAN ID, padded to 4 digits (e.g. 0080<\/code>)<\/li>\n\n\n\nigb4<\/code> (BACK)<\/li>\n\n\n\nB_nnnn<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\nL_nnnn<\/code> and B_nnnn<\/code> respectively)<\/li>\n\n\n\nBridge_Parents<\/code> Group (under ‘Firewall’)<\/li>\n\n\n\nBridge for AAAA<\/em> VLAN<\/code><\/li>\n\n\n\nAAAA<\/em><\/code> and being sure to Enable and Lock the interface\n\n
Static IPv4<\/code> and enter the IPv4 details further down\n\n
172.16.nn<\/em>.1<\/code> and the CIDR suffix will normally be \/22<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\nTrack Interface<\/code> and enter the relevant Track Interface ‘prefix’ allocated earlier<\/li>\n\n\n\nLocal_VLANs<\/code> Group (under ‘Firewall’)<\/li>\n\n\n\n\n
172.16.nn+2.1<\/code> through 172.16.nn+3.254<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\nBridge_Parents<\/code> Group<\/li>\n\n\n\nAPC UPS Monitoring<\/h2>\n\n\n\n
# usbconfig\nugen1.1: <EHCI root HUB AMD> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (0mA)\nugen0.1: <XHCI root HUB AMD> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)\nugen1.2: <Root Hub Advanced Micro Devices, Inc.> at usbus1, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=SAVE (100mA)\nugen0.2: <Uninterruptible Power Supply American Power Conversion> at usbus0, cfg=0 md=HOST spd=LOW (1.5Mbps) pwr=ON (0mA)<\/strong><\/code><\/pre>\n\n\n\n# upsdrvctl start\nNetwork UPS Tools - UPS driver controller 2.8.2\nNetwork UPS Tools - Generic HID driver 0.53 (2.8.2)\nUSB communication driver (libusb 1.0) 0.47\nlibusb1: Could not open any HID devices: no USB buses found\nNo matching HID UPS found<\/strong>\nupsnotify: failed to notify about state 4: no notification tech defined, will not spam more about it\nDriver failed to start (exit status=1)<\/code><\/pre>\n\n\n\n