OPNsense Forum

English Forums => General Discussion => Topic started by: bmail on January 10, 2020, 07:58:36 pm

Title: Network question
Post by: bmail on January 10, 2020, 07:58:36 pm
Hello,

Not directly related to Opnsense, but a strange behaviour on my network.
Perhaps someone could help me to understand what the issue is:

I use Opnsense with 3 interfaces (LAN, WAN, and WLAN). WLAN is a wired interface connected to the WAN port of an Asus wifi router.
The wifi router is configured as a router (not AP) for wifi devices (android phones for example), with DHCP.

So: WLAN (opnsense): 10.1.2.100
WAN of wifi router: 10.1.2.99 with default gateway 10.1.2.100
LAN of wifi router: 10.1.55.100/24
WIFI devices with DHCP: 10.1.55.6x/24

Wifi devices have access to the internet via opnsense, but sometimes I see weird logs on opnsense:

Action: block
interface: WLAN
Source: 10.1.55.6x
Destination: very often a google ip (216.58.2018.100 for example)

For the WLAN interface, I have some rules such as:
Accept WLAN net    *    Ce Pare-feu    53 (DNS)    *    *
Accept  WLAN net    *    *    443 (HTTPS)    *    *
and so on....

And the last:
Block *    *    *    *    *    *

I can't understand why WLAN receives and blocks (naturally) packets from wifi devices (10.1.55.6x). WLAN should not see them.

If somebody can explain this fact to me ....

Thanks a lot in advance.
Title: Re: Network question
Post by: siga75 on January 11, 2020, 09:33:57 am
Why do you say WLAN should not see those packets?

In any case, packets are often blocked because they are not SYN flagged; it could be an old connection for which PF already expired the status.
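To make the two explanations in this thread checkable against real logs, here is an added example (not code from the forum or from OPNsense): it classifies blocked WLAN entries as either a pre-NAT source address that should never have reached OPNsense, or a non-SYN TCP segment with no matching state, as siga75 describes. The log lines and their key=value layout are constructed for the example and do not reproduce the real OPNsense filterlog format; the expected WLAN subnet 10.1.2.0/24 is taken from bmail's description.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines mirroring the fields bmail quoted (action, interface,
# source, destination, TCP flags). Not the real filterlog CSV layout; adapt the
# regex below to whatever log source you actually read.
SAMPLE_LOG = """\
action=block iface=WLAN proto=tcp src=10.1.55.61:50123 dst=216.58.208.100:443 flags=A
action=block iface=WLAN proto=tcp src=10.1.55.62:50200 dst=216.58.208.100:443 flags=FA
action=pass iface=WLAN proto=tcp src=10.1.2.99:40000 dst=216.58.208.100:443 flags=S
action=block iface=WLAN proto=tcp src=10.1.2.99:40001 dst=216.58.208.100:443 flags=A
action=pass iface=WLAN proto=udp src=10.1.2.99:5353 dst=10.1.2.100:53 flags=
"""

# Only this network should appear as a source on WLAN once the ASUS has NATed it.
EXPECTED_WLAN_NET = ipaddress.ip_network("10.1.2.0/24")

LINE_RE = re.compile(
    r"action=(?P<action>\w+) iface=(?P<iface>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+ flags=(?P<flags>\w*)"
)


def classify(line):
    """Label one log line; returns None unless it is a block on WLAN."""
    m = LINE_RE.match(line)
    if not m or m["action"] != "block" or m["iface"] != "WLAN":
        return None
    src = ipaddress.ip_address(m["src"])
    if src not in EXPECTED_WLAN_NET:
        # A host behind the downstream router reached OPNsense without NAT.
        return "leaked-pre-nat-source"
    if m["proto"] == "tcp" and "S" not in m["flags"]:
        # Mid-stream segment with no SYN: typically a state pf already expired.
        return "out-of-state-tcp"
    return "other-block"


def summarize(log_text):
    """Count how many blocked WLAN lines fall into each category."""
    counts = Counter()
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] += 1
    return counts
```

Leaked pre-NAT sources point at the downstream router forwarding unmasqueraded packets; out-of-state TCP blocks are the harmless expired-state case and need no rule change.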
Title: Re: Network question
Post by: bmail on January 11, 2020, 10:09:52 am
Hello,

Thanks for your answer.
I thought it was strange because the wifi router IS a router, with NAT.
My opnsense rules allow traffic from WLAN net (10.1.2.100/24), so in fact one IP address: the one of the wifi router (10.1.2.99). It works perfectly like this.
But I thought that the WLAN interface of opnsense couldn't see devices behind the wifi router, as it's not the same network (10.1.55.0/24).

Perhaps I should configure the router as an AP? It could be simpler, rather than doing another NAT?

Title: Re: Network question
Post by: siga75 on January 11, 2020, 10:34:19 am
oh, OK, I got it now :)

Well, I don't see any reason to use NAT, but you can still use it as a router if, for whatever reason, you want a different network to be routed (it depends on what your router config allows; you have no limits if you configure OpenWrt on it).

If you use it as an AP then DHCP will be served by OPNsense.
Title: Re: Network question
Post by: bmail on January 11, 2020, 11:20:59 am
Yes, I think I'm going to transform the wifi router into an AP. I don't really need to do NAT for wifi devices.

But, definitely, I don't understand why (sometimes) I see the wifi devices' IPs on the WLAN interface of Opnsense, while these devices are behind a router which must perform NAT!
The wifi router is an ASUS with Merlin firmware.
And this behaviour is not permanent, hopefully! And always towards Google IPs. Strange, no?

Anyway, thanks for your advice.