OPNsense Forum

English Forums => General Discussion => Topic started by: mflammia on August 30, 2020, 02:35:04 am

Title: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: mflammia on August 30, 2020, 02:35:04 am
Hi,

This has really stumped me, as for all intents and purposes this should work?

Have done several fresh installs, running on VMWare 6.5.0.

Have spent countless hours and read every article I can find on the subject trying to find the cause.

At this time Opnsense has two interfaces:

em0 is the WAN (address 80.4.x.x) Online, active and getting IP via DHCP (Virgin Fibre, router in modem mode)
em1 is the LAN, Online and has a static IP

If I check Opnsense for updates it is able to reach the internet and pull updates and upgrade.

In order to get this to work I had to set the WAN interface checkbox for 'upstream gateway'; this moved the LAN interface that was saying 'active' to the WAN interface now having active next to it.

In addition, I set the outbound NAT to manual with the interface 'LAN', Source 'any' and the NAT address as the WAN address. Had a little change when doing this in that some pings would then reach 8.8.8.8 when first rebooting as described further on.

I've seen references on the net about disabling DNSSEC, and disabling monitoring gateway address, none have worked.

The firewall rules are as they are out the box allowing anything from the LAN out, this all seems to be ok with nothing blocking in the monitoring.

I've disabled IPv6 as not using it at this time.

I've defaulted the config, rebuilt several times, but no matter what I do I just can't get traffic to pass through the firewall.

When I've rebooted the firewall there have been instances where 3 to 20 pings have reached 8.8.8.8 or the WAN interface (80.4.x.x), neither of which I can reach normally from the LAN. It has even at one point seemed to ping 8.8.8.8 with 1 in about every 4, but not been able to replicate it.

Really would like to use Opnsense, but I'm totally at a loss here as to what is happening as clearly both LAN and WAN interfaces are working, but just can't pass traffic through Opnsense.

Really appreciate any help.

Many thanks in advance.

Title: Re: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: sparticle on August 30, 2020, 03:39:09 pm
What is the Interfaces Overview page showing for both the LAN and WAN connections? Please obscure any IP information.
Have you set the default gateway to Auto in the LAN config? In system settings general have you overridden the DNS servers?

Sounds like a NAT and FW rule issue.

Set it to Hybrid and save. It will put a default rule in place and leave your manual rule.

Also check the system configuration history and have a look at what you changed!
Cheers
Spart

Title: Re: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: mflammia on August 30, 2020, 07:51:48 pm
Hi Spart,

Thanks for posting a reply.

Checked the things you mentioned and the LAN is set to Auto-Detect. Regarding DNS, I've added a bunch of images that I hope will answer that.

At this time it seems from the LAN I am able to ping the WAN interface but not the default gateway. I plugged in my old firewall and confirmed I should be able to ping the upstream DG.

I've tried a few variations of the NAT rule, but you will see an image of how it is currently configured.

It doesn't make sense to me why I can't ping the upstream DG as there should be no rule or route required to reach it?

Anyway, I feel I'm pretty close to getting it working and hopefully you will see the issue.

I've obscured all the public addresses and not the private addresses.

Many thanks for your support.

Title: Re: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: mflammia on August 30, 2020, 07:52:35 pm
Just adding the other two images

Title: Re: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: sparticle on August 30, 2020, 08:47:34 pm
Looks like there is no default rule from your local LAN to the WAN. The ones configured are all pointing at the loopback network.
You also look like you are pointing the default gateway to the LAN side of the OPNsense.

I may be wrong.

The other thing to do is back up the config, reset and then configure a simple WAN connection to Virgin DHCP etc. and a simple LAN interface, set NAT to hybrid, create auto rules.

See if the default OOTB works. Then build from there.

Cheers
Spart

Title: Re: Unable to pass traffic through Opnsense. LAN & WAN interfaces all working.
Post by: mflammia on August 30, 2020, 09:09:15 pm
Well, something odd happened... I came back to my PC about an hour later and noticed that everything seemed to be pinging?

I made no changes in that time, but I did set the LAN gateway to auto-detect previously (as you advised), so maybe something needed some time to sort itself out?

I've rebooted the firewall and all still seems good, so see if it holds.

The only issue I have at the moment, and the bit you may be mentioning about the DGs, is that I have other networks, predominantly 192.168.200.0/24, that I have a route configured on the firewall pointing back to 192.168.0.254, which is the internal LAN DG. This subnet is important as it houses the internal DNS, domain servers etc.

At this time I cannot ping out from 192.168.200.0/24 to the internet, even though there is a route on the firewall allowing the route back via the internal LAN DG (192.168.0.1).

I changed this route DG on the firewall for that subnet to the WAN DG just to test, but it made no difference.

In the screenshots there is a specific rule allowing subnet 192.168.200.0/24 out.

It seems like a routing issue, but I can't tell or see anything wrong with the config.

Cheers.