Scratching my head over this one. Newly installed firewall, after rules added to restrict outgoing LAN traffic to a few ports, denies everything outgoing on the default deny rule - and continues to do so when an allow all rule is added back in at the top. The only LAN rule that is "working as expected" is the anti-lockout rule. Rules added to the WAN interface work as expected.
What circumstances could result in this scenario? All input welcome!
Is there a rule to allow LAN subnet traffic to access services such as DNS from OPNsense or allow such queries to an external DNS server?
How is outbound NAT configured?
Is a gateway specified in the rule(s) that allow LAN subnet traffic through to the WAN?
Thanks for your response :)
DNS is being provided via the Unbound service and that works fine; oddly, as during testing the specific DNS rule was disabled, so presumably it's the allow all rule that is allowing DNS queries to the firewall; suggests that the issue is with traffic through the firewall from LAN devices.
Outbound NAT is set to Automatic.
None of the LAN rules set a gateway; there are 2 gateways configured, one to route to an internal separate subnet and the default one to the ISP router. The only active LAN rules right now are IPv4 and IPv6 allow to any (as well as the built-in anti-lockout and of course Deny All!)
Additional info: if I modify the LAN "allow any" rule to be TCP only, the DNS queries are not allowed, and resume if I set it to TCP/UDP; so the issue must be in some sort of internal routing rule - traffic *to* the firewall on LAN interface is being managed by the "allow any" rule as expected, just traffic through that is being denied.
...reset to factory or start from scratch with a fresh install. Anything else looks like a complete waste of time... ;-)
<250 mile drive later...>
A factory reset sounds like an option, except I'll lose connection to the device which is the other end of a long drive (not left the site unconnected, using a spare IP for its WAN connection). What's the next best option?
<internal frustration after having composed a post and now having to recompose after clicking the wrong button in my browser>
I would suggest setting a gateway in the LAN firewall rule(s) intended to permit traffic through the WAN connection.
I would also suggest careful review of the automatic outbound NAT rules. I remember making a pained and confused expression when I first looked at the automatically generated outbound NAT rules, right before I wiped them out and manually created my own outbound NAT rules.
Here is an example from my primary LAN subnet on my home router. Sorry for the small print, I had to zoom out to screenshot it all at once.
(http://nothingunreal.com/dump/FirewallLANtoWAN.PNG)
(http://nothingunreal.com/dump/OutboundNAT.PNG)
I have separate rules for IPv6 traffic and other stuff but this should give you a good starting reference for something that works.
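An added example (not from this thread or the OPNsense project) that audits a rule list for the combination the thread ends up pointing at: LAN pass rules to any destination with no gateway set. It assumes the `<filter><rule>` layout of OPNsense's config.xml with `<type>`, `<interface>`, `<destination>`, `<gateway>` and `<descr>` elements; the sample fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of OPNsense's config.xml <filter> section
# (the element layout is an assumption, trimmed to what the check uses).
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <gateway>WAN_GW</gateway>
      <descr>LAN to WAN via explicit gateway</descr>
    </rule>
    <rule>
      <type>pass</type>
      <interface>wan</interface>
      <source><any/></source>
      <destination><network>wanip</network></destination>
      <descr>WAN rule, not affected</descr>
    </rule>
  </filter>
</opnsense>
"""

def _text(rule, tag):
    el = rule.find(tag)
    return (el.text or "").strip() if el is not None else ""

def pass_rules_without_gateway(xml_text, interface="lan"):
    """Descriptions of pass rules on `interface` with destination 'any' and
    no gateway set: the combination the thread ends up pointing at."""
    root = ET.fromstring(xml_text)
    flagged = []
    for rule in root.findall("./filter/rule"):
        if _text(rule, "type") != "pass" or _text(rule, "interface") != interface:
            continue
        dest = rule.find("destination")
        to_any = dest is not None and dest.find("any") is not None
        if to_any and not _text(rule, "gateway"):
            flagged.append(_text(rule, "descr") or "<no description>")
    return flagged
```

Run it against a copy of your own config.xml to list the LAN rules that still rely on the default route rather than an explicit gateway.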
A quick somewhat delayed note to say thanks and the adding of the specific gateway resolved the issue. 8)