OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: malchir on April 22, 2019, 07:57:45 PM

Title: OPNSense behind ISP Modem; all traffic blocked
Post by: malchir on April 22, 2019, 07:57:45 PM
Hello all,

I have the following setup:

Internet -- ISP modem -- OPNSense -- l3 switch

ISP modem - OPNSense subnet : 192.168.178.0/24 (.1 <-> .252)
OPNSense -- L3 Switch 10.34.10.0/24
L3 Switch - 10.34.0.0/16 (several VLANs).

I've added FW rules to allow 10.34.0.0/16 (added routing and gateway too) to any but traffic gets blocked by "Default Rule". I've made it more specific by adding /24 subnet rules but traffic stays blocked. I've searched through OPNSense and PFSense posts but I cannot get a right answer why something pretty obvious gets blocked. Am I missing NAT rules (it's double NAT, yeah not perfect but it works)? I've disabled blocking RFC1918 en bogon networks.

At the moment I use an ASA 5505 and that works but as soon as I switch the default route to the OPNSense FW (on the L3 switch) the logs fill up with block spam.

I must be overlooking something but I do not see it at the moment.

With kind regards,

Marcel Tempelman.

Title: Re: OPNSense behind ISP Modem; all traffic blocked
Post by: bartjsmit on April 22, 2019, 08:59:48 PM
Are you allowing RFC 1918 on your WAN interface? Interfaces, WAN, make sure 'Block private networks' is unticked.

Bart...
Title: Re: OPNSense behind ISP Modem; all traffic blocked
Post by: Maurice on April 22, 2019, 09:26:53 PM
If you want OPNsense to perform NAT for subnets other than those of its LAN interfaces, you need to add manual outbound NAT rules.
Title: Re: OPNSense behind ISP Modem; all traffic blocked
Post by: malchir on April 23, 2019, 07:26:40 PM
Thx Maurice ! That was what fixed it. I was still using the automatic setting. Just added a NAT rule for my 10.34.0.0/16 subnet and it worked !

with kind regards,

Marcel Tempelman