I have a nano PC box with 4 interfaces. I have installed OPNsense (OPNsense 20.1.4-amd64 FreeBSD 11.2-RELEASE-p18-HBSD OpenSSL 1.1.1f 31 Mar 2020), allowed it to set up the auto rules and chosen the interfaces to be used for specific purposes, but I have configured the interfaces currently as below to illustrate my confusion in this.
My tests have confirmed that when I connect WAN to my internet router, it gets a DHCP lease OK, and I can access the internet from any of the three interfaces, so that part works.
My issues that I've been wrestling with for the past few days are:
1. I can't control this: if a device connects to interface 172_16_1_x it gets a 172.16.3.x address. I can't figure out how to stop this.
2. I cannot ping or access a device when I connect a laptop to interface 172.16.1.x and ping 172.16.3.11 from 172.16.1.10 (although testing on the firewall diagnostics allows me to ping the IP from the 172.16.1.x interface; I've tried other combinations of interfaces and all exhibit the same condition). I've tried setting the relevant interfaces to /24, /16 and /8 and adjusting the DHCP scopes to match to allow for subnet access between the interfaces, but it doesn't work.
3. I cannot find a description of the difference between _net and _address as a suffix in my interface FW rule dropdowns. Address is singular addresses, like 172.16.3.11, and net is 172.16.3.0/24?
4. By default, WAN does not allow incoming traffic, which is good. Are there, or is there, a list of currently accepted best-practice rules that I can insert into a backup I can then use to restore, to cut out a lot of clicking and selecting and applying? It seems a bit of a long route around to create a rule for each and every port and service type if it's out there already and can be spliced in somehow.
5. My current wifi router is an Asus EA6500 and its current DHCP scope is 10.1.1.0/24, and when I change this to 172.16.4.0/25 I get massive problems in terms of access and the router resets itself to a random 10.x.x.x range upon reboot. This I find odd behaviour, as when I disconnect the OPNsense from the router, it allows the 172.16.4.0/24 range to persist, which leads me to think my config in the OPNsense is somehow interfering with the setup/boot process of the wifi router. I'll see about getting Wireshark onto one of the wifi router interfaces and seeing what is actually going on here. Any experiences with similar here?
4 interfaces
172_16_1_x
172_16_2_x
172_16_3_x
WAN
172_16_1_x
DHCP enabled
GW 172.16.1.1
DHCP range 172.16.1.10 - 172.16.1.245
DHCP subnet mask 255.255.255.0
172_16_2_x
DHCP enabled
GW 172.16.2.1
DHCP range 172.16.2.10 - 172.16.2.245
DHCP subnet mask 255.255.255.0
172_16_3_x
DHCP enabled
GW 172.16.3.1
DHCP range 172.16.3.10 - 172.16.3.245
DHCP subnet mask 255.255.255.0
pfTop
pfTop: Up Rule 1-87/87, View: rules
RULE ACTION DIR LOG Q IF PR K PKTS BYTES STATES MAX INFO
0 Block In Log !igb1 0 0 * drop inet from 172.16.0.0/16 to any
1 Block In Log !igb2 0 0 * drop inet from 172.16.0.0/16 to any
2 Block In Log !igb3 0 0 * drop inet from 172.16.0.0/16 to any
3 Block In Log 0 0 * drop inet from 172.16.1.1/32 to any
4 Block In Log 0 0 * drop inet from 172.16.2.1/32 to any
5 Block In Log 0 0 * drop inet from 172.16.3.1/32 to any
6 Block In Log igb1 0 0 * drop inet6 from fe80::290:27ff:fee4:7621/128 to any
7 Block In Log igb2 0 0 * drop inet6 from fe80::290:27ff:fee4:7622/128 to any
8 Block In Log igb3 0 0 * drop inet6 from fe80::290:27ff:fee4:7623/128 to any
9 Block In Log igb0 0 0 * drop inet6 from fe80::c256:27ff:febe:cd5d/128 to any
10 Pass In Log Q lo0 K 0 0 * inet6 all flags S/SA
11 Block In Log Q 0 0 * drop inet6 all
12 Block In Log 0 0 * drop inet all
13 Block In Log 0 0 * drop inet6 all
14 Pass In Log Q ipv6-icmp K 0 0 * inet6 all
15 Pass In Log Q ipv6-icmp K 0 0 * inet6 all
16 Pass In Log Q ipv6-icmp K 0 0 * inet6 all
17 Pass In Log Q ipv6-icmp K 0 0 * inet6 all
18 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to fe80::/10
19 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to ff02::/16
20 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to fe80::/10
21 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to ff02::/16
22 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to fe80::/10
23 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to ff02::/16
24 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to fe80::/10
25 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to ff02::/16
26 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to fe80::/10
27 Pass Out Log Q ipv6-icmp K 0 0 * inet6 from (self) to ff02::/16
28 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to fe80::/10
29 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to ff02::/16
30 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to fe80::/10
31 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to ff02::/16
32 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to fe80::/10
33 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to ff02::/16
34 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to fe80::/10
35 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to ff02::/16
36 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to fe80::/10
37 Pass In Log Q ipv6-icmp K 0 0 * inet6 from fe80::/10 to ff02::/16
38 Pass In Log Q ipv6-icmp K 0 0 * inet6 from ff02::/16 to fe80::/10
39 Pass In Log Q ipv6-icmp K 0 0 * inet6 from ff02::/16 to fe80::/10
40 Pass In Log Q ipv6-icmp K 0 0 * inet6 from ff02::/16 to fe80::/10
41 Pass In Log Q ipv6-icmp K 0 0 * inet6 from ff02::/16 to fe80::/10
42 Pass In Log Q ipv6-icmp K 0 0 * inet6 from ff02::/16 to fe80::/10
43 Block In Log Q tcp 0 0 * drop inet from any port = 0 to any
44 Block In Log Q udp 0 0 * drop inet from any port = 0 to any
45 Block In Log Q tcp 0 0 * drop inet6 from any port = 0 to any
46 Block In Log Q udp 0 0 * drop inet6 from any port = 0 to any
47 Block In Log Q tcp 0 0 * drop inet from any to any port = 0
48 Block In Log Q udp 0 0 * drop inet from any to any port = 0
49 Block In Log Q tcp 0 0 * drop inet6 from any to any port = 0
50 Block In Log Q udp 0 0 * drop inet6 from any to any port = 0
51 Block In Log Q carp 0 0 * drop from (self) to any
52 Pass Any Log Q carp K 0 0 * all
53 Block In Log Q tcp 0 0 * drop from to (self) port = ssh
54 Block In Log Q tcp 0 0 * drop from to (self) port = https
55 Block In Log Q 0 0 * drop from to any
56 Block In Log Q igb0 0 0 * drop inet from to any
57 Block In Log Q igb0 0 0 * drop inet from 10.0.0.0/8 to any
58 Block In Log Q igb0 0 0 * drop inet from 127.0.0.0/8 to any
59 Block In Log Q igb0 0 0 * drop inet from 100.64.0.0/10 to any
60 Block In Log Q igb0 0 0 * drop inet from 172.16.0.0/12 to any
61 Block In Log Q igb0 0 0 * drop inet from 192.168.0.0/16 to any
62 Block In Log Q igb0 0 0 * drop inet6 from fc00::/7 to any
63 Pass In Log Q igb1 udp K 0 0 * inet from any port = bootpc to 255.255.255.255/32 port = bootps
64 Pass In Log Q igb1 udp K 0 0 * from any port = bootpc to (self) port = bootps
65 Pass Out Log Q igb1 udp K 0 0 * from (self) port = bootps to any port = bootpc
66 Pass In Log Q igb2 udp K 0 0 * inet from any port = bootpc to 255.255.255.255/32 port = bootps
67 Pass In Log Q igb2 udp K 0 0 * from any port = bootpc to (self) port = bootps
68 Pass Out Log Q igb2 udp K 0 0 * from (self) port = bootps to any port = bootpc
69 Pass In Log Q igb3 udp K 0 0 * inet from any port = bootpc to 255.255.255.255/32 port = bootps
70 Pass In Log Q igb3 udp K 0 0 * from any port = bootpc to (self) port = bootps
71 Pass Out Log Q igb3 udp K 0 0 * from (self) port = bootps to any port = bootpc
72 Pass In Log igb0 udp K 0 0 * from any port = bootps to any port = bootpc
73 Pass Out Log igb0 udp K 0 0 * from any port = bootpc to any port = bootps
74 Pass In Log Q lo0 K 648 59368 * all flags S/SA
75 Pass Out Log K 648 59368 * all flags S/SA allow-opts
76 Pass In Log Q igb1 tcp K 0 0 * from any to (self) port = http flags S/SA
77 Pass In Log Q igb1 tcp K 1638 1578982 * from any to (self) port = https flags S/SA
78 Pass Any Log Q igb1 K 6 468 * inet from (igb1) to (igb1) flags S/SA
79 Pass Any Log Q igb2 K 0 0 * inet from (igb2) to (igb2) flags S/SA
80 Pass Any Log Q igb3 K 107 8351 * inet from (igb3) to (igb3) flags S/SA
81 Block In Q igb0 0 0 * drop inet all
82 Block In Q igb0 0 0 * drop inet6 all
83 Pass In Q igb1 K 0 0 * inet from (igb1) to any flags S/SA
84 Pass In Q igb1 K 0 0 * inet6 from (igb1) to any flags S/SA
85 Pass Out Q igb3 K 0 0 * inet from (igb1) to (igb3) flags S/SA
86 Pass In Q igb3 K 0 0 * inet from (igb1) to (igb3) flags S/SA
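An added example, not code from the post or from OPNsense: it reads pfTop rule lines like the ones quoted above and reports, per LAN interface, which rules pass inbound traffic from that interface's own addresses to any destination, and it spells out the item-3 distinction (an interface's "address" is its own IP, its "net" is the attached subnet). It assumes the (igbN) notation as pfTop prints it and takes the interface addresses and masks from the configuration listed in the post.

```python
import re
from ipaddress import ip_interface

# Constructed sample input: a handful of lines copied from the pfTop "rules"
# view in the post. "(igbN)" is pf's dynamic interface reference as pfTop shows it.
PFTOP_SAMPLE = """\
12 Block In Log 0 0 * drop inet all
63 Pass In Log Q igb1 udp K 0 0 * inet from any port = bootpc to 255.255.255.255/32 port = bootps
66 Pass In Log Q igb2 udp K 0 0 * inet from any port = bootpc to 255.255.255.255/32 port = bootps
77 Pass In Log Q igb1 tcp K 1638 1578982 * from any to (self) port = https flags S/SA
79 Pass Any Log Q igb2 K 0 0 * inet from (igb2) to (igb2) flags S/SA
83 Pass In Q igb1 K 0 0 * inet from (igb1) to any flags S/SA
86 Pass In Q igb3 K 0 0 * inet from (igb1) to (igb3) flags S/SA
"""

# Interface IP ("GW") and DHCP subnet mask as configured in the post.
IFACES = {"igb1": "172.16.1.1/24", "igb2": "172.16.2.1/24", "igb3": "172.16.3.1/24"}


def rule_objects(cidr):
    """'X address' = the interface's own IP (/32); 'X net' = the subnet on it."""
    i = ip_interface(cidr)
    return {"address": f"{i.ip}/32", "net": str(i.network)}


def parse_rule(line):
    """Split one pfTop rule line into (num, action, direction, iface, src, dst)."""
    toks = line.split()
    if len(toks) < 3 or not toks[0].isdigit():
        return None  # header or non-rule line
    iface = next((t for t in toks[3:] if re.fullmatch(r"!?(igb\d|lo0)", t)), None)
    src = toks[toks.index("from") + 1] if "from" in toks else "any"  # "all" = any to any
    dst = toks[toks.index("to") + 1] if "to" in toks else "any"
    return int(toks[0]), toks[1], toks[2], iface, src, dst


def pass_in_to_any(pftop_text, ifaces):
    """Per interface, the 'Pass In/Any' rule numbers whose source is that interface's
    own (igbN) object and whose destination is 'any'. An empty list means no rule
    passes that interface's traffic to arbitrary destinations."""
    found = {name: [] for name in ifaces}
    for rule in filter(None, map(parse_rule, pftop_text.splitlines())):
        num, action, direction, iface, src, dst = rule
        if action == "Pass" and direction in ("In", "Any") and iface in found \
                and src == f"({iface})" and dst == "any":
            found[iface].append(num)
    return found


if __name__ == "__main__":
    passes = pass_in_to_any(PFTOP_SAMPLE, IFACES)
    for name, cidr in IFACES.items():
        print(name, rule_objects(cidr), "pass-in-to-any rules:", passes[name])
```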