Hi all,
I have a 4-port OPNsense with a WAN, LAN, DMZ and an additional port for a management network, which shall have access to the Internet over port OPT2 (named WLAN here, see rules). The firewall rules on this interface are as attached.
Connected to this port OPT2 is a server with the address 192.168.88.11; its gateway is 192.168.88.1, and the gateway to the Internet is 192.168.2.1. The server has 2 interfaces: the primary interface eno1 is connected to the LAN (gateway 192.168.1.1), the alternate interface eno4 to the network 192.168.88.0. Consequently I have added a second routing table (mng) on the server with iproute2 and added the necessary rules there:
controller# ip rule list
0: from all lookup local
32764: from all to 192.168.88.11 lookup mng
32765: from 192.168.88.11 lookup mng
32766: from all lookup main
32767: from all lookup default
In this second routing table I have configured:
controller# ip route list table mng
default via 192.168.88.1 dev eno4
192.168.88.0/24 dev eno4 scope link src 192.168.88.11
So, what works:
LAN works normally.
I can ping another server in the network 192.168.88.0.
I can ping the gateway:
controller# ping -I eno4 192.168.88.1
PING 192.168.88.1 (192.168.88.1) from 192.168.88.11 eno4: 56(84) bytes of data.
64 bytes from 192.168.88.1: icmp_seq=1 ttl=64 time=1061 ms
64 bytes from 192.168.88.1: icmp_seq=2 ttl=64 time=52.2 ms
64 bytes from 192.168.88.1: icmp_seq=3 ttl=64 time=59.7 ms
64 bytes from 192.168.88.1: icmp_seq=4 ttl=64 time=1059 ms
64 bytes from 192.168.88.1: icmp_seq=5 ttl=64 time=83.2 ms
64 bytes from 192.168.88.1: icmp_seq=6 ttl=64 time=90.8 ms
(Remarkable: the large variation and duration of the ping times ...), but I can't reach the WAN address:
controller# ping -I eno4 192.168.2.101
PING 192.168.2.101 (192.168.2.101) from 192.168.88.11 eno4: 56(84) bytes of data.
From 192.168.88.11 icmp_seq=1 Destination Host Unreachable
Obviously there is a missing route in the OPNsense between the gateway 192.168.88.1 and the WAN. Evidence for this is what I get when executing on the server:
controller# ip neigh show
104.68.210.119 dev eno4 FAILED
192.168.88.31 dev eno4 lladdr 00:25:kk:mm:rr:a1 STALE
192.168.2.1 dev eno4 FAILED
104.108.187.66 dev eno4 FAILED
192.168.88.1 dev eno4 lladdr 00:17:ww:ff:ww:1c STALE
192.168.1.83 dev eno1 lladdr ac:87:ww:ff:nn:rr REACHABLE
192.168.2.101 dev eno4 FAILED
192.168.1.1 dev eno1 lladdr 00:17:nn:aa:bb:1a STALE
(...)
(Don't ask me why even LAN connections are stale 8)); BUT a traceroute command to an address on the Internet shows:
controller# traceroute -i eno4 www.nokia.com
traceroute to www.nokia.com (104.68.210.119), 30 hops max, 60 byte packets
1 192.168.88.1 (192.168.88.1) 57.456 ms 59.551 ms 59.545 ms
2 192.168.2.1 (192.168.2.1) 59.573 ms 59.611 ms 59.592 ms
3 217.0.117.111 (217.0.117.111) 59.684 ms 59.668 ms 59.659 ms
4 (...)
8 a104-68-210-119.deploy.static.akamaitechnologies.com (104.68.210.119) 187.744 ms 187.735 ms 187.724 ms
Something really confusing here .... :o :-\
I don't understand why, with the given firewall rules, the WAN net cannot be reached. How can I fix that?
Does anybody have an idea?
Looking forward to your reply.
Br br
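One explanation consistent with the evidence in the post (neighbour entries for off-subnet addresses such as 192.168.2.1 and 104.68.210.119 marked FAILED on eno4) is worth checking before touching the firewall: `ping -I eno4` binds the socket to the device (SO_BINDTODEVICE) without setting a source address, so the rule `from 192.168.88.11 lookup mng` does not match, the main table has no route for 192.168.2.0/24 through eno4, and Linux then assumes the destination is on-link on that device and ARPs for it (the "routing tables are wrong, assume destination is on link" fallback in net/ipv4/route.c). Traceroute, which sends from the interface address, does match the source rule and goes via 192.168.88.1. The following Python model of `ip rule` / `ip route` lookup is an added example written for this page; it is not kernel code and not part of the original post. The LAN address 192.168.1.50 on eno1 and the `Rule(..., oif="eno4")` fix are assumptions for illustration (the real `ip rule add oif DEV lookup TABLE` selector exists and matches only device-bound sockets).

```python
# Added example: a small model of Linux policy routing (ip rule + per-table
# longest-prefix match) reproducing the setup described in the post.
# Not kernel code; the local table and ARP are deliberately left out.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network        # destination prefix, 0.0.0.0/0 = default
    dev: str
    via: Optional[str] = None            # gateway; None means on-link (scope link)
    src: Optional[str] = None            # preferred source address


@dataclass(frozen=True)
class Rule:
    table: str
    src: Optional[str] = None            # "from X" selector; None matches all
    dst: Optional[str] = None            # "to X" selector
    oif: Optional[str] = None            # "oif DEV" selector (device-bound sockets only)


# 192.168.1.50 is an assumed LAN address for eno1; the rest is from the post.
IFACE_ADDR = {"eno1": "192.168.1.50", "eno4": "192.168.88.11"}

TABLES = {
    "main": [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "eno1", via="192.168.1.1"),
        Route(ipaddress.IPv4Network("192.168.1.0/24"), "eno1", src="192.168.1.50"),
        Route(ipaddress.IPv4Network("192.168.88.0/24"), "eno4", src="192.168.88.11"),
    ],
    "mng": [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "eno4", via="192.168.88.1"),
        Route(ipaddress.IPv4Network("192.168.88.0/24"), "eno4", src="192.168.88.11"),
    ],
}

# Rules in priority order, as printed by `ip rule list` in the post.
RULES = [
    Rule("mng", dst="192.168.88.11"),    # 32764: from all to 192.168.88.11 lookup mng
    Rule("mng", src="192.168.88.11"),    # 32765: from 192.168.88.11 lookup mng
    Rule("main"),                        # 32766: from all lookup main
]

# Assumed fix: `ip rule add oif eno4 lookup mng` in front of the existing rules,
# so sockets bound to eno4 use the mng table even without a source address.
RULES_FIXED = [Rule("mng", oif="eno4")] + RULES


def lookup_table(routes, dst, oif):
    """Longest-prefix match; a bound oif excludes routes through other devices."""
    best = None
    for r in routes:
        if dst in r.prefix and (oif is None or r.dev == oif):
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best


def route_get(rules, tables, dst, src=None, oif=None):
    """Model `ip route get DST [from SRC] [oif DEV]`.

    Returns (table, nexthop, dev, source). Rules are tried in order and a table
    without a matching route falls through to the next rule. If nothing matches
    but the socket is bound to a device, mimic the kernel's "assume the
    destination is on link" fallback: the host will ARP for DST directly on that
    device, which is what the FAILED neighbour entries in the post show.
    """
    d = ipaddress.IPv4Address(dst)
    for rule in rules:
        if rule.src is not None and rule.src != src:
            continue
        if rule.dst is not None and ipaddress.IPv4Address(rule.dst) != d:
            continue
        if rule.oif is not None and rule.oif != oif:
            continue
        r = lookup_table(tables[rule.table], d, oif)
        if r is not None:
            return (rule.table, r.via or "on-link", r.dev,
                    src or r.src or IFACE_ADDR[r.dev])
    if oif is not None:
        return ("none", "on-link", oif, src or IFACE_ADDR[oif])
    raise LookupError("network is unreachable")


if __name__ == "__main__":
    # ping -I eno4 192.168.2.101: device-bound, no source -> on-link fallback, ARP fails
    print(route_get(RULES, TABLES, "192.168.2.101", oif="eno4"))
    # ping -I 192.168.88.11 192.168.2.101: source-bound -> rule 32765 -> via 192.168.88.1
    print(route_get(RULES, TABLES, "192.168.2.101", src="192.168.88.11"))
    # same device-bound ping with the assumed oif rule in place
    print(route_get(RULES_FIXED, TABLES, "192.168.2.101", oif="eno4"))
```

On the host itself the equivalent checks are `ip route get 192.168.2.101 oif eno4` against `ip route get 192.168.2.101 from 192.168.88.11 oif eno4`, and `ping -I 192.168.88.11 192.168.2.101` (source address instead of device name); if the source-bound ping reaches the WAN, the OPNsense rules are not what is blocking it.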