OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: fbtanner3 on September 14, 2023, 09:31:15 pm

Title: Unusual Issue
Post by: fbtanner3 on September 14, 2023, 09:31:15 pm
So I have deployed an OPNsense firewall and am running into an issue.  The only traffic rule I have allowing traffic out is the default one that is LAN to Any wildcard.  My subnet is 10.8.0.0/16.

The issue is that nothing on my 10.8.1.0 subnet can reach the Internet.  No traffic at all (http/https/dns/whatever).  However, the traffic on the rest of the 10.8.0.0 subnets can reach the Internet just fine.

Does anyone have any ideas?  I'm stumped.  I'd think that the CIDR being a /16 would allow anything out that starts with a 10.8, but apparently I am missing something.  For curiosity, the LAN IP of the firewall is 10.8.0.1/16.

Thank you.
Title: Re: Unusual Issue
Post by: adk20 on September 14, 2023, 09:51:57 pm
Hi fbtanner,

I guess we need more details on your configuration. However, if your OPN's LAN IF has 10.8.0.1/16, there is no such thing as a 10.8.1.0/?? subnet. The only network you have is 10.8/16.

My first guess is that you have configured 10.8.x.0/24 networks on your hosts which will not work as expected.

Any 10.8.x.0/24 where x!=0 will not have a route to your OPN box.
Title: Re: Unusual Issue
Post by: fbtanner3 on September 17, 2023, 11:42:38 pm
I called it "subnet" for ease of explanation.  My entire network is utilizing a 10.8.x.x address space.  Different things are on 10.8.0.x, 10.8.1.x, 10.8.2.x etc.  All of my hosts are configured /16.  Only the ones on the 10.8.1.x space are having the issue.  All of my spaces, 10.8.2.x, 10.8.3.x, 10.8.4.x, 10.8.5.x, and 10.8.200.x can get to the Internet just fine.  It's just the 10.8.1.x space having the issue.  I have nothing configured with a /24.
Title: Re: Unusual Issue
Post by: newsense on September 17, 2023, 11:45:59 pm
Sounds like you're missing a NAT rule for that vlan
Title: Re: Unusual Issue
Post by: fbtanner3 on September 17, 2023, 11:51:51 pm
I don't have any NAT rules set up, beyond the default rules from the installation of OPNsense.  This seems to work for everything else.  Why would it not work for those?  They're on the same /16 network.
Title: Re: Unusual Issue
Post by: fbtanner3 on September 17, 2023, 11:55:58 pm
These are my NAT and firewall rules.  Default generated from install.
Title: Re: Unusual Issue
Post by: newsense on September 18, 2023, 12:13:42 am
Can you access https://1.1.1.1 from that subnet?
Title: Re: Unusual Issue
Post by: fbtanner3 on September 18, 2023, 02:42:16 am
Ok.  So this is going to add to the weirdness.

While I was waiting for any responses, I did the latest upgrade that just came out.  Now I can get to the Internet from boxes on the 10.8.1.x address space.  Including the 1.1.1.1 Cloudflare site.

Any ideas why that "fixed it"?  If not I will just chalk it up to "magic".

EDITED TO ADD:  This has, literally, been non-functional since early August when I replaced my old Zyxel firewall with this one.
Title: Re: Unusual Issue
Post by: newsense on September 18, 2023, 03:12:58 am
As a general rule it's best to be on the latest version, issues could have been fixed already as it seems to be the case here as well.

Without a better understanding of what the actual issue was, I'll scratch this down as fixed due to the recent work in the Interface/DHCP/GW space.


One last comment about your setup: Dumping everything in a /16 network with a default allow any outbound rule is the absolute minimum security wise. Proper VLAN segmentation, securing DNS and NTP would be some great avenues to explore - there's plenty of docs and videos that you can tap into.
Title: Re: Unusual Issue
Post by: fbtanner3 on September 18, 2023, 06:11:45 pm
I was on the latest version when I installed it and up until this new version came out last week I was still on the newest version.  It wasn't a "newest version" issue.  The newest version has been out less than a week and this problem had been an issue since early August.

I am aware that the basic rule that is on the install is "the bare minimum".  It's not a permanent solution.  It is there until I get a better handle on the way the rules work.  I come from an IPTables/Cisco ASA/Checkpoint FW1 background, so I have to learn the way OPNsense does things before I start getting granular.  You know...  Crawl, walk, run.

As far as DNS and NTP, I am running my own NTP server that uses GPS for time sync.  That said, I still need to figure out how to point OPNsense to it.  My internal DNS points to my internal PiHole, which then points to external DNS.

I appreciate the input.
Title: Re: Unusual Issue
Post by: newsense on September 18, 2023, 07:00:39 pm
You'll need two port forward rules for your current setup:

1) Source Any, Dest Any Dest IP 53, Proto TCP/UDP - redirect to Pihole IP port 53

 - would be better to provision PiHole in DHCP and use Unbound with DoT as upstream for Pihole instead. Dnsmasq is fine for internal traffic but I wouldn't let it on the internet as it's not DoT/DoH capable


2) Source Any, Dest Any Dest IP 123, Proto UDP - redirect to GPS clock IP port 123

 - confirm with chronyc clients -v if using Chrony
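The two redirect rules described in the post above, modelled as an added Python example (not OPNsense or pf code, and not from the thread): it shows which LAN flows get rewritten to the internal resolver and clock, and adds an exemption, assumed here, for the PiHole's and clock's own upstream traffic so their forwarded queries do not loop back to themselves. The PiHole and GPS clock addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example: LAN is 10.8.0.0/16 as in the thread;
# the PiHole and GPS clock addresses are placeholders, not the poster's.
LAN_NET = ipaddress.ip_network("10.8.0.0/16")
PIHOLE_IP = ipaddress.ip_address("10.8.0.53")   # placeholder
CLOCK_IP = ipaddress.ip_address("10.8.0.123")   # placeholder


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Redirect:
    protos: frozenset          # protocols the rule matches
    dport: int                 # destination port the rule matches
    target_ip: ipaddress.IPv4Address
    target_port: int
    exempt_src: frozenset      # hosts whose own upstream traffic must pass untouched


RULES = [
    # 1) Source Any, Dest Any, port 53, TCP/UDP -> PiHole:53
    Redirect(frozenset({"tcp", "udp"}), 53, PIHOLE_IP, 53, frozenset({PIHOLE_IP})),
    # 2) Source Any, Dest Any, port 123, UDP -> GPS clock:123
    Redirect(frozenset({"udp"}), 123, CLOCK_IP, 123, frozenset({CLOCK_IP})),
]


def apply_redirects(flow: Flow, rules=RULES):
    """Return (dst_ip, dst_port) after the first matching redirect, else the original pair."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Port forwards apply on the LAN interface, so only LAN-originated flows are candidates.
    if src not in LAN_NET:
        return str(dst), flow.dport
    for rule in rules:
        if flow.proto in rule.protos and flow.dport == rule.dport and src not in rule.exempt_src:
            return str(rule.target_ip), rule.target_port
    return str(dst), flow.dport
```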
Title: Re: Unusual Issue
Post by: fbtanner3 on September 19, 2023, 04:03:21 pm
I'm not using DHCP from the OPNsense firewall.  The firewall is just a firewall.  I'm using DHCP and internal DNS on my domain controllers.  The PiHole is set up as the forwarder from the internal DNS.  The PiHole points to Google DNS for outside lookups.  Basically it's a DNS proxy between internal and external.

My Windows machines are using domain time for time, my PDC Emulator uses the NTP server for its time, so time is all synched to NTP based on the transitive properties of domain time on the Windows boxes.  All of my Linux boxes and network devices, I am manually pointing to the NTP server.  The only one not currently getting time from the internal NTP server is the OPNsense box.