OPNsense Forum

English Forums => General Discussion => Topic started by: stumpy on October 17, 2023, 08:09:22 PM

Title: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: stumpy on October 17, 2023, 08:09:22 PM
So. I apologize in advance I am new to networking but trying to get up to speed.

I installed opnsense and used the wizard to (try to) set up my box; apart from specifying DNS providers (1.1.1.1 and 8.8.8.8) I tried using the defaults (oh, and changed the password). I then tried to access the interwebs and... not much. I tried places like github, duckduckgo and cnn but I get the error "site can not be reached", but I can access google.com and nextdns.io?

I am sure it's obvious but I'd super appreciate if some kind/patient soul could point out what I might be doing wrong?

PS is there an (un)official IRC channel or matrix room where all the opnsense gurus hang out?
Title: Re: initial setup - can only access google.com?
Post by: CJ on October 19, 2023, 04:15:34 PM
What does your setup look like?  Can you provide a diagram?  How and where are you testing?

Since you're new to all of this, you shouldn't change anything until after you make sure you have initial connectivity.  The defaults should be fine for that.
Title: Re: initial setup - can only access google.com?
Post by: stumpy on October 19, 2023, 06:25:01 PM
Thank you (so much) for your (patient) response!

So sorry, yeah I didn't give much background.

I have the 2 port protectli FW2B (https://protectli.com/vault-2-port/)

I have opnsense 23.1.11_2amd installed

My setup is connected to an AT&T modem (https://usermanual.wiki/Humax/BGW320-4522445.pdf)

Right now the diagram is pretty simple, it's just my fiber modem -> opnsense/protectli box -> ubuntu laptop  (I plan on branching out more soon by adding in my NAS, a switch, adding tailscale with Mullvad etc)

As for the defaults. I was actually able to connect to the internet and started tinkering (without a backup as I thought I would just revert to the factory defaults), messed up some settings so just reset it to the defaults... and that was apparently a bad idea as it seems Protectli made some changes when they installed it but that was not backed up or made a default, so when I reset it that switched the ports and I was no longer able to access the internet.

I contacted protectli and they told me about the switched ports (wan is now lan and vice versa) but didn't mention anything else; when I asked they directed me to essentially what worked out to be RTFM (which I have tried to do but have not made much headway).
Title: Re: initial setup - can only access google.com?
Post by: CJ on October 20, 2023, 04:41:27 PM
When you go through the initial install it will ask you if you want it to automatically assign interfaces or not.  I usually have a specific order I want so I do it manually.

The easiest way to manually configure the ports is to unplug all of the network cables from the machine.  Then when you select manual assignment it will ask you to plug in the WAN.  This will auto detect the interface so you won't need to try and guess the correct name.  Then you'll repeat the process for the LAN.  Note, it may be LAN first.  It's been a while since I did an install.

Once you have it installed, download and save a copy of your config.  That way you can restore it if you need to reinstall.  OPNSense has the ability to revert changes via the config history in the UI but that won't save you if you bork it too badly.

After that, I would just leave things at the defaults and get used to it for a while.  Once you start becoming familiar with OPNSense, you can start attempting changes.  But always remember to back up your config first, and only change one thing at a time until you're sure that there's no fallout.  I would recommend a week between changes so you can isolate what each change affects and if anything breaks.
Title: Re: initial setup - can only access google.com?
Post by: stumpy on October 22, 2023, 02:10:01 PM
Thanks for that. I will give the ports arranging a try, at the moment just physically putting the lan wire in the wan port and vice versa is working (albeit wonky).

I still can't figure out the actual connecting to the internet? I can access google and nextdns but it seems most other sites I can not access? This is after I used the wizard, and only set the DNS servers (google and cloudflare) and I didn't touch any of the other settings during the wizard setup. When I first started (before setting factory defaults) I was able to access any website so I am miffed as to what setting was turned on/off in the default settings that is now only letting me access a very few sites? (protectli ceased to be helpful after responding to the ports issue)

Is there anything in particular that would prevent me from accessing most websites, but still allow me to access google and nextdns?
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: CJ on October 22, 2023, 04:22:22 PM
It's hard to tell why you're having issues without seeing your config.  That's why I suggested not changing anything to start with.

If you want to try diagnosing this, do a reinstall and then note every single step and action that you take.  That way we can understand the state you end up with.  There are multiple places and ways to configure DNS so just saying that you set those doesn't provide enough information.
Title: Re: initial setup - can only access google.com?
Post by: Patrick M. Hausen on October 22, 2023, 04:29:16 PM
Quote from: stumpy on October 22, 2023, 02:10:01 PM
Thanks for that. I will give the ports arranging a try, at the moment just physically putting the lan wire in the wan port and vice versa is working (albeit wonky).
OPNsense has LAN on the first and WAN on the second interface by default.
pfSense has WAN on the first and LAN on the second interface by default. They changed the order for some reason.

The print on the case of a Protectli device is just that: print. It's the wrong way round for a default OPNsense installation. If you are triggered by such things, you can reorder the interfaces to match the labels as instructed by CJ.

I don't care because all interfaces are VLANs on top of a lagg interface, anyway, here.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: stumpy on October 23, 2023, 01:22:32 PM
Quote from: CJ on October 22, 2023, 04:22:22 PM
It's hard to tell why you're having issues without seeing your config.  That's why I suggested not changing anything to start with.

Good advice, but unfortunately I had already changed things before posting - hence my being in this mess. I originally didn't think that the idea of "just reverting back to the default settings" was a bad/unreasonable idea, but it seems that was indeed not a great idea.

Quote
If you want to try diagnosing this, do a reinstall and then note every single step and action that you take.  That way we can understand the state you end up with.  There are multiple places and ways to configure DNS so just saying that you set those doesn't provide enough information.

If there is a way I could post my config settings I'd be happy to do so, logs perhaps?

Though, I literally just used the wizard option (system -> wizard), on the first page "general setup" I only set the primary dns server (1.1.1.1) and secondary server (8.8.8.8), left the defaults - ie: override dns checked, enable resolver checked, enable dnssec support UNchecked, harden DNSSEC data UNchecked; on the next page "time server information" left the default opnsense time servers, and the time zone set to UTC; for the "configure WAN interface" page I left everything as was, that is everything blank except the default ipv4 config type (which was DHCP, and I left it as DHCP), and I left block RFC1918 private networks checked, and block bogon networks checked. For the "configure LAN interface" page I left the defaults of LAN IP Address 192.168.1.1 and the subnet mask as 24, and the "set root password" page as blank (Joking! I did set that to a unique password). Then clicked "reload config", that's it.
I was not familiar with all those settings but had initially assumed that the defaults would suffice.
I also just tried cloudflare.com and that worked, so it seems that at least some DNS providers work - and so far no non-DNS-providers are accessible.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: CJ on October 23, 2023, 01:51:36 PM
You can download the config from System -> Configuration -> Backups and then upload it here, but make sure you scrub the various hashes, keys, etc from it before doing so.

When you mention defaults, do you mean that you went to System -> Configuration -> Defaults and clicked yes?

Also, the reason I recommend just using the install defaults is because that helps eliminate any issues with Cloudflare or Google DNS.  Once you have things running you can always add them later, which will additionally help make your changes atomic.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: stumpy on October 23, 2023, 03:44:53 PM
Quote from: CJ on October 23, 2023, 01:51:36 PM
You can download the config from System -> Configuration -> Backups and then upload it here, but make sure you scrub the various hashes, keys, etc from it before doing so.
Done!
https://pastebin.com/HrtBqYN2
Quote

When you mention defaults, do you mean that you went to System -> Configuration -> Defaults and clicked yes?

Well, I guess both; that (sys->config->defaults->yes), I do that, then after resetting to defaults it takes me to the wizard.
Quote
Also, the reason I recommend just using the install defaults is because that helps eliminate any issues with Cloudflare or Google DNS.  Once you have things running you can always add them later, which will additionally help make your changes atomic.

Well, I did try to set the defaults and skipped the wizard. Interesting results. I double checked the DNS settings (sys->settings->general) and when I skipped the wizard the DNS entries were empty, no 1.1.1.1 and no 8.8.8.8, and I was still able to access google, cloudflare, nextdns and pastebin?! (but not cnn, reddit, lifehacker among others). (even less than) No clue about what the issue is.
Title: Re: initial setup - can only access google.com?
Post by: cookiemonster on October 23, 2023, 06:24:52 PM
Quote from: stumpy on October 19, 2023, 06:25:01 PM
Thank you (so much) for your (patient) response!

So sorry, yeah I didn't give much background.

I have the 2 port protectli FW2B (https://protectli.com/vault-2-port/)

I have opnsense 23.1.11_2amd installed

My setup is connected to an AT&T modem (https://usermanual.wiki/Humax/BGW320-4522445.pdf)

Right now the diagram is pretty simple, it's just my fiber modem -> opnsense/protectli box -> ubuntu laptop  (I plan on branching out more soon by adding in my NAS, a switch, adding tailscale with Mullvad etc)

As for the defaults. I was actually able to connect to the internet and started tinkering (without a backup as I thought I would just revert to the factory defaults), messed up some settings so just reset it to the defaults... and that was apparently a bad idea as it seems Protectli made some changes when they installed it but that was not backed up or made a default, so when I reset it that switched the ports and I was no longer able to access the internet.

I contacted protectli and they told me about the switched ports (wan is now lan and vice versa) but didn't mention anything else; when I asked they directed me to essentially what worked out to be RTFM (which I have tried to do but have not made much headway).
The linked modem seems to be a Humax gateway. I wonder if you don't have a "just a modem" but a device like that one where depending on the interface used to connect to the OPN, it's still doing some router functions.
Title: Re: initial setup - can only access google.com?
Post by: CJ on October 24, 2023, 02:04:24 PM
Quote from: stumpy on October 23, 2023, 03:44:53 PM
Quote from: CJ on October 23, 2023, 01:51:36 PM
You can download the config from System -> Configuration -> Backups and then upload it here, but make sure you scrub the various hashes, keys, etc from it before doing so.
Done!
https://pastebin.com/HrtBqYN2

You didn't scrub your config before posting it.  You'll definitely need to reinstall now and use different credentials.

Quote from: cookiemonster on October 23, 2023, 06:24:52 PM
The linked modem seems to be a Humax gateway. I wonder if you don't have a "just a modem" but a device like that one where depending on the interface used to connect to the OPN, it's still doing some router functions.

That shouldn't cause any of the symptoms the OP is describing, though.  At most they'd just be double NAT.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: CJ on October 24, 2023, 02:28:41 PM
@stumpy  Are you using ipv6?  Try these steps.

System -> Settings -> General
Check prefer IPv4
Remove the DNS server entries
Check allow DNS to be overridden

Services -> Unbound DNS -> Query Forwarding
Check Use System Nameservers


Also, how are you testing access to websites?  From OPNSense or a computer connected to the LAN port?
Title: Re: initial setup - can only access google.com?
Post by: stumpy on October 24, 2023, 04:34:32 PM
Quote from: CJ on October 24, 2023, 02:04:24 PM
Quote from: stumpy on October 23, 2023, 03:44:53 PM
Quote from: CJ on October 23, 2023, 01:51:36 PM
You can download the config from System -> Configuration -> Backups and then upload it here, but make sure you scrub the various hashes, keys, etc from it before doing so.
Done!
https://pastebin.com/HrtBqYN2

You didn't scrub your config before posting it.  You'll definitely need to reinstall now and use different credentials.
I actually left the "default" login/password so it's not the login password that I would use, or are you referring to something else?
Quote

Quote from: cookiemonster on October 23, 2023, 06:24:52 PM
The linked modem seems to be a Humax gateway. I wonder if you don't have a "just a modem" but a device like that one where depending on the interface used to connect to the OPN, it's still doing some router functions.

That shouldn't cause any of the symptoms the OP is describing, though.  At most they'd just be double NAT.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: stumpy on October 24, 2023, 04:36:35 PM
Quote from: CJ on October 24, 2023, 02:28:41 PM
@stumpy  Are you using ipv6?  Try these steps.

System -> Settings -> General
Check prefer IPv4
Remove the DNS server entries
Check allow DNS to be overridden

Services -> Unbound DNS -> Query Forwarding
Check Use System Nameservers


Also, how are you testing access to websites?  From OPNSense or a computer connected to the LAN port?

Thanks, will check when I get home.

As for how I check, I've been checking using the computer that is connected to the LAN port (for what it's worth, the same computer I access the opnsense webgui from)
Title: Re: initial setup - can only access google.com?
Post by: Patrick M. Hausen on October 24, 2023, 04:40:34 PM
Quote from: CJ on October 24, 2023, 02:04:24 PM
That shouldn't cause any of the symptoms the OP is describing, though.  At most they'd just be double NAT.
Unless the WAN network uses 192.168.1.0/24 - then all sorts of undefined behavior can happen.

@stumpy what are the IP addresses of your WAN and LAN interfaces, respectively?
Title: Re: initial setup - can only access google.com?
Post by: CJ on October 25, 2023, 02:21:05 PM
Quote from: Patrick M. Hausen on October 24, 2023, 04:40:34 PM
Quote from: CJ on October 24, 2023, 02:04:24 PM
That shouldn't cause any of the symptoms the OP is describing, though.  At most they'd just be double NAT.
Unless the WAN network uses 192.168.1.0/24 - then all sorts of undefined behavior can happen.

Ah, valid.  I forget about those edge cases as I would never think to do that.

Quote from: Patrick M. Hausen on October 24, 2023, 04:40:34 PM
@stumpy what are the IP addresses of your WAN and LAN interfaces, respectively?

Based on their pastebin and comments they're using the default 192.168.1.0/24 range for LAN.
Title: Re: protectli FW2B specific config can only access google/nextdns & no other sites??
Post by: CJ on October 25, 2023, 02:27:34 PM
Quote from: stumpy on October 24, 2023, 04:34:32 PM
I actually left the "default" login/password so it's not the login password that I would use, or are you referring to something else?

In the future you should just delete password and cert entries from configs.  That way you're covered regardless.

Quote from: stumpy on October 24, 2023, 04:36:35 PM
Thanks, will check when I get home.

As for how I check, I've been checking using the computer that is connected to the LAN port (for what it's worth, the same computer I access the opnsense webgui from)

Next time check the Firewall -> Log Files -> Live View screen and see what it shows.  That will provide more information.

Also, use the Interfaces -> Diagnostics -> DNS Lookup page to test some domains and provide the results.
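
The scrubbing step CJ describes in this thread (removing hashes, keys, passwords and cert entries from a config export before sharing it), as an added example that is not part of the original posts: a Python sketch that blanks secret-looking leaf elements and reports which ones it redacted. The tag-name patterns, the `hypothetical_blob` element and the sample config are constructed assumptions, not an official OPNsense schema.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: tag-name fragments that usually hold secrets in a config export.
# Illustrative list only, not an official OPNsense schema; extend it as needed.
SECRET_TAG = re.compile(r"passw|secret|psk|key|^prv$|^crt$", re.I)
# Values that look secret whatever the tag is called: crypt(3)-style hashes,
# PEM blocks and long base64 runs (encoded certs/keys). Errs toward over-redaction.
SECRET_VALUE = re.compile(
    r"^(\$[0-9a-z]{1,2}\$\S+|-----BEGIN[A-Z ]+-----.*|[A-Za-z0-9+/=]{64,})$", re.S)
PLACEHOLDER = "REDACTED"


def scrub(xml_text):
    """Blank secret-looking leaf elements; return (xml, redacted element paths)."""
    root = ET.fromstring(xml_text)
    redacted = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = re.sub(r"\s+", "", node.text or "")  # ignore line wrapping
        if len(node) == 0 and value and (
                SECRET_TAG.search(node.tag) or SECRET_VALUE.match(value)):
            node.text = PLACEHOLDER
            redacted.append(here)
        for child in node:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), redacted


# Constructed sample export (placeholder values, hypothetical layout).
BLOB = "Q09OU1RSVUNURUQ" * 5  # 75 base64-alphabet chars under a non-obvious tag
SAMPLE = f"""<opnsense>
  <system>
    <hostname>fw</hostname>
    <user><name>root</name><password>$2y$10$CONSTRUCTEDHASHVALUE</password></user>
  </system>
  <interfaces><lan><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan></interfaces>
  <cert>
    <descr>Web GUI TLS certificate</descr>
    <crt>Q09OU1RSVUNURUQ=</crt>
    <prv>Q09OU1RSVUNURUQtS0VZ</prv>
  </cert>
  <hypothetical_blob>{BLOB}</hypothetical_blob>
</opnsense>"""

if __name__ == "__main__":
    cleaned, paths = scrub(SAMPLE)
    print(cleaned)
    print("redacted:", paths)
```

Attributes and free-text fields such as descriptions are not inspected, so read the redacted path list and the output itself before posting anything.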