I'm in the process of installing OPNsense on a Sophos XG 115 and have it set up in a lab environment until I get all my VLANs and rules working well enough that I can swap it into production. Just to give a general idea of my environment, I have the firewall box set up so the WAN port is going to one of the VLANs of my existing prod network, and the LAN port is set up as a trunk to a switch I'm using temporarily so I can plug a laptop into it, test the VLANs etc., and do the initial config.
I originally accidentally installed the legacy 24.1, and when I performed the upgrade it trashed the whole install and I lost access to everything, even from the laptop. I was able to get back in by creating a temporary admin interface on a 3rd port, then found that all my VLANs were not assigned anymore. When I came to the forum, that's when I realized I was on 24.1: when I checked my version to see what forum to post in, I saw that 24.1 was considered legacy.
So I reinstalled with 24.7 and am now back to configuring VLANs etc. I had a backup from the initial config on 24.1, so I restored it.
I also set up a rule so I can access the admin interface from WAN, which obviously would be a bad idea if it was facing the internet, but it's set up on my network temporarily. This was working before I restored the backup, but now I cannot access the WAN interface at all; I can't even ping it, despite adding firewall rules. I also can't leave the WAN interface from the firewall. It's almost like the WAN is not doing anything at all. It shows that it picked up an IP from my DHCP server, but I can't do anything at all from there.
I also unchecked the box to block bogon networks, as I thought maybe that was causing problems. (I will put that back once it's in prod.)
Any other ideas on how to troubleshoot this? I want to make sure I can pass traffic through the WAN interface before I put this in production and it would also be nice to be able to configure rules from the WAN interface as I can do it from my PC instead of standing at the laptop on the workbench.
Disable reply-to - Firewall > Settings > Advanced.
That didn't seem to help, BUT I can ping the "internet" (if it was normally connected to internet) gateway from laptop, while before I couldn't, so it did do something.
I also did a port forward to the laptop running an SSH server and can't connect to that either from my network (the internet, as far as the new firewall is concerned).
If I use the function within OPNsense, I can in fact connect to the laptop's port.
Quote from: Red Squirrel on August 09, 2024, 10:38:32 PM
I also did a port forward to the laptop running an SSH server and can't connect to that either from my network (the internet, as far as the new firewall is concerned).
You need to let your current router know that there are some networks behind your OPNsense WAN (which happens to be hanging on some VLAN). Set up routes for them - otherwise, you won't have much success reaching anything port-forwarded from OPNsense.
Quote from: Red Squirrel on August 09, 2024, 10:38:32 PM
If I use the function within OPNsense, I can in fact connect to the laptop's port.
Yeah, sure, OPNsense knows that the laptop is on its LAN. The upstream router doesn't.
Why would that matter though? Won't my network just see it as one device, i.e. the WAN IP? Everything behind the NAT is irrelevant to it; if I forward a port, it's just connecting to the WAN IP as far as it's concerned.
This was working originally but when I restored the backup that's when it stopped working. Just not sure what happened to cause it.
I might move some patch cords around at my rack to see if I can connect it straight to the internet temporarily just to rule out my network causing weird issues. The firewall is not at the rack yet, as I don't have any form of console access there.
Sadly, our crystal balls are in a repair shop. "I upgraded and suddenly it all got broken, then I've been messing with it for a while, couldn't get in at all, finally got in via some mysterious third port, and destroyed VLANs on the way" is not a useful starting point for diagnosing anything.
Perhaps some network diagram and information about your OPNsense interfaces setup would be a starting point.
It's a fresh install, except I restored a backup of all my VLANs; after restoring the backup I can't communicate out the WAN interface. That backup state worked before; it only stopped when the install got trashed after I tried to upgrade it, so I reinstalled.
I'm more looking for clues on how I can troubleshoot this: are there any places I can look that can tell me where traffic is being blocked? The firewall log at the console moves too fast because it keeps querying DNS, NTP etc., but I don't think the traffic is making it as far as being blocked, since I did a ping -f to see if it would show up in the console and be easier to see in all the noise, and that didn't show up.
There is filtering available for the firewall logs. You can run packet captures on any interface as well.
It was working and it does not any more - we already know that. Cannot work with that.
OK, I managed to find the GUI firewall log and filter out all the noise, and I'm seeing stuff now. I'm getting "Default deny / state violation rule" if I try to get to the admin interface or to a forwarded port. Nothing for ping though, even though ping is being blocked, but I'm not worried about that for now.
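As an added example (not from this thread and not OPNsense's own code), here is a small Python script that does what the GUI filter does for the raw firewall log: it parses filterlog(8)-style lines as OPNsense's pf logging writes them, drops the DNS/NTP chatter that makes the console unreadable, and counts what is being blocked per rule, interface, protocol and destination port. The field order (rule number, sub-rule number, anchor, rule id, interface, reason, action, direction, IP version, then the IPv4/IPv6 header fields and the per-protocol fields) is assumed to follow OPNsense's filterlog format; the log lines, the rule id and the id-to-description mapping are constructed for the example, as the GUI is what normally resolves the id to "Default deny / state violation rule".

```python
"""Filter OPNsense 'filterlog' lines: strip DNS/NTP noise, summarize blocks.

Field layout is assumed to follow the pf filterlog format as written by
OPNsense; every sample line below is constructed for this example.
"""
import csv
from collections import Counter
from io import StringIO

# Fields common to every record, in order (assumed OPNsense filterlog layout).
COMMON = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum", "proto",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protonum", "length",
        "src", "dst"]

# Hypothetical mapping of a rule id (4th field) to the description the GUI shows.
RULE_NAMES = {"02f4bab031b57d1e30553ce08e0ec131": "Default deny / state violation rule"}

NOISE_PORTS = {53, 123}  # DNS and NTP: the chatter that floods the console


def parse_filterlog(line):
    """Return a dict for one syslog line, or None if it is not a filterlog entry."""
    idx = line.find("filterlog")
    if idx < 0:
        return None
    payload = line[line.index(":", idx) + 1:].strip()   # text after 'filterlog[pid]:'
    fields = next(csv.reader(StringIO(payload)))
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec.get("ipver") == "4":
        rec.update(zip(IPV4, rest))
        rest = rest[len(IPV4):]
    elif rec.get("ipver") == "6":
        rec.update(zip(IPV6, rest))
        rest = rest[len(IPV6):]
    else:
        return rec
    proto = rec.get("proto", "")
    if proto in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            rec["tcpflags"] = rest[3]            # e.g. 'S' for a bare SYN
    else:
        rec["extra"] = rest                      # ICMP and others: layout varies by type
    return rec


def is_noise(rec, ports=NOISE_PORTS):
    """True for DNS/NTP traffic in either direction."""
    if rec.get("proto") not in ("tcp", "udp"):
        return False
    return rec.get("sport") in ports or rec.get("dport") in ports


def interesting(lines, ports=NOISE_PORTS):
    """Parsed filterlog records with the noise removed, in log order."""
    recs = [r for r in map(parse_filterlog, lines) if r is not None]
    return [r for r in recs if not is_noise(r, ports)]


def blocked_summary(lines, labels=None):
    """Count blocked packets per (rule description, interface, protocol, dst port)."""
    labels = labels or {}
    counts = Counter()
    for r in interesting(lines):
        if r.get("action") != "block":
            continue
        name = labels.get(r["label"], r["label"])
        counts[(name, r["iface"], r.get("proto"), r.get("dport"))] += 1
    return counts


# Constructed sample: DNS and NTP chatter, then blocked HTTPS (admin GUI),
# SSH (the forwarded port) and an ICMP echo, all arriving on the WAN (em0).
SAMPLE = """\
Aug  9 22:10:01 OPNsense filterlog[4321]: 5,,,0,em0,match,pass,out,4,0x0,,64,12345,0,DF,17,udp,63,192.168.1.2,192.168.1.1,51234,53,43
Aug  9 22:10:01 OPNsense filterlog[4321]: 5,,,0,em0,match,pass,out,4,0x0,,64,12346,0,DF,17,udp,76,192.168.1.2,192.168.1.1,123,123,56
Aug  9 22:10:02 OPNsense filterlog[4321]: 6,,,02f4bab031b57d1e30553ce08e0ec131,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.2,52000,443,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Aug  9 22:10:02 OPNsense filterlog[4321]: 6,,,02f4bab031b57d1e30553ce08e0ec131,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.2,52001,22,0,S,1234567891,,65535,,mss;sackOK;TS;nop;wscale
Aug  9 22:10:03 OPNsense filterlog[4321]: 6,,,02f4bab031b57d1e30553ce08e0ec131,em0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,192.168.1.50,192.168.1.2,request,12,1
Aug  9 22:10:03 OPNsense dhclient[100]: bound to 192.168.1.2 -- renewal in 1800 seconds.
"""

if __name__ == "__main__":
    for key, n in blocked_summary(SAMPLE.splitlines(), RULE_NAMES).items():
        print(n, key)
```

Run against `clog /var/log/filter/latest.log`-style output piped into it, or against a copied log file, and the summary shows at a glance whether the blocks land on the default-deny rule (no matching state, which is what asymmetric return paths or a wrong reply-to produce) or on an explicit rule of yours.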
I think I'm just going to go ahead and hook it up straight to the internet (after disabling the admin interface on WAN) to at least rule out my network/lab environment. If I can get online, then I know it has to do with the double NAT or other factors messing things up. How do I do a DHCP release on the WAN interface? I can't seem to find that option. I will need to do that before I reconnect my production router, otherwise I won't get my internet back when I switch back. It has to do with the way my ISP is set up.