This post is in the Tutorial section, purposely labelled [NOOB]. I hope it will help some of you to follow my newbie adventure through simple setup trial and error!
Hi,
After messing around for a couple of days, as I still couldn't get my WiFi router to work properly on LAN2, I decided to do a full reinstall.
Back to the lab table, screen+keyboard, reinstall from USB (the same as the first time)
Set up the four ETH (Wan, Lan1,2,3)
Set up full-traffic rules (to start) on all four interfaces
Now I have complete access to the WiFi AP, but no longer have any access to the outside!
Pings from laptop1 (on Lan1), Laptop2 (Lan2, direct and through WiFi AP) and Laptop3 (Lan3): nothing
Pings from OPNsense, nothing
I have a public address from my ISP though
NAT is left stock (auto) and FW are default too (except the added: "allow all to/from all for IPv4&v6)
I even tried with FW disabled, no avail
What's your first thought? (Besides annoying newbie..)
For those who wonder, I'm posting from my cell ... :-\
NAT outbound is default:
WAN; source all LAN + 127.0.0.0/8 to NAT address WAN dest. port 500 with static address (auto created for ISAKMP)
WAN; source all LAN + 127.0.0.0/8 to NAT address WAN dest. port * w/o static address (auto created)
I just switched to "hybrid" and created a manual one:
WAN, any source, any port, any, any, any NAT address, any NAT port, still no connection
I suggest starting again and beginning with a known good configuration. That is, the default selection of WAN and LAN will have the automatic rules that block all unsolicited in & allow all out, as if it was a consumer router.
Because from
Quote: Set up full-traffic rules (to start) on all four interfaces
Now I have complete access to the WiFi AP, but no longer have any access to the outside!
Nobody can guess what those rules are, and then what follows
Quote: now I have complete access to the WiFi AP, but no longer have any access to the outside!
is impossible to guess.
As you are progressing in your learning and setup, may I suggest starting to keep a diagram of your setup. You can then share it if you want when you ask, and it'll be easier for you and everyone to figure out what needs to be done.
P.S. the AP should be like any other device. It connects to a port on your router somehow; directly or via a switch, and then it becomes part of that network and subject to its rules.
Quote from: cookiemonster on September 29, 2024, 12:20:53 AM
I suggest starting again and beginning with a known good configuration. That is, the default selection of WAN and LAN will have the automatic rules that block all unsolicited in & allow all out, as if it was a consumer router.
Because from
As you are progressing in your learning and setup, may I suggest starting to keep a diagram of your setup. You can then share it if you want when you ask, and it'll be easier for you and everyone to figure out what needs to be done.
P.S. the AP should be like any other device. It connects to a port on your router somehow; directly or via a switch, and then it becomes part of that network and subject to its rules.
TY
Apparently I wasn't clear enough, sorry
It's all default! No need to guess, I just reinstalled!
and let the auto-created rules play
And even deactivated the FW (no change)
The only rules I created after re-enabling the FW were
A NAT allowing all to all
And for each interface an all-to-all (which I call full access) IN and OUT, both v4&v6
Meaning no restriction at all, besides the auto-created ones
Can ping internally in every direction, even reach my WiFi router AP
And I have public address
But no connection
Where do I need to go to see the attempted traffic, to guess where it fails?
The ping job I've left running is saying: "send: no route to host"
Are you behind isp gateway? Is DHCP enabled? Are you getting arp from WAN side entities?
if you have static IPs do they all have fqdns and acme certs? If you are using your isp's static IP, maybe try and match their domain to yours and use dnsmasq with their servers if you have no need of nginx?
I was hoping not to have to unplug everything and revert to where it was 2 days ago,
So I got my PuTTY ready and did a "factory default" through the OPNsense menu ... it did get its 192.168.1.1 alright, and disabled about everything, including DHCP and SSH, so ... no way to reconnect to it, so I went to bed and now I'm waiting for my parent to wake up so I can access the technical room to get the RS39 out to the test bench ...
Quote from: pfScrub on September 29, 2024, 02:45:19 AM
Are you behind isp gateway? Is DHCP enabled? Are you getting arp from WAN side entities?
The FW box (RS39) was plugged straight into the ISP modem (hence me saying I get the public IP) and the WiFi router was plugged into LAN2 192.168.102.101 in AP/Bridge mode (no DHCP, fixed 192.168.102.102/24)
Now back to square one, the Cisco router is plugged to the ISP MoDem, with DHCP on,
The RS39 is plugged to LAN1 192.168.102.107 of the WiFi router
Laptop1 is plugged to RS39 LAN1 192.168.101.101 and get 192.168.101.102 and access the GUI no problem
DNS temporarily set to 8.8.8.8 and 8.8.4.4, nothing else has been changed (no "allow all" rule in the FW)
But the old router, which previously was accessing the internet without much problem, is no longer accessing it ... that would explain it all, but I'm now in a much bigger problem if I fried the house internet!
Back to RS39, ISP modem plugged into WAN, laptop1 plugged into LAN1
GUI access ok,
No public address
Restart the modem
I have a 192.168.100.1 WAN IP, that's not right
Restart
Ok, now I have a public address
RS39 ping Google: 217 packets, 0% loss
Quote from: pfScrub on September 29, 2024, 02:46:59 AM
if you have static IPs do they all have fqdns and acme certs? If you are using your isp's static IP, maybe try and match their domain to yours and use dnsmasq with their servers if you have no need of nginx?
Even though it seems to be always the same public IP, I've left the WAN to DHCP
Since ping is functional, now starting to tweak and add rules
Set DNS to my server of choice,
Re-ping,
Set "allow all" rules in FW for both (floating) WAN and LAN1
Will see ...
That's weird !
Even before changing the DNS and such,
I've opted in to "Enables local gathering of statistics." in Reporting:Settings and hop! Internet came up all of a sudden!
Before that, I had set a floating rule "allow all" (from all to all, IPv4&v6, from/to all ports) but it didn't bring the internet
So now, LAN1 has access to Internet, time to bring back LAN2 and LAN3
BUT before that: Update and add plugins ...
Update done, now running 24.7.5-amd64 and lost internet again
I still have a WAN public IP, but no internet traffic and ping (from the box) shows some packet lost
But i still have access to update and plugins download, so the box has access to the outside, just not (no longer) LAN1 after updating 27.7.4 => 27.7.5
Edit: ssh to console, option 13 to revert, but even the oldest of the 18 snapshots still has the update in, so I guess I have to unplug it all and go back to the workbench to reset again?
Unless you have another idea?
Show your rules on LAN1 and your outbound NAT configuration, please.
Quote from: Patrick M. Hausen on September 29, 2024, 03:11:27 PM
Show your rules on LAN1 and your outbound NAT configuration, please.
Sure! As soon as I have access to the Internet ...
As I just re-plugged the FW box back into its rack, after another full reset from direct console access on the workbench
GUI access ok, now back to initial setup wizard ....
Back to where I was,
DNS set temporarily to 8888, 4444, and only a floating (all to all) access rule
But this time, not even a ping going through
Back to the bench for full reset ...
If my system is so reluctant to upgrade from 24.7.4 to 24.7.5, I'm already scared about the coming 25.1!
And lucky me I didn't update my WiFi router to dd-wrt yet, I would be completely lost!
Thank you all for bearing with me, I truly appreciate your efforts!
Show us that rule and the NAT configuration - how would you expect anyone to help?
Quote from: Patrick M. Hausen on September 29, 2024, 06:07:55 PM
Show us that rule and the NAT configuration - how would you expect anyone to help?
I'm on it, but for as long as I don't have internet, there is little I can do, other than taking a picture of the screen with my phone (as my only current connection is with this)
Don't you have a local connection to the UI? Do a screen shot, then restore connectivity.
Why are you trying to use floating rules to permit Internet access? Default is "allow all" on LAN. Just clone and adjust that one for your other internal interfaces.
Ok, full reset on the bench again,
Plugged it back, no setup wizard
DNS to 8888 and 4444 (let override by ISP), enable resolver, not DNSSEC (no idea what that is)
Next
IPv4 config: DHCP, all standard
Next
LAN1 192.168.101.101/24
Next
Root password
Next
Reload
Dashboard: dhcp4 server running, dhcp6 server stopped, iperf perfo test stopped,
WAN_GW 192.168.100.1, then after 2min public address ok, (unplug/replug MoDem)
No internet
Ping Google from the box: 335 packets, 0% loss
Adding floating rule "all to all", all interfaces, ipv4&ipv6, in&out, to any destination, any port, any protocol
I see the installed plugins are still here, so the reset from the console was not a full one?
LAN1 rules (https://ibb.co/wN8Wn8f)
Quote from: Patrick M. Hausen on September 29, 2024, 06:26:51 PM
Don't you have a local connection to the UI? Do a screen shot, then restore connectivity.
Why are you trying to use floating rules to permit Internet access? Default is "allow all" on LAN. Just clone and adjust that one for your other internal interfaces.
Because I don't know why I don't have internet while it should be working from default (as I just did a reset from console), but if it's not necessary, I'll be happy to delete it
Unless, as I suspect, the "reset to default" doesn't actually reset to default, and I'm due for an 11th reinstall?
I have to take care of my brother, I'll be back in 5hrs
LAN1 has Internet ! (I'm writing from Laptop1)
And as I went to "update" I see that I'm still running 24.7.5, so the factory reset didn't do much of a reset ... but here I am, now
I will add LAN2 and LAN3 later this evening ... fingers crossed
Are you really intending to create and manage three separate networks or do you just want to use all available ports on the box?
Quote from: Patrick M. Hausen on September 29, 2024, 07:47:11 PM
Are you really intending to create and manage three separate networks or do you just want to use all available ports on the box?
I'm intending to use the 4 ETH to use full capability of the box
LAN1, IGC0, 192.168.101.101/24 For the front office switch1
LAN2, IGC2, 192.168.102.101/24 for the Cisco WiFi (AP 192.168.102.102, no DHCP)
LAN3, IGC3, 192.168.103.101/24 for the back office switch2
All three will be on in parallel,
Some will go through VPN, some have their own VPN
Some will connect to the others, some won't
Most will have access to 192.168.102.115 and 192.168.103.115 (printer)
OK, so with LAN working, assign IP addresses to the other interfaces, clone and adapt the allow rule on LAN by default - should "just work".
And definitely not kill your Internet connection via LAN.
If your Internet is dead, you obviously did something different. And to help we would need to know what exactly it is that you did, i.e. see the rules or any other things you configured.
Good morning,
LAN1 still has internet with the auto-generated rules (nothing more)
LAN2 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop2 doesn't get IP)
LAN3 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop3 doesn't get IP)
NAT is by default
Not sure what I have to copy from LAN1 to get LAN2&3 some IPs, knowing the interfaces are both /24
Quote from: MarieSophieSG on September 30, 2024, 01:01:42 PM
LAN2 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop2 doesn't get IP)
LAN3 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop3 doesn't get IP)
Enable and configure the DHCP service on both of these interfaces, perhaps? ;)
Services > ISC DHCPv4
Quote from: Patrick M. Hausen on September 30, 2024, 01:08:42 PM
Quote from: MarieSophieSG on September 30, 2024, 01:01:42 PM
LAN2 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop2 doesn't get IP)
LAN3 now has the 2 (all rule IN) copied from LAN1 still not Internet (Laptop3 doesn't get IP)
Enable and configure the DHCP service on both of these interfaces, perhaps? ;)
Services > ISC DHCPv4
Oh yeah, that rings a bell: setting the IP/24 is not enough, one has to go to DHCP and set the service up as well ... I'm on it! (Laptop2 is now unplugged from LAN2 and plugged into LAN1 as I have to work ....)
Bingo !
I totally forgot to add the DHCP lease on top of setting up the interface /24
IGC0_ETH1_Switch1 (front office) 192.168.101.101/24 DHCP 192.168.101.102-192.168.101.122
IGC2_ETH3_Cisco (front office) 192.168.102.101/24 DHCP 192.168.102.102-192.168.102.122
IGC3_ETH4_Switch2 (back office) 192.168.103.101/24 DHCP 192.168.103.102-192.168.103.122
I now can access the WiFi router (AP, no DHCP) on 192.168.102.102 from 192.168.101.107
Getting closer !!
Now time for a full backup before I start messing around again ....
Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?
Quote from: MarieSophieSG on September 30, 2024, 01:29:41 PM
Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?
I don't understand. Navigate to System > Configuration > Backups and download the configuration. With "Do not backup RRD data" checked typical size is way under a megabyte.
Configuration is all you need - reinstall, restore config, done.
What are you using to backup?
Quote from: Patrick M. Hausen on September 30, 2024, 01:48:15 PM
Quote from: MarieSophieSG on September 30, 2024, 01:29:41 PM
Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?
I don't understand. Navigate to System > Configuration > Backups and download the configuration. With "Do not backup RRD data" checked typical size is way under a megabyte.
Configuration is all you need - reinstall, restore config, done.
What are you using to backup?
Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obviously- absolutely normal to have a much, much smaller file than the original one
Thank you !
Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U
Quote from: MarieSophieSG on September 30, 2024, 08:42:58 PM
Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obviously- absolutely normal to have a much, much smaller file than the original one
Thank you !
I doubt there will ever be a 1.7G config backup file, so what *did* you backup?
Quote from: MarieSophieSG on September 30, 2024, 08:42:58 PM
Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U
And again I do not understand - the point of the config backup is to download it from the firewall and place it on your laptop or your file server or a USB drive stored in the safe, whatever. Then if the boot drive of OPNsense fails or you mess up badly: reinstall, connect laptop to LAN, find UI at 192.168.1.1, import config, done.
Quote from: Patrick M. Hausen on September 30, 2024, 08:56:33 PM
Quote from: MarieSophieSG on September 30, 2024, 08:42:58 PM
Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obviously- absolutely normal to have a much, much smaller file than the original one
Thank you !
I doubt there will ever be a 1.7G config backup file, so what *did* you backup?
My mistake, it's not a backup (as named in the GUI) but a snapshot.
First one "RN", mounted and active, is 1.7GB,
Second one (manual) is 12.9MB
Third one (manual) is 87.4MB
Quote from: MarieSophieSG on September 30, 2024, 08:42:58 PM
Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U
And again I do not understand - the point of the config backup is to download it from the firewall and place it on your laptop or your file server or a USB drive stored in the safe, whatever. Then if the boot drive of OPNsense fails or you mess up badly: reinstall, connect laptop to LAN, find UI at 192.168.1.1, import config, done.
Yes, once again you are absolutely right, I just didn't get to this. I have the BU set to keep several records as I keep messing around and often need to revert locally, but I hadn't gone as far as downloading it ... now it's done, I have the latest on my Laptop1, and soon on my Laptop3 (just in case)
Sorry for the confusion :-[
One last post on this thread (I hope !)
All LAN are stock, FW rules stock (copied from LAN1) DHCP on, etc ...
LAN1 has access to the internet, LAN2 and LAN3 don't.
LAN1 192.168.101.101/24; DHCP 192.168.101.102-122
Laptop1 static 192.168.101.102
LAN2 192.168.102.101/24; DHCP 192.168.102.102-122
Cisco WiFi AP (bridge) static 192.168.102.102, no DHCP
Three devices connected, they all get an IP from 192.168.102.103-122 range, but no internet
LAN3 192.168.102.101/24; DHCP 192.168.103.102-122
Laptop3 static 192.168.103.102 but no internet
What am I missing again ? should I do a bridge between all three LAN (that's how I got them Internet last time I think ?)
Or a port forwarding or a special NAT or something ?
I'm sure it's once again something obvious, right in my face, but I just can't find it and I'm afraid to break my LAN1 connection again ...
No bridge unless you want them all to become a single interface - which you said you don't.
Can you check if the devices in e.g. LAN2 get the proper netmask and default gateway in addition to their IP address?
Assuming both are correct (255.255.255.0 and 192.168.102.101, respectively), next check if they have 192.168.102.101 as their DNS server.
If that is correct, too, from one of the devices try:
- ping 192.168.102.101
- dig/nslookup/whatever they use google.com
Last show that cloned firewall rule for LAN2, please.
Once again, TY for saving me before the mess ... no bridge !
These are wireless-only devices, mostly Android; I'm not sure how to perform most of the commands required, but I disconnect and "forget" the network, reopen WiFi, let them "discover" the network and re-connect, and it asks me for a password and gets the IP.
But the BlackBerry (LAN2 through WiFi AP) has 150Mbps on the 5GHz
IP : 192.168.102.104
GW: 192.168.102.101
SubMask 255.255.255.0
DNS: 192.168.102.101
and an IPV6 address
Everything looks normal
Laptop3 on the LAN2 (WiFi) has 300Mbps
IP : 192.168.102.105
GW: 192.168.102.101
SubMask 255.255.255.0
DNS: 192.168.102.101
and an IPV6 address
Everything looks normal
Can ping 192.168.102.102 (router), but not 192.168.102.101 (LAN2)
nslookup 8.8.8.8 timed out
Server unknown
address 192.168.103.101
Laptop3 on LAN3
IP : 192.168.103.102
GW: 192.168.103.101
SubMask 255.255.255.0
DNS: 192.168.103.101
and an IPV6 address
Everything looks normal
Cannot ping 192.168.103.101 (nor any other IP of the network)
nslookup 8.8.8.8 timed out
Server unknown
address 192.168.103.101
There are automatic rules in place enabling DHCP and SLAAC so address acquisition works. If the laptop on LAN2 and LAN3 cannot even ping your firewall's addresses in these LANs, it's probably the firewall rules.
So please share them. Screen shots. Thank you.
IGC0 ETH1 LAN1 (https://ibb.co/3B8HgbT) (Front Switch)
IGC2 ETH3 LAN2 (https://ibb.co/FhQ4tQ3) (WiFi)
IGC3 ETH4 LAN3 (https://ibb.co/C53gcNJ) (Back switch)
You have the source network from LAN1/igc0 in the rules for LAN2 and LAN3 - you need to change these source definitions to the objects matching these interfaces ...
Quote from: Patrick M. Hausen on September 30, 2024, 11:53:38 PM
You have the source network from LAN1/igc0 in the rules for LAN2 and LAN3 - you need to change these source definitions to the objects matching these interfaces ...
Tadaaahhh !!
Such a tiny detail, so easy to forget/overlook ...
For those who read this thread because being in the same situation:
By default, OPNsense does everything needed for WAN and LAN one (Default rules)
Including the very important "Allow all" (https://ibb.co/KyMvkg3) at the bottom of the list, after the "automatically generated rules"
When you enable another interface LAN2, you have to give it an IP (for the interface) which is NOT in the same range LAN1 is
i.e: If your LAN1 was set to 192.168.1.1/24
Then your LAN2 can NOT be 192.168.1.2/24 (as then both would have the same DHCP pool)
=> it must be 192.168.2.1/24
Once you have set this IP, you have to enable DHCP for this interface (search DHCP in the search bar or go to "Services" then "ISC DHCPv4" (https://ibb.co/KyMvkg3) and select your interface) i.e: 192.168.2.1-192.168.2.10
Then you have to copy the last two rules at the bottom of the list of LAN1 (assuming LAN1 is working)
In these two rules, you have to change the source as the copy from LAN1 doesn't adapt automatically to the new interface.
The corrected rule must have the same interface (ie: LAN2 => LAN2) in the "Interface" section and in the "Source" section; choose the "net" one, not the "address" one
In Firewall, Rules, LANx (https://ibb.co/CPpWP5y) (or OPTx, or whatever the name you gave it)
My tablet, printer, phone (LAN2, WiFi) and Laptop3 and Laptop4 and printer (LAN3, switch2) are all connected,
Wow, such a great help, thank you, thank you! especially @Patrick
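To make the root cause of this thread concrete, here is an added example (not from the original post or from OPNsense itself) that models first-match rule evaluation with an implicit default deny, and lints a configuration for the three mistakes above: overlapping LAN subnets, a missing DHCP pool, and a pass rule cloned from LAN1 whose source is still "LAN1 net". The interface names, addresses and the "<IFACE> net" alias form are taken from the thread; the classes and functions are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str        # OPNsense interface name, e.g. "LAN2"
    address: str     # firewall's own address on it, e.g. "192.168.102.101/24"
    dhcp_pool: tuple # (first, last) lease address, or None if DHCP is not enabled

    @property
    def net(self):
        # The "LANx net" alias resolves to the interface's subnet.
        return ipaddress.ip_network(self.address, strict=False)

@dataclass
class Rule:
    interface: str   # the interface tab the rule lives on
    action: str      # "pass" or "block"
    source: str      # "<IFACE> net" alias or a CIDR string

def resolve_source(source, ifaces):
    """Expand an OPNsense '<IFACE> net' alias into that interface's subnet."""
    if source.endswith(" net"):
        return ifaces[source[:-4]].net
    return ipaddress.ip_network(source, strict=False)

def first_match(rules, ifaces, ingress, src_ip):
    """Action for a packet entering `ingress` from `src_ip`: first matching rule
    wins; when nothing matches, the implicit default deny applies (block)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.interface == ingress and ip in resolve_source(r.source, ifaces):
            return r.action
    return "block"

def lint(ifaces, rules):
    """Flag overlapping subnets, missing/misplaced DHCP pools and pass rules
    whose source alias belongs to a different interface (a half-edited clone)."""
    problems = []
    names = list(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].net.overlaps(ifaces[b].net):
                problems.append(f"{a}/{b}: subnets overlap, DHCP pools would collide")
    for ifc in ifaces.values():
        if ifc.dhcp_pool is None:
            problems.append(f"{ifc.name}: no DHCP pool, clients will not get an address")
        elif any(ipaddress.ip_address(x) not in ifc.net for x in ifc.dhcp_pool):
            problems.append(f"{ifc.name}: DHCP pool lies outside {ifc.net}")
    for r in rules:
        if r.action == "pass" and r.source.endswith(" net") and r.source[:-4] != r.interface:
            problems.append(f"{r.interface}: pass rule source is '{r.source}' (cloned and not edited?)")
    return problems

# Constructed sample matching the thread's final layout.
IFACES = {
    "LAN1": Interface("LAN1", "192.168.101.101/24", ("192.168.101.102", "192.168.101.122")),
    "LAN2": Interface("LAN2", "192.168.102.101/24", ("192.168.102.102", "192.168.102.122")),
    "LAN3": Interface("LAN3", "192.168.103.101/24", ("192.168.103.102", "192.168.103.122")),
}
# Rules cloned from LAN1 with the source left untouched (the bug in the thread) ...
CLONED = [Rule(n, "pass", "LAN1 net") for n in IFACES]
# ... and the same rules after changing each source to the interface's own net.
FIXED = [Rule(n, "pass", f"{n} net") for n in IFACES]
```

With CLONED, a host on LAN2 never matches its pass rule and falls through to the default deny, which is exactly why the laptops could get a lease but not ping the firewall.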
Thank you for the run-up conclusion of this post, I was about to ask the same question !