I get the following error message when I try to update my OS connected to OPNsense but not when I'm off the firewall. I've tried analysing the firewall traffic to identify the false positives and try to allow list them but have struggled. How can I get this connection to work? Here is the update output:
Updating fedora-41-xfce
Refreshing package info
Errors during downloading metadata for repository 'google-chrome':
- Curl error (28): Timeout was reached for http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml [Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds]
Failed to download metadata for repo 'google-chrome': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
You can filter the live view down to the source (IP of your machine to be updated) and curl that URL by hand.
You should be able to correlate that to a pass or block entry in the live view (ensure the default rules are set to log).
I identified my local and external IPs by entering <ip addr show> in the terminal and then made some test web searches but that external IP doesn't show up in OPNsense's firewall live view. My topography is Modem > ISP router > firewall > personal router. (I know that the ISP's router is unnecessary here but that's the one that my roommate uses).
- How can I find my IP in the firewall traffic?
- How can I unblock <http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomod.xml>?
When you're running commands, it can't hurt to specify on which machine you ran them...
Using OPN behind your roommate's router should be fine. I do that too on my test/spare OPN instance.
But that should result in: Modem <-> ISPRouter <-> OPN <-> Fedora
From your Fedora box (when it fails to get updates), curl http://dl.google.com/linux/chrome/rpm/stable/x86_64/repodata/repomd.xml in a terminal.
In the live view, you should first see an IN entry on the LAN interface with source = FedoraIP and destination = dl.google.com's IP (dest port = 80).
If that passes through, it should be followed by an OUT entry on the WAN interface with source = OPN_WAN_IP and destination = dl.google.com's IP (dest port = 80).
You can run that command from OPN directly (via ssh or in the terminal). In this case, you'll only see the OUT portion, obviously.
With -v, the output will contain the IP address used for the destination. You can filter on that if necessary.
You said updates work "off the firewall". I assume that means Modem <-> ISPRouter <-> Fedora
Once you're in the configuration that fails, investigate systematically (either from Fedora until it works, or from OPN until it no longer works).
I assumed OPN itself has basic connectivity. Use Interfaces > Diagnostics to ping 8.8.8.8 and DNS lookup dl.google.com
I also assumed less than 1000 bytes/sec meant 0. That file is pretty small (1356 bytes)...
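To make the correlation step above concrete, here is an added example (not code from the thread or from OPNsense) that takes filterlog entries exported from the firewall and checks for the two entries the reply describes: the IN entry on LAN with the Fedora box as source, and the OUT entry on WAN towards the same destination IP and port. The interface names (igb1 for LAN, igb0 for WAN), the field positions of the filterlog CSV and the sample log lines are all assumptions for the example; compare the positions against a real line from /var/log/filter/latest.log before trusting the output.

```python
"""Correlate one outbound HTTP attempt with OPNsense filterlog entries.

Added example, not part of the forum thread. Assumed CSV layout (IPv4, TCP/UDP):
  0 rulenr, 4 interface, 6 action, 7 direction, 8 ipversion,
  16 protoname, 18 src, 19 dst, 20 srcport, 21 dstport
Verify these positions against your own filterlog before relying on them.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed interface assignments; check Interfaces > Assignments on your box.
LAN_IF = "igb1"
WAN_IF = "igb0"


@dataclass
class FlowEntry:
    interface: str
    action: str       # pass / block
    direction: str    # in / out
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]


def csv_payload(line: str) -> str:
    """Drop a syslog prefix such as 'host filterlog[123]: ' if one is present."""
    return re.split(r"\]:?\s+", line.strip())[-1]


def parse_filterlog(line: str) -> Optional[FlowEntry]:
    """Parse one filterlog line; returns None for anything that is not IPv4 TCP/UDP."""
    f = csv_payload(line).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    port = int(f[21]) if f[21].isdigit() else None
    return FlowEntry(interface=f[4], action=f[6], direction=f[7],
                     proto=f[16], src=f[18], dst=f[19], dst_port=port)


def correlate(lines: Iterable[str], fedora_ip: str, dest_ip: str,
              dest_port: int = 80) -> Tuple[Optional[str], Optional[str], str]:
    """Return (LAN-in action, WAN-out action, verdict) for the given flow."""
    lan_in = wan_out = None
    for line in lines:
        e = parse_filterlog(line)
        if e is None or e.dst != dest_ip or e.dst_port != dest_port:
            continue
        if e.interface == LAN_IF and e.direction == "in" and e.src == fedora_ip:
            lan_in = e.action
        elif e.interface == WAN_IF and e.direction == "out":
            # After outbound NAT the source is OPN's WAN IP, so don't match on fedora_ip here.
            wan_out = e.action
    if lan_in is None:
        verdict = "no LAN entry: wrong source IP filter, or the matching rule is not logging"
    elif lan_in == "block":
        verdict = "blocked on LAN: find the matching rule and allow the destination"
    elif wan_out is None:
        verdict = "passed LAN but no WAN egress: check outbound NAT and the gateway"
    elif wan_out == "block":
        verdict = "blocked on WAN out: check floating and WAN rules"
    else:
        verdict = "passed both: OPNsense is not blocking; look upstream or at traffic shaping"
    return lan_in, wan_out, verdict


# Constructed sample lines (not real traffic); 142.250.74.14 stands in for dl.google.com.
SAMPLE_PASSING = [
    "5,,,0,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.50,142.250.74.14,54321,80,0,S",
    "7,,,0,igb0,match,pass,out,4,0x0,,63,0,0,DF,6,tcp,60,203.0.113.20,142.250.74.14,54321,80,0,S",
    "9,,,0,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.50,198.51.100.9,40000,443,0,S",
]
SAMPLE_BLOCKED = [
    "opn filterlog[1234]: 9,,,0,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.10.50,142.250.74.14,54322,80,0,S",
]

if __name__ == "__main__":
    for name, log in (("passing", SAMPLE_PASSING), ("blocked", SAMPLE_BLOCKED)):
        print(name, correlate(log, "192.168.10.50", "142.250.74.14"))
```

Feed it the lines from the live view export (or `tail` of the filter log copied from the OPN box) together with the Fedora IP from `ip addr show` and the destination IP from `curl -v`; the verdict tells you which of the two hops the reply describes is missing or blocked.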