I initially installed OPNsense and configured a whole bunch of stuff, thinking it would be easy to switch over from my old router after I got most of the configurations the way I wanted them. When I couldn't get outbound internet connectivity to work from LAN when it works fine from OPNsense itself, I tried reinstalling and doing bare minimum config. Same exact problem. This bare minimum config is what I'm working with now-- just know this is the second install with the same problem.
Tried searching forums and Reddit. Some people have similar issues but ended up being behind another router-- I am not, mine connects directly to the ISP. Others were doing virtualization-- I am not, this is bare metal. Details:
- I can connect to the OPNsense UI from LAN
- From OPNsense, I can ping/curl anything on the internet (both IP addresses and DNS names)
- I cannot ping or curl anything on the internet from LAN
- I can access anything on the LAN from anything else on the LAN
- I haven't touched any firewall rules, routes, or anything
- I haven't installed any packages or enabled any other services beyond default
- Yes, the default allow LAN to any IPv4 rule is in place as it should be.
- I have attempted rebooting
- This is as basic an installation as it can get plus configuration for static LAN IP on the LAN interface, ISC DHCPv4 set up to serve on the LAN, and root password having been changed.
Under System > Gateways > Configuration, WAN_DHCP is active and has a gateway IP address given to it by the ISP (which changes upon reboots, so I know it's not totally bogus). LAN_GW is active and has the static local IP I gave the system. WAN_DHCP6 is active but has no gateway IP address. I'm not really concerned about IPv6 right now, though supposedly my ISP supports it; if I can get v4 outbound from the LAN working, I'll be happy.
I tried marking WAN_DHCP an Upstream Gateway, no dice.
I can follow traffc under Firewall > Log Files > Live View and see my tests from LAN are not being blocked by firewall-- they all pass.
It's like OPNsense won't route LAN traffic through the gateway. I haven't tried manually adding any kind of static route-- I understand OPNsense should be handling that dynamically. Surely I don't need to craft static routes to force traffic destined for any public space through WAN_DHCP?
Hardware Specs:
OPNsense running on bare metal (a Supermicro box)
Connects directly to ISP via igb0
Connects to LAN via igb1
LAN backbone consists of two Unifi switches
Thanks for your consideration.
There shouldn't be any "LAN_GW". Please describe your idea of "bare minimum config". It sounds like you're trying too hard...
Well, I dunno, LAN_GW is something that OPNsense set up on its own. I didn't create LAN_GW. I set up igb0 (WAN) and igb1 (LAN) interfaces from the console using the live USB installer, installed OPNsense, changed the default root password from the console, set the static IP address of ig1 (LAN) from the console, set up LAN DCHP from the console. Then I connected to the GUI from a machine on the LAN to check everything out and test with results as I've described.
After that, I tried disabling the WAN_DHCP6 gateway and then tried making WAN_DHCP "Upstream Gateway" as described. That's all.
All this said, I took a hint and tried disabling LAN_GW, and now internet connectivity from LAN is working fine. So thanks for pointing that bit out.
At this point I think I must have misunderstood one of the configuration options when setting up from console. It was probably part of when I set up the igb1 static IP config or similar on the console. It asks for gateway address, and I entered the static IP of the OPNsense box itself because that's the gateway for the LAN; this is the same IP set as the gateway address for LAN_GW. It must have set up LAN_GW based on this input I gave it there. This is probably a configuration needed when there's another upstream router on the private network, which is of course not the case for me.
At any rate, it's working fine now. Now I can make a snapshot of the current config and flesh out the others again. Thanks much.