OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: Prominent5335 on April 22, 2025, 01:34:08 AM

Title: IPS Blocking your OPNsense
Post by: Prominent5335 on April 22, 2025, 01:34:08 AM
I just moved to a new IPS.
If I connect a computer or a switch to their router, everything (all my computers) works.
But if I connect my OPNSense Router to one of the ports of the IPS router (IP: 192.168.1.254) and try to connect through it, it does not work.
Had my internal network on the same network range. So I thought that there was a routing interference somehow. So I switched OPNSense internal IPs to the 10.10.10.x range.
Still got the same issue.

Can anyone give any suggestions on how to troubleshoot it?

My thought is that it might be that they are blocking DNS resolutions to other providers on the Internet except to theirs (that is my suspicion, as Windows troubleshooting is complaining about a DNS caching issue).
Title: Re: IPS Blocking your OPNsense
Post by: EricPerl on April 22, 2025, 07:23:46 AM
If the WAN of OPN is on a private network (given the RFC1918 IP), then you need to uncheck 'block private networks' and 'block bogons' on Interfaces > WAN.
Save and apply.

You indeed can't have overlapping ranges on interfaces.
After you applied that change, devices on LAN need to get new IPs.
It will happen over time. You can accelerate by unplugging the network cable for a moment (or disable/enable interfaces on the devices).

Troubleshoot from OPN first. Verify it got an IP on WAN. Check connectivity via Interfaces > Diagnostics > Ping. Then DNS in the same area.
When that's fine, move on to basic tests on your Windows client on the LAN.
Title: Re: IPS Blocking your OPNsense
Post by: meyergru on April 22, 2025, 09:05:15 AM
Plus, in a router-behind-router configuration, you will either have to:

1. Be able to install a route to the network behind your OpnSense (10.10.10.x) in your ISP router. Otherwise, it does not know where to send the packets back to your clients.

2. Or, configure outbound NAT on your OpnSense to "hide" the 10.10.10.x client network behind its ISP-network IP (192.168.1.254).

The first method often is infeasible, the second has drawbacks once you want to open ports for services (you must open them on both routers to work). That is why router-behind-router setups are discouraged: They are complex to manage.
Title: Re: IPS Blocking your OPNsense
Post by: Prominent5335 on April 22, 2025, 11:36:03 AM
It worked after following your suggestions:
Changing IP-range of my OPNSense router for the LAN network.
Disabling the "Block private networks" and "Block bogon networks" on the WAN interface.
Thank you all for your quick and swift answers.
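
Added example, not part of the thread and not OPNsense code: a small pre-flight check for the router-behind-router setup discussed above, flagging the three conditions the replies name (overlapping WAN/LAN ranges, an RFC1918 WAN address, and the need for a return path). The interface addresses and /24 prefixes are constructed for illustration; the thread only gives 192.168.1.254 for the upstream router and 10.10.10.x for the new LAN.

```python
import ipaddress

# RFC 1918 ranges; the thread identifies the WAN address as one of these.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Advice text paraphrases the replies in the thread.
ADVICE = {
    "overlap": "WAN and LAN subnets overlap: renumber the LAN.",
    "wan-private": "WAN address is RFC 1918: uncheck 'Block private networks' "
                   "and 'Block bogon networks' on Interfaces > WAN.",
    "return-path": "Upstream router needs a route back to the LAN, "
                   "or OPNsense must do outbound NAT.",
}


def check_cascade(wan_if, lan_if):
    """Return finding codes for an OPNsense box placed behind another router.

    wan_if and lan_if are interface addresses in CIDR form.
    """
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    findings = []
    if wan.network.overlaps(lan.network):
        findings.append("overlap")
    if any(wan.ip in net for net in RFC1918):
        findings.append("wan-private")
        # A return path only makes sense once the ranges are distinct.
        if "overlap" not in findings:
            findings.append("return-path")
    return findings


if __name__ == "__main__":
    # Constructed addresses: original layout, then the renumbered LAN.
    for wan, lan in (("192.168.1.50/24", "192.168.1.1/24"),
                     ("192.168.1.50/24", "10.10.10.1/24")):
        print(f"WAN {wan}  LAN {lan}")
        for code in check_cascade(wan, lan):
            print(f"  - {ADVICE[code]}")
```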