OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: mannebk on October 10, 2025, 12:46:06 AM

Title: struggling with RFC 1918, every time a client boots up, I need to toggle it...
Post by: mannebk on October 10, 2025, 12:46:06 AM
Hi folks,

so I'm kinda stumped.

I installed OPNsense 24.7, and set it up.

I run WAN behind a UDM-Pro; this OPNsense basically is the firewall running on my at-home Proxmox that has all the VMs that are exposed to the WAN. Traffic gets separated at UDM level.

To access the management GUI I've added an OPT1 interface with an IP in my local LAN, and allowed traffic to the GUI port and This Firewall from my management computers' IP addresses.

(In the beginning, to access the GUI, I used this from the OPNsense CLI:
echo '
pass in quick on vtnet0 proto tcp from 10.101.111.0/24 to any port 443 keep state
' >> /usr/local/etc/firewall_rules.conf

pfctl -f /usr/local/etc/firewall_rules.conf

Of course I know that doesn't stick through a reboot, so after I got access to the GUI, I added a nice OPT1 rule to fix it.

So far all works as expected. OPNsense has WAN access, runs updates, etc. Local clients get IPs, routes and DNS properly.

I have persistent access to GUI from my local LAN.

None of the traffic goes ways it should not.

But then, I get an issue with clients in LAN (not OPT1) having access to WAN. WAN is an RFC1918 IP. (10.99.99.0/30, gateway & DNS 10.99.99.1, OPNsense 10.99.99.2, broadcast .3)

So every time OPNsense gets a new client, or it reboots, I need to toggle the RFC 1918 in WAN so the client gets access to WAN. To be precise, I'm not quite sure what triggers it, but when I check it, save it, uncheck it and save it again, my clients have the WAN access back.

Almost as if it always falls back to block RFC1918 traffic for each new IP it hands out. Very baffling.

Funny thing is:

By accident I installed v23 first, had the same issue, updated (all the way to 25.7, no tests in between), same issue, installed 25.7 from ISO, same issue, updated to latest stable, same issue.

So what am I missing here?

Recap:
my WAN 10.99.99.0/30 with DHCP handing out 10.99.99.2 to OPNsense and delivering routing and DNS properly.

my LAN 10.99.10.0/24 with DHCP running for .100-.149

my OPT1 network is 10.101.111.0/24 and OPT1 is 10.101.111.82, traffic allowed (for ease of setup right now) from interface OPT1 from OPT1 network to This Firewall ports any/any

and yes, I tried a static IP for my WAN and LAN, same issue.

my OPNsense can ping upstream, no problem, all 3 interfaces, and real WAN (Google, Yahoo etc.)

my clients can only ping the LAN side of OPNsense. Yes, they get a proper IP, route and DNS.

current clients are Grommunio and an Ubuntu desktop; the Ubuntu desktop just because I had such trouble with the network setup, I wanted to test a basically fail-safe system, and that confirmed the issues I had with Grommunio.

Any hints what I'm doing wrong?

Thanks
Manne
Title: Re: struggling with RFC 1918, every time a client boots up, I need to toggle it...
Post by: mannebk on October 10, 2025, 01:11:06 AM
Nice, now that I wrote that forum thread, I can't even make it work with toggling that RFC1918 switch anymore....

It feels like nothing I do has any effect, except when I kill the rule that's allowing me to access the GUI from my OPT1 network; that has an instant effect.

This clearly indicates I'm missing something here.
Title: Re: struggling with RFC 1918, every time a client boots up, I need to toggle it...
Post by: pfoo on October 10, 2025, 05:32:27 AM
What are "clients"? VMs on the same Proxmox bridge as the OPNsense LAN (10.99.10.0/24)?

Is outbound NAT configured as expected?
Do you see any response to your packets in the firewall log file? If you see responses dropped with "state violation" you might have an asymmetric routing issue (packets leaving OPNsense on WAN but the response routed back on OPT1 by your UDM (or Proxmox) for some reason).

All your networks are RFC1918, so leave "Block private networks" unchecked on all interfaces. Instead of wasting your time on a checkbox, you can check the current ruleset in /tmp/rules.debug. Start running some packet captures on OPNsense/Proxmox/UDM to troubleshoot this: are packets entering on the OPNsense LAN interface? Are they leaving OPNsense on the WAN interface? Do you see them on the Proxmox side? On the UDM side? Do you get any response on the WAN interface?
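As an added example (not from the thread or from OPNsense) of the log check pfoo describes: a small Python triage of filterlog entries that separates plain rule matches with RFC1918 sources from state-mismatch drops and inbound packets arriving on the wrong interface, the log signature of an asymmetric return path. It assumes the FreeBSD pf filterlog CSV field order and vtnet0/1/2 as WAN/LAN/OPT1; the log lines are constructed.

```python
"""Triage OPNsense filterlog lines for the symptoms discussed in this thread.
Assumptions (not from the thread): the CSV payload of a pf filterlog line
(syslog header stripped) uses the FreeBSD field order rule,subrule,anchor,
label,iface,reason,action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto,
protoname,length,src,dst,srcport,dstport,...; vtnet0/1/2 are WAN/LAN/OPT1."""
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IFACES = {"vtnet0": "10.99.99.0/30", "vtnet1": "10.99.10.0/24", "vtnet2": "10.101.111.0/24"}
WAN_IF = "vtnet0"

SAMPLE = [  # constructed sample lines; the 32-hex label field is shortened to "lbl"
    "12,,,lbl,vtnet2,state-mismatch,block,in,4,0x0,,58,4711,0,DF,6,tcp,52,203.0.113.10,10.99.99.2,443,51000,0,SA",
    "5,,,lbl,vtnet1,match,pass,in,4,0x0,,64,1,0,DF,6,tcp,60,10.99.10.100,203.0.113.10,51000,443,0,S",
    "7,,,lbl,vtnet0,match,block,in,4,0x0,,64,2,0,none,17,udp,73,10.99.99.1,10.99.99.2,53,40000,53",
    "7,,,lbl,vtnet0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.50,10.99.99.2,40001,22,0,S",
]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def private_interfaces(ifaces=IFACES):
    """Interfaces whose own subnet is RFC1918: 'Block private networks' on any of
    them also blocks that interface's own neighbours (pfoo's point: all three here)."""
    return [name for name, net in ifaces.items() if is_rfc1918(net.split("/")[0])]

def parse(line):
    f = line.split(",")
    if len(f) < 20 or f[8] != "4":          # IPv4 entries only
        return None
    return {"iface": f[4], "reason": f[5], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19]}

def triage(lines=SAMPLE):
    blocked = [p for p in map(parse, lines) if p and p["action"] == "block"]
    # A state-mismatch drop, or an inbound packet on a non-WAN interface whose
    # source lies outside that interface's own subnet, is what a reply returning
    # via OPT1 instead of WAN (asymmetric routing) looks like in the log.
    asym = [p for p in blocked if p["reason"] == "state-mismatch" or
            (p["dir"] == "in" and p["iface"] in IFACES and p["iface"] != WAN_IF and
             ipaddress.ip_address(p["src"]) not in ipaddress.ip_network(IFACES[p["iface"]]))]
    # Plain rule matches with an RFC1918 source inbound: what a 'Block private
    # networks' rule (or any explicit block rule) produces on these subnets.
    priv = [p for p in blocked if p["reason"] == "match" and p["dir"] == "in" and is_rfc1918(p["src"])]
    return {"blocked": len(blocked), "reasons": dict(Counter(p["reason"] for p in blocked)),
            "asymmetric_hints": len(asym), "private_src_blocks": len(priv)}
```

On a live box, feed it the CSV part of each line from /var/log/filter/ after stripping the syslog header; a non-zero asymmetric_hints count is the cue to take the packet captures pfoo lists.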
Title: Re: struggling with RFC 1918, every time a client boots up, I need to toggle it...
Post by: BrandyWine on October 10, 2025, 06:04:40 AM
Quote from: mannebk on October 10, 2025, 12:46:06 AM
I installed OPNsense 24.7, and set it up.
24.7?
This is a 25.7 Series forum.
Title: Re: struggling with RFC 1918, every time a client boots up, I need to toggle it...
Post by: franco on October 10, 2025, 08:30:46 AM
And what is a /usr/local/etc/firewall_rules.conf?

Cheers,
Franco