Hello,
I installed OPNsense on a Dell R620 (2×2697v2 CPU, 256 GB RAM, 1 TB SSD) in a datacenter rack.
The network topology is:
Uplink → OPNsense → Switch → Other devices
When I move devices (VDS/servers) behind the OPNsense gateway, they cannot connect at all.
Access is completely blocked by the firewall.
block: Default deny / state violation rule
My interface configuration is as follows:
WAN: 188.x.x.130
LAN: 185.x.x.254
I have two different /24 subnets.
I cannot access the VDS servers that are routed through the OPNsense gateway.
Is there anyone who can help, or share the correct / recommended setup diagram for this scenario?
Are you trying to connect from WAN/Uplink to the servers on LAN? You need to create rules for that. The default of a new OPNsense is to block everything on WAN. Also you probably want to disable NAT.
Quote from: Patrick M. Hausen on January 28, 2026, 08:24:30 PM
> Are you trying to connect from WAN/Uplink to the servers on LAN? You need to create rules for that. The default of a new OPNsense is to block everything on WAN. Also you probably want to disable NAT.
Thanks for the response.
Yes, I am trying to access the servers behind OPNsense from the WAN/uplink side (public network).
However, this is a datacenter routed setup, not a typical home firewall scenario.
I have two routed /24 public subnets provided by my upstream, not a private LAN.
WAN: 188.x.x.130/24
LAN: 185.x.x.254/24 (public subnet, routed to WAN IP by upstream)
My goal is pure routing with firewalling, not port forwarding.
Regarding NAT:
I actually do not want NAT if it's not required. The upstream router already routes the 185.x.x.0/24 subnet to my WAN IP, so this should work with NAT disabled and proper firewall rules.
I guessed as much, already. Perfectly understood. I run DCs myself.
You simply need to manually
- disable NAT - Firewall: NAT: Outbound: "Disable outbound NAT rule generation"
- create a firewall rule on WAN permitting access to your servers
The default setup of a new installation is tailored to a home/SMB setup for Internet access with NAT. And everything you do not explicitly allow is forbidden by default. So without an allow rule on WAN no access.
HTH,
Patrick
Quote from: Patrick M. Hausen on January 28, 2026, 08:46:58 PM
> I guessed as much, already. Perfectly understood. I run DCs myself.
> You simply need to manually
> - disable NAT - Firewall: NAT: Outbound: "Disable outbound NAT rule generation"
> - create a firewall rule on WAN permitting access to your servers
> The default setup of a new installation is tailored to a home/SMB setup for Internet access with NAT. And everything you do not explicitly allow is forbidden by default. So without an allow rule on WAN no access.
> HTH,
> Patrick
I've tried many configurations now (NAT disabled, explicit WAN and LAN rules in place), but I still can't resolve the issue.
One important detail about my rack setup:
I have two separate uplinks from the datacenter:
- Uplink #1 goes directly to the switch
- Uplink #2 goes directly to the OPNsense WAN
- OPNsense LAN is also connected to the same switch
So effectively, the switch has two uplinks:
- one directly to the datacenter/core
- one through OPNsense
This means the servers behind the switch may have two possible paths to the internet:
- directly via the switch uplink
- or via OPNsense
Could this dual-uplink / asymmetric routing design be the root cause of the state violation and 100% packet loss I'm seeing, even with correct firewall rules and NAT disabled?
If so, am I correct that the proper design should be:
- a single uplink only into OPNsense (WAN), and
- the switch connected only to the OPNsense LAN, with no direct uplink of its own?
I want to make sure all traffic is forced symmetrically through the firewall.
Thanks in advance.
Quote from: zigana on January 28, 2026, 09:17:54 PM
> Could this dual-uplink / asymmetric routing design be the root cause of the state violation and 100% packet loss I'm seeing, even with correct firewall rules and NAT disabled?
> If so, am I correct that the proper design should be:
> - a single uplink only into OPNsense (WAN), and
> - the switch connected only to the OPNsense LAN, with no direct uplink of its own?
> I want to make sure all traffic is forced symmetrically through the firewall.
Yes of course. Asymmetric routing is to be avoided. Exactly like that - force all traffic through OPNsense by network topology. Make sure your servers have OPNsense as their default gateway. Without NAT also make sure the gateway OPNsense uses has a static route for the server network pointing to OPNsense's WAN address.
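An added model (not code from the thread or from OPNsense) of why a stateful firewall logs "Default deny / state violation rule" in the dual-uplink rack: the server's outgoing SYN leaves via the direct switch uplink, but the upstream's static route sends the SYN-ACK back through OPNsense, which has no state for it. All addresses are constructed placeholders.

```python
# Minimal model of a pf-style stateful firewall in the two rack topologies
# discussed above. Addresses are constructed placeholders (RFC 5737 ranges),
# not the poster's real subnets.
from dataclasses import dataclass, field

SERVER = "203.0.113.10"   # a server in the routed "LAN" /24 (constructed)
CLIENT = "198.51.100.7"   # a host on the internet (constructed)

@dataclass
class StatefulFirewall:
    """A flow is allowed only if an allow rule created state when its first
    packet was seen. A later packet with no matching state is blocked by the
    'Default deny / state violation rule', which is what the poster's log shows."""
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, src, dst, flags):
        key = frozenset({src, dst})
        if key in self.states:
            return "pass"
        if flags == "SYN":        # first packet of a flow matched by an allow rule
            self.states.add(key)
            return "pass"
        self.log.append(f"block {src} -> {dst} {flags}: Default deny / state violation rule")
        return "block"

def run_topology(server_default_gw_via_opnsense: bool):
    """Simulate a server-initiated TCP handshake. The upstream always routes the
    server /24 back toward OPNsense's WAN (static route), so the SYN-ACK passes
    the firewall regardless of which path the SYN took."""
    fw = StatefulFirewall()
    if server_default_gw_via_opnsense:
        # Single uplink: the SYN traverses OPNsense and creates state.
        syn = fw.inspect(SERVER, CLIENT, "SYN")
    else:
        # Dual uplink: the SYN leaves via the switch's own uplink, unseen by OPNsense.
        syn = "bypassed firewall via switch uplink"
    synack = fw.inspect(CLIENT, SERVER, "SYN-ACK")
    return {"syn": syn, "syn_ack": synack, "log": fw.log}

if __name__ == "__main__":
    print("dual uplink  :", run_topology(False))
    print("single uplink:", run_topology(True))
```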