FIXED:
See 2nd post
So I'm trying to set up OPNsense with 3 LANs, a gateway, a VPN, and 4 physical interfaces.
bce0 - WAN : DHCP from cable modem : will soon be upgrading to gigabit internet, currently just 300/75
bce1 - LAN : 10.10.1.1/24 : TVs, Rokus, "smart" devices, gaming devices, WIFI 1
bce2 - PIA : 10.10.2.1/24 : Servers, Desktops, Laptops, Cell Phones, WIFI 2
bce3 - MAN : 10.10.0.1/24 : Switches, IPMI (ILO, DRAC, BMC), UPCs, Tape Library
I want every device to be accessible to every other device, but:
-The devices on the PIA lan should only be able to access the internet via the PIA VPN
-LAN - WAN
-MAN - no internet access
I can get the interfaces configured and DHCP working on all the networks, but when it comes to the firewall I'm completely useless. I've been using pfSense guides and just general poking around to get this far. OPNsense's firewall is a lot different from pfSense's, and I've always just let the firewall do its own thing in the past with a simple 2-interface config (1 WAN, 1 LAN) with NAT.
So, starting with a factory reset and then the guided setup, here is what I've done:
-added the 2 other interfaces and configured DHCP for them
-copied/modified the default allow-all rules to all the LANs
-when that failed to allow a ping from one LAN to another, I tried adding allow rules in both directions on all LANs; still no ping
I haven't touched anything else. What should I do next? I can get internet on all LANs and can ping the other LAN interfaces, but I can't ping any clients in the LANs.
LAN : CAN reach the internet and ping the OPNsense MAN and PIA interfaces. CANNOT ping any computer on MAN or PIA.
MAN : CAN reach the internet and ping the OPNsense LAN and PIA interfaces. CANNOT ping any computer on LAN or PIA.
PIA : CAN reach the internet and ping the OPNsense LAN and MAN interfaces. CANNOT ping any computer on LAN or MAN.
I feel like all my firewall rules are redundant except the copied default rule. What am I missing? I haven't had a more complicated setup than a Netgear or Linksys WIFI router, so I'm a bit out of my depth.
Current firewall rules:
Firewall: Rules: LAN

Proto    Source    Port  Destination  Port     Gateway  Schedule  Description
*        *         *     LAN Address  443, 80  *                  Anti-Lockout Rule
IPv4 *   LAN net   *     *            *        *        *         Default allow LAN to any rule
IPv4 *   LAN net   *     PIA net      *        *
IPv4 *   PIA net   *     LAN net      *        *
IPv4 *   LAN net   *     MAN net      *        *
IPv4 *   MAN net   *     LAN net      *        *
Firewall: Rules: PIA

Proto    Source    Port  Destination  Port  Gateway  Schedule  Description
IPv4 *   PIA net   *     *            *     *        *         Default allow PIA to any rule
IPv4 *   PIA net   *     LAN net      *     Null4
IPv4 *   LAN net   *     PIA net      *     Null4
IPv4 *   PIA net   *     MAN net      *     *
IPv4 *   MAN net   *     PIA net      *     *
Firewall: Rules: MAN

Proto    Source    Port  Destination  Port  Gateway  Schedule  Description
IPv4 *   MAN net   *     *            *     *        *         Default allow WAN to any rule
IPv4 *   MAN net   *     LAN net      *     *
IPv4 *   LAN net   *     MAN net      *     *
IPv4 *   MAN net   *     PIA net      *     *
IPv4 *   PIA net   *     MAN net      *     *
Firewall: Rules: WAN

Proto  Source                          Port  Destination  Port  Gateway  Schedule  Description
*      RFC 1918 networks               *     *            *     *        *         Block private networks
*      Reserved/not assigned by IANA   *     *            *     *        *         Block bogon networks
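The policy the post asks for (LAN out via WAN, PIA out only through the VPN tunnel, MAN with no internet at all, and the three subnets reachable from each other), written as the pf ruleset that OPNsense's GUI rules are ultimately compiled into. This is an added illustration for this page, not configuration from the original post or from the OPNsense project: the interface names and subnets are the ones listed above, while the tunnel interface name ovpnc1 and the tunnel gateway 10.8.0.1 are assumptions that must be replaced with what the PIA client actually brings up.

```pf
# Physical interfaces and subnets as given in the post.
wan_if  = "bce0"
lan_if  = "bce1"
pia_if  = "bce2"
man_if  = "bce3"
lan_net = "10.10.1.0/24"
pia_net = "10.10.2.0/24"
man_net = "10.10.0.0/24"

# ASSUMED: the PIA OpenVPN client tunnel and the peer address it pushes.
vpn_if  = "ovpnc1"
vpn_gw  = "10.8.0.1"

# Only our own three subnets count as "internal"; a bare RFC1918 match would
# also swallow PIA's own 10.x tunnel ranges.
table <internal> const { 10.10.0.0/24, 10.10.1.0/24, 10.10.2.0/24 }
table <rfc1918>  const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
set block-policy drop

# Translation rules come before filter rules in pf.conf.
# LAN leaves via WAN; PIA leaves only via the tunnel; MAN has no NAT rule at
# all, so a MAN packet that somehow reached WAN would still be untranslated.
nat on $wan_if inet from $lan_net to any -> ($wan_if)
nat on $vpn_if inet from $pia_net to any -> ($vpn_if)

# Default deny, logged, so the live log explains every drop.
block log all

# WAN: the stock "Block private networks" rule from the post.
block in quick on $wan_if inet from <rfc1918> to any

# DHCP must be allowed explicitly: a DISCOVER comes from 0.0.0.0, not from
# the subnet, so the per-subnet pass rules below would not match it.
pass in quick on { $lan_if $pia_if $man_if } inet proto udp from any port 68 to any port 67

# MAN: every internal subnet (including the firewall's own addresses for
# DNS/NTP), never the internet.
pass in quick on $man_if inet from $man_net to <internal>

# LAN: internal subnets plus the internet via the default route (WAN).
pass in quick on $lan_if inet from $lan_net to any

# PIA: internal subnets first, everything else forced into the tunnel.
# Order matters; with the rules swapped, inter-LAN traffic would be pushed
# into the VPN as well.
pass in quick on $pia_if inet from $pia_net to <internal>
pass in quick on $pia_if route-to ($vpn_if $vpn_gw) inet from $pia_net to any

# Outbound on every interface, including the firewall's own traffic and the
# tunnel itself; reply packets of existing states already pass without this.
pass out quick on { $wan_if $vpn_if $lan_if $pia_if $man_if } inet all
```

Every rule is `quick`, so the first match wins, which is exactly how the OPNsense rule list on each interface behaves. The route-to rule has no fallback on purpose: if the tunnel is down, PIA clients lose internet instead of leaking out via WAN. Also note that none of this changes whether a client answers a ping from another subnet; the Windows firewall's default inbound ICMP echo rule is scoped to the local subnet, so a host on 10.10.2.0/24 will not answer a host on 10.10.1.0/24 until that host rule is widened, which is what the second post found.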
Never mind... it was the Windows firewall. I removed the extra firewall entries and everything works with the default pass-all entries.
Can I use a "floating" entry to allow all on all interfaces, then restrict things with deny entries? I'm new to firewalls and networking; I could always get by with one subnet in the past. Adding PIA to the mix has complicated things.