OPNsense Forum

English Forums => General Discussion => Topic started by: mediahost on February 13, 2021, 09:03:52 am

Title: NAT Troubles
Post by: mediahost on February 13, 2021, 09:03:52 am
Hello,

I have a pretty straightforward setup but for some reason cannot get my LAN clients to reach the internet either via ping or DNS name.

The Setup:

OpnSense 21.1
Two interfaces WAN / LAN
WAN has a static public IP and I can ping, update, etc from the firewall out to the LAN. I can also ping my LAN gateway and clients within the LAN from the firewall.

I can't however from my LAN clients ping or reach the internet. I can ping the WAN gateway but nothing beyond the gateway.

NAT is set to manual with no automatic rule creation. My WAN and LAN firewall rules are included. I am pretty sure I am missing something on my rulesets, any advice would be much appreciated.

Title: Re: NAT Troubles
Post by: Greelan on February 13, 2021, 09:50:18 am
You probably want to read the docs because I think you are misunderstanding how the firewall rules work. See https://docs.opnsense.org/manual/firewall.html

Particularly the parts on the default rules, how states work, and the direction of traffic matching

Essentially you want a rule that applies to traffic coming into the LAN interface, with a source of LAN net and a destination of any, to allow traffic out from the LAN to the internet

A number of your existing rules can probably go, which you will no doubt realise when you better understand how the firewall rules work

Title: Re: NAT Troubles
Post by: banym on February 13, 2021, 02:05:55 pm
Yes, as mentioned, your ruleset is not correct.
To reach the internet from your LAN the OPNsense basic configuration is correct. No need to change NAT to manual or change the default rules.

From the rules you showed it seems you should first start learning how pf or firewalls are working.
Try to review the default rules and understand what they do, and maybe check out the documentation like Greelan mentioned.

Title: Re: NAT Troubles
Post by: mediahost on February 14, 2021, 08:21:39 am
Thanks very much for the feedback, so I studied the docs and found my problem. I also reset all states and then rebooted the firewall, there had been many incorrect attempts to fix this.

So to recap I removed all the rules I had created all over the place, LAN, WAN Floating. Reset the states and then rebooted the firewall.

I then added two rules, one on the WAN - Outbound - Source LAN Net - Destination this Firewall.
Then on the LAN side added LAN - Inbound - Source Any - Destination Any

I can now ping and browse out from my LAN clients.

Thanks again!

Title: Re: NAT Troubles
Post by: Greelan on February 14, 2021, 08:51:18 am
The first rule is odd, and unnecessary given the automatic floating rule to allow everything from the firewall.

The second rule can be limited to LAN net as the source.

Again, though, it is not clear why you need to do any of this. Out of the box OPNsense comes with rules that allow external access from the LAN net.

Title: Re: NAT Troubles
Post by: banym on February 14, 2021, 12:24:43 pm
In general you only need a rule on the interface where the traffic arrives at the firewall.

In your case the LAN interface.
The firewall does not need rules on the outgoing interface.

If you want to make traffic flow, only create rules on the interface where the traffic hits the firewall and then decide what the firewall should do. No need to add rules on the outgoing interface, for your case.
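The two points made in this thread, Greelan's advice that a single pass rule on the LAN interface (direction in, source LAN net, destination any) is all the LAN needs, and banym's closing explanation that the outgoing interface needs no rule because the state created by the first packet carries the rest of the flow, can be seen in a toy stateful packet-filter simulation. This is an added example written for this page; it is not OPNsense or pf code. It assumes a constructed LAN subnet of 192.168.1.0/24, first-match ("quick") evaluation with a default block, floating states that match both directions of a flow on any interface, and it tracks pre-NAT addresses only (outbound NAT is a separate translation step that the thread says to leave on automatic). The names `Packet`, `Rule`, `Firewall`, `lan_to_internet`, `RECOMMENDED` and `MISDIRECTED` are all hypothetical.

```python
"""Toy stateful packet filter (added example, not OPNsense/pf code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing; "LAN net" in the GUI resolves to the LAN subnet.
LAN_NET = ip_network("192.168.1.0/24")
ANY = "any"


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on ("LAN" or "WAN")
    direction: str   # "in" = entering the firewall on iface, "out" = leaving via iface
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    src: object      # ip_network or ANY
    dst: object      # ip_network or ANY
    action: str = "pass"


def _addr_matches(spec, addr):
    return spec == ANY or ip_address(addr) in spec


def rule_matches(rule, pkt):
    # A rule is only consulted for packets on its own interface and direction,
    # so a rule bound to WAN never sees a packet arriving on LAN.
    return (rule.iface == pkt.iface and rule.direction == pkt.direction
            and _addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst))


class Firewall:
    """First-match (quick) rules with a default block, plus a floating state table:
    once a flow is passed, both directions of it pass on any interface."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _flow(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_flow(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        # State lookup happens before the ruleset, which is why no rule is
        # needed on the outgoing interface and none for the reply traffic.
        if self._flow(pkt) in self.states or self._reverse_flow(pkt) in self.states:
            return "pass (existing state)"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "pass":
                    self.states.add(self._flow(pkt))
                return f"{rule.action} (rule on {rule.iface} {rule.direction})"
        return "block (default)"


# The thread's recommendation: one rule where the traffic enters the firewall.
RECOMMENDED = [Rule("LAN", "in", LAN_NET, ANY)]
# The misunderstanding: the same allow, but placed on the outgoing interface.
MISDIRECTED = [Rule("WAN", "out", LAN_NET, ANY)]


def lan_to_internet(rules):
    """Drive one DNS query from a LAN client through the filter and return the verdicts."""
    fw = Firewall(rules)
    flow = [
        Packet("LAN", "in", "udp", "192.168.1.10", 53000, "1.1.1.1", 53),   # client sends
        Packet("WAN", "out", "udp", "192.168.1.10", 53000, "1.1.1.1", 53),  # same packet leaves
        Packet("WAN", "in", "udp", "1.1.1.1", 53, "192.168.1.10", 53000),   # resolver replies
    ]
    verdicts = []
    for pkt in flow:
        verdict = fw.process(pkt)
        verdicts.append(verdict)
        if verdict.startswith("block"):
            break  # a dropped packet never reaches the next hop, so the flow ends here
    # Unsolicited connection from the internet: no state, no rule, default block.
    unsolicited = Packet("WAN", "in", "tcp", "203.0.113.5", 40000, "192.168.1.10", 22)
    verdicts.append(fw.process(unsolicited))
    return verdicts


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("misdirected", MISDIRECTED)):
        print(name, lan_to_internet(rules))
```

With `RECOMMENDED` the first packet is passed by the LAN rule, the outbound copy and the reply pass on the resulting state, and the unsolicited inbound connection is blocked by default. With `MISDIRECTED` the query is blocked on LAN before the WAN rule ever sees it, which is the symptom described at the top of the thread. Appending an extra WAN-out rule to `RECOMMENDED` changes nothing, because the state check runs before the rules.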