OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Medicineman25 on March 20, 2021, 10:25:07 pm

Title: DNS issues on fresh install
Post by: Medicineman25 on March 20, 2021, 10:25:07 pm
Having another weird issue where I have network -> opnsense -> router and I can access the router but not any internet. Seems to be some kind of DNS issue, even tho I have set dns ips in my local machine and also in opnsense. As the title states this is a fresh install and I haven't selected anything other than making the LAN net a 10.x.x.x subnet and my router is 192.x.x.x.

There are no blocking rules set yet and I can ping/access my router just fine, updates to opnsense work just fine as well, and the upstream gateway is set properly.

Any ideas?
Title: Re: DNS issues on fresh install
Post by: Greelan on March 21, 2021, 02:40:29 am
Probably need to see more detail on your network topology and your rules on OPNsense etc. Maybe you need a route to the LAN set on your router? Remember also that OPNsense blocks by default unless allow rules are specified (although on the LAN there is usually an allowed to any rule included).
Title: Re: DNS issues on fresh install
Post by: thowe on March 21, 2021, 05:35:20 am
Are you sure you are having a DNS problem? I mean is IP routing to the Internet working?

As your router seems to have a WAN IP 192.x.x.x this could be an internal only IP 192.168.x.x that is not routed to the Internet/WAN by default. In this case you should disable this security setting in menu Interfaces : WAN in section Generic/Block private networks.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 10:55:41 am
Quote
Are you sure you are having a DNS problem? I mean is IP routing to the Internet working?

As your router seems to have a WAN IP 192.x.x.x this could be an internal only IP 192.168.x.x that is not routed to the Internet/WAN by default. In this case you should disable this security setting in menu Interfaces : WAN in section Generic/Block private networks.

It's possible this is not a DNS issue. I have disabled blocking private networks but nothing has changed.

I have the following updates:

- I can ping from the firewall to any ip address FROM any interface (LAN & WAN) using Interfaces -> Diagnostics -> ping tool
- I cannot ping from the client machine on the LAN net to any ip address on the internet, the only address I can ping is my home router
- I can perform a DNS lookup via Interfaces -> Diagnostics -> DNS lookup to any and all internetz however I cannot then access that ip address directly in the browser. If I try google's ip address directly in the browser i.e. 216.58.210.206 it simply hangs and returns "ERR_CONNECTION_TIME_OUT"
- I have turned off the firewall on my router, no change
- tried turning off NAT in opnsense, no change
- again, everything is open on firewall rules and there is nothing in the logs to suggest any blockages at all.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 11:00:27 am
Quote
Probably need to see more detail on your network topology and your rules on OPNsense etc. Maybe you need a route to the LAN set on your router? Remember also that OPNsense blocks by default unless allow rules are specified (although on the LAN there is usually an allowed to any rule included).

LAN: 10.0.0.0/24
WAN: 192.168.1.0/24
GW: 192.168.1.254

This is a fresh install so LAN has default allow all. I even have default allow all on the WAN for the moment just as a sanity check.

Also I turned off firewall on router so no need to mess around with forwarding any traffic. Still nothing.
Title: Re: DNS issues on fresh install
Post by: thowe on March 21, 2021, 12:16:49 pm
What IP address is assigned to the WAN NIC of OPNsense? And how?

With your setup you will probably need to do double NAT. There are routers rejecting routing to other internal IP addresses than the ones in their own LAN segment. (Which is the WAN segment on your OPNsense but not the LAN segment of OPNsense).

What would I do?
Make sure it's working with a notebook attached to your router.
Reset the configuration of OPNsense.
Just let the OPNsense Wizard do its work.

This SHOULD result in a working configuration.

Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 01:05:19 pm
Quote
What IP address is assigned to the WAN NIC of OPNsense? And how?

A: WAN NIC = 192.168.1.253 and it's static assigned... my next troubleshoot is to have this assigned via dhcp

Quote
With your setup you will probably need to do double NAT. There are routers rejecting routing to other internal IP addresses than the ones in their own LAN segment. (Which is the WAN segment on your OPNsense but not the LAN segment of OPNsense).


A: yes I figured that double NAT'ing would be necessary as I can't turn my router into a bridge (I think that's the correct term, but it's been a while!)

Quote
What would I do?
Make sure it's working with a notebook attached to your router.

A: sincere apologies I forgot to mention that internet is indeed working when connected directly to the router

Quote
Reset the configuration of OPNsense.

A: indeed that is my next step in this process

Quote
Just let the OPNsense Wizard do its work.

A: Roger.

Quote
This SHOULD result in a working configuration.

Will report back after lunch.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 03:31:43 pm
Quote
What IP address is assigned to the WAN NIC of OPNsense? And how?

With your setup you will probably need to do double NAT. There are routers rejecting routing to other internal IP addresses than the ones in their own LAN segment. (Which is the WAN segment on your OPNsense but not the LAN segment of OPNsense).

What would I do?
Make sure it's working with a notebook attached to your router.
Reset the configuration of OPNsense.
Just let the OPNsense Wizard do its work.

This SHOULD result in a working configuration.

Ok so... I've now done all of this. I reflashed the card, put it back in the APU2, booted up and went through the wizard as normal. I didn't change a single thing except for adding google DNS servers to WAN, LAN is set at 192.168.1.1, WAN is dhcp, and now I can't even access my router @ 192.168.1.254. It still marks as up and still able to fetch upgrades from the internet but accessing router from LAN just gives address unreachable. Cannot ping router either.

Trying to access internet still gives DNS reso fail.

I turned off blocking bogon and private networks, and tried turning off NAT. Nothing.
Title: Re: DNS issues on fresh install
Post by: thowe on March 21, 2021, 03:47:02 pm
Ok. Getting better... ;-)

I think it will not work like this: You can not have the same IP range on both NICs (WAN, LAN) without special subnet calculations.

I would select another range for the LAN side. E.g. 192.168.2.x or the 10.x.x.x you had before.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 05:16:58 pm
Quote
Ok. Getting better... ;-)

I think it will not work like this: You can not have the same IP range on both NICs (WAN, LAN) without special subnet calculations.

I would select another range for the LAN side. E.g. 192.168.2.x or the 10.x.x.x you had before.

That's what I thought originally, so I've set that as LAN 10.x.x.x/24 and WAN 192.x.x.x/24.

It appears the popular option for a sub LAN behind a NAT router is to turn off NAT in the subnet appliance and apply static routes, but that doesn't seem to work either. I've turned off NAT and made the following static route:

Network: 192.168.1.0/24
Gateway: WAN_DHCP - 192.168.1.254
Description: WAN

This does not work. Cannot access router or internet. I'm at a loss for what to do here, this shouldn't be this hard. I remember having minor struggles with routing the first time I attempted this many years ago but this is getting ridiculous.
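
An added example (not part of the original thread and not OPNsense code): a small Python check of the address plans discussed above, covering both the overlapping LAN/WAN range and the NAT-off case. The function name `check_plan` and the WAN/LAN host addresses not stated in the thread are assumptions made for the illustration.

```python
import ipaddress


def check_plan(lan_cidr, wan_cidr, wan_gateway, outbound_nat=True):
    """Return findings for a firewall placed behind an upstream NAT router."""
    lan = ipaddress.ip_interface(lan_cidr)
    wan = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(wan_gateway)
    overlap = lan.network.overlaps(wan.network)
    findings = []

    if overlap:
        findings.append(f"overlap: LAN {lan.network} and WAN {wan.network} share addresses")
        if gw in lan.network:
            # LAN clients treat the gateway as on-link and ARP for it on the
            # LAN segment, so the packet is never handed to the firewall.
            findings.append(f"unreachable-from-lan: clients see {gw} as on-link")

    if gw not in wan.network:
        findings.append(f"gateway-off-link: {gw} is outside WAN {wan.network}")

    if not outbound_nat and not overlap:
        # Without NAT, replies are addressed to LAN hosts, so the upstream
        # router (not the firewall) needs a route back to the LAN network.
        findings.append(f"return-route: upstream router needs {lan.network} via {wan.ip}")

    return findings


# Constructed sample plans based on the addresses mentioned in the thread;
# host addresses such as 10.0.0.1 and 192.168.1.50 are assumed.
PLANS = {
    "10.x LAN, NAT on": ("10.0.0.1/24", "192.168.1.253/24", "192.168.1.254", True),
    "wizard defaults": ("192.168.1.1/24", "192.168.1.50/24", "192.168.1.254", True),
    "10.x LAN, NAT off": ("10.0.0.1/24", "192.168.1.253/24", "192.168.1.254", False),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        print(name, "->", check_plan(*plan) or "no findings")
```
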
Title: Re: DNS issues on fresh install
Post by: thowe on March 21, 2021, 05:39:04 pm
Well. I am a bit lost here.  ;)

I have similar setups running, even with some APU2 (and virtual instances on Proxmox). What I have and is working perfectly:


myNetwork---------LAN|OPNsense(NAT)|WAN-----------LAN|Router(NAT)|WAN----------Provider
10.1.1.0/24       10.1.1.1    192.168.1.100       192.168.1.1      some IP


The Gateway of OPNsense is (automatically via DHCP) set to 192.168.1.1.
On OPNsense I have (manually) configured two DNS servers (e.g. OpenDNS or Google).
DHCP server on LAN of OPNsense sets Clients in myNetwork to use the Unbound DNS server running on OPNsense (10.1.1.1 as DNS server on clients). Unbound forwards to the normal DNS resolvers configured for OPNsense.

Supposing your router did some kind of DNS blocking, one could try to set 192.168.1.1 as DNS forwarder on OPNsense. Could be done manually or should also be set automatically using DHCP from your router.

I would say, that this is a kind of standard setup that always worked for me.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 21, 2021, 06:55:01 pm
Quote
Well. I am a bit lost here.  ;)

I have similar setups running, even with some APU2 (and virtual instances on Proxmox). What I have and is working perfectly:


myNetwork---------LAN|OPNsense(NAT)|WAN-----------LAN|Router(NAT)|WAN----------Provider
10.1.1.0/24       10.1.1.1    192.168.1.100       192.168.1.1      some IP


The Gateway of OPNsense is (automatically via DHCP) set to 192.168.1.1.
On OPNsense I have (manually) configured two DNS servers (e.g. OpenDNS or Google).
DHCP server on LAN of OPNsense sets Clients in myNetwork to use the Unbound DNS server running on OPNsense (10.1.1.1 as DNS server on clients). Unbound forwards to the normal DNS resolvers configured for OPNsense.

Supposing your router did some kind of DNS blocking, one could try to set 192.168.1.1 as DNS forwarder on OPNsense. Could be done manually or should also be set automatically using DHCP from your router.

I would say, that this is a kind of standard setup that always worked for me.

Haha yes we will figure this out together, I am only a little frustrated  8)

Ok so I have set the unbound DNS "Enable Forwarding Mode" and pushed some buttons... all of a sudden it works but not with dhcp for some reason. I turned things off, even unbound, then power cycled the box and it still worked.

Flashed a new image to another mSata and inserted to investigate, no idea why it started working which tbh is only slightly more annoying than it not working at all haha

Will report what I find.

EDIT: false alarm, not sure what I did but I've retraced my steps and cannot get it working again. Clearly I am on the right track here. Will keep going and report back.
Title: Re: DNS issues on fresh install
Post by: Medicineman25 on March 22, 2021, 04:05:56 am
Solved.

I regret to inform that opnsense wasn't the only issue I was facing, yet I didn't know until very late last night.... it appears there was something broken in my Arch Linux network stack. I suspect ExpressVPN has something to do with blocking traffic even when the service was suspended.

The abovementioned settings on Unbound DNS in Forwarding Mode seem to work just fine.

Thank you for your help and patience!

Title: Re: DNS issues on fresh install
Post by: thowe on March 22, 2021, 05:06:58 pm
Thank you for the final good news. All's well that ends well.

This shows again that it becomes difficult to find problems when too many parts are changeable at the same time. Then you don't really know where problems come from.  :D

Have fun and success with OPNsense! If the problem is solved, I'm happy about some karma and you can prefix the title with [SOLVED].