OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: hushcoden on July 31, 2021, 06:55:14 pm
-
Eventually I was able to do fresh install of 21.7 on my APU2 (WAN + 2 LAN ports), but I can't access Internet from the 2nd LAN port: how do I troubleshoot this?
Tia.
-
If both LAN ports are in the same subnet, you can bridge the interfaces. Otherwise you need to enable that second LAN interface, give it an ip address in the correct range, and add appropriate access and routing.
-
Thanks, I did set up the ports on two different subnets and it seems the issue was that the 'default allow LAN2 to any rule' was not there, and after I added that rule I have now access to the Internet, so my question is: why on the default LAN OPNsense has that rule and on the 2nd LAN I had to put it manually?
Also, is there any other rules I have to enter?
Thanks.
-
Thanks, I did set up the ports on two different subnets and it seems the issue was that the 'default allow LAN2 to any rule' was not there, and after I added that rule I have now access to the Internet, so my question is: why on the default LAN OPNsense has that rule and on the 2nd LAN I had to put it manually?
Also, is there any other rules I have to enter?
Thanks.
Because "Allow ANY ANY" is awfully unsafe and is only there for LAN to make it work out of the box. Delete this rule on ALL interface and start to allow specifically the things you REALLY need t omake your different networks functional....
-
Thanks, I did set up the ports on two different subnets and it seems the issue was that the 'default allow LAN2 to any rule' was not there, and after I added that rule I have now access to the Internet, so my question is: why on the default LAN OPNsense has that rule and on the 2nd LAN I had to put it manually?
Also, is there any other rules I have to enter?
Thanks.
Because "Allow ANY ANY" is awfully unsafe and is only there for LAN to make it work out of the box. Delete this rule on ALL interface and start to allow specifically the things you REALLY need t omake your different networks functional....
Thanks, and please keep in mind we are quite a few users here not really networking-savvy, so many things that are obvious for techies like you, they are quite tricky for me to understand ;)
All I need is to have the devices on the LAN to connect to the Internet (and being able to access the modem GUI - I opened another thread for this).
Of course, I want to build a secure network at home and that's why I started to learn about firewalls and OPNsense, so any advice is more than welcome, i.e. what rule(s) should I replace the standard 'ANY' with ?
Would you share your rules?
Thanks.
-
Spoiler: I'm not a techie at all, this is my hobby only... ;-)
Try to learn the principle, even if you (at first) try to find/follow "simple" recipies matching your needs. :-)
RE: rules
What do you need for which client?
DNS: to the opensense
NTP: opensense or the NTP servers you configure
Then:
Internet? (port 80/443)
eMail ? (SMTPs/IMAPs normally or others?)
And then:
XMPP, messengers other protocols you need. Decide on case-by case evaluation.
Any devices you don't want to decide this with this high granularity: own interface, e.g. for IOT, guest, Android/Apple trash...
-
After some learning :P I decided to customise the rules in my home network: can someone kindly let me know if I have set up everything for browsing the Internet + emails (plus a few services)?
Tia.
-
I can answer myself, I don't have access to Internet: in the live view of the firewall log I see all red where everything matching one rule, Default deny rule :-X
Anybody willing to guide me here?
Tia.
-
In the time that passed, did you solve your problem yet hushcoden? It likely has to do with outbound NAT.
If the default deny rule hits, its often because in Firewall -> NAT -> Outbound the main setting is very restrictive, in that your manual rules are not evaluated. Pragmatically that can be set to "Hybrid", such that "Automatic rules are added, but additional manual rules can be added as well."
See here: https://docs.opnsense.org/manual/nat.html#outbound