OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: ajzimme on March 02, 2017, 09:00:42 pm

Title: LAN Firewall settings
Post by: ajzimme on March 02, 2017, 09:00:42 pm
Hello, I have setup a Lab and am using Opnsense for the firewall. Everything works fine except for internet.
I set it up explicitly to only have access to certain computers on our other LAN. < - Ok so far.
And I set the lab lan to only have access to the fw, and WAN.
The problem is, the WAN won't work unless I allow it to access everything...I tried allow pass LABLAN -> WAN NET and it won't work! But when I do allow pass LABLAN -> * I'm able to ping google just fine.
The Opnsense sits right on the WAN, so it's not having to go thru our other LAN for internet. Its DNS is within the LABLAN itself, and of course all machines in the LABLAN have access to the firewall.
Is there anything else I should add to describe my problem?
Thanks.
(http://oi66.tinypic.com/29570wg.jpg)
(http://oi65.tinypic.com/2j31ymh.jpg)
Title: Re: LAN Firewall settings
Post by: Animosity022 on March 02, 2017, 09:55:20 pm
Without seeing any IPs, do you have a NAT Rule setup to get that new LAN out to the Internet?

If you check Firewall->NAT->Outbound, I would expect to see something there.

Other than that, do you see anything in the Firewall logs in terms of something being blocked?
Title: Re: LAN Firewall settings
Post by: ajzimme on March 02, 2017, 10:38:13 pm
I guess not!
The LAN listed in the jpg is our LAN, not the LAB one.

(https://image.ibb.co/g2QaWF/2017_03_02_14_02_32_Outbound_NAT_Firewall_OPNsense_petztest.png)

I updated the image, so now I added similar rules for outbound NAT, I'm not sure why I would have to do that, but either way, it still doesn't work- without me allowing LABLAN out to *, it will not have access to the WAN.
Title: Re: LAN Firewall settings
Post by: Animosity022 on March 02, 2017, 11:34:12 pm
I kinda think of it like the SSL VPN Instructions. They go through adding and validating the rules are there for another 'network'  to connect.

https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Step 2 shows the firewall rules.

To get out to the internet, I'm assuming your lab lan is private as well so you need the Outbound NAT rule.

(http://i.imgur.com/yEZNnKp.png)
Bottom on there is the OpenVPN network back out through.
The second to bottom is my normal private lan back out.
Title: Re: LAN Firewall settings
Post by: ajzimme on March 03, 2017, 04:47:58 pm
I don't mean to be dense. But I'm extremely confused now. Haha.

I don't have a VPN setup. I have a WAN, and two different LANs.

(https://image.ibb.co/dU6JJv/2017_03_03_07_44_42_System_Routing_Table.png)
Title: Re: LAN Firewall settings
Post by: Animosity022 on March 03, 2017, 06:13:57 pm
If you can post your Outbound NAT screen like I did, that would be helpful now.

If you can access everything internally and just not out to the Internet, I think you are missing a NAT as your routing should be ok then.
Title: Re: LAN Firewall settings
Post by: ajzimme on March 03, 2017, 06:45:52 pm
This is my outbound NAT sir.
https://forum.opnsense.org/index.php?topic=4681.msg18125#msg18125

:)
Title: Re: LAN Firewall settings
Post by: Animosity022 on March 03, 2017, 07:04:14 pm
I'm trying to follow as some of the internal IP info is blurred out.

Your LABLAN looks to be 192.168.10.0/24.

You only have part of the screen, I can't tell if your rules at Automatic/Hybrid/Manual or None.

You need a NAT Out with the Source 192.168.10.0/24 Interface WAN like the last 2 lines in my NAT Outbound output.

You need to translate your internal IP schemes through the firewall to NAT'ed addresses.

So the rule would look like:
Interface: WAN
Source: 192.168.10.0/24
NAT Address: WAN Address
Everything else *s

I have static checked because I have XBox traffic that requires it, but I don't think you'd need that. I don't have it setup on my other interface.
Title: Re: LAN Firewall settings
Post by: ajzimme on March 03, 2017, 07:50:48 pm
I tried that and it didn't work.
(https://image.ibb.co/gaVj8v/2017_03_03_10_49_03_Outbound_NAT_Firewall_OPNsense_petztest.png)
Title: Re: LAN Firewall settings
Post by: ajzimme on March 04, 2017, 12:01:57 am
I ended up just giving up, and creating an alias with every IP on our network (excluding the ones I want it to have access to) and blocking them.
Sad.
Title: Re: LAN Firewall settings
Post by: remd on June 19, 2017, 05:43:40 pm
Bump
I have two issues, one of them is similar.
The first one is DNS resolution, it was working and it isn't anymore (probably some rule as it was working, but I haven't found out which one), then from the second fw behind the first one, will only work if I allow to Any, as described here.
Does anyone have an idea ?