OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: incirrata on December 20, 2017, 11:35:13 pm

Title: Only DHCP on WAN interface
Post by: incirrata on December 20, 2017, 11:35:13 pm
I'm trying to set up OPNsense for the first time on a Netgate XG-1541 1U. This box has two gigabit interfaces, igb0 and igb1. Here's how I set it up initially:

I was able to access the web interface over the firewall's LAN no problem. My spare desktop connected to the WAN interface did get the IP I specified in its static mapping, but could not ping out, could not get files over TFTP (including PXE booting), and according to Wireshark just asks who has whatever I set as the DNS address (in this case .254) over and over. I even added a WAN firewall rule to allow all to all.

At first I thought there might be a hardware problem with igb1, so I switched them; igb0 was WAN and igb1 was LAN. I also tried setting static IP vs DHCP and connecting to edge firewall vs spare desktop on both. No matter what I tried, only LAN worked - WAN was never able to send more than DHCP lease to the spare desktop, and anything connected to WAN (no matter igb0 or igb1) could reach the firewall.

Other than the static/DHCP settings and user accounts, I haven't changed anything from stock OPNsense defaults. Is OPNsense just incompatible with this hardware for some weird reason? Is there some hidden setting or rules trickery required to get WAN working? What am I missing, and how can I fix this so that I can connect to both the wider network AND a spare desktop or switch with many desktops connected? Eventually I would like this to replace my edge firewall - will I need to change it somehow to do that?
Title: Re: Only DHCP on WAN interface
Post by: thowe on December 21, 2017, 05:11:47 am
I suppose you want to drive an internal test installation. This is what I normally do with a new firewall.

Normally I let the WAN interface of the new firewall under test to get a normal internal IP from my network via DHCP. The current productive firewall is set automatically as the next hop gateway on the WAN side.

For the LAN side I manually set a free internal IP that is not in the DHCP range to avoid collisions with another host in my LAN. The gateway on the LAN is left blank. DHCP is switched off while testing. Before transitioning the new firewall into production after tests, I will have to reenable the DHCP server on the LAN side.

To access the OPNsense GUI, you connect from your LAN to the manually set IP on the LAN interface of your box under test.

Alternatively, you could attach only your spare PC to the LAN side and let your new box span a seperate test LAN with another IP range. And let it provide an ip to the connected spare PC via the enabled DHCP server at this simulated LAN side. This allows testing of the DHCP as well.

Regarding your current test setup: To me it looks to be the the other way round. Inverted. It is not the normal case to provide an IP to a host in WAN and have the gateway to Internet on the LAN side. In my opinion you should turn it around.

I am sure this way your nice hardware will make a great OPNsense firewall. 😀

Just ask if my explenations are unclear. It's not that easy to describe...

Title: Re: Only DHCP on WAN interface
Post by: incirrata on December 21, 2017, 05:19:10 pm
Thanks for your reply, thowe! I've set igb1 to WAN getting an IP from the edge firewall via DHCP, but now I can't reach the firewall at all from the network. The message "arprequest: cannot find matching address" keeps appearing in the OPNsense console and the firewall log is an endless stream of packets to/from 0.nl.pool.ntp.org.[my domain].com.

I also set igb0 to LAN with a static IP ( and my spare desktop to static IP (disabled DHCP and no gateway). I was able to briefly reach the firewall web interface for about a minute before the firewall became unreachable. According to wireshark on the desktop, it just keeps ARP'ing "Who has Tell" over and over. The firewall log also started showing the following message:

rule 10/0(match): block in on igb0: (tos 0x0, ttl 64, id53014, offset 0, flags [DF], proto UDP (17), length 44) > UDP, length 16

So with this configuration, I cannot reach the firewall WAN from the network and cannot reach the firewall LAN despite being connected directly to it.
Title: Re: Only DHCP on WAN interface
Post by: franco on December 21, 2017, 05:29:47 pm
"arprequest: cannot find matching address" means something is wrong with our gateway / subnet designation.

Easiest solution if DHCP doesn't work on WAN: Set a static IP and an upstream gateway and it should work...

Title: Re: Only DHCP on WAN interface
Post by: incirrata on December 21, 2017, 06:24:03 pm
Hi Franco, thanks for your help! I  set the WAN static IP and gateway manually. I used the same IP as it was getting via DHCP, so I think my edge firewall is not passing the gateway correctly via DHCP. I no longer get "arprequest: cannot find matching address" messages  and can ping other desktops connected to my network and external addresses like Google from the OPNsense console!

I also figured out the reason I could not reach the LAN for more than a minute: it was dropping its static IP for some reason. Setting the WAN interface to a static IP as above seems to have fixed this. I can now reach the web GUI from my spare desktop over LAN!

However, I still cannot reach the internet from the desktop connected to the LAN interface, and I cannot reach back to the firewall from other hosts on my own network (in other words, I can ping hosts on my network from the OPNsense console but cannot ping OPNsense from the same host).