Title: default deny route blocking LAN+WLAN bridge
Post by: Raketenforscher on May 12, 2018, 11:57:32 am


Hello everybody,

I'm the new guy. And I'm trying to switch from IPfire to OPNsense. One reason, among others, is the ability to configure network bridges via GUI in OPNsense.

I attempt to combine LAN and WIFI (WLAN) interfaces to a bridge, so I can use the bridge for DHCP, firewall rules etc. My config so far:

- enabled
- no IPv4 address

- enabled
- Access Point Mode
- no IPv4 address

- Bridge: LAN+WLAN
- IP-address

- INTERN: bridge0 (LAN+WLAN)
- LAN: re0
- WAN: re1
- WLAN: run0_wlan1

- enable
- Subnet
- Range to

- DHCPv4 was disabled during initial configuration, but suddenly disappeared totally from the DHCP section in the main menu. Thinking about it, I guess because I disabled the static IP address later on, maybe?

Static Mappings
- Notebook, cable:
-- IP
-- DNS (Pi-Hole, local DNS-Server w/ static IP)
-- Gateway

- Tablet, WLAN
-- IP
-- rest same as Notebook

1) TCPv4, Source INTERN net, SourcePort *, Dest *, DestPort 80+443, GW *
2) UDPv4, Source INTERN net, SourcePort *, Dest *, DestPort 53, GW *

none, just Anti-Lockout Rule


Now the problem:

Using the Notebook, I can access the internet with no problems.

Using the WIFI-Tablet, I cannot. IP-Address, GW and DNS are correctly supplied by the DHCP Server. I can access the FW using IP, which is the static IP Address of the INTERN bridge (see above).

Trying to access other destinations, live view log reads as follows:

Interface WLAN - Source - Dest - Default Deny Route

Basically, I got the idea: The tablet is trying to access the DNS-Server via the interface WLAN, which has no rules defined, therefore being blocked by default deny rule.

But why does the tablet use the WLAN interface and not the INTERN bridge? That's why I created the bridge in the first place, so that all clients are in the same subnet, can communicate to each other freely, and I can define rules for both LAN+WLAN at the same time by using the INTERN bridge. Which would be pointless if I had to define rules for WLAN interface as well.
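As an added example (not part of the original post or of OPNsense itself), the following script checks the FreeBSD bridge tunables that decide whether pf evaluates rules on the member interfaces (re0, run0_wlan1) or on bridge0. It assumes that net.link.bridge.pfil_member and net.link.bridge.pfil_bridge govern this, with FreeBSD defaults of 1 and 0 respectively; that this is the cause of the behaviour described above is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: on FreeBSD/OPNsense
# net.link.bridge.pfil_member and net.link.bridge.pfil_bridge decide whether
# bridged packets are filtered on the member interfaces or on bridge0.
# FreeBSD defaults: pfil_member=1, pfil_bridge=0.

# Extract one tunable's value from "sysctl -a"-style text ("key: value");
# fall back to the supplied default when the key is absent.
tunable() {
    val=$(printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9]*\).*/\1/p" | head -n 1)
    printf '%s' "${val:-$3}"
}

# Report which interface(s) pf evaluates rules on for bridged traffic.
# Argument 1: sysctl output text (use "$(sysctl net.link.bridge)" on the box).
bridge_filter_scope() {
    m=$(tunable "$1" net.link.bridge.pfil_member 1)
    b=$(tunable "$1" net.link.bridge.pfil_bridge 0)
    case "$m/$b" in
        1/0) echo member ;;
        0/1) echo bridge ;;
        1/1) echo both ;;
        *)   echo none ;;
    esac
}

# Translate the scope into where a rule set must live for the INTERN
# (bridge0) / LAN / WLAN layout used in this thread.
rules_location() {
    case "$(bridge_filter_scope "$1")" in
        bridge) echo "rules on INTERN only" ;;
        member) echo "rules on LAN and WLAN; INTERN rules never match" ;;
        both)   echo "rules on INTERN and on LAN and WLAN (packet checked twice)" ;;
        none)   echo "no filtering of bridged traffic" ;;
    esac
}

# Constructed sample mirroring the FreeBSD defaults.
SAMPLE_DEFAULT="net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0"

# Constructed sample after moving filtering onto bridge0.
SAMPLE_BRIDGE="net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1"

rules_location "$SAMPLE_DEFAULT"
rules_location "$SAMPLE_BRIDGE"
```

On an OPNsense box the values can be changed persistently under System > Settings > Tunables; after the change, rules bound to INTERN are the ones consulted for both LAN and WLAN clients.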
