OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Raketenforscher on May 12, 2018, 11:57:32 am

Title: default deny rout blocking LAN+WLAN bridge
Post by: Raketenforscher on May 12, 2018, 11:57:32 am

This is a translation of my post https://forum.opnsense.org/index.php?topic=8675.msg38536 to increase the chance of support.


Hello everybody,

I'm the new guy. And I'm trying to switch from IPfire to OPNsense. One reason, among others, is the ability to configure network bridges via GUI in OPNsense.

I attempt to combine LAN and WIFI (WLAN) interfaces to a bridge, so I can use the bridge für DHCP, firewall rules etc. My config so far:

Interfaces
-----------
LAN
- enabled
- no IPv4 address

WLAN
- enabled
- Access Point Mode
- no IPv4 address

INTERN
- Bridge: LAN+WLAN
- IP-address 192.168.1.1/24

Assignments
- INTERN: bridge0 (LAN+WLAN)
- LAN: re0
- WAN: re1
- WLAN: run0_wlan1


DHCPv4
---------
INTERN
- enable
- Subnet 192.168.1.0/24
- Range 192.168.1.200 bis 192.168.1.250

LAN
- DHCPv4 was disabled during initial configuration, but suddenly disappeared totally from the DHCP section in the main menu. Thinking about it, I guess because I disabled the static IP adress lateron, maybe?

Static Mappings
- Notebook, cable:
-- IP 192.168.1.10
-- DNS 192.168.1.2+192.168.1.2 (Pi-Hole, local DNS-Server w/ static IP)
-- Gateway 192.168.1.1

- Tablet, WLAN
-- IP 192.168.1.20
-- rest same as Notebook


FIREWALL RULES
-------------------
INTERN
1) TCPv4, Source INTERN net, SourcePort *, Dest *, DestPort 80+443, GW *
2) UDPv4, Source INTERN net, SourcePort *, Dest *, DestPort 53, GW *

LAN
none, just Anti-Lockout Rule

WLAN
none

Now the problem:

Using the Notebook, I can access the internet with no problems.

Using the WIFI-Tablet, I can not. IP-Address, GW and DNS are correctly supplied by the DHCP Server. I can access the FW using IP 192.168.1.1, which is the static IP Address of the INTERN bridge (see above)

Trying to access other destinations, live view log reads as follows:

Interface WLAN - Source 192.168.1.20 - Dest 192.168.1.2:53 - Default Deny Route

Basically, I got the idea: The tablet 192.168.1.20 is trying to access the DNS-Server 192.168.1.2 via the interface WLAN, which has no rules defined, therefore being blocked by default deny rule.

But why does the tablet use the WLAN interface an not the INTERN bridge? That's why I created the bridge in the first place, so that all clients are in the same subnet, can communicate to each other freely, and I can define rules for both LAN+WLAN at the same time by using the INTERN bridge. Which would be pointless if I had to define rules for WLAN interface as well.

Title: Re: default deny rout blocking LAN+WLAN bridge
Post by: guest15389 on May 14, 2018, 03:33:50 pm

Check the last post here:

https://forum.opnsense.org/index.php?topic=2981.msg29374#msg29374