OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: bulldog3346 on October 14, 2018, 08:10:20 pm

Title: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 14, 2018, 08:10:20 pm
I am brand new to OPNsense, replacing IPCop used for 2 years. I followed the install wizard. WAN uses the DHCP server of my cable modem (Charter-Spectrum), has an IP and all other necessary configuration. LAN has a static IP, though I have enabled DHCP on the LAN for all other clients. My testing client is able to obtain an IP and DNS and gateway information. I am able to ping the WAN DNS servers, and other addresses on the web by IP and by name. However, I am not able to open any websites from the testing LAN client. I have set up rules for HTTP and HTTPS from LAN to WAN and from WAN to LAN without any luck. I have installed version 18.7 with latest updates on a Dell PE 1950 with 2 Xeon quad-core 2.6 GHz processors, 8 GB RAM, 2 Intel gigabit NICs, set to auto negotiate on both. I would greatly appreciate any help to fix this issue. The machine that IPCop is running on is beginning to fail, so it is critical to get the OPNsense machine in production. Thanks in advance - Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Evil_Sense on October 15, 2018, 12:24:04 am
Well, normally the rules that get generated automatically allow reaching anything from LAN.

Are you able to ping and resolve different sites directly from the OPNsense host?
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: mateusjua on October 15, 2018, 12:42:43 am
Change your NAT outbound mode to:

Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules)
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 15, 2018, 06:35:54 pm
I changed the NAT outbound to Hybrid but still no joy. Should I reset to factory and try again?
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 15, 2018, 06:38:45 pm
Yes, I can ping and resolve different sites directly from the OPNsense server.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 19, 2018, 04:55:33 pm
I have re-installed and reset to factory defaults to reconfigure using the configd wizard. HTTP and HTTPS will not be routed across the LAN-WAN gateway. I am at a loss. While I like many of the features of OPNsense, it is not working for me. I really could use some help.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bmail on October 19, 2018, 08:18:54 pm
Hello,

You don't need rules from wan to lan if you only have clients on lan side.

bmail
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Fatmouse69 on October 19, 2018, 10:12:36 pm
If you can ping external hosts by IP and DNS but are not able to reach websites via HTTP/S, then this kind of traffic might get blocked/dropped somehow.

Once you have answered the question from Evil_Sense, I would look into the firewall logs while you try to access an external website from a local client in the LAN and see how your firewall handles this.

Greetings, David
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bringha on October 20, 2018, 08:33:42 pm
Hi there,

I faced the same challenge when I went from ipcop to opnsense about 3 years ago. As opnsense is a stateful firewall (other than ipcop), the rule logic is somewhat different from ipcop. What could help you a lot is this article:

https://forum.opnsense.org/index.php?topic=4436.0

It's in German, hope you can read it ....

BR br
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 21, 2018, 12:40:51 am
Quote from: Fatmouse69
If you can ping extern hosts by IP and DNS but are not able to reach websites via HTTP/S, than this kind of traffic might get blocked/dropped somehow.

When you approve the question from Evil_Sense then I would look into the Firewall logs when you try to access an external website from a local client in the LAN and see how your firewall handles this.

Greetings, David

Yes, I can ping by fqdn and ip from the client side, but can't open websites.  Your help would be greatly appreciated.

Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 21, 2018, 02:27:37 am
Quote from: bringha
https://forum.opnsense.org/index.php?topic=4436.0

Its in German, hope you can read it ....

BR br

Frank -> br

This was very helpful!!  This now makes more sense to me.  I will tackle this again tomorrow morning.  I have more hope now that I will be successful.

BTW: I studied German in college and was somewhat fluent afterwards. But that was 40 years ago, so Google Translate came to the rescue.

Cheers,
Frank

Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Fatmouse69 on October 21, 2018, 08:07:35 pm
Quote from: bulldog3346
Yes, I can ping by fqdn and ip from the client side, but can't open websites.  Your help would be greatly appreciated.

Frank

As I mentioned, check your logs. Any denied traffic should be listed there (this requires logging on your firewall rules -> enable this option for each rule if in any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 21, 2018, 11:28:56 pm
Bulldog3346 -> Fatmouse69

Quote from: Fatmouse69
As I mentioned check your logs. Any denied traffic should be listed there (requires logging of your firewall rules -> enable this option for each rule if any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?

Thanks for the offer. At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings. However, the rules I tried that did not work were LAN -> WAN allow ports 80 and 443 to WAN, and WAN -> LAN allow 80 and 443 to LAN. I did check

Cheers,
Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 21, 2018, 11:30:59 pm
Bulldog3346 -> bringha

Quote from: bringha
https://forum.opnsense.org/index.php?topic=4436.0

Its in German, hope you can read it ....

BR br


I had a chance to read and re-read the above conversation. However, I am still unclear on which side, WAN or LAN, some of these rules are written. If the LAN, by default, allows everything to go to the WAN side, and the WAN side by default allows nothing to pass to the LAN side, shouldn't the HTTP and HTTPS allow rules, and any other protocol needed to go from the WAN to the LAN, be written on the WAN gateway side and not the LAN as described in the conversation in the above link?

Wouldn't it make more sense to write rules on the WAN side to allow the protocols on ports 80, 443, 53, the mail protocol ports, and any others needed on the LAN side?

Or, are there hidden default rules on the LAN side coded in to 1. allow everything out of the LAN to the WAN and 2. block everything coming into the LAN from the WAN? Would that explain writing the rules on the LAN side? However, isn't it necessary to write complementary and converse rules on the WAN side to allow the various protocols to pass traffic to the LAN? This is what I first attempted to do, but I still could not open websites with a browser (Firefox) from a LAN client, though I could ping the same websites by name, with DNS resolving the addresses to ping.

I agree with Stefan on the German board that someone should write a white paper explaining the architecture of OPNsense and how the firewall really works, as well as how to write rules to allow the various IP protocols to pass into and out of the firewall. OPNsense for Dummies, for dummies like me :).

Cheers
Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Evil_Sense on October 22, 2018, 04:25:57 pm
Since it's a stateful firewall, the default configuration allows access to anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Fatmouse69 on October 22, 2018, 06:47:51 pm
Quote from: bulldog3346
Thanks for the offer.  At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings.  However, the rules I tried that did not work was LAN -> WAN allow port 80 and 443 to WAN and WAN -> to LAN allow 80 and 443 to LAN.  I did check

I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 22, 2018, 06:58:58 pm
Quote from: Evil_Sense
Since it's a statefull firewall the default configuration allows to access anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).

Bulldog3346 -> Evil_Sense

Thank you, this too was helpful.  You may have opened the door of understanding.

Frank

Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 23, 2018, 06:10:24 pm
Quote from: Fatmouse69
I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.

Unfortunately, same result, ping by name works, http,https no go.  Gonna try again shortly.

Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bringha on October 23, 2018, 06:30:21 pm
I think we need to start one step back ....

Can you provide a drawing of your network config, what is connected to what and IP network addresses you have used on your interfaces, modem, client, ....

Br br
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 24, 2018, 07:02:04 pm
Quote from: bringha
I think we need start one step back ....

Can you provide a drawing of your network config, what is connected to what and IP network addresses you have used on your interfaces, modem, client, ....

Br br

Here is a diagram of my network, it's pretty basic as you can see.

Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Evil_Sense on October 24, 2018, 07:20:00 pm
Could you try to attach your test device directly to the OPNsense Firewall to rule out the cisco switch?
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bringha on October 24, 2018, 07:47:14 pm
... and before: What is the network address in the WAN DHCP network ....

Br br
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 24, 2018, 07:57:16 pm
Quote from: bringha
... and before: What is the network address in the WAN DHCP network ....

Br br

WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: guest19228 on October 25, 2018, 04:12:43 am
You can also do a very basic check at the OPNsense firewall itself. SSH into it, go to the shell and enter

curl https://google.com

When you get this response:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

the WAN side of your firewall is working. The next step then should be to eliminate all other hardware between the firewall and your test device, as already suggested.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bringha on October 25, 2018, 08:01:23 am
Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 25, 2018, 05:02:57 pm
Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

Yes, that is correct.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 25, 2018, 05:31:57 pm
Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

For example, the current IPCop's WAN address is: 75.128.246.112/23
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bringha on October 25, 2018, 07:30:46 pm
Next, please check whether you have under System->routes all the routes you require to get traffic at the right places

Then, please check whether your DNS is configured correctly and is accessible from the clients

All that as suggested by others with ONE client directly connected to the LAN interfaces of the sense ....

Br br
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 26, 2018, 03:11:59 am
Quote from: guest19228
You can also do a very basic check at the OPNsense firewall itself. SSH into it, go to the shell and enter

curl https://google.com

When you get this response:

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

the WAN side of your firewall is working. The next step then should be to eliminate all other hardware between the firewall and your test device, as already suggested.

I tried a re-install today. I didn't directly connect my test client to the firewall; I'll try that tomorrow. However, I was able to successfully do the above test from the OpS server. However, I was not able to ping clients on the LAN, nor was I able to open the web GUI from a test client on the LAN. I must be doing something wrong when configuring the LAN interface from the menu. When asked to give the address of the gateway for the WAN, I entered the IP address of the LAN interface; I then answered no to the question to use the LAN gateway address for DNS. Are these responses correct? Why am I not able to ping the LAN from the server, or ping the server from a LAN client now? I will try to connect a client directly to the OpS server tomorrow. I will not be defeated!!
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Fatmouse69 on October 26, 2018, 08:22:33 am
Hi bulldog,
Quote
When ask to give the address of the gateway for the WAN, I entered the ip address of the LAN interface (...)
the gateway of your OPNsense WAN interface should not be its LAN interface. When you only have one WAN interface then set this option to Auto-detect (default).
Quote
(...) I then answered no to the question to use the LAN gateway address for DNS.
Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?

Kind regards, David
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 26, 2018, 08:17:20 pm
Quote from: Fatmouse69
Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?

I think that if a specific address is not entered for the WAN gateway, the default is none. Though I can't remember, though I should, I've gone through enough times :)  However, I thought it may be incorrect if I gave it the LAN gateway address. 

I will say yes to the question, Opnsense as DNS.  In System> Settings> general, I gave the DNS addresses of the servers provided by my inet provider.  I will give it another go.  Thanks for these insights.

Cheers,
Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Fatmouse69 on October 27, 2018, 10:33:59 am
Quote
I think that if a specific address is not entered for the WAN gateway, the default is none.
I have a rather similar setup to yours, and in my case setting a GW explicitly did not work. Only when I disabled it was I able to establish an Internet connection for clients in my LAN. Moreover, and independently of that, the documentation of OPNsense (when you click the info icon of your WAN interface's IPv4 Upstream Gateway section) says:
Quote
If this interface is a multi-WAN interface, select an existing gateway from the list or add a new one using the button above. For single WAN interfaces a gateway must be created but set to auto-detect. For a LAN a gateway is not necessary to be set up.
Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running ;)
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 28, 2018, 11:59:11 pm
Quote from: Fatmouse69
Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running ;)

Okay, I am with you now. I was referring to the config wizard that comes up on the terminal at install, and now I realize that you were referring to the config wizard in the GUI interface. That is where I found the setting to which you referred.

Yesterday, I had it sort of working, but no luck with the browser.  I took the day off to get a break from it.   So, tomorrow morning I will see if it now will work.

Cheers,
Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: Ciprian on October 29, 2018, 09:57:44 am
Hi!

Try setting the "Enable Forwarding Mode" to Yes (Checked) in Unbound DNS (Services: Unbound DNS: General).

If not enough, disable Harden DNSSEC data (Services: Unbound DNS: Advanced).
If still not enough, disable DNSSEC completely (Services: Unbound DNS: General).

Logic behind setting Forwarding Mode to ON: during the wizard, you get asked which DNS servers you want to use, so you set something there, maybe your provider's DNS, or Google's, or OpenDNS's etc.
By default, Unbound is set without Forwarding Mode (Disabled), and so it should directly resolve using root DNS servers. For unknown reasons, this doesn't work, so enabling Forwarding Mode would force Unbound to resolve using your previously set public DNS.

Logic behind Hardened DNSSEC settings: Depending on your chosen DNS forwarding servers, many of these DNS forwarding services don't cope well with DNSSEC, so try disabling Hardened DNSSEC at first, and then, if needed, DNSSEC completely.

Hope it helps.
Cheers!
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on October 30, 2018, 06:27:35 pm
Quote from: Ciprian
Hi!

Try setting the "Enable Forwarding Mode" to Yes (Checked) in Unbound DNS (Services: Unbound DNS: General).

If not enough, disable Harden DNSSEC data (Services: Unbound DNS: Advanced).
If still not enough, disable DNSSEC completely (Services: Unbound DNS: General).

Logic behind setting Forwarding Mode to ON: during the wizard, you get asked which DNS servers you want to use, so you set something there, maybe your provider's DNS, or Google's, or OpenDNS's etc.
By default, Unbound is set without Forwarding Mode (Disabled), and so it should directly resolve using root DNS servers. For unknown reasons, this doesn't work, so enabling Forwarding Mode would force Unbound to resolve using your previously set public DNS.

Logic behind Hardened DNSSEC settings: Depending on your chosen DNS forwarding servers, many of these DNS forwarding services don't cope well with DNSSEC, so try disabling Hardened DNSSEC at first, and then, if needed, DNSSEC completely.

Hope it helps.
Cheers!

Thanks for this info. I'm afraid I did not give you the correct net diagram previously. I have attached a more accurate one here. As you can see, I have a Windows 2008 R2 server on the network that, among other things, is set up as a DNS forwarder linking it to my ISP's provided external DNS servers. Perhaps this is the problem? On one test Windows 10 client (not directly connected to OpnSen), when I run the network diagnostic tool, it tells me it cannot find the DNS. On another client, the diagnostic reports it cannot connect to wpad.my.domain.name. In both cases the diagnostic also reports that the network is configured correctly otherwise. The network properties tool shows "Connected to Internet."

So, perhaps my internal DNS and OpnSen DNS are not playing well with each other. I tried your above suggestions without joy. I even disabled Unbound DNS on OpnSen. Should I disable one or both, or should I configure OpnSen with only my internal DNS as the DNS to use along with the Unbound DNS? Any ideas?

This last attempt was the closest I got to getting OpnSen running. BTW, I have opted not to test this with a client directly attached to the OpnSen server. My Cisco switch (24 port, gigabit) is pure vanilla configured, with no VLAN, QoS, limiters, etc. The IPCop server has no problem working with it.

So, it is pretty clear to me that the issue I am now having has to do with DNS. As I understand stateful firewalls, it only allows incoming packets from the inet to pass to the LAN that are in reply to requests made by clients on the LAN side. All other incoming packets are dropped.

Success is only a few clicks away, I can taste it. :)

Cheers,
Frustrated, but not yet defeated, Frank
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: guest19228 on November 03, 2018, 05:19:00 am
For the gateway part of the discussion - you should not need to set any gateway in your opnsense.  According to your picture the WAN side is configured via DHCP from the ISP/Cable modem it will get the default gateway from there. The LAN side does not need any gateway set as long as you have no other router in the LAN.
Just for my understanding:
You stated you can ping by name and ip internal AND external instances from your internal machines. So DNS and routing cannot be the problem. You also mentioned curl from CLI from the opnsense server works.
In your last reply you wrote something about wpad. Does this mean you have set up a web proxy? If I assume right please provide details for your proxy configuration.
As ping is ICMP, it bypasses the proxy, so it will work even when something is wrong with the proxy. Curl from the OPNsense CLI works because it is probably not using the proxy.
Title: Re: New Install Problem - Not able to open websites on lan through firewall
Post by: bulldog3346 on November 03, 2018, 10:20:39 pm
Quote from: guest19228
For the gateway part of the discussion - you should not need to set any gateway in your opnsense.  According to your picture the WAN side is configured via DHCP from the ISP/Cable modem it will get the default gateway from there. The LAN side does not need any gateway set as long as you have no other router in the LAN.
Just for my understanding:
You stated you can ping by name and ip internal AND external instances from your internal machines. So DNS and routing cannot be the problem. You also mentioned curl from CLI from the opnsense server works.
In your last reply you wrote something about wpad. Does this mean you have set up a web proxy? If I assume right please provide details for your proxy configuration.
As ping is icmp it is bypassing the proxy so it will work even when something is wrong with the proxy. Curl from the opnsense cli works it is probably not using the proxy.

We did it!! OPNsense is now running and has been put into production! Thanks to all of you for your guidance and instruction. The OPNsense server is running like a top. Thank you for putting up with this knucklehead. Both my test machines' browsers (Firefox) were set to "auto detect proxy settings", so I changed that to no proxy.

I disabled the dns server running on my WinServer, and turned on relay on the unbound dns.  I set dns in the lan dhcp server to the dns servers provided by my ISP.  Left everything else default. 

Cheers and beers,
Frank
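The diagnostic order the thread converged on, as an added Python example (not code from the thread or from OPNsense): resolve a name, check TCP reach on 443, fetch over HTTPS expecting the 301 from the curl test above, and only then look at the browser's proxy auto-detection name wpad.<search domain>, since a client on "auto detect proxy settings" depends on that lookup while ping and curl do not. The test host, the wpad label, the timeouts and the search domain handling are assumptions; the probe functions are parameters so the decision logic can be exercised with constructed results.

```python
"""Layered triage for "ping and DNS work, browsing fails" on a LAN client.

Added example (not from the thread or from OPNsense). Checks run in the
order the thread settled on: name resolution, TCP reach on 443, an HTTPS
fetch of google.com expecting the 301 that the curl test returns, and
finally whether a wpad.<search domain> name exists, because a browser on
"auto detect proxy settings" looks that name up before browsing.
"""
import http.client
import socket

TEST_HOST = "google.com"   # host used in the thread's curl check (assumption)
WPAD_LABEL = "wpad"        # browsers try wpad.<search domain> for a PAC file


def resolve(name):
    """First IPv4 address for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_connect(host, port, timeout=3.0):
    """True when a TCP handshake to host:port completes. A LAN->WAN allow
    rule lets this through; a block or outbound NAT problem shows as failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status(host, timeout=3.0):
    """HTTPS GET / and return the status code (301 expected for google.com),
    or None when TLS/HTTP fails. Uses no proxy, unlike a browser."""
    try:
        conn = http.client.HTTPSConnection(host, timeout=timeout)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def triage(search_domain, resolve=resolve, tcp_connect=tcp_connect,
           http_status=http_status, test_host=TEST_HOST):
    """Return (verdict, details); verdict is 'dns', 'transport', 'http' or 'ok'.
    The probes are parameters so the decision logic can be exercised offline
    with constructed results; the defaults use the real network."""
    details = {"dns": resolve(test_host)}
    if details["dns"] is None:
        return "dns", details            # resolver / forwarding problem
    details["tcp443"] = tcp_connect(details["dns"], 443)
    if not details["tcp443"]:
        return "transport", details      # rules, outbound NAT or gateway
    details["http"] = http_status(test_host)
    if details["http"] is None:
        return "http", details           # reach is fine, HTTP/TLS is not
    # Everything below the browser works from this host. Record whether a
    # WPAD name exists: an auto-detecting browser will fetch its PAC file
    # from it, so a wrong or stale wpad record explains a browser-only failure.
    wpad_name = f"{WPAD_LABEL}.{search_domain}" if search_domain else None
    details["wpad"] = resolve(wpad_name) if wpad_name else None
    return "ok", details


if __name__ == "__main__":
    import sys
    # Search domain from argv, else the part of this host's FQDN after the hostname.
    domain = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn().partition(".")[2]
    verdict, info = triage(domain)
    print(verdict, info)
    if verdict == "ok":
        print("Stack works without a proxy; if a browser still fails, check its "
              "proxy setting (auto-detect -> wpad.%s)." % domain)
```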