Messages - rhubarb

#31
Quote from: bugrayuksel on April 26, 2021, 11:59:46 PM
Hi,

I can ping 10.10.10.1 successfully, but cannot ping 10.10.10.21.

All the configuration parameters are default. It's really strange.

Regards.

Your ping to 10.10.10.1 is probably allowed by a rule set to "This Firewall." The "This Firewall" alias encompasses all firewall interface addresses. Can you post the firewall rule on LAN that should allow this ping?

I am not familiar with the Wizard defaults. I tried using the Wizard and it seemed broken.
#32
Quote from: rusty dreamcast on April 26, 2021, 02:34:52 PM
This is the only rule I've made on the VLAN interface; this is very new to me.

192.168.1.193/24 will route to all addresses between 192.168.1.0 and 192.168.1.255.

Set the "24" to "32":

192.168.1.193/32 - This will route only to the address shown.
#33
Quote from: Maurice on April 26, 2021, 03:38:29 PM
Are there any firewall rules on the (untagged) parent interface? These can also affect VLAN traffic.

I have heard this before, and I cannot reproduce it; parent interface rules don't seem to apply to its VLANs, thankfully.
#34
I am getting hundreds of these messages in my General Log. This is not an address space that I use, and my WAN is a public IP that is nothing like this.

2021-04-25T22:48:03   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67   
2021-04-25T22:47:49   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67   
2021-04-25T22:47:04   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67

igb0 is connected to the cable modem and has a public IP.

Does anyone know what is happening?
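A defender-side check for log entries like the ones above, added here as an example and not part of the original post: it parses dhclient DHCPREQUEST lines and reports requests sent from the WAN interface (igb0, as in the post) to an RFC1918 server address. The sample lines are constructed from the quoted ones, plus one benign request to a non-private address for contrast.

```python
import ipaddress
import re

# Constructed sample modelled on the General Log lines quoted above; the last
# line is an added benign request to a non-RFC1918 address for contrast.
SAMPLE_LOG = """\
2021-04-25T22:48:03   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67
2021-04-25T22:47:49   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67
2021-04-25T22:47:04   dhclient[77590]   DHCPREQUEST on igb0 to 172.19.57.123 port 67
2021-04-25T22:46:30   dhclient[77590]   DHCPREQUEST on igb0 to 203.0.113.10 port 67
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+dhclient\[(?P<pid>\d+)\]\s+DHCPREQUEST on (?P<iface>\S+) "
    r"to (?P<server>[0-9.]+) port (?P<port>\d+)\s*$"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_dhcp_requests(log_text: str) -> list:
    """Return one dict per DHCPREQUEST line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flag_private_dhcp_servers(log_text: str, wan_iface: str = "igb0") -> dict:
    """Map each RFC1918 server address that dhclient on the WAN interface is
    renewing against to the number of requests seen. A WAN holding a public
    lease is expected to renew with the ISP's server, so any hit is worth a look."""
    counts = {}
    for ev in parse_dhcp_requests(log_text):
        if ev["iface"] == wan_iface and is_rfc1918(ev["server"]):
            counts[ev["server"]] = counts.get(ev["server"], 0) + 1
    return counts
```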
#35
You may want to disable the block local networks checkbox on the WAN interface.

Also, your WAN address should not be in the ranges of your LAN ports. This can cause issues with firewall rules and routing.
#36
Quote from: franco on April 11, 2021, 07:48:43 PM
Just to be on the safe side here: rules from LAN will likely override VLANs by design of pf(4). You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.

??? This is a first for me, but I'm new to OPNsense.

So my Unifi Controller sits on untagged VLAN1. If I give it gateway access to the internet with OPNsense, will this rule also pass traffic on my IoT VLAN to the internet as well?
#37
General Discussion / No Outbound NAT from LAN
April 09, 2021, 10:03:34 PM
I have a pretty simple floating rule to pass all ICMP traffic with no gateway selection.

I can see in the log when the traffic arrives and it gets passed.

I can see a ping from a host to 1.1.1.1 on the LAN interface. I see nothing on the WAN interface.

Unbound traffic is flowing and DNS is resolving from the LAN net.

Outbound NAT rules are automatic.

Private/bogon networks are not blocked on the WAN.

Any ideas?
#38
I was experimenting with Suricata. When I tried to turn it off, the Apply button hung. After that, I have a VLAN with a DHCP server and simple routing rules to the internet. This interface quit responding. I tried the following.

1. Simplify the routing rules even further.
2. I checked the interface traffic with tcpdump. I can see the packets coming in (ICMP from a host to 1.1.1.1) on the interface, routing to the WAN, and packets coming back from 1.1.1.1, but nothing gets routed back to the interface. The VLAN interface does not send any packets out; it only receives them.
3. Rebooting.

Is it possible that Suricata made some changes with netmap, and those did not get reversed properly when I disabled it?

Can I run a CLI command to manually disable Suricata?
#39
Quote from: opnfwb on March 30, 2021, 07:14:52 AM
The guide posted is decent however, the custom options are sloppy and won't result in a fully functioning setup.
...

Thanks for this suggestion. I reached out to the author of the guide, and they updated it with your suggestions.
#40
I'm glad you fixed it. Using the Gateway field enforces policy-based routing and ignores default routing rules. I'm new to this as well, and this is the most confusing part of OPNsense thus far. The Firewall section of the documentation was worth reading multiple times.

For other readers, a note in the documentation ("When using policy based routing, don't forget to exclude local traffic which shouldn't be forwarded. You can do so by creating a rule with a higher priority, using a default gateway.") is essential to know.
#41
20.7 Legacy Series / Re: Unbound DNS blacklist
March 31, 2021, 03:10:23 AM
I am experiencing this problem.

However, it seems that when I hit Apply, the little animated ellipsis shows up. If I leave it alone in this state for a while until it returns, then it works. If I select a different menu item while it is in this state, it breaks.
#42
I believe the following line does enable DoT:

forward-addr: 1.1.1.1@853   #CloudFlare

Port 853 is typically set for DoT.

https://developers.cloudflare.com/1.1.1.1/dns-over-tls
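An added example (not from the post or the OPNsense project) that audits Unbound forward-zone custom options: it checks that each forward-addr uses port 853 under forward-tls-upstream, and whether a TLS authentication name is given in Unbound's host@853#name form. The sample config is constructed around the line quoted above; certificate name verification also assumes a tls-cert-bundle is configured.

```python
import re

# Constructed sample (not from the post); the first forward-addr is the one quoted above.
SAMPLE_CONFIG = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853   #CloudFlare
    forward-addr: 9.9.9.9@853#dns.quad9.net
forward-zone:
    name: "example.test"
    forward-addr: 192.0.2.53
"""

# host, optional @port, optional #auth-name (Unbound's TLS-name syntax)
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse_forwarders(text):
    """Return (zone, host, port, auth, tls) for every forward-addr in the config."""
    zone, tls, out = None, False, []
    for raw in text.splitlines():
        # '#' starts a comment only after whitespace; glued to an address
        # token it is the TLS auth name, so that part must survive.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-zone":          # new block: reset per-zone state
            zone, tls = None, False
        elif key == "name":
            zone = value.strip('"')
        elif key == "forward-tls-upstream":
            tls = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if m:
                port = int(m.group("port") or 53)   # Unbound's default port
                out.append((zone, m.group("host"), port, m.group("auth"), tls))
    return out

def audit_forwarders(text):
    """Return (zone, host, finding) for each forwarder that is not verified DoT."""
    findings = []
    for zone, host, port, auth, tls in parse_forwarders(text):
        if not tls:
            findings.append((zone, host, "plaintext: forward-tls-upstream is not yes"))
        elif port != 853:
            findings.append((zone, host, "TLS requested on a non-853 port"))
        elif auth is None:
            findings.append((zone, host, "TLS without auth name: server certificate not verified"))
    return findings
```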
#43
Sorry, "Gateway" (not WAN) is what I was asking about.
#44
The WAN setting is closer to the bottom when you edit the rule. If you have selected anything but "default", then the router may not route to internal networks.
#45
I use Quad9, but it's all the same. You can use this guide to set up Unbound DNS on OPNsense:

https://sahlitech.com/opnsense-setup-unbound-dns/

Just comment out the servers you don't want to use and add the ones you do. It's not as slick as Pi-hole, but it's cleaner to have it in the same box.