Messages - jjduru

#1
I think I know why this is happening.

In pfsense, after a complete set up, I noticed that under the "Firewall/Nat/Outbound" menu, the automatic NAT rules are being updated to reflect the newly added static routes, as follows:

- first entry:
interface: WAN
Source: 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24 192.168.10.0/24
Source Port: *
Destination:  *
Destination Port: 500
NAT Address:   WAN address
NAT Port:   *
Static Port: v (check mark)
Description: Auto created rule for ISAKMP

- second entry:
interface: WAN
Source: 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24 192.168.10.0/24
Source Port: *
Destination:  *
Destination Port: *
NAT Address:   WAN address
NAT Port:   *
Static Port: some cross path sign
Description: Auto created rule

The important bit in all this info is the "Source" networks: they are being updated to reflect the newly added network rules in the LAN rules section, i.e. a NAT entry for each of the networks.

In opnsense, after I added the firewall rules for the LAN interface, the automatic NAT tab has not been updated. This would correlate with what I've seen in the live view firewall log, where the VLAN30/wifi network requests were showing up as originating on the firewall itself and not from the internal LAN/VLAN. In other words, opnsense is not executing the NAT for any of the VLANs, except for the native VLAN10.

So the real question is: is this a bug, or are there any more steps that I should've performed after implementing the firewall rules?
Thank you in advance.
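As an added illustration (not code from this thread, from pfSense or from OPNsense), the following Python script parses the "Source" field of an outbound NAT entry exactly as it is listed in the post above and reports which of the internal VLANs would not be source-NATed on WAN. The pfSense source list is copied from the entry above; the OPNsense list is a constructed assumption of an automatic rule that only includes loopback and the directly connected LAN network. The WAN interface name `em0` and the pf.conf-style `nat` lines are also assumptions, meant as a hint of what a manual outbound rule would have to express, not OPNsense's own generated ruleset.

```python
"""Check which internal networks an outbound NAT rule's Source set covers.

Added example, not code from the forum thread, pfSense or OPNsense.
"""
import ipaddress

# Copied from the pfSense automatic outbound NAT entry quoted in the post.
PFSENSE_AUTO_SOURCES = (
    "127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 "
    "192.168.30.0/24 192.168.40.0/24 192.168.10.0/24"
)

# Constructed assumption: an automatic rule that was never updated and so
# only lists loopback and the directly connected LAN network (VLAN10).
OPNSENSE_AUTO_SOURCES = "127.0.0.0/8 ::1/128 192.168.10.0/24"

# The five VLANs described in the thread.
INTERNAL_VLANS = {
    "management": "192.168.1.0/24",
    "main": "192.168.10.0/24",
    "storage": "192.168.20.0/24",
    "wifi": "192.168.30.0/24",
    "telephony": "192.168.40.0/24",
}


def parse_sources(field):
    """Turn the GUI's whitespace-separated Source field into network objects."""
    return [ipaddress.ip_network(tok, strict=False) for tok in field.split()]


def is_natted(src_ip, sources):
    """True if a packet with this source address matches the rule's Source set."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in sources)


def uncovered_vlans(vlans, sources_field):
    """Return {name: cidr} for every VLAN not wholly inside some Source network."""
    sources = parse_sources(sources_field)
    missing = {}
    for name, cidr in vlans.items():
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        covered = any(net.version == s.version and net.subnet_of(s) for s in sources)
        if not covered:
            missing[name] = cidr
    return missing


def manual_nat_rules(missing, wan_if="em0"):
    """pf.conf-style nat lines for the uncovered networks (interface name assumed)."""
    return [f"nat on {wan_if} from {cidr} to any -> ({wan_if})"
            for cidr in missing.values()]


if __name__ == "__main__":
    for label, field in (("pfSense", PFSENSE_AUTO_SOURCES),
                         ("OPNsense (assumed)", OPNSENSE_AUTO_SOURCES)):
        missing = uncovered_vlans(INTERNAL_VLANS, field)
        print(f"{label}: uncovered VLANs = {sorted(missing) or 'none'}")
        for line in manual_nat_rules(missing):
            print("  would need:", line)
    # A wifi client is only NATed under the pfSense rule set.
    print("192.168.30.25 NATed (pfSense):",
          is_natted("192.168.30.25", parse_sources(PFSENSE_AUTO_SOURCES)))
    print("192.168.30.25 NATed (OPNsense, assumed):",
          is_natted("192.168.30.25", parse_sources(OPNSENSE_AUTO_SOURCES)))
```

The check mirrors what the post observes: with the pfSense Source set every VLAN is covered, while with a rule that only knows the directly connected LAN network, a client in the wifi VLAN leaves WAN without its source being rewritten. Comparing the Source field of the auto-generated rule against the list of routed VLANs is the quickest way to confirm whether the missing NAT is the cause before adding manual outbound rules.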
#2
Just to take this out of the way: clean install means that my opnsense firewall is running on the latest stable version (as of 27-May-2018) and has the latest updates applied.
#3
Howdy,

My internal network has 5 VLANs:
192.168.1.0/24 - management VLAN
192.168.10.0/24 - main VLAN - opnsense has its LAN IP in this one.
192.168.20.0/24 - storage VLAN
192.168.30.0/24 - wifi VLAN
192.168.40.0/24 - telephony VLAN

The opnsense firewall has its internal LAN IP set to 192.168.10.1, so it's in the .10.0/24 (aka main VLAN) and, as such, all the devices on that VLAN are able to connect to the internet with no problem - right after the clean install of opnsense, with no additional firewall rules.

Now the tricky part: for the rest of the VLANs (at least in pfsense) I used to create a GW pointing to the switch's main IP (192.168.10.254) and add static routes to instruct the pfsense to send the replies for those VLAN networks through the newly added GW IP (the 192.168.10.254 one). The last step would be to add firewall rules on the LAN interface and allow the traffic to and from the said VLANs. After these steps all the devices in the network are able to reach the interwebz.

In opnsense, the same reproducible set up does not work. I've tried a clean install and the above steps twice and verified my logic, to no avail. The steps that function flawlessly in pfsense produce no good result in opnsense.

What strikes me is that the firewall live view log says that the Wifi VLAN requests are showing as if they are originating from the firewall itself and not from the internal network.

What am I missing here? Is the firewall setup different in OPNsense from what it was in pfsense?
I'd like very much to use opnsense so I could put to work the QoS prioritization wizard.
#4
Quote from: CloudHoppingFlowerChild on September 02, 2017, 02:33:52 AM
[...]
So take it or leave it. I still love using OPNsense, I hope that isn't lost. I'm just saying that if I didn't know it was good, I never would sit through the installation and there are many short fused people like me in the world. You'd be forgiven for not wanting more of us around; I understand.


No, no, no. Let's get something straight. You're not short fused and definitely your experience with the install on disk process is not singular.

I mean heck, first time when I installed it, having the pfsense work flow in mind, it took me a while to understand why the f. my settings are not preserved after rebooting the opnsense firewall. Just to realize I kept running in a live cd environment.

This needs to change asap, it's poor programming.