Messages

Yes, they were setup correctly by dhcp

Hi all,
Thanks again for your assistance in helping me to get OpnSense up and running. 

I now have a new issue:

I entered the static ip's for the local net in DHCP4. Afterwards, machines on the local net could not get connected to the Inet.  The problem went away when I deleted the static ips. 

Any ideas to help

For the gateway part of the discussion - you should not need to set any gateway in your opnsense.  According to your picture the WAN side is configured via DHCP from the ISP/Cable modem it will get the default gateway from there. The LAN side does not need any gateway set as long as you have no other router in the LAN.
Just for my understanding:
You stated you can ping by name and ip internal AND external instances from your internal machines. So DNS and routing cannot be the problem. You also mentioned curl from CLI from the opnsense server works.
In your last reply you wrote something about wpad. Does this mean you have set up a web proxy? If I assume right please provide details for your proxy configuration.
As ping is icmp it is bypassing the proxy so it will work even when something is wrong with the proxy. Curl from the opnsense cli works it is probably not using the proxy.

We did it!!  Opnsense is now running and has been put into production!  Thanks to all of you for your guidance and instruction.  The opnsense server it running like a top.  Thank you for putting up with this knucklehead.   Both my test machine's browser (firefox) were set to: "auto detect proxy settings."  So, I changed that that to no proxy. 

I disabled the dns server running on my WinServer, and turned on relay on the unbound dns.  I set dns in the lan dhcp server to the dns servers provided by my ISP.  Left everything else default. 

Cheers and beers,
Frank

[Logic behind setting Forwarding Mode to ON]

Hi!

Try setting the "Enable Forwarding Mode" to Yes (Checked) in Unbound DNS (Services: Unbound DNS: General).

If not enough, disable Harden DNSSEC data (Services: Unbound DNS: Advanced).
If still not enough, disable DNSSEC completely (Services: Unbound DNS: General).

Logic behind setting Forwarding Mode to ON: during the wizard, you get asked which DNS servers you want to use, so you set something there, maybe your provider's DNS, or Google's, or OpenDNS's etc.
By default, Unbound is set without Forwarding Mode (Disabled), and so it should directly resolve using root DNS servers. For unknown reasons, this doesn't work, so enabling Forwarding Mode would force Unbound to resolve using your previously set public DNS.

Logic behind Hardened DNSSEC settings: Depending on your chosen DNS forwarding servers, many of these DNS forwarding services don't cope well with DNSSEC, so try disabling Hardened DNSSEC at first, and then, if needed, DNSSEC completely.

Hope it helps.
Cheers!

      Thanks for this info. I'm afraid I did not give you the correct net diagram previously.  I have attached a more accurate one here.   As you can see, I have a windows 2008r2 server on the network that among other things is set up as a DNS forwarder linking it to my ISP's provided external DNS servers.  Perhaps this is the problem?  On one test windows 10 client (not directly connected to OpnSen) when I run the network diagnostic tool, it tells me it can not find the DNS.  On another client, the diagnostic reports it can not connect to wpad."my.domain.name."  In both cases the diagnostic also reports that the network is configured correctly otherwise.  The network properties tool shows: :Connected to Internet."
     So, perhaps my internal dns and OpnSen dns are not playing well with each other. I tried your above suggestions without joy.  I even disabled Unbound dns on OpnSen.  Should I disable one or both, or should I configure OpnSen with only my internal dns as the dns to use along with the Unbound dns?  Any ideas? 
    This last attempt was the closest I got to getting OpnSen running.  BTW, I have opted not to test this with a client directly attached to the OpnSen server.  My Cisco switch (24 port, gigabit) is pure vanilla configed, with no vlan, qos, limiters, etc.  The IPCop server has no problem working with it. 
     So, it is pretty clear to me that the issue I am now having has to do with dns.  As I understand stateful firewalls, it only allows incoming packets from the inet to pass to the LAN that are in reply to requests made by clients on the LAN side.  All other incoming packets are dropped. 
     Success is only a few clicks away, I can taste it. :)

Cheers,
Frustrated, but not yet defeated, Frank

Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running ;)

Okay, I am with you now, I was referring to the config wizard that comes up on the terminal at install, and  now I realize that you were referring to the config wizard in the GUI interface.  that is where I found the setting to which you referred.

Yesterday, I had it sort of working, but no luck with the browser.  I took the day off to get a break from it.   So, tomorrow morning I will see if it now will work.

Cheers,
Frank

Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?
[/quote]

I think that if a specific address is not entered for the WAN gateway, the default is none. Though I can't remember, though I should, I've gone through enough times :)  However, I thought it may be incorrect if I gave it the LAN gateway address. 

I will say yes to the question, Opnsense as DNS.  In System> Settings> general, I gave the DNS addresses of the servers provided by my inet provider.  I will give it another go.  Thanks for these insights.

Cheers,
Frank

you can also do a very basic check at the opnsense firewall itself. Ssh into it, go to the shell and enter

Code Select Expand

curl https://google.com. When you get that response:

Code Select Expand

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML> the Wan side of your firewall is working. The next step then should be to eliminate  all other hardware between the firewall and your test device as already suggested.

I tried a re-install today.  I didn't directly connect my test client to the firewall, I'll try that tomorrow.  However, I was able to successfully do the above test from the Ops server.  However, I was not able to ping clients on LAN.  Nor, was I able to open the Web GUI from a test client on the LAN.  I must be doing something wrong when configuring the LAN interface from the menu.  When ask to give the address of the gateway for the WAN, I entered the ip address of the LAN interface, I then answered no to the question to use the LAN gateway address for DNS.  Are these responses correct?  Why am I not able to ping the LAN from the Server, or ping the server from a LAN client now?   I will try to connect a client directly to the Ops server tomorrow.  I will not be defeated!!

WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one

Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

For example, the current IPCop's WAN address is: 75.128.246.112/23

WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one

Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

Yes, that is correct.

... and before: What is the network address in the WAN DHCP network ....

Br br

WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one

I think we need start one step back ....

Can you provide a drawing of your network config, what is connected to what and IP network addresses you have used on your interfaces, modem, client, ....

Br br

Here is a diagram of my network, it's pretty basic as you can see.

Frank

[quote author=Fatmouse69 link=topic=9947.msg45825#msg45825 date=154022687

I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.
[/quote]

Unfortunately, same result, ping by name works, http,https no go.  Gonna try again shortly.

Frank

Since it's a statefull firewall the default configuration allows to access anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).

Bulldog3346 -> Evil_Sense

Thank you, this too was helpful.  You may have opened the door of understanding.

Frank

Bulldog3346 -> bringha

https://forum.opnsense.org/index.php?topic=4436.0

Its in German, hope you can read it ....

BR br

I had a chance to read and re-read the above conversation.  However, I am still unclear on what side, WAN/LAN, some of these rules are written.  If the LAN, by default, allows everything to go to the WAN side, and the WAN side by default allows nothing to pass to the LAN side, shouldn't the HTTP and HTTPS allow rules, and any other protocol needed to go to from the WAN to LAN, be written on the WAN gateway side and not the LAN as described in the conversation in the above link. 

Wouldn't make more sense to write rules on the WAN side to allow the  protocols port 80, 443, 53, mail protocol ports, and any others needed on the LAN side.

Or, are there hidden default rules on the LAN side coded in - to 1. allow everything out of the LAN to the WAN   2. Block everything coming into the LAN from the WAN. Would that explain writing the rules on LAN side.  However, isn't necessary to write complimentary and converse rules on the WAN side to allow the various protocols to pass traffic to the LAN.  This is what I first attempted to do, but I still could not open websites with a browser (firefox) from a LAN client, though I could ping the same websites, by name, with dns resolving the addresses to ping.

I agree with Stefan on the German board that someone should write a white paper explaining the architecture of Opnsense and how the firewall really works.  As well as, how to write rules to allow the various ip protocols to pass into and out of the firewall.   Opnsense for Dummies, for dummies like me :).

Cheers
Frank

Bulldog3346 -> Fatmouse69

As I mentioned check you logs. Any denied traffic should be listed there (requires logging of your firewall rules -> enable this option for each rule if any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?

Thanks for the offer.  At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings.  However, the rules I tried that did not work was LAN -> WAN allow port 80 and 443 to WAN and WAN -> to LAN allow 80 and 443 to LAN.  I did check

Cheers,
Frank