Messages - ala.tech

#1
I apologize for the delay, ended up in meetings all day yesterday. Here is the link to get it:

https://www.dropbox.com/s/xasw9wz8vmdv7yf/OPNSense_19_1_4.zip?dl=0

It will expire in 15 days. I did the following:

Gen 2 VM (Secure Boot Off)
2x vCPU
3GB of RAM
32GB of HDD (SCSI 0:0)
2x vNIC

Installed 19.1.4 (image I had laying around) using Guided Install method and GPT/UEFI for disk. Default login.
I did test it by putting an IP on the LAN interface and hooking it up to my test network. It passed traffic and worked. I then reset it all to factory defaults using the console menu.

Hopefully that helps!
#2
What version of Hyper-V are you running? I have installed OPNSense on 2012 R2, 2016, and 2019. That all said, I did have the issue when installing 19.1 on Hyper-V 2019 where it would get stuck at selecting the install destination, but the CTRL-C would get it through that.

A thought would be to add an IDE controller and attach a HDD to that to see if that allows it through. I have other non-OPNSense BSD versions that like the IDE controller better than the SCSI.

Lastly, I can build an OPNSense VM on Hyper-V, export it, and give you a link to see if it is just the install or OPNSense as a whole on your particular setup.
#3
Edited for duplication, and unfortunately I am too newb to know how to delete. But, also, what hardware are you running Hyper-V on?
#4
OPNSense 19.1.8
Virtual Machine
     2 vCPU
     8 GB RAM
     3 vNIC
     100 GB vDisk

Currently have OPNSense running in a dev environment with the following setup

vNIC = LAN (172.16.1.10)
vNIC = ISP 1 (DHCP)
vNIC = ISP 2 (DHCP)

                                        ISP 1 (Primary)
                                       /
Switch - LAN - OPNSense
                                       \
                                   ISP 2 (Fail over)

LAN consists of 3 subnets, with 2 of them routing to the first subnet for internet

               Subnet 1 (Layer 3 Switch, 172.16.1.1)
               172.16.1.0/24
              /                      \
Subnet 2                        Subnet 3
172.16.2.0/24            172.16.3.0/24

ISP 1 and 2 are set up in a failover group with ISP 1 as the primary. I have a static route set for 172.16.0.0/16 to go to 172.16.1.1.

Issue = Subnets 2 and 3 can't get internet. Subnet 1 (directly attached to the LAN interface on Firewall) gets internet.

Everything works fine for any host on the 172.16.1.x subnet. ISP failover is great, internet speeds are awesome, and NAT translations work. If the host is on either 172.16.2.x or 3.x, it will not get internet. It can ping the LAN interface of the FW and can even access the Web GUI. Routing appears to be fine. When I look at the logs, it shows traffic going out via the "Allow LAN to Any" rule, and I can see the traffic going out the ISP and coming back to Firewall, but stops there. Example:

Ping 4.2.2.1 from 172.16.2.104
See it cross Switch 2 (172.16.2.1, default route for network)
See it cross Switch 1 (172.16.1.1, default route for network)
See it go through Firewall via Allow LAN to Any (In LAN, out ISP 1)
See it hit a switch I put in between cable modem and firewall going out
See it come back through same switch
Don't see it come through the firewall.

If I do the same thing from 172.16.1.123, I can see it go all the way through and get successful replies on the Ping command.

Seems to me like it is a firewall rule. I looked things up, though, and it looks like I am doing things right. I have a rule that looks like:

LAN
Proto   Source          Port   Destination   Port   Gateway        Type
IPv4*   172.16.0.0/16   *      *             *      ISP_Failover   Allow

ISP 1 and 2 just have the default rules in them, though in testing things I did add a NAT translation on both, which did work, but it was to a host on Subnet 1. And again, anything on Subnet 1 can get to the internet, so to my rationale it has to do with the fact that the traffic does not originate on a subnet that the firewall is directly connected to. I figured that by specifically specifying 172.16.x.x in the rule it should allow it regardless of being directly connected. Is there somewhere else I need to add those networks to allow it through the firewall? Or do I need to do something on the ISP 1 and 2 zones to allow it to NAT those?

Thanks for any input!
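The post above separates two things the firewall has to get right for a host that is not on a directly attached subnet: a return route (the static route for 172.16.0.0/16 via 172.16.1.1) and an outbound NAT rule whose source actually covers that subnet. The following Python script is an added illustration written for this page, not code from the post or from OPNsense, and it models only those two checks. The interface network, static route and subnets are taken from the post; the list of outbound NAT source networks is a constructed assumption, since the post does not show the outbound NAT page, and the script exists to show why that list is the thing worth comparing against the firewall's actual outbound NAT configuration.

```python
import ipaddress

# Values below are constructed from the setup described in the post:
# one attached LAN network, one static route, three LAN subnets.
INTERFACE_NETWORKS = {
    "LAN": ipaddress.ip_network("172.16.1.0/24"),
}
STATIC_ROUTES = [
    (ipaddress.ip_network("172.16.0.0/16"), ipaddress.ip_address("172.16.1.1")),
]
LAN_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24")
]


def lookup_route(dst, interface_networks, static_routes):
    """Longest-prefix match over attached networks and static routes.

    Returns ("attached", ifname), ("via", gateway) or None when the
    firewall has no way to send a reply back toward dst.
    """
    best = None
    for name, net in interface_networks.items():
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ("attached", name))
    for net, gw in static_routes:
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ("via", str(gw)))
    return None if best is None else best[1]


def classify_subnets(subnets, interface_networks, static_routes, nat_sources):
    """For each subnet, record whether a reply is routable and whether an
    outbound NAT source entry covers it. nat_sources is an assumed list of
    source networks as they would appear in an outbound NAT rule set."""
    nat_nets = [ipaddress.ip_network(s) for s in nat_sources]
    report = {}
    for subnet in subnets:
        sample_host = subnet[10]  # any host in the subnet behaves the same
        route = lookup_route(sample_host, interface_networks, static_routes)
        report[str(subnet)] = {
            "attached": route is not None and route[0] == "attached",
            "route": route,
            "natted": any(subnet.subnet_of(n) for n in nat_nets),
        }
    return report


def problem_subnets(report):
    """Subnets the firewall can route back to but would send out untranslated."""
    return sorted(
        name for name, info in report.items()
        if info["route"] is not None and not info["natted"]
    )


if __name__ == "__main__":
    # Assumed case 1: outbound NAT only covers the attached LAN network.
    narrow = classify_subnets(LAN_SUBNETS, INTERFACE_NETWORKS, STATIC_ROUTES,
                              ["172.16.1.0/24"])
    for name, info in narrow.items():
        print(name, info)
    print("untranslated but routable:", problem_subnets(narrow))

    # Assumed case 2: outbound NAT source widened to the whole /16.
    wide = classify_subnets(LAN_SUBNETS, INTERFACE_NETWORKS, STATIC_ROUTES,
                            ["172.16.0.0/16"])
    print("untranslated but routable:", problem_subnets(wide))
```

The point of the two runs is that the firewall rule on LAN and the static route only decide whether packets are allowed and whether replies can be routed; which source networks the outbound NAT rules match is a separate setting, and a subnet that is routable but not covered there will leave with its private source address. Comparing the firewall's actual outbound NAT source entries against the `natted` column for 172.16.2.0/24 and 172.16.3.0/24 is the first check to make before looking further.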