Messages - EKinox09

#1
General Discussion / Re: How to access LAN from WAN
April 28, 2020, 04:22:39 AM
IMPORTANT: The following parameters allow access to the LAN from the WAN. Use with caution.

Here is the solution and my understanding:
   - Allow access from WAN:
      Interfaces / WAN: Uncheck "Block private networks" => Without this, OPNsense does not consider private/LAN addresses coming from the WAN. In my case, I have a 192.168.2.0/24 based network as WAN; so, if I don't want to be blocked, I need to uncheck it.
   - Access LAN from WAN:
      Need to set up a FW rule: WAN-pass-in-Protocol:IPv4*-Source:WAN Net-Destination:LAN Net
   - Make the computer/laptop on the WAN aware of the 10.0.0.0 network:
      Need to set up a route to the OPNsense WAN IP for accessing the LAN network: route add -p 10.0.0.0 mask 255.255.255.0 192.168.2.134 (command for Windows, run in a "cmd" window launched with admin rights)

Now the LAN is reachable from the WAN.

   - Ping OPNsense WAN address:
      By default, OPNsense does not answer a ping from the WAN. I had difficulty being sure that the IP was configured correctly. So, in order to have OPNsense answer a ping from the WAN, I added a firewall rule: WAN-pass-in-Protocol IPv4 ICMP-Source:WAN Net-Destination:WAN Address (WAN address represents the WAN address of OPNsense)
   - Access OPNsense GUI from WAN:
      If you want a computer to access the OPNsense GUI from the WAN, set up the following rule: WAN-pass-in-Protocol:IPv4 TCP-Source:IP of your computer-Destination:This firewall-Port:443(HTTPS)

Hope it helps.
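As an added example that is not part of the original post: a small Python model of the two things the solution changes, the laptop's route lookup and the WAN pass rule, with the post's any-protocol rule beside a narrower variant. The laptop address 192.168.2.24, the LAN host 10.0.0.50, the rule dictionaries (a simplified model, not OPNsense's configuration format) and the scoped rule set are assumptions; the scoped set covers only ping, SSH, HTTP and HTTPS.

```python
import ipaddress as ip

WAN_NET = ip.ip_network("192.168.2.0/24")   # WAN-side subnet from the post
LAN_NET = ip.ip_network("10.0.0.0/24")      # LAN-side subnet from the post
LAPTOP = ip.ip_address("192.168.2.24")      # constructed laptop address on the WAN side

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs, as a host routing table does."""
    dst = ip.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

# Laptop routing table before and after the `route add` from the post.
BEFORE = [(ip.ip_network("0.0.0.0/0"), "192.168.2.1"), (WAN_NET, "on-link")]
AFTER = BEFORE + [(LAN_NET, "192.168.2.134")]

def allowed(rules, src, dst, proto, port=None):
    """Simplified model: a packet passes if any pass rule matches, otherwise it is denied."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for r in rules:
        if (src in r["src"] and dst in r["dst"]
                and r["proto"] in ("any", proto)
                and (r.get("ports") is None or port in r["ports"])):
            return True
    return False

# Rule as written in the post: WAN net -> LAN net, any IPv4 protocol.
BROAD = [{"src": WAN_NET, "dst": LAN_NET, "proto": "any"}]

# Scoped variant (assumption): only the laptop, only ping/SSH/HTTP/HTTPS.
LAPTOP_ONLY = ip.ip_network(f"{LAPTOP}/32")
SCOPED = [
    {"src": LAPTOP_ONLY, "dst": LAN_NET, "proto": "icmp"},
    {"src": LAPTOP_ONLY, "dst": LAN_NET, "proto": "tcp", "ports": {22, 80, 443}},
]

if __name__ == "__main__":
    print("10.0.0.50 via", next_hop(BEFORE, "10.0.0.50"), "->", next_hop(AFTER, "10.0.0.50"))
    # Constructed sample flows: (source, protocol, destination port)
    flows = [("192.168.2.24", "tcp", 22), ("192.168.2.77", "tcp", 445), ("192.168.2.24", "tcp", 3389)]
    for src, proto, port in flows:
        print(src, proto, port, "broad:", allowed(BROAD, src, "10.0.0.50", proto, port),
              "scoped:", allowed(SCOPED, src, "10.0.0.50", proto, port))
```

Without the static route the laptop hands 10.0.0.0/24 traffic to the modem at 192.168.2.1, which is why the firewall rule alone was not enough; with the broad rule every host on the WAN subnet reaches every LAN port, while the scoped set admits only the one source and the listed services.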

#2
General Discussion / Re: How to access LAN from WAN
April 28, 2020, 04:13:08 AM
Quote from: hbc on April 26, 2020, 09:48:52 PM
Hmm, ok. I'm out. I don't understand what you want or did.

In fact, the main problem was coming from the route; my low knowledge of networking made me mix up the "route" (that you asked me to create) and the gateway of the computer (what I changed). And the command you proposed needed to be launched with admin rights.
So, your advice was good. Thank you.

I will post the solution as conclusion.
#3
General Discussion / Re: How to access LAN from WAN
April 26, 2020, 10:10:36 PM
I've tried to explain and give as much detail as I can. Sorry if it's still not clear enough.

The devices on the 10.0.0.0/24 subnet (LAN side of OPNsense) have Internet with the factory defaults of OPNsense; this is not an issue or something I want to solve. Regarding my question on the NAT Outbound, it was only a question in order to understand the way OPNsense works.

What I want to do is access, from my laptop (located on the 192.168.2.0/24 subnet (the "WAN" side of OPNsense)), the devices located on the "LAN" side of OPNsense (10.0.0.0/24 subnet).
I understand it's not usual, I should have no device between my ADSL modem and OPNsense (on the 192.168.2.0/24 subnet), but I'm configuring it and, for the moment, I have this need. The target will be to have all my devices on the LAN side of OPNsense. And I need this access to all the devices I have on the LAN and for the main protocols (ping, HTTP, HTTPS, SSH).

Hope it's more clear. Thanks for your time.
#4
General Discussion / Re: How to access LAN from WAN
April 26, 2020, 09:31:05 PM
The devices "behind" OPNsense already have access to the Internet. No issue with that with the default/factory configuration of OPNsense.
I would like to access, from my laptop, located "between the modem and OPNsense" on the 192.168.2.0/24 subnet, the devices "behind" OPNsense, on the 10.0.0.0/24.
#5
General Discussion / Re: How to access LAN from WAN
April 26, 2020, 08:48:56 PM
The modem is a Bell HUB 3000 Modem that provides Internet to the house. It acts as a router and provides the 192.168.2.0/24 subnet to the whole house (RJ45 and Wi-Fi).
I'm just setting up the OPNsense firewall; for the moment, most of my devices are on this subnet (192.168.2.0/24) (the laptop is still on this subnet); progressively, once OPNsense is configured correctly, I will migrate my devices to the "LAN" side of OPNsense (10.0.0.0/24).
At that time, I will see if I can "bridge" the modem, but I don't think this option is available on this model. But this will be in some weeks... Now, I would like to be more familiar with OPNsense, and that's not the case since I'm not even able to grant my devices on the 192.168.2.0/24 access to the 10.0.0.0/24....
#6
General Discussion / Re: How to access LAN from WAN
April 26, 2020, 07:38:04 PM
"Be sure OPNsense does no NAT" ==> What do I have to do in OPNsense?
"disable the block private networks option on OPNsense wan interface" ==> Done (it was already the case)
"What route uses your laptop?" ==> The laptop has 192.168.2.134 as gateway.

Here are the IP (Wi-Fi) parameters of my laptop:
   IP: 192.136.2.24
   Subnet mask: 255.255.255.0
   Default gateway: 192.168.2.134
   DNS: 192.168.2.134 and 8.8.8.8

Here are the OPNsense parameters:
Interface LAN:
   10.0.0.1/32
   DHCP 10.0.0.0/24
Interface WAN:
   192.168.2.134/32
   Gateway "AutoDetect" (Set to 192.168.2.1 during OPNSense installation)
   "Block private networks" unchecked
Firewall LAN: 1 rule:
   pass-in-Protocol:IPv4*-Source:LAN Net-Port:*-Destination:* (Default OPNSense rule)
Firewall WAN:
   pass-in-Protocol:IPv4*-Source:WAN Net-Port:*-Destination:LAN Net
NAT:
   Port Forward: Interface:LAN-Proto:TCP-Source:*-Destination:LAN Address-Ports:80,443 (Default OPNsense Anti-Lockout Rule)
   Outbound: Automatic

(OPNSense has been rebooted with these parameters)

Result:
   - Subnet 10.0.0.0/24 accesses the Internet correctly. One question: if I disable NAT Outbound, there is no more Internet; I've understood that with "Block private networks" unchecked, there was no need for NAT. Then why do I need NAT Outbound in order to give access to the Internet from the LAN?
   - My laptop still doesn't have access to 10.0.0.0/24 (ping, HTTP or HTTPS). No progress unfortunately.
#7
General Discussion / Re: How to access LAN from WAN
April 26, 2020, 12:35:28 AM
Thanks for helping me.
I call WAN the WAN side of OPNsense (the part of the network called WAN in the description of my configuration; the 192.168.2.0/24 subnet).
The box is a Bell DSL modem giving access to the Internet and providing DHCP on the 192.168.2.0/24 subnet.
I have a laptop on this subnet 192.168.2.0/24 and want to allow it to access computers on the 10.0.0.0/24. Access means I would like to ping them and to access them via SSH, HTTP, HTTPS. If I understand your answer, I need to set up a VPN in order to access the whole 10.0.0.0/24 subnet. I thought there was an OPNsense configuration allowing me to do that more easily.
#8
Hi all, I have an extremely simple question: how to access LAN from WAN?
I'm setting up an OPNsense firewall; it's freshly installed on a Proxmox server, with 2 RJ45 interfaces bridged.
By default, the FW rule allows my LAN computers to access WAN and Internet. Perfect.
I'm setting up my LAN (10.0.0.x) and, for the moment, I need to access my whole LAN from my WAN (all IPs and all protocols, ping).
Could you explain to me how to do it?

Here is my configuration:
Internet<----->[PublicIP]Box[192.168.2.1]<-----WAN(DHCP from Box)----->[192.168.2.134]OPNsense[10.0.0.1]<-----LAN(DHCP from OPNsense)----->Computers, etc...

I've seen examples on the forum/net, forum FAQ/Tutorial, and done the following without success:
- "Block private networks" unchecked on the WAN Interface
- Disable NAT (NAT/Outbound set to manual or disabled)
- Set up a FW WAN rule (pass-in-Protocol:IPv4*-Source:WAN net-Port:*-Destination:*)
- Set up the gateway of the computer I use to 192.168.2.134 (WAN IP of OPNsense)

Thanks for your help.