23.7 Legacy Series / New install, no Internet connection
« on: November 14, 2023, 05:52:47 pm »
I installed a new OPNsense 23.7.8 install about two weeks ago. It was working with a DHCP WAN in a private network and tested well. I packed it up and drove a little over 100 miles to our remote site and installed it. I could ping 8.8.8.8 from the WAN, but not from the two LAN ports I set up and had working previously. After messing with it for a couple of hours I figured I screwed it up by not "creating" it as a proper static WAN firewall from the outset.
So I pulled out my config notes and made a copy of the config and then reset the firewall back to factory defaults. I then set it up from my notes and had the exact same problem. I spent another 2 hours troubleshooting the firewall settings looking for the smoking gun that would point to why the firewall wouldn't pass traffic from either LAN out to the WAN, although the live view log said it did. Finally, I had to work around the new firewall and leave for the day, but set up a remote connection to it through our existing WAN.
Fast forward two weeks and hundreds of tickets later, I was able to resume my quest to make the new firewall work. I started by taking a backup of the non-working config. Then using my setup notes I stepped through the Wizard and the individual interfaces. All looked well, but the system wouldn't forward from the LAN to the WAN, although the log says it does.
So, I hit the forums and found a couple of notes where others have had the same issue after upgrades.
Here are the links to the two posts that brought me to the following conclusion.
https://forum.opnsense.org/index.php?topic=36688.msg179833#msg179833
https://forum.opnsense.org/index.php?topic=36688.msg179900#msg179900
To get it to "work" in my install, I did the following steps. In the background on a command prompt I had a continuous ping running to 8.8.8.8 from the client out to one of the LAN ports:
- Go to System --> Gateways --> Single
- Edit WAN gateway
- Verify "Upstream Gateway" was checked. It was. Ping didn't work.
- Uncheck "Upstream Gateway". Save. Apply. Ping didn't work.
- Check "Upstream Gateway". Save. Apply. Ping didn't work.
- Reboot. When it came back up the ping "magically" started working.
- Write this up to help the next guy and hopefully tag the guy that knows how to fix this for future releases.
I say "magically", because this is computer science, not alchemy. So, there is a real reason for this. First, I verified the Interfaces --> Diagnostics --> ping worked from each interface to 8.8.8.8 and of course it did. So I went back to the config and pulled up the original config I started with yesterday and used Notepad++ to compare it to my working config. The difference is there is no filter rule section in the non-working config for states. Why? I don't know. I feel it should have been created when the default rule was created.
Code:
<type>pass</type>
<interface>lan</interface>
<ipprotocol>inet</ipprotocol>
<statetype>keep state</statetype>
<direction>in</direction>
If you are missing this section in your non-working config please see the steps above. Apparently, something didn't trigger correctly in the config setup script.
If you are in charge of maintaining the script that controls this function, please review the settings, and if there is a way to trigger this without the gyrations of manipulating the already checked "Upstream Gateway" box, then let's link to the documentation.
Now I can drive another 200 miles round trip to complete my install that should already be working.
Thanks,
JC
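As an added check for the symptom described in this post (not part of JC's post and not OPNsense's own tooling): a script that parses a config.xml backup and reports which non-WAN interfaces have no enabled pass rule in the `<filter>` section, so the missing-rule case can be spotted before driving to the site. The sample configs are constructed and trimmed to the elements the check reads; treating a `<disabled>` child element as marking a disabled rule is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample pieces, trimmed to what this check reads; a real OPNsense
# config.xml backup carries far more. The rule mirrors the one quoted in the post.
_INTERFACES = """
  <interfaces>
    <wan><if>igb0</if></wan>
    <lan><if>igb1</if></lan>
    <opt1><if>igb2</if></opt1>
  </interfaces>"""
_LAN_RULE = """
    <rule>
      <type>pass</type>
      <interface>lan,opt1</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
    </rule>"""

def build_config(filter_rules: str) -> str:
    """Assemble a minimal config.xml-style document around the given <filter> body."""
    return f"<opnsense>{_INTERFACES}\n  <filter>{filter_rules}\n  </filter>\n</opnsense>\n"

WORKING_CONFIG = build_config(_LAN_RULE)   # default LAN pass rule present
BROKEN_CONFIG = build_config("")           # the post's symptom: empty <filter> section

def local_interfaces(root: ET.Element) -> list[str]:
    """Every interface tag under <interfaces> except wan (lan, opt1, opt2, ...)."""
    ifaces = root.find("interfaces")
    return [] if ifaces is None else [i.tag for i in ifaces if i.tag != "wan"]

def pass_rule_interfaces(root: ET.Element) -> set[str]:
    """Interfaces named by an enabled 'pass' rule. <interface> may list several
    interfaces comma-separated, so split it. A <disabled> child is assumed to
    mark a rule that does not apply."""
    covered = set()
    flt = root.find("filter")
    for rule in ([] if flt is None else flt.findall("rule")):
        if rule.findtext("type", "").strip() != "pass" or rule.find("disabled") is not None:
            continue
        covered.update(s.strip() for s in rule.findtext("interface", "").split(","))
    return covered

def interfaces_without_pass_rule(config_xml: str) -> list[str]:
    """Local interfaces that no enabled pass rule in <filter> covers."""
    root = ET.fromstring(config_xml)
    covered = pass_rule_interfaces(root)
    return [i for i in local_interfaces(root) if i not in covered]

if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, "- missing pass rule on:", interfaces_without_pass_rule(cfg) or "none")
```

Run it against a downloaded backup by reading the file into a string and passing it to `interfaces_without_pass_rule`; an empty list means every local interface has at least one enabled pass rule.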