Messages - mellow65

#1
Quote from: gtopnsense on March 26, 2024, 08:51:20 PM
Let me know how that goes and steps to remedy it if you are able to do that.
Thanks

Here's a very weird update. I'm assuming you have been connecting your work computer via an ethernet cable; have you tried moving it to wifi?

I went round and round with my work's IT group with no real luck.  I ended up switching to VM desktop so I could at least get some work done; that came with its own limitations, but I circled back around to my work computer again and played around with some connections, and I find that connecting to wifi so far seems to have addressed my issues.  I have no idea why anyconnect would treat a wifi connection differently than an ethernet cable, but just something to think about.

This is going back through OPNsense via the same VLAN my work computer has always been on.  So the only difference is the connection type to the network.
#2
Quote from: gtopnsense on March 26, 2024, 08:51:20 PM
Let me know how that goes and steps to remedy it if you are able to do that.
Thanks

Well, this morning was extra strength slow and already dropping connection not 20 mins into working.

I opened up 443; that didn't do anything.
I am currently on version 4.something.

I've now bypassed my router and gone straight to my modem and things seem to have gone back to normal.  Later today after some meetings I'm going to put my old pfsense router inline of my modem and work computer and see how that works out. 

I guess I should have connected the dots that all my cisco connect issues started when I swapped to opnsense.
#3
While I'm not happy you're having VPN issues, I'm happy I'm not alone with anyconnect and opnsense not playing with each other.  I'm going to try opening up port 443 and see what happens.  While my speeds aren't the best, I would like the stability back.  Just out of the blue I lose connection to my emails and anything on our work network, but I can still ping google and other things, so it doesn't completely die.

And now that I think of it, it all started when I moved from PFsense to opnsense.  I just blamed my work's VPN first, lol.
#4
Quote from: Saarbremer on March 05, 2024, 07:49:54 PM
LAN in, destination !RFC_1918  (or !PrivateNetworks as you call it) shall use the gateway wan1_gw
Oh wow, this ended up being way more elegant than I had originally thought!!

I've been watching the live logs while playing with it this morning!

I left the default pass rule at the very bottom, which picks up the DNS as it doesn't match the above rule.  Fricken brilliant!! Networking, I will never fully understand your weird ways.   :)
#5
Quote from: Saarbremer on March 05, 2024, 07:49:54 PM
The thing about policy based routing is, it is policy based routing.

Your rule doesn't just "change a gateway", it forces all IPv4 traffic coming in on LAN to be sent to WAN1_GW.

Hence, nothing internally works as soon as a packet reaches your firewall. Luckily enough, SSH and HTTPS are matched by earlier automatic rules and that's why those still work. Internet works as usual as WAN1_GW is the gateway for it.

With your additional rule you don't make it happen for traffic with target "this firewall" = all IPs of the firewall including all interfaces.

In case you still want to run policy based routing try writing it as:

LAN in, destination !RFC_1918  (or !PrivateNetworks as you call it) shall use the gateway wan1_gw

And make sure it is matched late in the chain; if you want to make exceptions later it will avoid extra work.

Answer to your question: Read the docs first. I don't know about pfSense but I guess it also just works as stated in the docs.

Yeah ok, I guess that makes sense then. Thanks for the insight.

I have read the documents many times.  Most of it doesn't make sense until I've worked through this stuff multiple times over. Still a new person at all this, but thanks for assuming I didn't read the directions.   ;)
#6
Greetings all, I had posted about my multi wan issues before, but since then I have kept drilling down on what happens (as well as someone that doesn't know much about all this can do) when I "break" my firewall.

On a fresh install and only have a single interface with a single rule everything works fine. 

As long as I have my gateway set to default all works as one would expect.

When I change my gateway to be a specific gateway, I lose access to parts of the firewall.  I can't ping the interface, I lose DNS and therefore access to the internet.  I can, however, SSH into the firewall, ping 8.8.8.8, and I can still get to the GUI.

My original "fix" was adding a rule to allow access to "This Firewall", this worked just fine as long as I didn't have any VLANs.  I couldn't ping devices on other networks, I could however ping the interface for that network. 

My current "fix" is to set up an alias for all private networks and allow access to those.  I'm ok with this answer for this network as it won't be my IoT network. But I don't know if there are any long term downsides to this.

My main question to people that are way smarter than I: why does changing the gateway kill certain access to the firewall?

Most of my experience is with PFsense, and I don't need to add extra pass rules when selecting a different gateway.
#7
General Discussion / Re: access to WAN gateway webUI
March 04, 2024, 10:14:59 PM
Quote from: BigNutz on March 04, 2024, 05:30:20 PM

Exactly. So by default OPNsense doesn't have a firewall rule to allow outgoing traffic from LAN. You will have to create one yourself. E.g., (PASS out; From LAN network; To ANY destination).

Which is ironic that mine is working just fine, and I haven't set up anything to pass directly to the upstream GW.
#8
General Discussion / Re: access to WAN gateway webUI
March 04, 2024, 05:10:39 PM
So far I've not had any issues with getting to my gateway above my OPNsense (knock on wood), but coming from pfSense, it really didn't want to allow me to get to the gateway interface.  I had to add a new rule to explicitly allow it, and after that, zero issues.  You may try this solution; it may not be the perfect answer, but it may be an answer.
#9
As I work through my issues related to trying to do some Multi WAN routing, I think I've come up with the least intrusive answer to my issue.  By adding a new rule setting the source to LAN Net and Destination This Firewall, I'm getting what I'm looking for.

This allows pinging of all interfaces and all ports so my DNS works so the internet works!!! 

I still don't fully understand why the LAN network loses access to the firewall when I switch from the default WAN to a specific WAN interface.  So if anyone has any insight into why this is happening, I would love to hear why this is and if there is a more elegant solution than what I have here.
#10
Plot thickener: when I set the WAN to a specific WAN (WAN1 or WAN2), it doesn't just kill DNS, I can't ping the interface IP at all.  Yet I can still SSH into it on that same IP address.
#11
Ah crap, something I can comment on because I have been struggling with multi wan for the past several days!!

1.  When I was messing with NAT rules, the first WAN that was set up in the wizard would show up regardless of how it was set up, static or DHCP (the only 2 I tried).  In my case, if I would add a second WAN, it would only auto populate if I set up the new WAN as DHCP.  No clue why, but I would have to manually add the second WAN NAT rules.  I just mimicked the WAN1 setup for WAN2, and I was good to go.

2.  Did you go back in and select the WAN2 gateway as the gateway in the WAN2 interface? I just set up a second WAN to see what happens, and it pulls that WAN2 out of the source networks.

Well now this is confusing, when I did it this time, it did automatically make WAN2 NAT rules.  So cool, I'm confusing myself.

Something to note that I'm running into: if your end goal is to have 2 GWs and decide which clients go over which via some rules in your LAN, mine would drop DNS and no longer allow access to the internet.  I don't understand all of this enough to know what's all happening, but just something to look out for.

https://forum.opnsense.org/index.php?topic=38987.msg190885#msg190885
#12
Greetings all, semi long PFsense user (2 years now), almost as long trying to convert to OPNsense (year+-).

UPDATE#2: Well, while my "fix" allowing access to the firewall worked to get access to the firewall, I found that I can't ping anything on other networks.  Which makes sense on some level, but doesn't fix the underlying problem of dropping firewall access when a specific WAN is selected.

Update:  It wasn't specifically DNS being blocked, OPNsense no longer passes data to the firewall once you change your firewall from Default to a specific WAN. I found my answer to it, but it still doesn't seem correct that it should be doing that.
The sweet irony of all this as I was writing this, I figured out what was happening, and it was DNS.  It's always DNS!!  ;D  But I figured I would still post this because maybe someone else may find this useful. 

Computer: HP T730 with 4 port intel nic

End goal: have two separate gateways (GW) for me to decide which clients go over which GW based on rules in the firewall>rule>lan section.  This is currently how my PFsense is set up; it's not based on load balancing or fail over.  Just two separate gateways, because...reasons.

Started with a factory reset box and all updates, shut down IPV6 where I could (not against it, just don't understand it enough, and I wanted to take that off the plate as a source of the problem).  Set default DNS to 8.8.8.8 and 8.8.4.4 in the wizard.

Set up OpenDNS via Unbound DNS with DNS over TLS.

I made two WAN interfaces with static IPV4s, WAN1, 192.168.15.5 and WAN2, 192.168.8.5. These are both open IPs on my modems.

Set up two GWs, each using the designated gateway IP, 192.168.15.1, and 192.168.8.1, both the GW are on their own internet source.

Went back to WAN1 and WAN2 interface and picked the appropriate IPv4 Upstream Gateway.

Manually set up NAT rules for WAN1 and WAN2, copying what was originally created when the wizard was complete.  Four NAT outbound rules in total.

Only have the single LAN and one rule, pass the internet.  My computer is plugged directly into the port that is specified in the interface for LAN.

Here's where my issue starts:

If that lone LAN rule has GW set to default, the internet works just fine; as soon as I manually pick either WAN1 or WAN2 specifically, the internet dies.  I can still ping 8.8.8.8, 8.8.4.4, and 1.1.1.1, which led me to thinking it was a DNS problem.

When the LAN rule is set to Default GW, I could change what internet source my traffic was going out of if I set WAN1 and WAN2 both to be in the default pool (Upstream Gateway), and change around the priority.

My question is, what is happening to my DNS when I switch to a specific GW?

I can fix it by putting a DNS rule at the top of my rules.

With this rule, I can freely switch between the two WANs and it works as I want it to. I'm just trying to figure out if there's a more elegant way of doing this vs. putting a DNS rule at the top of every new interface.

Thanks for any insight!!!
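The three rulesets discussed in this thread (the single LAN-to-any rule with a gateway set from #12, the "This Firewall" exception from #6 and #9, and the "!PrivateNetworks then default pass" ordering Saarbremer suggests in #5) can be compared with a small first-match simulator. This is an added example, not OPNsense code and not something any poster wrote; it only models the part that matters here, namely that a pass rule with a gateway policy-routes every packet it matches, including packets addressed to the firewall itself. The LAN range 192.168.1.0/24, the firewall address 192.168.1.1, the second VLAN 192.168.20.0/24 and the alias contents are constructed for the example; the thread does not list them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed aliases (assumption: the thread's "PrivateNetworks" alias
# holds the three RFC 1918 ranges; "This Firewall" holds the firewall's
# own interface addresses, here one per VLAN).
ALIASES = {
    "LAN net": ["192.168.1.0/24"],
    "PrivateNetworks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "This Firewall": ["192.168.1.1/32", "192.168.20.1/32"],
    "any": ["0.0.0.0/0"],
}


@dataclass
class Rule:
    name: str
    src: str                      # alias name
    dst: str                      # alias name, "!" prefix negates it
    gateway: Optional[str] = None  # None = "default" (use the routing table)


def _matches(alias_expr: str, ip: str) -> bool:
    """True if ip is in the alias (or NOT in it, when the alias is negated)."""
    negate = alias_expr.startswith("!")
    nets = ALIASES[alias_expr.lstrip("!")]
    addr = ipaddress.ip_address(ip)
    hit = any(addr in ipaddress.ip_network(n) for n in nets)
    return not hit if negate else hit


def route(rules: List[Rule], src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """First matching pass rule wins (the quick semantics OPNsense GUI rules use).
    Returns (rule name, effective gateway); ("<no match>", None) means dropped."""
    for r in rules:
        if _matches(r.src, src_ip) and _matches(r.dst, dst_ip):
            return r.name, r.gateway or "default"
    return "<no match>", None


# Ruleset from post #12: one LAN rule, gateway forced to WAN1.
BROKEN = [Rule("LAN to any via WAN1", "LAN net", "any", "wan1_gw")]

# Ruleset from posts #6/#9: exempt the firewall's own addresses first.
THIS_FIREWALL_FIX = [
    Rule("allow to This Firewall", "LAN net", "This Firewall"),
    Rule("LAN to any via WAN1", "LAN net", "any", "wan1_gw"),
]

# Ruleset from post #5: policy-route only non-private destinations,
# let everything else fall through to the gateway-less default pass rule.
FIXED = [
    Rule("LAN to internet via WAN1", "LAN net", "!PrivateNetworks", "wan1_gw"),
    Rule("default pass", "LAN net", "any"),
]

CLIENT = "192.168.1.10"
DESTINATIONS = {
    "DNS on firewall": "192.168.1.1",
    "other VLAN interface": "192.168.20.1",
    "host on other VLAN": "192.168.20.5",
    "internet": "8.8.8.8",
}


def gateway_table(rules: List[Rule]) -> dict:
    """Map each sample destination to the gateway the ruleset sends it through."""
    return {label: route(rules, CLIENT, ip)[1] for label, ip in DESTINATIONS.items()}


if __name__ == "__main__":
    for title, rules in (("post #12", BROKEN), ("This Firewall", THIS_FIREWALL_FIX), ("post #5", FIXED)):
        print(f"--- {title} ---")
        for label, gw in gateway_table(rules).items():
            print(f"  {label:<22} -> {gw}")
```

Running it shows the symptoms line by line: with the #12 ruleset even the DNS query to 192.168.1.1 is handed to wan1_gw, so name resolution on the firewall never gets a reply; the "This Firewall" exception restores the interface addresses (you can ping 192.168.20.1) but still policy-routes 192.168.20.5 out WAN1, which is exactly the "can't ping devices on other networks" behaviour from #6 and UPDATE#2; only the #5 ordering sends private destinations through the default route and everything else through WAN1.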