
Messages - rhkg

#1
Ok, thanks much. Seems that this was just a misunderstanding on my part. Now that I have read up on it a little more, it actually makes a little more sense to me. I had wondered why the dynamic address was not automatically populated when a static reservation was created. I guess I know now.

Thanks for educating me. I am very new at the firewall and networking game. I am learning a lot, but sometimes it is slow.
#2
Ok, maybe I am not using the right terminology here. What I am referring to as a static DHCP reservation is sometimes called a DHCP IP reservation.

Quote: Static DHCP reservation, also known as DHCP IP reservation, is a feature that allows a device to always have the same IP address when it connects to a network. This is useful when a device needs to have a consistent IP address, such as a printer, so that the computer can always find it.

I understand that static IP assignments that are set at the client need to be outside the DHCP dynamic range. What I am trying to do is get an IoT device that has no ability to use a static IP address to have the same IP address whenever it connects to the network and requests an address. So, if that is not a static DHCP reservation, then how do I do it?

Thanks again.
#3
Good evening all,

I have been switching devices over to a new network configuration and just ran into something that had me scratching my head for a minute. I set up a device yesterday and as part of the setup made a static DHCP reservation for the device. Today, that device was powered off when I added a new device to the network and the IP address for the static reservation I made yesterday was assigned to the new device.

Is this normal behavior? From what I understand, it is not, but someone may correct my thoughts. I thought one of the reasons for a static DHCP reservation was so the static assigned address would not be given out to another device - under any circumstances.

If this is normal behavior, then is there a way (other than assigning static IP addresses to the devices) to make this work?

Running OPNsense 23.7.12_5. Yes, I know I need to upgrade to 24.1, but everything is stable right now and I am not going to chance breaking it until next year.

Thanks in advance for the help.
#4
General Discussion / Re: Question on ICMP Behavior
March 08, 2024, 01:23:59 AM
It really seems weird to me too.

So, I am running OPNsense bare metal on a ZimaBoard. I had heard that FreeBSD and the native Realtek NICs did not play well together, so I got a dual port PCIe Intel NIC to use. My WAN port is connected to my ISP router, so I am double NATed but my research indicated this should not be a problem. My LAN goes out to a Zyxel GS1900 switch. In testing, I have disconnected both the ISP router and the switch and the problem remains, so those are ruled out as the source.

My LAN is untagged going out igb1 and my other VLANs are tagged going out the same interface. So, I went in and assigned the Realtek NICs to T1_LAN and T2_LAN, both untagged. I set up T1_LAN with a default allow any rule and a block all private networks rule as shown in a previous screen shot. I set up T2_LAN with a default allow any rule to mimic the LAN interface rules. I still have the same pinging behavior between the two separate networks that are on completely different interfaces.

So, I guess I could try moving my VLANs over to one of the Realtek NICs so that all VLANs are off the same NIC, but I am not sure that will do anything given my test with T1_LAN and T2_LAN. I could get a 4 port Intel NIC and see if that helps any. As a last resort, I could get an entirely different hardware platform to see if that makes any difference.

Again, thanks so much for your help. I am sure I will eventually figure it out.
#5
General Discussion / Re: Question on ICMP Behavior
March 08, 2024, 12:03:43 AM
Ok, attached are the only NAT rules that are in place and the floating rules. In both cases, I have added nothing, just the default configuration.

I enabled logging on the T1_LAN interface block local networks rule, and when I ping from a machine on that interface, I see nothing in the log with a source IP address matching the computer that I pinged from.

Thanks again

#6
General Discussion / Re: Question on ICMP Behavior
March 07, 2024, 09:44:00 PM
meyergru,

Well, I thought I understood it all. I created a new interface T1_LAN to test some of this. Attached is what I have for rules on this interface right now (one with auto-generated rules shown, one without). The PrivateNetworks source is the RFC1918 private network addresses. This did not fix the situation. I am getting the same exact behavior.

I have watched so many videos and read so much on this. I thought I had the in/out concept down, but obviously that might not be the case. As far as first/last match, I have that. I also think I pretty much have the priorities down.

I know this is something that I just don't understand or something that I am overlooking. I appreciate the help in looking at this and attempting to educate me on the concepts.
#7
General Discussion / Re: Question on ICMP Behavior
March 07, 2024, 08:20:40 PM
meyergru,

I tried adding a block all protocols from my other VLANs to the LAN rule set ahead of the allow LAN to any rule, and I still get the same behavior.

I guess I am going to have to back-step on my configuration and rule out my switch setup. I guess it could be causing this, but I am pretty sure I have it correct. Oh, the joys of trying to figure out where the problem lies.

#8
General Discussion / Question on ICMP Behavior
March 04, 2024, 12:43:08 PM
Hello all,

Just getting started with OPNsense and trying to make sense of something I am seeing. I am sure this is just a misunderstanding on my part, but I would like to make sure I do not have something set up wrong.

My setup has LAN (192.168.10.*), GUEST (192.168.20.*), IoT (192.168.30.*), and NoT_CAM (192.168.40.*) networks set up with nothing other than the automatically generated rules and the allow LAN to any rules on the LAN network.

Using IoT as an example (all non-LAN networks have this behavior, though), if I first ping from IoT to LAN, I get no return, as would be expected. If I then ping from LAN to IoT I get responses, also as expected. Now, if I immediately go back to IoT and ping LAN I get responses. This is what I was not expecting to happen. If I let the connection sit idle for about 30 seconds, and try the ping from IoT to LAN again, I get no responses.

So, I think this has to do with the stateful nature of the firewall, but I am not sure. Could someone please clarify what is going on here? Also, is there any way to keep this from happening?

Thanks in advance for helping out a newbie.