Messages - spartanunitato

#1
Quote from: sja1440 on May 19, 2024, 03:37:22 PM
By changing "invert LAN" to "any" you move from only blocking connections to outside your LAN to blocking everything, including to your DNS, NTP etc. services on OPNsense. Not having DNS is certainly going to prevent access to the internet (unless the destinations are hardwired in the IoT devices).

BTW Do your IoT devices use a hub/gateway lying within your LAN? If so, is that MAC contained in the IoT Alias? Does communication to the internet always go through that?

Regarding the need to clear firewall states after a reboot. Maybe this relates to the nature of OPNsense's MAC Aliases: OPNsense obtains the ipv4/ipv6 addresses by periodically (?) checking the arp and ndp tables. Possibly, your IoT devices are establishing a connection to the internet before the MAC Alias is populated. In this case the firewall No 1 rule will never fire. Resetting firewall states is not going to clear out the MAC alias; this would explain why a reset after a reboot fixes the problem.

Have you thought about putting the IoT devices on a separate vlan? Would make it a lot easier.

Ahh I see... thank you for the detailed explanation. My IoT devices connect straight to the internet without a hub, I use them locally with Home Assistant. Moving them to their own VLAN will be the end goal, but right now I use an Asus router as my AP, and that doesn't support VLANs. Once it breaks I will look to switch to Unifi or other products supporting VLAN. Thank you for the help!
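A check for the alias-population timing described in the quoted reply, added here as an example and not code from either poster or from OPNsense: it compares the MACs of a MAC alias against the `arp -an` table and the pf table OPNsense resolves the alias into (`pfctl -t <alias> -T show`), and lists devices whose IP is in ARP but not yet in that table. The alias name IoT, the MACs and both command outputs are constructed samples; only the IPv4 ARP table is parsed, since `ndp -an` has a different layout.

```shell
#!/bin/sh
# Compare the MACs of an OPNsense MAC alias with the ARP table and the pf
# table the alias resolves to. A device that is in ARP but not yet in the
# pf table can open connections before the block rule can match them.
# Alias name, MACs and command outputs below are constructed samples; on a
# real box feed the function the output of `arp -an` and `pfctl -t IoT -T show`.

IOT_MACS="aa:bb:cc:00:00:01
aa:bb:cc:00:00:02"

# Constructed `arp -an` output in FreeBSD format (FreeBSD prints octets
# without leading zeros, e.g. aa:bb:cc:0:0:1, which norm() below handles)
ARP_SAMPLE='? (192.168.1.50) at aa:bb:cc:0:0:1 on igb0 expires in 1198 seconds [ethernet]
? (192.168.1.51) at aa:bb:cc:0:0:2 on igb0 expires in 600 seconds [ethernet]
? (192.168.1.10) at 11:22:33:44:55:66 on igb0 permanent [ethernet]
? (192.168.1.99) at (incomplete) on igb0 expired [ethernet]'

# Constructed `pfctl -t IoT -T show` output: only the first device resolved so far
TABLE_SAMPLE='   192.168.1.50'

# unresolved_ips MACS ARP_OUTPUT TABLE_OUTPUT
# Prints, one per line, each IP that ARP maps to an alias MAC but that is
# missing from the resolved pf table.
unresolved_ips() {
    macs=$(printf '%s' "$1" | tr '\n' ' ')
    table=$(printf '%s' "$3" | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v macs="$macs" -v table="$table" '
    function norm(mac,   o, i, n, r) {   # lower-case, drop leading zeros per octet
        n = split(tolower(mac), o, ":"); r = ""
        for (i = 1; i <= n; i++) {
            sub(/^0+/, "", o[i]); if (o[i] == "") o[i] = "0"
            r = r (i > 1 ? ":" : "") o[i]
        }
        return r
    }
    BEGIN {
        n = split(macs, m);  for (i = 1; i <= n; i++) want[norm(m[i])] = 1
        n = split(table, t); for (i = 1; i <= n; i++) have[t[i]] = 1
    }
    # arp -an lines look like: ? (ip) at mac on ifname ...
    $3 == "at" {
        ip = $2; gsub(/[()]/, "", ip)
        if ((norm($4) in want) && !(ip in have)) print ip
    }'
}

unresolved_ips "$IOT_MACS" "$ARP_SAMPLE" "$TABLE_SAMPLE"
```

Any IP it prints can already have open states that the block rule never evaluated, which is the case where resetting states helps.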
#2
I managed to resolve the issue by removing rule 2, and changing the destination for rule 1 from invert LAN net to any. However there is a weird issue, whenever I reboot the router, I need to reset state tables for the firewall rules to work properly. What could be a possible issue? The quick flag is set, and my alias is populated.
#3
24.1, 24.4 Legacy Series / Firewall Rules Help
May 19, 2024, 05:59:32 AM
I have a couple of IoT devices for which I want to block incoming and outgoing WAN access. I am using an alias with MAC addresses because I want to block both ipv4 and ipv6 access.
My rules are set up in this way, but they are not working to block internet access, what is going wrong?

Rule 1:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: IoT (alias)
Destination: Invert LAN net

Rule 2:
Action: Block
Interface: LAN
Direction: in
TCP/IP Version: IPv4+IPv6
Protocol: any
Source: Invert LAN net
Destination: IoT (alias)

I have also moved both rules to the top, but my devices are still getting internet access. What should I change?