Messages

1

24.7 Production Series / Re: Weird WAN interface issues on new install

« on: August 10, 2024, 12:23:14 am »

Think I'm just going to go ahead and hook it up straight to the internet (after disabling admin interface on wan) to at least rule out my network/lab environment.  If I can get online then I know it has to do with the double NAT or other factors messing things up.   How do I do a DHCP release on the WAN interface?  I can't seem to find that option.   I will need to do that before I reconnect my production router otherwise I won't get my internet back when I switch back. Has to do with way my ISP is setup.

2

24.7 Production Series / Re: Weird WAN interface issues on new install

« on: August 09, 2024, 11:48:43 pm »

Ok I managed to find the GUI firewall log and filter out all the noise and I'm seeing stuff now.  Getting "default deny / state violation rule" if I try to get to the admin interface or to a forwarded port.  Nothing for ping though even though ping is being blocked, but I'm not worried about that for now. 

3

24.7 Production Series / Re: Weird WAN interface issues on new install

« on: August 09, 2024, 11:12:45 pm »

It's a fresh install, except I restored a backup of all my vlans, after restoring the backups I can't communicate out the WAN interface. That backup state worked before, it only stopped when the install got trashed after I tried to upgrade it, so I reinstalled. 

I'm more looking for clues on how I can troubleshoot this, is there any places I can look that can tell me where traffic is being blocked?  The firewall log at the console moves too fast because it keeps querying DNS, NTP etc.  but I don't think the traffic is making it as far as being blocked since I did a ping -f to see if it would show up in the console and be easier to see in all the noise and that didn't show up.

4

24.7 Production Series / Re: Weird WAN interface issues on new install

« on: August 09, 2024, 10:58:42 pm »

Why would that matter though, won't my network just see it as one device?  Ex: the WAN IP.  Everything behind the NAT is irrelevant to it, if I forward a port it's just connecting to the WAN IP as far as it's concerned.

This was working originally but when I restored the backup that's when it stopped working.  Just not sure what happened to cause it.

I might move some patch cords around at my rack to see if I can connect it straight to the internet temporarily just to rule out my network causing weird issues.  The firewall is not at the rack yet, as I don't have any form of console access there.

5

24.7 Production Series / Re: Weird WAN interface issues on new install

« on: August 09, 2024, 10:38:32 pm »

That didn't seem to help, BUT I can ping the "internet" (if it was normally connected to internet) gateway from laptop, while before I couldn't, so it did do something.

I also did a port forward to the laptop running a SSH server and can't connect to that either from my network (the internet as far as the new firewall is concerned)

If I use the function within Opnsense I can in fact connect to the laptop's port.

6

24.7 Production Series / Weird WAN interface issues on new install

« on: August 09, 2024, 07:31:04 pm »

I'm in the process of installing Opnsense on a Sohpos XG 115 and have it setup in a lab environment until I get all my vlans and rules working well enough that I can swap it into production.  Just to give a general idea of my environment, I have the firewall box setup so the WAN port is going to one of my vlans of my existing prod network, and the LAN port is setup as a trunk to a switch I'm using temporarily so I can plug a laptop into it and test the vlans etc, and do initial config. 

I originally accidentally installed the legacy 24.1 and when I performed the upgrade it trashed the whole install and I lost access to everything even from the laptop. I was able to get back in by creating a temporary admin interface on a 3rd port then found that all my vlans were not assigned anymore.  When I came to the forum that's when I realized I was on 24.1 when I checked my version to check what forum to post in and saw that 24.1 was considered legacy. 

So I reinstalled and put 24.7 and now back to configuring vlans etc.  I had a backup from the initial config on 24.1 so I restored it.

I also setup a rule so I can access admin interface from WAN, which obviously would be a bad idea if it was facing the internet but it's setup on my network temporarily.  This was working before I restored the backup but now I cannot access the WAN interface at all, I can't even ping it, despite adding firewall rules.  I also can't leave the WAN interface from the firewall.  It's almost like the WAN is not doing anything at all.  It shows up that it picked up an IP from my DHCP server but I can't do anything at all from there.

I also removed the checkbox to block bogon networks, as I thought maybe that was causing problems. (I will put that back once it's in prod). 

Any other ideas on how to troubleshoot this?  I want to make sure I can pass traffic through the WAN interface before I put this in production and it would also be nice to be able to configure rules from the WAN interface as I can do it from my PC instead of standing at the laptop on the workbench. 

7

24.1 Legacy Series / Re: Lost access to everything after upgrade.

« on: July 31, 2024, 09:11:55 am »

Yeah I made sure to lock all the interfaces after previously having them all wiped out and found that I need to set that option after googling and finding this was an issue.  No USB devices here there are 4 built in interfaces. (it's a Sophos XG115 device)

Either way I just did an update now and it didn't happen again, although I did not configure all the vlans yet just the main one that's used for LAN. I think once I put this in prod I'll just keep my old firewall in the rack for a while until I can confirm this won't be an issue again.

8

24.1 Legacy Series / Re: Lost access to everything after upgrade.

« on: July 31, 2024, 08:47:05 am »

I ended up clean installing so I can put the right version, but I am worried the same thing happens again...

Is this some kind of known issue? 

Also vlan naming is kinda odd as I have different vlans on different interfaces but it doesn't actually name it in a way where it's easy to tell which is which.

So I made my own convention where I call it vlan02.1 where 02 is the vlan number and 1 is the interface number.  Does the naming convention actually matter for anything within how the system works?  It seems fairly strict so I'm wondering if the way I'm naming them somehow messed something up.  If I leave it default it just names it vlan02 vlan03 and it doesn't even match the vlan tag number so it's very confusing.

9

24.1 Legacy Series / Re: Lost access to everything after upgrade.

« on: July 31, 2024, 07:11:54 am »

Since this box has 4 interfaces decided to configure a 3rd interface from the console to see if I could access the admin interface that way.  It worked... but I noticed that all my vlan assignments are GONE!  What happened and how do I prevent this in the future?  This is only a lab environment for now but this would be a huge disaster if it had happened in production and would completely cripple my entire infrastructure.    All the firewall rules and everything are gone. 

At this point I think I will just reinstall from scratch using the proper version but really wondering what even happened and how I can prevent this in the future. 

10

24.1 Legacy Series / Lost access to everything after upgrade.

« on: July 31, 2024, 05:23:30 am »

I'm in the process of upgrading my current firewall to Opnsense from an older version of Pfsense. I have it installed on a Sophos box and have a Dell switch with all the vlans setup so I can have a test environment before I deploy it live.  For now the WAN is connected to my internal network, so I had allowed the admin interface to be accessible, so I can play around with it from my regular PC instead of standing at it directly with the laptop plugged into the switch.

I had the basic stuff working and decided it would be a good time to run an upgrade to bring me to the latest version. (although I now see that this version is considered legacy?  So that's odd. Maybe the upgrade never took)

After the upgrade process and it rebooted I lost access through every port and can no longer get to the admin interface. It's basically blocking all traffic, even internally.  I had it setup so the admin interface is available on all interfaces as a temp measure and have the laptop plugged into a port setup as vlan 2 and LAN is setup as a trunk port to the switch and I get an IP from the firewall which indicates to me that network wise my setup is correct.  However I can no longer access the admin interface either internally via the laptop, or externally via my PC. Cannot ping either.  In the console I went to the firewall log and sure enough I can see that the packets are being blocked.

Is there a way I can gain access to the admin interface without having to do a factory reset?  Like some kind of way to turn off the firewall portion completely?  I'm guessing with the upgrade a default rule may have changed or something and the admin interface is now being blocked.  I had not explicitly allowed it, as it was working already.