Messages - veptune

#1
Hello,

So I have finally finished struggling with OPNsense on AWS.

A few remarks:

- It seems the default gateway is automatically attached on the LAN interface, so NAT won't work. Go to system -> gateways -> Check "upstream gateway" on the WAN.

- On the AWS console, on the OPNsense instance, go to Action > Change Source / destination check > Make sure the "stop" checkbox is checked. And on each network interface of the instance: Action -> Change source/destination check -> Make sure the checkbox is not checked.

- I thought "Automatic outbound NAT rule generation (no manual rules can be used)" would be enough to have NAT on WAN, but actually no. You have to select Hybrid Outbound and add the rule.

- The weirdest stuff is about the firewall rules for the LAN. Look at it:



It says: "Default allow LAN to any rule", but it does allow traffic for all, not only LAN. Or I guess this rule should be for the LAN interface, not the WAN...

In AWS, usually when the AMI is installed, it only has one interface. And OPNsense detects it as WAN. And then you have to attach the LAN interface afterwards.

Maybe because of this order, I got all of this misconfiguration.

Last remark: I thought the auto-generated rules on the WAN interface included rules to allow HTTPS and SSH, but actually no.


I spent all my weekend on this... but OPNsense is still great!
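The source/destination check item in the post above, as an added audit example (not from the original post or from the OPNsense project): it parses the JSON that `aws ec2 describe-network-interfaces` returns for an instance's ENIs, lists the interfaces where the check is still enabled, and prints the AWS CLI commands that disable it. The ENI ids, descriptions and addresses in the sample are constructed.

```python
import json

# Constructed sample of `aws ec2 describe-network-interfaces
#   --filters Name=attachment.instance-id,Values=<instance-id>` output.
# ENI ids are made up; the addresses mirror the WAN/LAN layout of a
# two-interface OPNsense instance.
SAMPLE_ENIS_JSON = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa111111111111a", "Description": "WAN",
         "SourceDestCheck": False, "PrivateIpAddress": "172.31.1.114",
         "Attachment": {"DeviceIndex": 0}},
        {"NetworkInterfaceId": "eni-0bbb222222222222b", "Description": "LAN",
         "SourceDestCheck": True, "PrivateIpAddress": "172.31.2.251",
         "Attachment": {"DeviceIndex": 1}},
    ]
})


def enis_with_source_dest_check(describe_output: str) -> list[dict]:
    """Return the ENIs whose SourceDestCheck is still enabled.

    A firewall/NAT instance forwards packets whose source or destination is
    not its own address. With the check enabled, EC2 silently drops such
    packets, so every ENI attached to the firewall must have it disabled.
    A missing key is treated as enabled, which is the EC2 default.
    """
    data = json.loads(describe_output)
    return [eni for eni in data.get("NetworkInterfaces", [])
            if eni.get("SourceDestCheck", True)]


def remediation_commands(describe_output: str) -> list[str]:
    """Build one `modify-network-interface-attribute` command per offending ENI."""
    return [
        "aws ec2 modify-network-interface-attribute "
        f"--network-interface-id {eni['NetworkInterfaceId']} --no-source-dest-check"
        for eni in enis_with_source_dest_check(describe_output)
    ]


if __name__ == "__main__":
    for eni in enis_with_source_dest_check(SAMPLE_ENIS_JSON):
        print(f"{eni['NetworkInterfaceId']} ({eni.get('Description', '?')}, "
              f"{eni.get('PrivateIpAddress', '?')}): SourceDestCheck still enabled")
    for cmd in remediation_commands(SAMPLE_ENIS_JSON):
        print(cmd)
```

Feed it the real `describe-network-interfaces` output for the firewall instance; the instance-level setting (`aws ec2 modify-instance-attribute --no-source-dest-check`) is separate and must be checked as well.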
#2
Hello all,

My WAN and LAN interfaces both have a private IP (as my OPNsense is in an AWS VPC).

I have used the default setting for NAT:

Automatic outbound NAT rule generation
(no manual rules can be used)

But the NAT was not done. I had to select

Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules)

Is it normal?

Thanks
#3
Obvious indeed. Thanks
#4
Hello all,

I have installed the OPNsense AMI in my AWS VPC. I have two subnets:

Public: 172.31.1.1
Private: 172.31.2.0

My interface:



My NAT (I left it at the default):



My LAN firewall rules (allow all).



My WAN firewall rules (allow all, for testing).




So what is weird is that my private host, which is 172.31.2.244, can ping the LAN of OPNsense (172.31.2.251) but can't ping the WAN (172.31.1.114). And of course, it can't go on the internet.

Here is the route table of the host behind OPNsense.

sh-5.2$ ip route show
default via 172.31.2.251 dev enX0
172.31.0.2 via 172.31.2.1 dev enX0 proto dhcp src 172.31.2.244 metric 512
172.31.2.0/24 dev enX0 proto kernel scope link src 172.31.2.244 metric 512
172.31.2.1 dev enX0 proto dhcp scope link src 172.31.2.244 metric 512

What is even more weird is that I have another host on the public subnet, which can ping the WAN.

So I have absolutely no idea what is blocking the ping from the private host from reaching the WAN interface. I know that there is no point in allowing a private host to ping the WAN interface, but I thought that before I understand why it can't go to the internet, I should know why the packet can't even reach the interface.

I have checked the AWS security group.

Any idea?


If one of you lives in Taipei, I will buy him a drink...

Thanks
#5
Hello all,

Is it normal that the SSL certificate is invalid when using the official OPNsense AMI from AWS?

The AMI: OPNsense-24.1-15b139b4-a82f-4a8f-a48b-00888fcb1c88

When I go to System -> Settings -> Administration, the web GUI certificate is already applied.

Thanks
#6
Hello all,

There is something I don't understand; I don't know if it is normal or not.

I have started my AWS instance with OPNsense. There is only one interface so far; I will add the LAN interface later.

I can log in to OPNsense.

Then I assign an elastic IP to my instance. Then on OPNsense, as soon as I assign this public IP to the WAN interface and click on apply changes, OPNsense becomes unreachable, even with SSH.


Even if I restart the instance.

The WAN interface should have the elastic public IP, not the 172.* given by AWS, right?