Messages - headbanger

#1
By default rules are applied in order (you can change this by unchecking the Quick box in the rule definition).  The order in which rules are examined is:

Automatically Generated Rules
Floating Rules
Interface Specific Rules

Floating Rules are intended to apply to multiple interfaces.  A floating rule set up for one interface should be the same as an interface specific rule for that interface, except that the default rule is examined first.

As to what is happening with your WAN rule I cannot say without looking at your ruleset.  Maybe you have a block rule ahead of the interface rule but after the floating rule.
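The evaluation order and the effect of the Quick box described above, simulated in Python. This is an added example, not the forum's or OPNsense's own code: the ruleset, the packet fields and the category names are constructed, and the quick/last-match semantics are pf's.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Evaluation order described in the post: automatic -> floating -> interface-specific.
ORDER = {"auto": 0, "floating": 1, "interface": 2}

@dataclass
class Rule:
    label: str
    category: str                # "auto", "floating" or "interface"
    action: str                  # "pass" or "block"
    quick: bool = True           # quick: a match ends evaluation; otherwise the last match wins
    iface: Optional[str] = None  # None = any interface (how a floating rule spans several)
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dst_port is None or pkt["dst_port"] == self.dst_port))

def evaluate(rules: list, pkt: dict, default: str = "block") -> tuple:
    """Return (action, label). Rules are walked in ORDER (sorted() is stable, so rules of one
    category keep their listed order); a matching quick rule decides immediately, while a
    non-quick match can be overridden by a later match."""
    decision = (default, "implicit default")
    for rule in sorted(rules, key=lambda r: ORDER[r.category]):
        if rule.matches(pkt):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision

# Constructed ruleset (hypothetical, not the poster's): the interface pass rule is listed
# first, but the floating block is still examined before it because of the category order.
RULES = [
    Rule("pass office any", "interface", "pass", iface="office"),
    Rule("block tcp/7788 everywhere", "floating", "block", proto="tcp", dst_port=7788),
]
PKT_7788 = {"iface": "office", "proto": "tcp", "dst_port": 7788}
PKT_443 = {"iface": "office", "proto": "tcp", "dst_port": 443}

def demo_quick() -> tuple:
    """Floating block with quick set wins over the later interface pass rule."""
    return evaluate(RULES, PKT_7788), evaluate(RULES, PKT_443)

def demo_nonquick() -> tuple:
    """Same floating block without quick: the interface pass rule, examined later, wins."""
    rules = [replace(r, quick=False) if r.category == "floating" else r for r in RULES]
    return evaluate(rules, PKT_7788)
```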
#2
Are you serving up data to the web?  If not then you do not need or want any inbound WAN rules and I would not be connected to the DMZ side of the ISP's router.  What do the firewall logs show?  Do you see anything being blocked?  OPNSENSE comes with an allow any any inbound on LAN interface.  If you delete that and do not add any allow rules then nothing will go out to the internet.  You would need at least an allow rule for ports 80 and 443 plus port 53 if you do not use DOH.  I always put a block rule any any with logging as the last rule on every interface (other than WAN) so I get a log of everything blocked.
#3
This could be a DNS issue. Are you using the DNS provided by the DHCP request or are you manually entering the DNS server?  Windows, for example, supports DOH; Linux does not unless you install DNSCRYPT.  If you have no rule to allow port 53 and you set up DOH on Windows then Windows would work fine but Linux would fail.  Check your logs: is port 53 blocked, or is it blocked on the server used by Linux?
#4
For the benefit of anyone else trying to do this I did get it to work defining the second router as a gateway and defining a route for the ip of the printer going to that gateway.  A few gotchas I had to get around:

1. The route configuration requires a network so I had to put in the ip as 192.168.xxx.xxx/32.
2. Do not define the gateway as an upstream gateway.
3. On the second router define a port forward to the ip of the printer for the protocol and port used by the printer.  I had to define two since the printer uses both TCP and UDP.  Initially I only defined the UDP protocol and it didn't work.
4. Define firewall rules on the interface sending the print requests to allow the requests to go through.

Thank you all for your responses.
#5
In my setup I have the opnsense router connected to the ISP modem.  Connected to one of the physical interfaces on the opnsense router is a second router.  Connected to that second router is a printer.  I want to access that printer from other interfaces on the opnsense router.  Can I:

1. Define that second router's IP as a gateway
2. Define a route for the ip of the printer as going to the gateway defined in step 1

How do I keep internet requests from going to the second router?

If this doesn't work does anyone have any other ideas?
#6
General Discussion / Re: Unusual ip showing in the log
October 22, 2024, 11:12:30 PM
Further investigation has revealed that 192.168.1.116 is the ip address of one of the mesh nodes.  I see this as a bug in the Asus firmware.  These packets shouldn't be going out to the WAN.  Thanks everyone for all your help.
#7
General Discussion / Re: Unusual ip showing in the log
October 21, 2024, 10:42:04 PM
bartjsmit, Yes, I can capture packets, here is one packet:

ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 64, id 49801, offset 0, flags [DF], proto TCP (6), length 72)
    192.168.2.102.59963 > 192.168.1.116.7788: Flags , cksum 0xc5fd (correct), seq 4265057839, win 64240, options [mss 1460,sackOK,TS val 1998323531 ecr 0,nop,wscale 6,mptcp 12 join id 8 token 0x87a2e95e nonce 0x2173f5db], length 0

Attempt to download the package fails, unknown error.

EricPerl, you have it correct.  The LAN side of Asus is 192.168.1.1/24.  The WAN side of Asus is connected to the Office interface of opnsense, 192.168.2.1/24.  The DHCP-assigned ip on the WAN side of Asus is 192.168.2.102.  No port mirroring.  Steam is installed on some computers but packets appear even when those computers are turned off.  In fact they appear if all computers are turned off.  I don't know what Unreal Tournament is so not that.  Asus has stock firmware, no packet capture ability.

Sample of the logs I am seeing:
   Office      2024-10-21T16:37:58-04:00   192.168.2.102:49825   192.168.1.116:7788   tcp   Block everything else in office   
   Office      2024-10-21T16:37:57-04:00   192.168.2.102:51411   192.168.1.116:7788   tcp   Block everything else in office   
   Office      2024-10-21T16:37:54-04:00   192.168.2.102:49513   192.168.1.116:7788   tcp   Block everything else in office   
   Office      2024-10-21T16:37:28-04:00   192.168.2.102:40767   192.168.1.116:7788   tcp   Block everything else in office 
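A small triage script for blocked-connection log lines in the layout shown above, grouping them into flows so that repeated attempts from one host to one private destination stand out. This is an added example, not part of the post or of OPNsense; the sample lines are embedded as constructed input copied from the post's format, and the column layout the regex expects is an assumption taken from that sample.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# One entry per line, in the column layout of the post's sample. The label may contain spaces.
LINE_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<label>.*?)\s*$"
)

# Constructed sample: the four lines from the post, embedded here so the script runs offline.
SAMPLE_LOG = """\
   Office      2024-10-21T16:37:58-04:00   192.168.2.102:49825   192.168.1.116:7788   tcp   Block everything else in office
   Office      2024-10-21T16:37:57-04:00   192.168.2.102:51411   192.168.1.116:7788   tcp   Block everything else in office
   Office      2024-10-21T16:37:54-04:00   192.168.2.102:49513   192.168.1.116:7788   tcp   Block everything else in office
   Office      2024-10-21T16:37:28-04:00   192.168.2.102:40767   192.168.1.116:7788   tcp   Block everything else in office
"""

def parse(text: str) -> list:
    """Return one dict per parsable line; lines that do not fit the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(rows: list) -> list:
    """Collapse entries into flows keyed by (src, dst, dport, proto). Many distinct
    ephemeral source ports toward one fixed destination port means repeated new
    connection attempts from one host, not one long-lived session."""
    flows = defaultdict(lambda: {"count": 0, "sports": set(), "times": []})
    for r in rows:
        f = flows[(r["src"], r["dst"], int(r["dport"]), r["proto"])]
        f["count"] += 1
        f["sports"].add(int(r["sport"]))
        f["times"].append(datetime.fromisoformat(r["ts"]))
    out = []
    for (src, dst, dport, proto), f in flows.items():
        out.append({
            "src": src, "dst": dst, "dport": dport, "proto": proto,
            "count": f["count"],
            "distinct_sports": len(f["sports"]),
            "first": min(f["times"]).isoformat(),
            "last": max(f["times"]).isoformat(),
            # An RFC 1918 destination seen on an inter-segment interface is worth a look:
            # such traffic should never be heading out toward the WAN.
            "dst_private": ipaddress.ip_address(dst).is_private,
        })
    return out
```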
#8
General Discussion / Re: Unusual ip showing in the log
October 21, 2024, 02:51:44 PM
Thanks for getting back to me.  I did think of packet capture but not Wireshark.  Unfortunately when I try to download the captured data I get "Unexpected Error  Check Log for details".  I don't know which log to check.
#9
General Discussion / Unusual ip showing in the log
October 21, 2024, 12:19:04 AM
This is kind of a shot in the dark but here goes, has anyone seen this kind of behavior?  First let me describe my setup.  From the isp modem I connect into the opnsense box wan interface, no surprise there.  I am not using the LAN interface except for device admin.  I have an interface named office that all computers and printers connect to.  I have an interface named iot that all iot devices and phones connect to.  The office interface has a static ip of 192.168.2.1.  It connects to an Asus Zen Wifi Mesh router (this existed prior to building the opnsense router) which has a static ip of 192.168.1.1.  Some computers connect via cable, others connect via WiFi.  I see in the firewall log blocked connections coming into the office interface from the Asus router with a destination ip of 192.168.1.116:7788, protocol tcp.  Since they are coming out of the router I cannot see the original source unless one of you can describe a way to do that.  I see these packets coming from the router even when all devices connected to the router are turned off (unless there is something on the router I am not aware of - possible).  Clearly 192.168.1.116 is not an internet ip so I have no idea why the router is sending it.  Let me add that there is no device on the Asus router with an ip of 192.168.1.116.  Any thoughts?
#10
General Discussion / Re: Question on DNS Queries
October 17, 2024, 11:30:39 PM
Thanks for your help.  The entries were coming from my iot interface.  Apparently some iot devices use these DNS servers.  I put in a NAT port forward rule to redirect all port 53 requests to local host.  That then routes them through the DOT server I selected.  I now see the port 853 requests logging on wan.

To answer your two questions, there are no DNS servers in system->settings->general but I did have "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked.  I unchecked it.

Thanks again for your help, this is a great forum and opnsense is a great product.
#11
General Discussion / Question on DNS Queries
October 17, 2024, 02:44:35 PM
I am trying to direct all DNS queries to the provider of my choice and I want to use DOT from opnsense to go there.  I know the issues with DOH and that I can't completely block it, that is not my question.  My question is that when looking at the log I see entries going to 9.9.9.9:53 and 8.8.4.4:53 only on the wan interface with a description "let out everything from the firewall host itself (forece gw)".  From this I gather that opnsense is doing queries on its own, not coming from any interface and it chose to use these DNS providers.  Am I correct?  If not can someone explain what this means?  If I am correct then where are the settings to tell opnsense which DNS provider I want to use?
#12
General Discussion / Re: Can't access opnsense.org
October 16, 2024, 03:36:40 AM
Everything is working now.  Don't know why the site worked on my phone when connected to cellular or on my computer when plugged directly into the isp modem but would not work going through the appliance, but now it is working through the appliance.  My computer is set up to only use ipv4; the phone likely can use ipv6 on cellular only since I have ipv6 blocked on the appliance.  Apparently the issue was on their end.  I just put the appliance into production yesterday so I thought I messed up a setting.
#13
General Discussion / Can't access opnsense.org
October 15, 2024, 04:47:26 AM
Here is a head scratcher.  Recently inserted opnsense appliance into my network.  Working great... until I try to go to opnsense.org.  Then nothing.  Also can't update.  All other websites that I have tried work.  All my iot devices work.  Only opnsense.org does not work.  To do this post I had to connect my computer to the isp modem directly.  My LAN interface has only default rules.  No block floating rules apply to LAN.  I created separate interfaces, one for computers, one for iot devices.  Even on LAN with only default rules I can't get to opnsense.org.  Before putting the appliance into production I was using it through the existing router and then I was able to access opnsense.org.  Now, directly connecting to the isp modem, I cannot.  Anyone else see this behavior?
#14
OK, found the DNS issue, it was on my computer, not opnsense.  The factory reset solved the problem.  The first time I installed I changed the LAN ip during the install.  That is the only thing I can think of that may have broken it. 
#15
I made some small amount of progress.  But still no joy.  I reset to factory defaults, then made only the following changes:

interfaces->wan-> unchecked block private networks and block bogon networks
interfaces->lan->changed static ip to 192.168.77.1
services->ISC DHCPv4->changed range to 192.168.77.100-192.168.77.199

Rebooted.

I can now ping 192.168.1.1 successfully
I can check for updates successfully
I can ping 8.8.8.8

I can't go to any website from firefox.
I am thinking some kind of DNS issue.  Still investigating.

My plan is to wait until this evening when everyone is off the network and then try directly connecting to the isp modem again.