Messages - viper3two

#1
Quote from: pfry on August 08, 2025, 05:35:51 AM
Back to topic...

Quote from: viper3two on August 06, 2025, 09:53:19 PM
[...]
I do see other devices on our local lan on the stats so I know it is seeing the network, but still unable to access the web interface using that IP or ping it.
[...]

How's it going? Were you able to see ARP on your OPNsense machine and your client(s)? On OPNsense, you should see entries for your 192.168.1.0 network; the entries for the 10.x.x.x net should look similar (both local and remote MACs).

If you have good ARP, have you tried watching the firewall live log when pinging the OPNsense machine? (You want to have the log view up when you start the ping.)

Yes sir, I was able to resolve it. I did see ARP on the OPNsense machine and clients, all good there. I viewed the firewall log and found it was an issue with our internal gateway. In our facility there are 2 separate ASAs. I found that when I switched to the older gateway, it worked. I could ping the OPNsense and I was actually able to proceed on and build a bridge, and I am now working on configuring it to work with the intrusion prevention module to stop the brute force that we are getting. I am glad I was able to get this far with it, just have to learn more on the intrusion prevention module. Thank you for all the help.
#2
All, I am totally new at this. Maybe if I explain a bit further it would help. I am going to set this up on our local network at work, between our ASA and the LAN. I found an article on how to create a transparent bridge and got the HUNSN firewall since it had several interfaces. I was able to flash OPNsense (it came with pfSense), and was able to connect a laptop to the LAN port and see the web interface at 192.168.1.1. I was wanting to set up an interface so that I could connect it to our local LAN to see the web interface, and that is what I am attempting to do. Our local LAN is on 10.x.x.x and it is /21. Our local LAN has NO DHCP servers or services running, so everything on our network is static IP. I have a free IP to use for the interface, and I set it up using that IP. I also set up a pass firewall rule to pass everything in/out on that interface. We do have a DNS server on our local LAN which is our domain controller. I don't know where to enter that information so the interface sees it. I can go to the statistics and it shows entries coming in but not going out of that interface, and I am unable to ping it either. I do see other devices on our local LAN on the stats so I know it is seeing the network, but still unable to access the web interface using that IP or ping it. Is this possible? My basic high-level idea was to create a transparent bridge for filtering traffic. Thank you, and again I am totally new at setting this up. I am studying all I can on this to figure it out.
#3
Quote from: pfry on August 06, 2025, 03:23:05 PM
The basics: Check for address typos. Check the interface state (e.g. in "Interfaces: Overview"), and ARP ("Interfaces: Diagnostics: ARP Table"). If ARP entries are present for the interface, make sure they are correct. Check them also on your client(s) ("arp -a" on most OSs). If the interface and ARP are good, try pinging from the firewall ("Interfaces: Diagnostics: Ping") (assuming the device you are pinging does not have its own firewall filters, e.g. Windows). You can check rule behavior using "Firewall: Log Files: Live View" (e.g. when pinging from a client).

Remember to clean up any test config (such as the gateway, assuming it is not required).
Thank you for this information. I am going through everything you suggested and will report back.
#4
I purchased a HUNSN firewall with 5 interfaces. I installed OPNsense, and it sees the interfaces, it set up the LAN 192.168.1.1 and WAN ports as default and I am able to access the web GUI at that address. I want to add a 3rd port for management on our 10.x.x.x network. I am able to see the interface, assigned it to ign2 hardware, and set up the IPv4 address on it. I set IPv6 to none. I have a cable running from that port to a switch on our 10.x.x.x network. I am unable to get to the web GUI on the 10.x.x.x address I assigned it, and unable to ping that address. I even went as far as creating a gateway that matches our ASA and marked it upstream gateway. That didn't help, still unable to ping or see. I set up an allow all rule for that interface as well, that didn't help. What am I doing wrong or missing? I just want to set up a static 10.0.0.0 IP on that port and be able to access the firewall OPNsense. Thank you in advance.