Messages

I guessed as much, already. Perfectly understood. I run DCs myself.

You simply need to manually

- disable NAT - Firewall: NAT: Outbound: "Disable outbound NAT rule generation"
- create a firewall rule on WAN permitting access to your servers

The default setup of a new installation is tailored to a home/SMB setup for Internet access with NAT. And everything you do not explicitly allow is forbidden by default. So without an allow rule on WAN no access.

HTH,
Patrick

I've tried many configurations now (NAT disabled, explicit WAN and LAN rules in place), but I still can't resolve the issue.

One important detail about my rack setup:

I have two separate uplinks from the datacenter

Uplink #1 goes directly to the switch

Uplink #2 goes directly to the OPNsense WAN

OPNsense LAN is also connected to the same switch

So effectively, the switch has two uplinks:

one directly to the datacenter/core

one through OPNsense

This means the servers behind the switch may have two possible paths to the internet:

directly via the switch uplink

or via OPNsense

Could this dual-uplink / asymmetric routing design be the root cause of the state violation and 100% packet loss I'm seeing, even with correct firewall rules and NAT disabled?

If so, am I correct that the proper design should be:

a single uplink only into OPNsense (WAN), and

the switch should be connected only to the OPNsense LAN, with no direct uplink of its own?

I want to make sure all traffic is forced symmetrically through the firewall.

Thanks in advance.

Are you trying to connect from WAN/Uplink to the servers on LAN? You need to create rules for that. The default of a new OPNsense is to block everything on WAN. Also you probably want to disable NAT.

Thanks for the response.

Yes, I am trying to access the servers behind OPNsense from the WAN/uplink side (public network).

However, this is a datacenter routed setup, not a typical home firewall scenario.
I have two routed /24 public subnets provided by my upstream, not a private LAN.

WAN: 188.x.x.130/24

LAN: 185.x.x.254/24 (public subnet, routed to WAN IP by upstream)

My goal is pure routing with firewalling, not port forwarding.

Regarding NAT:
I actually do not want NAT if it's not required. The upstream router already routes the 185.x.x.0/24 subnet to my WAN IP, so this should work with NAT disabled and proper firewall rules.

Hello,
I installed OPNsense on a Dell R620 (2×2697v2 CPU, 256 GB RAM, 1 TB SSD) in a datacenter rack.
The network topology is:

Uplink → OPNsense → Switch → Other devices

When I move devices (VDS/servers) behind the OPNsense gateway, they cannot connect at all.
Access is completely blocked by the firewall.
blockDefault deny / state violation rule

My interface configuration is as follows:

WAN: 188.x.x.130

LAN: 185.x.x.254

I have two different /24 subnets.

I cannot access the VDS servers that are routed through the OPNsense gateway.
Is there anyone who can help, or share the correct / recommended setup diagram for this scenario?