Messages - rungekutta

#136
General Discussion / Access from LAN to DMZ
April 14, 2018, 06:37:04 PM
Hi! I've got a weird problem and can't figure out what I'm doing wrong.

Setup:
LAN: 192.168.200.1/24
DMZ: 192.168.1.1/24

When I'm done I'm going to let LAN access DMZ but not the other way around. For now I've left the default LAN "pass everything" and added the equivalent for DMZ (interface DMZ, source DMZ net, dest any, action Pass).

However, when I access the DMZ from the LAN I get dropouts and timeouts (e.g. when setting up an NFS connection). Debugging this, accessing a web management GUI in the DMZ from my laptop on the LAN, some packets are let through on the basis of the default LAN rule but then some are dropped on the default deny, and I can't see the reason for this at all.

See attached opn1.jpg screenshot from the Live View firewall log and opn2.jpg from the drill down of one of the blocked connections - how can that not be caught by the same default pass rule?

Also, I don't understand why "default allow LAN to any" comes in pairs with DMZ "let anything out from firewall itself".

Totally stumped on this so would appreciate pointers!
#137
Quote from: hutiucip on March 20, 2018, 12:10:50 PM
Quote from: rungekutta on March 20, 2018, 10:53:34 AM
Need to set "Local Network" to 0.0.0.0/0, instead of LAN subnet, for the routing to be set up properly at the client side.
I confirm it's NOT working with "IPsec net". Yet, does it work with CIDR notation of VPN segment? I expect to, but I'm not sure if default GW works as if you're in the LAN itself. Would you please test again this particular point, and write back? Thank you!
No, setting the CIDR of the VPN (10.10.0.0/24 right?) does not work either. Needs to be 0.0.0.0/0 for it to route properly...
#138
I figured it out...!

Need to set "Local Network" to 0.0.0.0/0, instead of LAN subnet, for the routing to be set up properly at the client side. Also needed to add access from the IPSec subnet to the Unresolver DNS config.

Now it works as expected... Clients can connect via IPsec (tried iOS and Mac OS) and access the local LAN as well as use this opnsense instance as Internet gateway (NAT).

This was poorly documented... No help text available in the GUI at all, and no mention of this in the docs either. Found the solution from a pfSense blog combined with trial-and-error and clicking around in the GUI. Could be improved...
#139
Hi! First post on the forum. Just installed opnsense on a Qotom i5 mini pc at home and got it up and running fine (as router + firewall). I also managed to configure IPSec for road warriors as described here: https://wiki.opnsense.org/manual/how-tos/ipsec-road.html. All good so far and very happy!

There is however one thing I cannot figure out. When I connect to my OPNsense firewall via IPsec (as road warrior) I would like to access my LAN (works) but also use my OPNsense as Internet gateway (i.e. NAT through the WAN as if I were on the internal LAN already). I cannot figure this out.

My setup:
VPN -> IPSec -> Mobile Clients; Virtual Address Pool = 10.10.0.0/24, DNS Servers = 192.168.1.1
Firewall -> Rules -> IPSec; single rule allowing anything to anything on the IPSEC interface
Firewall -> NAT -> Outbound; Hybrid outbound NAT rule generation, added a rule Interface = WAN, Source address=10.10.0.0/24, Translation / target = Interface address.

With this, I can connect to the VPN from an iOS client and successfully access the LAN. When I try to load external pages from iOS Safari, I can see the connections being let through in Firewall -> Log Files -> Log view; however, iOS does not get any response and eventually times out.

I cannot figure this out... Would appreciate some pointers!

I'm running OPNsense 18.1.4-amd64 by the way...