New to OpnSense, config borked, unsure of ideal setup

Started by raspberryminesmoke, August 21, 2022, 03:46:58 AM

Hi, I'm sort of a new user that installed opnsense on a protectli vault a few months ago and I'm currently trying to set it up after moving to a new place. I currently can't access the internet or ping anything wan side, so I know the current configuration is incorrect, however the larger problem is I don't know the ideal setup in this scenario.

Here is the scenario: I got a new apartment where internet is bundled and roommate assignments are random(it's a college town), I'm not looking to alter the existing network, but rather create a subnetwork for my devices that connects to the internet, and perhaps can connect to a shared device on the untrusted parent network(a printer), but doesn't allow connections from the untrusted network to the opnsense subnetwork. I'd rather keep the subnetwork as a black box of (VPN) traffic from the perspective of the parent router and ISP.

Should I set up my opn system as a router or just a firewall? I was reading about double NAT being something to avoid, but that seems to only be an issue if you want bidirectional communication between clients of both networks, which I don't (I'm assuming all devices I don't own are untrusted).

How should I set up my system? Here is the current (broken) configuration:
version: 22.1.4_1
Mirror https://mirror.dns-root.de/opnsense/FreeBSD:13:amd64/22.1
Repositories  OPNsense

DNS
8.8.8.8, 8.8.4.4 (currently)

Wan Settings
Static IPV4
192.168.10.108/32
DHCPv6

Lan Settings
static IPV4 Settings 192.168.1.1/24

Wifi Network
Static IPv4
192.168.10.1/24

Standard
802.11b

802.11g OFDM Protection Mode
off

hardware
protectli vault with wifi card


Is the WiFi you added to the apartment? If yes, then its subnet seems to be conflicting with WAN.

You may also want to read this thread which was quite comparable although not similar - https://forum.opnsense.org/index.php?topic=29874.0

Quote from: Zephyr on August 21, 2022, 09:12:36 PM
I don't see the IP of the router?
The IP of the edge router (the one provided by the apartment and connected to the outside world) is 192.168.10.1

Quote from: pankaj on August 22, 2022, 02:42:07 AM
Is the WiFi you added to the apartment? If yes, then its subnet seems to be conflicting with WAN.

I'm not adding wifi to the apartment, the wifi comes with the apartment. I'm trying to create a subnetwork for my devices that connects to the internet via the edge router. I'm basically trying to make it to where all traffic related to me that goes through my apartment's router comes from a single device. I would like to be able to send traffic to specific devices on the parent network (print jobs to a shared printer). Potentially I'd also like to be able to port forward certain applications to the internet, but I can just put those specific devices on the parent network if I have to.

Also, checking out the link now. Thanks

Got it.

On LAN (192.168.1.1/24) make a rule that essentially says following:

Action: PASS
Interface: LAN
Direction: in
TCP/IP: IPv4
Protocol: any
Source: any
Destination: any

Then connect a client (say a laptop) directly wired into the LAN port and check:
1. Does the machine get a 192.168.1.1 subnet address?
2. If so, try pinging 192.168.10.108 (WAN IP)

If it works then start tightening things with more rules and desired customization!

Adding the rule and plugging in the laptop directly gave it the inet address 192.168.1.102, at least from what I could tell from ifconfig.
And I can't ping the edge router from my laptop on LAN or wifi connection, but I can ping it from the opnsense install. Still can't seem to update the packages though.

Digging through the settings under services->[WAN]->available range I'm seeing an error message:

No available address range for configured interface subnet size

Searching it online I only found the message declaration: https://github.com/opnsense/lang/blob/master/pt_PT.po#L10310

Are you sure the WAN isn't a /30 or /31?
/32 is a single IP.

Quote from: Demusman on December 09, 2022, 01:09:27 AM
Are you sure the WAN isn't a /30 or /31?
/32 is a single IP.

Sorry, learning a bit of this as I go along. Looking at the ifconfig for the computers connected to the main router, the netmask is set as 255.255.255.0, so I think it's meant to be /24. Fixing that caused the error message to go away. I'm still not able to ping the outside world.

Quote from: pankaj on August 22, 2022, 11:53:33 PM
Got it.

On LAN (192.168.1.1/24) make a rule that essentially says following:

Action: PASS
Interface: LAN
Direction: in
TCP/IP: IPv4
Protocol: any
Source: any
Destination: any

Then connect a client (say a laptop) directly wired into the LAN port and check:
1. Does the machine get a 192.168.1.1 subnet address?
2. If so, try pinging 192.168.10.108 (WAN IP)

If it works then start tightening things with more rules and desired customization!
The assigned address (for the local machine) is 192.168.1.102, and I can ping 192.168.10.108 from the laptop (after changing /32 to /24).

Solved. It was a couple of things; I'll list them in case anyone as dumb as I am finds themselves in a similar situation:

1. Changed the wifi static IPv4 to 192.168.20.1, to avoid a subnet conflict with WAN.
2. Set the default gateway for the WAN interface with the destination IP as the edge router's actual IP, so 192.168.10.1.
3. Created a route, using the above gateway, to the IP of the ISP listed in the edge router's config.
4. Created a rule group for 3 interfaces: loopback, wifi, LAN.
5. Created a default allow-all rule (in, IPv4+6, any proto, any dest) for the created group.
6. Under firewall->settings->advanced, checked disable reply-to (may not be necessary).

I think that's everything. It was a lot of tinkering, trying to run interface diagnostic tools, googling, followed by more tinkering, so there may be relevant changes that I haven't listed. BTW, if anyone sees something I should probably change, please let me know.

Otherwise I'll mark this solved in a few days.
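The three addressing mistakes this thread turned up (a /32 on WAN with no usable range, the WiFi subnet overlapping the WAN subnet, and a WAN gateway that is not on the WAN link) are all cheap to catch before touching the firewall rules. The following script is an added example, not code from the thread or from OPNsense: it feeds the interface settings from the first post and from the "solved" post through Python's standard `ipaddress` module and reports each problem. The dict layout and the key names `address`, `gateway` and `upstream` are this script's own assumptions, not OPNsense configuration keys; the addresses are the ones posted in the thread.

```python
"""Sanity-check router interface addressing before applying it.

Added example, not code from the forum thread or from OPNsense. The interface
dicts below are constructed from the settings posted in the thread; the key
names "address", "gateway" and "upstream" are assumptions of this script.
"""
import ipaddress
from itertools import combinations

# Constructed: the original (broken) configuration from the first post.
INTERFACES_BEFORE = {
    "wan":  {"address": "192.168.10.108/32", "gateway": "192.168.10.1", "upstream": True},
    "lan":  {"address": "192.168.1.1/24",    "gateway": None,           "upstream": False},
    "wifi": {"address": "192.168.10.1/24",   "gateway": None,           "upstream": False},
}

# Constructed: the configuration after the fixes listed in the "solved" post
# (WAN widened to /24, WAN gateway set, WiFi moved to 192.168.20.0/24).
INTERFACES_AFTER = {
    "wan":  {"address": "192.168.10.108/24", "gateway": "192.168.10.1", "upstream": True},
    "lan":  {"address": "192.168.1.1/24",    "gateway": None,           "upstream": False},
    "wifi": {"address": "192.168.20.1/24",   "gateway": None,           "upstream": False},
}


def check_interfaces(interfaces):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    networks = {}
    for name, cfg in interfaces.items():
        iface = ipaddress.ip_interface(cfg["address"])
        networks[name] = iface.network

        # A /32 is a single host address: no other address exists on the link,
        # so the upstream router cannot be a neighbour and there is no DHCP pool.
        if iface.network.prefixlen == 32:
            findings.append(f"{name}: /32 leaves no usable address range on the link")

        gateway = cfg.get("gateway")
        if cfg.get("upstream") and gateway is None:
            # Without a gateway on the upstream side there is no default route.
            findings.append(f"{name}: upstream interface has no gateway set")
        if gateway is not None and ipaddress.ip_address(gateway) not in iface.network:
            findings.append(f"{name}: gateway {gateway} is not inside {iface.network}")

    # Two interfaces sharing address space make forwarding ambiguous: the box
    # cannot tell which side a packet for 192.168.10.x belongs to.
    for a, b in combinations(networks, 2):
        if networks[a].overlaps(networks[b]):
            findings.append(f"{a} ({networks[a]}) overlaps with {b} ({networks[b]})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", INTERFACES_BEFORE), ("after", INTERFACES_AFTER)):
        print(f"== {label} ==")
        for line in check_interfaces(cfg) or ["no problems found"]:
            print("  " + line)
```

Run as-is, the "before" configuration produces three findings (the /32, the gateway outside the /32, and the WAN/WiFi overlap) and the "after" configuration produces none. The overlap check is deliberately pairwise rather than WAN-only, so it also catches a LAN/WiFi collision on a box with more than two inside interfaces.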