Eve-ng WAN access

Started by Laytman, July 23, 2025, 09:53:00 AM

Hi, 2All.

OPNsense has been set up in EVE-NG. One WAN interface is connected to the Cloud (Management Cloud0), and the other LAN interface is connected to a Mikrotik switch that leads to the local network. The WAN interface receives an IP address via DHCP. The local addressing is 192.168.30.1/24.

However, packets do not go out to the internet, nor can they reach OPNsense from outside. Other PCs are connected to the same Cloud and work fine. I suspect the issue is with the firewall settings.

In the WAN interface settings, I disabled Block private networks and Block bogon networks. I assume the problem might be in the default rules, but I cannot edit them. I created allow rules, but still couldn't achieve the desired result. SSH access from outside also doesn't work, even though I created allow rules for it.

I also tried disabling the packet filter entirely, but that didn't help either.

Could you please advise what the issue might be? I can't even update the system.

Quote from: Laytman on July 23, 2025, 09:53:00 AM
However, packets do not go out to the internet, nor can they reach OPNsense from outside. Other PCs are connected to the same Cloud and work fine. I suspect the issue is with the firewall settings.

If packets can't reach OPNsense then there is an issue on the EVE-NG side.

If you connect a client on EVE-NG to the same Cloud, in the same project, does it work?

It's hard to imagine that it's an issue with OPNsense/firewall rules. If a packet leaves OPNsense, its source address is the WAN IP address it got. From there it is just like any other client. The default rule on LAN is to allow all traffic from LAN to everywhere.

Can you ping from OPNsense to the upstream router or the DHCP server? Can you show the WAN and LAN interface and firewall settings, plus the OPNsense version you are running?
Deciso DEC740

Yes, in the same project, all other clients connected to the same Cloud are working fine.
This one cannot ping any host via WAN. Not even the gateway responds to ping. The OPNsense version is 25.1.
Let me describe the architecture a bit. The base is a PC running Linux with a VM configured via libvirt, running Eve-NG. Inside Eve-NG, the OPNsense instance is configured within the project. A bridge is created on the host PC. Around ten VMs are running via libvirt. Several networks are also configured and functioning within Eve-NG, so I haven't looked for problems in that area.

[Physical PC with Linux 192.168.30.164]
  └── br0 (bridge) → connected to physical network 192.168.30.0/24
      └── libvirt → VM: EVE-NG
           └── eth0 (inside EVE-NG) → gets 192.168.30.188 from the same network
               └── Cloud0 → bridged to eth0
                   └── VM: OPNsense → DHCP 192.168.30.198

LAN settings:
Static IPv4
IPv4 address: 192.168.1.1
All other fields are empty, checkboxes are disabled.

WAN settings:
IPv4 Configuration Type: DHCP
Override MTU: enabled
All other fields are empty, checkboxes are disabled, including "Promiscuous mode".

Attached is a screenshot of the console where you can see the WAN interface receiving an address. The last remaining part is the firewall rules after some experimentation.

Apparently, there was some kind of glitch 🤔 I noticed a strange display of the MAC address on the WAN interface vtnet0. Interestingly, it only appeared in the web interface — in the console, the address was shown correctly. I disconnected and reconnected it, but the issue persisted. Then I assigned vtnet2 to the WAN instead of vtnet0, and everything started working.

Thanks for the quick response and your attempt to help 😏

Quote from: Laytman on July 23, 2025, 12:16:11 PM
Then I assigned vtnet2 to the WAN instead of vtnet0, and everything started working.

I see, I'd restart again to see if interfaces change again; that is unusual. But good it does work after all.

Regarding the WAN rules: I assume you did test a bit to find out why it didn't work? And clean up?

Some are not necessary and some, like the second (and fourth, IPv4 any protocol to Firewall), include the first, tcp/22. And the fourth rule is not necessary at all.
Deciso DEC740
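The rule overlap pointed out above (an "IPv4 any protocol to This Firewall" rule making a separate tcp/22 rule redundant, and a fourth rule duplicating the second) can be checked mechanically. The following is an added example written for this thread, not OPNsense code: it models rules as a few match fields and flags each rule that is already covered by a broader or identical rule with the same action. It assumes a simplified match model (no "quick" flag, no rule ordering, exact-or-any field matching) and a constructed rule set modelled on the thread's description.

```python
# Added example (not from the thread or OPNsense): flag firewall rules that a
# broader or duplicate rule with the same action already covers.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "any", "tcp", "udp", ...
    src: str          # "any" or a network/alias string
    dst: str          # "any" or e.g. "This Firewall"
    dport: str        # "any" or a port number as a string
    action: str = "pass"

def _field_covers(broad: str, narrow: str) -> bool:
    """A match field covers another if it is 'any' or an exact match."""
    return broad == ANY or broad == narrow

def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every match field of `broad` is at least as wide as `narrow`'s."""
    if broad.action != narrow.action:
        return False
    return all(_field_covers(getattr(broad, f), getattr(narrow, f))
               for f in ("proto", "src", "dst", "dport"))

def redundant_rules(rules: list[Rule]) -> dict[str, str]:
    """Map each redundant rule's name to the name of a rule that already covers it.

    Strictly broader rules always win; for two equivalent rules the earlier one
    is kept and the later duplicate is reported.
    """
    found = {}
    for i, narrow in enumerate(rules):
        for j, broad in enumerate(rules):
            if i == j or not covers(broad, narrow):
                continue
            if covers(narrow, broad) and j > i:   # equivalent rule, keep the earlier one
                continue
            found[narrow.name] = broad.name
            break
    return found

# Constructed WAN rule set (hypothetical names) modelled on the thread's rules.
WAN_RULES = [
    Rule("allow ssh", "tcp", ANY, "This Firewall", "22"),
    Rule("allow all to fw", ANY, ANY, "This Firewall", ANY),
    Rule("allow https", "tcp", ANY, "This Firewall", "443"),
    Rule("allow all to fw (dup)", ANY, ANY, "This Firewall", ANY),
]
```

Running `redundant_rules(WAN_RULES)` reports the ssh and https rules as covered by "allow all to fw" and the fourth rule as a duplicate of it, matching the cleanup suggested in the reply.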

Yeah, I tried all sorts of things while experimenting. I've already removed it, thanks :)