[SOLVED] How can I restrict device to the local network only with one exception?

Started by comet, November 25, 2017, 12:34:32 AM

Quote from: comet on December 07, 2017, 05:15:20 PM
hutiucip,

Well, besides being insulting in your first paragraph,
- no, I didn't mean to insult you, as I have said, I only found it a bit funny and, in a friendly manner, and kindly apologizing right from the start, I meant to mock you a bit (again, in a friendly manner)! But definitely didn't mean to insult/ offend you. If you felt that way, I'm sorry! Truly and deeply! Thanks in advance if you accept my apologies!

Quote
Is OPNsense only supposed to be used by networking gurus, and not by people who just want a better router in their homes than what they can buy off the shelf?  Sometimes, I wonder, given the effort some people seem to make to avoid posting clear answers to what should be simple questions.

No! Sorry to disappoint you, but as I see it, better means more versatile, more flexible, with more options, with more features, and so on and so forth. And all these mores mean a lot of intricate components that depend one on the other... And that's it!
Your questions are simple (at least some of them are), but it's true that here every answer, no matter how simple it is, is in itself the trigger for another (at least one) question from you. It is normal when you are trying to get into something other than an "off-the-shelf" router, as you yourself strengthen it, but, as somebody else did state it already, you too have to be patient and let it sink in, and fall in place after enough pieces revealed themselves.

Quote
If I sound ticked off, I am a little bit, given that you found my confusion so funny, and then apparently made an effort to post a reply that would only serve to 1) insult me and 2) confuse me more.

For 1) I claim again I didn't mean to insult you, and apologize again for that, and for 2), believe me, it shouldn't be confusing.

A man that I think about as being very wise once told me that, if one feels lost, disoriented, and doesn't know which direction is the right direction, it only means one lacks at least one single piece of information (and continued "no one is stupid, one is either uninterested or uninformed/ misinformed"). It was in another context, but I deeply feel it fits here perfectly, so please, don't take it personally!

Quote
It's not at all funny when you don't understand, even if the answer may be obvious to anyone else.

I deeply agree! Found myself, and not only once, in the same position! Every time I made the decision to not miss again the info required for understanding.

Cheers and good luck!

hutiucip,

Thank you for your apology, which I accept.  Just for future reference, mocking people is probably not a good way to avoid offending them, even if you intend it to be funny.

Sadly, you have still chosen not to answer my clear question, and instead you tell me that I am just missing information.  Which is probably true, but I guess I am never going to have that information if no one can explain this in a clear and easy to understand manner.  At this point I'm not sure if people are deliberately trying to make it difficult, are just incapable of giving a clear and simple answer to a direct question, or if there is something else going on here, but if this is what happens when a new user asks a question then you probably won't be seeing too many of them (new users OR questions).

I give up on trying to understand OPNsense; it is running well enough as a basic router and that is really all I need.  This reminds me of the early days of Linux.  OPNsense could be like Ubuntu and try to make a distribution that real people (non-nerds) can use, or they could be like Slackware (one of the most difficult distributions to use).  Right now I would say OPNsense is somewhere in the middle (the GUI is pretty good but the help text could be a lot better).  But, I just want to use the software, not devote the rest of my life trying to figure out advanced networking just to use it in my home.  I don't always give up on something this easily, but you guys are so far over my head I have no idea what you are talking about most of the time.

Sorry to have bothered you.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Comet!... Hello!... It's me again!... :)

I'll try to reply helpfully, I'll try to reply as plain and simple as I can. So, here we (try to) go:

Quote from: comet on December 07, 2017, 09:02:23 PM
franco, I sent you a PM.

Basically, I have just one question at this point, if anyone cares enough to type a useful two-word answer:  Should I have used something other than "any" (which is what franco had told me to use), specifically "WAN Net" or "WAN Address", as the destination, in order to block access to the Internet but still allow access to services in OPNsense?  And if so, and this is the most important question, which of those two would be the better choice?  This is a very simple setup, one WAN port that connects to a cable modem and one LAN port that connects to a switch.  No additional WAN or LAN networks beyond that; I wouldn't know how.

On the LAN interface in FW place on the very top a "block" rule from source being the IP address 192.168.1.X/32, to destination !LAN net (the exclamation mark means that you check "destination / invert", so that you invert the sense of match). This way, any request made from that IP address (the source) to any destination which is NOT something in the LAN IP address range, will be blocked. Other source IP addresses (aka hosts, devices) from LAN will not be blocked by that rule simply because their IP address is not a match for the source in the FW rule. And, of course, your FW and its services, like NTP, DNS, DHCP etc., will be reachable even for that particular device, with that particular IP address set as source in that FW rule.

Quote
Now, if someone can explain the difference between "WAN Net" and "WAN Address" without resorting to jargon or esoteric concepts that would fly right over my head, I would very much appreciate it, but really I just need to know which is the correct choice, "WAN Net" or "WAN Address".

As you maybe have deduced already from the first answer, above, NEITHER of WAN net and WAN address is the correct choice for what you want to accomplish.

Regarding the difference between them, try to understand the concept:
WAN net is the network space - or IP range - in which the WAN IP address of your router resides, but it's not the whole internet. This is commonly established by your ISP, it is out of your control, if and only if your FW is directly connected to the internet on the WAN interface. Since I remember you said before that your FW's WAN interface is connected directly to a modem, the WAN net is your FW's WAN IP and / + the modem's LAN IP (yes, for your modem your FW is on the LAN side, and for your FW the modem is on the WAN side). The WAN net of the modem, for example, is the modem's WAN IP and / + the IP of the ISP's router connected to the WAN interface of the modem. And so on, and so forth.

WAN net is for WAN interface, and from the WAN interface point of view, all IP addresses reachable directly, without the need for a single router as a GW. This is why I said before that WAN net is similar to LAN net, and WAN address is similar to LAN address: for both nets you don't need more than an unmanaged switch, or a direct connection, in order to fully reach any IP address in that net.

Quote
It's like if I were asking someone how to fry an egg.  I don't need to know the history of eggs, nor the different breeds of chickens, nor what type of chicken feed produces the best eggs.  Nor do I need an explanation that involves using kitchen utensils I've never heard of before in my life.  None of that would be the slightest bit helpful to me, and I'd probably walk away hungry.

Sorry, bro, but when you ask me how to fry an egg and you realize that my answer makes you walk away hungry, it's not because my answer is about the history of eggs, but because my answer states that those matches you are trying to light up the fire with are, in fact, not matches but a lens, and you shouldn't rub the thing, as you thought, you should fine tune and fine position the thing in a precise direction.

Quote
I'd also ask people to remember that there was a time you didn't know any of this stuff either.  You probably asked questions and learned from the answers, but only if the person explaining could do it at the level you were at.

You are perfectly right, dear friend, there was a time when I knew exactly nothing about it, and in that time I was looking for answers to my questions, and I learned only if the person giving the answers put those answers right at my level of understanding, and structured them in a hierarchical manner based on levels of complexity.

But I usually called that person a professor, an educator, a mentor, a consultant, and I usually paid that son-of-a... person a price for that effort, because consultancy is not an easy profession, accomplished in a blink of an eye. Or else, without the payment, I wouldn't have had any particular expectations and particular demands from any person, but only gratitude and recognition of their efforts to be helpful, even if those efforts were not quite effective, and not quite what I exactly, in particular, needed.

So, take that time you spend in endless vivid/ heated discussions around here and do some self study by yourself. I stand by the opinion that nobody is stupid, but anyone could be uninterested or not (yet) informed. Inform yourself, please!

Quote
A child learning multiplication is not going to learn a thing from someone explaining calculus.  And, you probably didn't learn much if someone tried to make you feel stupid for asking questions (I had an 8th grade algebra teacher that did that, and to this day I do not know algebra).

You are not interested in algebra, as simple as it sounds. And it's nobody's duty to raise the interest for something, for anything, in you! If you need it, you learn it, if you don't, you don't. I have to admit, the solution of least resistance drives all living beings.

And I'm over and out from this topic: because maybe I offended you, unintentionally as I said, but also maybe you don't realize how much, and how much more than me, you offend each and every person that wrote even a few words in a reply to your post, by stating all the ideas like trying to be over your head, and fried eggs still making you walk away hungry... etc etc etc. This, the following, for example, is one of your best:

Quote
I'm beginning to think no one really understands OPNsense, and we are all just guessing and making it up as we go along?

Too bad, too sad! :(

Sorry for everything, I shouldn't have tried to be helpful in the first place: the guilt of you not knowing, later as well as before, ended up as being mine. :(
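A small Python model, added here and not code from OPNsense or from anyone in the thread, of how the rule described above matches traffic: it evaluates the "block from 192.168.1.X/32 to !LAN net" rule beside the two rejected alternatives ("WAN net" and "WAN address" as destination) for the restricted host and for another LAN host. The addresses, the modem link, the default "allow LAN to any" rule and the switch shortcut for LAN-to-LAN traffic are assumptions made for the illustration.

```python
"""Model of how an OPNsense LAN rule with an (inverted) destination matches packets.

Constructed example: the addresses below and the default "allow LAN to any"
behaviour are assumptions for illustration, not the poster's configuration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption): modem <-> OPNsense WAN, OPNsense LAN <-> switch.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")        # "LAN net"
LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")       # "LAN address": OPNsense itself (DNS/NTP/DHCP)
WAN_NET = ipaddress.ip_network("192.168.100.0/24")      # "WAN net": the small modem <-> OPNsense link
WAN_ADDRESS = ipaddress.ip_address("192.168.100.2")     # "WAN address": OPNsense's own WAN interface
MODEM = ipaddress.ip_address("192.168.100.1")           # the modem's address on that link
RESTRICTED_HOST = ipaddress.ip_address("192.168.1.50")  # the "192.168.1.X" device to restrict
OTHER_HOST = ipaddress.ip_address("192.168.1.20")       # any other LAN device
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")    # a public address (TEST-NET-3, documentation range)

# What the destination drop-down entries resolve to.
ALIASES = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "LAN net": LAN_NET,
    "LAN address": LAN_ADDRESS,
    "WAN net": WAN_NET,
    "WAN address": WAN_ADDRESS,
}


@dataclass(frozen=True)
class Rule:
    action: str                       # "block" or "pass"
    source: str                       # CIDR string, e.g. "192.168.1.50/32"
    destination: str                  # an alias name from ALIASES
    invert_destination: bool = False  # the "destination / invert" checkbox


def _alias_contains(alias, addr):
    """True if addr is inside the network (or equals the address) the alias names."""
    target = ALIASES[alias]
    if isinstance(target, ipaddress.IPv4Network):
        return addr in target
    return addr == target


def rule_matches(rule, src, dst):
    """True if the packet matches the rule's source and its (possibly inverted) destination."""
    if src not in ipaddress.ip_network(rule.source):
        return False
    dst_hit = _alias_contains(rule.destination, dst)
    return (not dst_hit) if rule.invert_destination else dst_hit


def lan_decision(rules, src, dst):
    """Fate of a packet sent by a LAN host.

    Traffic between two LAN hosts is delivered by the switch and never reaches
    OPNsense, so no LAN rule can see it. Otherwise the first matching rule wins;
    with no match, the default "allow LAN to any" rule (assumed present) passes it.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_NET and dst in LAN_NET and dst != LAN_ADDRESS:
        return "switched (never reaches firewall)"
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule.action
    return "pass"


def compare_destination_choices():
    """Evaluate the three candidate rules from the thread against typical destinations."""
    candidates = {
        "!LAN net": Rule("block", "192.168.1.50/32", "LAN net", invert_destination=True),
        "WAN net": Rule("block", "192.168.1.50/32", "WAN net"),
        "WAN address": Rule("block", "192.168.1.50/32", "WAN address"),
    }
    destinations = {"internet": INTERNET_HOST, "firewall": LAN_ADDRESS,
                    "other LAN host": OTHER_HOST, "modem": MODEM}
    return {name: {label: lan_decision([rule], RESTRICTED_HOST, dst)
                   for label, dst in destinations.items()}
            for name, rule in candidates.items()}


if __name__ == "__main__":
    for name, results in compare_destination_choices().items():
        print(f"destination {name:12}: {results}")
    # A different source address never matches the rule, so it keeps internet access.
    correct = Rule("block", "192.168.1.50/32", "LAN net", invert_destination=True)
    print("other host to internet:", lan_decision([correct], OTHER_HOST, INTERNET_HOST))
```

Only the "!LAN net" variant blocks the public address while leaving the firewall's own services reachable; "WAN net" and "WAN address" match nothing but the modem link or OPNsense's WAN interface, so general internet traffic still passes.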

Quote from: hutiucip on December 07, 2017, 11:48:24 PM
On the LAN interface in FW place on the very top a "block" rule from source being the IP address 192.168.1.X/32, to destination !LAN net (the exclamation mark means that you check "destination / invert", so that you invert the sense of match). This way, any request made from that IP address (the source) to any destination which is NOT something in the LAN IP address range, will be blocked. Other source IP addresses (aka hosts, devices) from LAN will not be blocked by that rule simply because their IP address is not a match for the source in the FW rule. And, of course, your FW and its services, like NTP, DNS, DHCP etc., will be reachable even for that particular device, with that particular IP address set as source in that FW rule.

THANK YOU!!! Had you replied with that in the first place, it would have saved a lot of hard feelings and needless typing!  I do appreciate that you finally answered the question, really.  THIS reply makes sense to me.

Quote from: hutiucip on December 07, 2017, 11:48:24 PM
As you maybe have deduced already from the first answer, above, NEITHER of WAN net and WAN address is the correct choice for what you want to accomplish.

Regarding the difference between them, try to understand the concept:
WAN net is the network space - or IP range - in which the WAN IP address of your router resides, but it's not the whole internet. This is commonly established by your ISP, it is out of your control, if and only if your FW is directly connected to the internet on the WAN interface. Since I remember you said before that your FW's WAN interface is connected directly to a modem, the WAN net is your FW's WAN IP and / + the modem's WAN IP. The WAN net of the modem, for example, is the modem's WAN IP and / + the IP of the ISP's router connected to the WAN interface of the modem. And so on, and so forth.

Okay, I think I understand this.  You are basically saying the WAN Net is the private local network connecting the cable modem (in this case) to the router's WAN port, and in most cases there will only be two addresses on that network, that of the cable modem and that of the router's WAN port.  Put another way, my cable modem has an IP address that's not part of my LAN, but it's also not a public Internet address - it's on its own little network (along with the router's WAN port), and THAT is what OPNsense calls the WAN Net.  So far that makes sense, but it's not something I would consider obvious, especially for people coming from an off-the-shelf router.

Quote from: hutiucip on December 07, 2017, 11:48:24 PM
WAN net is for WAN interface, and from the WAN interface point of view, all IP addresses reachable directly, without the need for a single router as a GW.

See, it's when you throw in things like this that you confuse me.  Mentioning "all IP addresses reachable directly, without the need for a single router as a GW" just makes me wonder what you are talking about.  Maybe there are situations where the WAN net would have more than two devices on it (the cable or DSL modem, and the device running OPNsense) but for a home user that's a very atypical situation.

Quote from: hutiucip on December 07, 2017, 11:48:24 PM
This is why I said before that WAN net is similar to LAN net, and WAN address is similar to LAN address: for both nets you don't need more than an unmanaged switch, or a direct connection, in order to fully reach any IP address in that net.

And again, the reason something like that would be confusing to me is because I cannot conceive of a situation where you'd run an unmanaged switch (by "unmanaged" I assume you mean plain old dumb switch, like you'd use in a typical home environment) off the cable modem.  Maybe there is a reason someone might do that, but it's not common, at least not in a home (I am not talking about the case of a cable modem that has a built-in router; mine doesn't, and that's a whole other can of worms).

I really do struggle with this stuff and have a hard time understanding.  You've finally explained it in a way that I understand (I think) and I am grateful for that.  I just wish we could have got here a lot sooner.  I won't address the remainder of your post because you've said a few things that I could maybe argue about, but that would be pointless and not helpful to anyone, and I'd rather leave this on a positive note.  So thank you again.

OK, glad you're really catching up! Honestly, you really seem to understand what I have said, given your paraphrases and explanations using other words, but keeping the idea. Congrats, honestly!

Quote
Had you replied with that in the first place, it would have saved a lot of hard feelings and needless typing!

Roll back the conversation, and you'll realize too that many answers considered not needed and frustrating etc helped you have that "everything falls in place", that "aha" moment you just had! Only one example for this:

Quote
It still makes no sense to me why a firewall rule that supposedly cannot restrict communications between devices on the local network somehow manages to restrict communications to OPNsense itself, even though OPNsense is very much on the local network.
followed by
Quote
So the traffic is not blocked only because the switch is intercepting it and it's never getting to the router?  That's interesting.
(still inexact, but close enough: the switch never intercepts traffic, the switch only knows which of its ports is connected to any particular IP address, and sends the communication destined to that IP address only through that corresponding physical port, meaning it's not sent to the router/ FW instead - for the switch every device in the network is exactly the same as any other device, the switch knows and cares about only IP addresses) after giving you the "unnecessary" explanation (unnecessary = the type not welcomed by you, the type considered already known, since basic, by me).

And now, only to show you why I (or anybody else) didn't come with this answer in the first place, and a lot sooner, I dare to remind you that most of us tried to point you to a direction of using different subnets/ interfaces (at the moment it wasn't quite clear what you need), and for me, as for others, it was OK, seemed to be the right direction. The answer being given, no need to redundantly write again. Further questions from you, most of them requiring further explanations, forked the discussion even more.

Many replies have been already posted, discussion forked in several directions, when finally me, and somebody else, told you to try to use a different VLAN on your switch if it's a managed one, or another mere mortal switch (unmanaged) for that interface on FW. Maybe now you understand why: at the time, for all of us it appeared that you want to restrict something even in the LAN vicinity for that host, not only the internet access, and - and this is a very big "AND" - the idea that the switch will make the internal LAN traffic avoid the FW being so basic, so ABC, so axiomatic if I can say so, made us so convinced that you should be aware of that, and even if you are not, a simple hint like "use VLANs, or different switches and different interfaces" should remind you that internal traffic in a NET never reaches the GW (in this case, your OPNsense) if the destination is not the GW itself.

Quote
See, it's when you throw in things like this that you confuse me.  Mentioning "all IP addresses reachable directly, without the need for a single router as a GW" just makes me wonder what you are talking about.  Maybe there are situations where the WAN net would have more than two devices on it (the cable or DSL modem, and the device running OPNsense) but for a home user that's a very atypical situation.

A very atypical situation is when there are only two devices in one network and only one network in between those two devices. If you have only two devices, in only one network, and especially if that network is an intermediate network - meaning, it is a middle part in at least one route, like your FW <-> modem network - then the failure of either of the two devices causes a complete failure in routing through that single-point-of-failure type of network. In a Fail-Over, High-Availability topology, where a plan B should exist from the beginning, this is not allowed, let alone typical or not. Further on we, or at least I, can't figure out of thin air the level of knowledge somebody has, and the strong instinct is to assume that the level of knowledge of those interested in FWs like OPNsense is at least intermediate, not about OPNsense, of course, but about networking, and TCP/IP, and switching and routing... So that the atypical needs no explanations.

It shouldn't be a problem if somebody is not at least an intermediate, but your opening statement, that you are new to OPNsense (and not new to networking), implied that you are looking for help to implement some general and known networking stuff using the particular and unknown means of OPNsense.

Cheers!

What, exactly, was the point of that post?  You couldn't get enough of a rise out of me with your provocative statements in your previous post, so you decided to poke the bear again?  And that despite the fact that I have marked the thread as solved, and am ready to move on?

There was a lot in that post that I didn't understand, but I suppose that was deliberate on your part.  But no matter, because I am so done with this.

Believe me when I say that I will have to be pretty desperate to ever attempt to ask another question in this forum.  I have participated in many forums over the years, going all the back to the days of dial-up BBS's, and I have to say that very few forums have been as unfriendly to new users as this one seems to be.

I really don't get why you are upset, comet. People will post and not necessarily stop and you do the same. People state their opinion and their views not to annoy, but to share and learn. If that's not interesting enough at some point somebody will have to stop adding to a thread that is marked [SOLVED] and it might as well be you. ;)

Quote from: franco on December 08, 2017, 08:08:39 AM
People state their opinion and their views not to annoy, but to share and learn.
If you can read that post that I was replying to and honestly believe he was not deliberately trying to annoy, then that's a big part of the problem with this forum.

Since I apparently have to spell it out, the reason it's annoying is because by now he definitely knows that I know next to nothing about networking, and that furthermore I don't really want to get into the more esoteric aspects of it.  It is not one of my goals in life to become a networking guru; I'm really just trying to run a home network, and by now he knows that.  And yet he insists on giving these long and rambling explanations that he knows full well I will not understand, AND he seems to think I should be grateful that he is dumping all this knowledge on me. Or something like that.

If you only want people well-versed in networking to use OPNsense, and not plain old users that just want to know enough to make the software work in a functional manner, then maybe you should just come right out and say that, because that's definitely the vibe I am getting.  I have already figured out that there are certain advanced features in OPNsense that I will never understand, and that's fine, and I'm not asking about those.  But when you have to ask questions to even make basic functionality work, and then no one can explain how those work in a clear and concise manner, that indicates a failure in the documentation at the very least.  And by the way, while on that subject, no one has yet explained how or why you'd use the "WAN Address" setting in the destination dropdown, since there doesn't appear to be any way to specify a specific WAN address, and if any of your documentation explains that, I've been unable to locate it.  Even something as simple as that is apparently not documented (same is true of LAN Address).  And while it's not important for me to know that now, it still bugs me that so much in OPNsense doesn't appear to be well documented AND that certain people in this forum seem to assume that you're thick in the head if you don't already know this stuff.  And then if you ask, you get some long, rambling reply that you couldn't understand if your life depended on it, along with maybe an insult or two to boot.  And as the moderator, you see nothing wrong with that type of reply, but if the person on the receiving end shows annoyance, you are right there to express your displeasure.

Part of the reason I rephrased some of what was posted when I finally "got it" about what I was doing wrong was an effort to show how to phrase things if you are trying to explain them to normal people.  I am not the best writer in the world, but if I understand how to do something and I am trying to explain it to someone else, I TRY to make that explanation as clear as possible, and to write at their level, and to answer the question they asked and not answer the question I think they should have asked.  I almost made a snarky comment to the effect that "this is how you should learn to write" but since I don't think my writing skills are all that great, and since I was trying not to raise the temperature of this thread any higher at the time, I thought better of it.

At this point I feel VERY unwelcome here and while I know a couple of people will be quick to say it's my own doing, all I will say is that I have participated in many forums over the years, on many different topics, and I can only think of maybe two or three others where I have been this annoyed by the responses I have received to simple questions, and I am just not the type to quietly let people crap all over me.  And therefore I should just stop posting as you suggested, and I intend to, and while I have a great urge to say "I will never post in this forum again!", my fear is that after having put all this effort into getting OPNsense to work, the day may come that something might stop working and then I will be forced to try to find out why.  So I am not going to say that, but from now on I am going to avoid posting anything in this forum unless I feel it is an absolute necessity.

The only other thing I will say, which is something I said to you in my PM, is that you really ought to consider making a new board on here specifically for people who are new to programs like OPNsense and who know little or nothing about networking in general, so at least there would be a spot where new users could ask questions and the regulars would not assume that if they are trying to use OPNsense, they must have some advanced networking knowledge.  Unless I am right in thinking maybe that is a type of user you really don't want in the first place.

So for now, goodbye, and thank you to those who did post helpful responses.  This will be my last post in this thread, and quite possibly on this forum.

Personally, I find the people here at opnsense mostly very helpful.
They post.  I try to understand.  Sometimes, I even succeed.
Also, they haven't banned me yet, so how bad can they be?

Quote from: xinnan on December 08, 2017, 10:13:16 AM
Also, they haven't banned me yet, so how bad can they be?

People are banned for spam and very poor behaviour (for example permanently insulting people, posting illegal or inappropriate content etc.).
Until now I am not aware of anyone being banned from the forum because of lacking networking knowledge. This forum has users from beginners to networking professionals and this is visible in how the posts of those users are written.

For this reason, an answer from a professional might be not understandable for a beginner, but this does not mean that the answer is incorrect or useless. There might be someone with a similar problem, who finds the thread via a search engine and can solve his issue immediately with this answer. Please note that nobody here knows what the author of a question knows about networking.

I'm quoting this and top posting, emphasising on the fact that I'm not going to read your long response that has nothing to do with your original questions. I can do better things with that time, maybe you could have done that, too?

I also agree with Fabian. We talk... if there is miscommunication due to understanding gaps, language or else that's not a problem as long as we're willing to work towards a common base, repeat answers, break them down or otherwise approach the answer in a way that is better understandable.

That's the real work that's worth the time reading and posting here, not this...

Quote from: comet on December 08, 2017, 09:45:01 AM
Quote from: franco on December 08, 2017, 08:08:39 AM
People state their opinion and their views not to annoy, but to share and learn.
If you can read that post that I was replying to and honestly believe he was not deliberately trying to annoy, then that's a big part of the problem with this forum.

Since I apparently have to spell it out, the reason it's annoying is because by now he definitely knows that I know next to nothing about networking, and that furthermore I don't really want to get into the more esoteric aspects of it.  It is not one of my goals in life to become a networking guru; I'm really just trying to run a home network, and by now he knows that.  And yet he insists on giving these long and rambling explanations that he knows full well I will not understand, AND he seems to think I should be grateful that he is dumping all this knowledge on me. Or something like that.

If you only want people well-versed in networking to use OPNsense, and not plain old users that just want to know enough to make the software work in a functional manner, then maybe you should just come right out and say that, because that's definitely the vibe I am getting.  I have already figured out that there are certain advanced features in OPNsense that I will never understand, and that's fine, and I'm not asking about those.  But when you have to ask questions to even make basic functionality work, and then no one can explain how those work in a clear and concise manner, that indicates a failure in the documentation at the very least.  And by the way, while on that subject, no one has yet explained how or why you'd use the "WAN Address" setting in the destination dropdown, since there doesn't appear to be any way to specify a specific WAN address, and if any of your documentation explains that, I've been unable to locate it.  Even something as simple as that is apparently not documented (same is true of LAN Address).  And while it's not important for me to know that now, it still bugs me that so much in OPNsense doesn't appear to be well documented AND that certain people in this forum seem to assume that you're thick in the head if you don't already know this stuff.  And then if you ask, you get some long, rambling reply that you couldn't understand if your life depended on it, along with maybe an insult or two to boot.  And as the moderator, you see nothing wrong with that type of reply, but if the person on the receiving end shows annoyance, you are right there to express your displeasure.

Part of the reason I rephrased some of what was posted when I finally "got it" about what I was doing wrong was an effort to show how to phrase things if you are trying to explain them to normal people.  I am not the best writer in the world, but if I understand how to do something and I am trying to explain it to someone else, I TRY to make that explanation as clear as possible, and to write at their level, and to answer the question they asked and not answer the question I think they should have asked.  I almost made a snarky comment to the effect that "this is how you should learn to write" but since I don't think my writing skills are all that great, and since I was trying not to raise the temperature of this thread any higher at the time, I thought better of it.

At this point I feel VERY unwelcome here and while I know a couple of people will be quick to say it's my own doing, all I will say is that I have participated in many forums over the years, on many different topics, and I can only think of maybe two or three others where I have been this annoyed by the responses I have received to simple questions, and I am just not the type to quietly let people crap all over me.  And therefore I should just stop posting as you suggested, and I intend to, and while I have a great urge to say "I will never post in this forum again!", my fear is that after having put all this effort into getting OPNsense to work, the day may come that something might stop working and then I will be forced to try to find out why.  So I am not going to say that, but from now on I am going to avoid posting anything in this forum unless I feel it is an absolute necessity.

The only other thing I will say, which is something I said to you in my PM, is that you really ought to consider making a new board on here specifically for people who are new to programs like OPNsense and who know little or nothing about networking in general, so at least there would be a spot where new users could ask questions and the regulars would not assume that if they are trying to use OPNsense, they must have some advanced networking knowledge.  Unless I am right in thinking maybe that is a type of user you really don't want in the first place.

So for now, goodbye, and thank you to those who did post helpful responses.  This will be my last post in this thread, and quite possibly on this forum.

Quote: no one has yet explained how or why you'd use the "WAN Address" setting in the destination dropdown, since there doesn't appear to be any way to specify a specific WAN address, and if any of your documentation explains that, I've been unable to locate it

WAN address is the IP address you have on your WAN interface! :)

Remember, "WAN" is the name of (one of) the FW's interface(s). You could name that interface Nebuchadnezzar, for example, and then, in FW rules' drop-downs you would have seen Nebuchadnezzar net and Nebuchadnezzar address. Wouldn't know how to explain it better than this, sorry. There are two default interfaces the initial set-up comes with, one for the internal (aka protected and NAT-ed) network, and one being connected to the internet (directly or indirectly; to the ISP directly or, respectively, indirectly through a modem - your case). For easiness of things and as a hint contained in the name, those two initial interfaces are not named INT1 and INT2 (or Nebuchadnezzar, so you are not going to see in the FW rules' drop-downs confusing expressions like "INT1 address" or "Nebuchadnezzar net").

Further, it is possible to add more interfaces in OPNsense, and at the time of adding they will be created with names like OPT1, OPT2, ..., OPT7 and so on, names you are free to easily change to something more meaningful, like Wi-Fi, Perimeter etc. But since a FW, any FW, in its simplest setup and purpose, will definitely sit between at least 2 networks, one being a (protected) LAN and the other being (to) the internet, the first 2 interfaces are named not INT1, INT2, but LAN, WAN.

So, for the final time, LAN address is the IP address set on the LAN interface, usually and by default being 192.168.1.1/24. LAN net is the network space of the LAN interface, usually and by default being 192.168.1.0/24. The same goes for WAN net and WAN address, but since those are usually obtained from an ISP, as a dedicated fixed public IP address (and the corresponding network) or automatically through DHCP, from the ISP or another device (e.g. your modem), I wouldn't be able to say that usually the WAN address and net are by default X.X.X.X/Y. If you wanna see exactly what value each one has, you have to check the status of your FW's WAN interface.

Hope it's clear now, or I rest my case anyway, since I wouldn't and couldn't explain it better.

Quote: Even something as simple as that is apparently not documented (same is true of LAN Address).  And while it's not important for me to know that now, it still bugs me that so much in OPNsense doesn't appear to be well documented

I don't have the time now to point you to every place in the documentation where this matter is very well discussed (medical emergencies), I only mention the most important chapter in the official documentation, the chapter named "Initial Installation & Configuration", defaults being mentioned right at "https://docs.opnsense.org/manual/install.html#initial-configuration". Please be aware of the fact that, because of the reasons invoked for WAN net & address, there is nothing as a default for WAN address.

The only default for WAN is the DHCP as the way of establishing both the WAN address and the WAN net -> too many possibilities, so no default values.

Cheers and good luck!
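To make the "LAN address" / "LAN net" / "WAN address" / "WAN net" distinction from the reply above concrete, here is an added example (not from the thread or from OPNsense itself) that resolves those drop-down tokens against a constructed interface table and evaluates a first-match rule list for the thread's original question: one device allowed to reach the local network plus a single outside host. The interface addresses, device address and exception host are constructed values.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed interface table. "LAN"/"WAN" are interface names; each carries
# the address configured on it with its prefix length, as the reply explains.
INTERFACES = {
    "LAN": ip_interface("192.168.1.1/24"),   # the OPNsense default LAN address
    "WAN": ip_interface("203.0.113.7/24"),   # constructed; DHCP-assigned in real life
}

def resolve(token):
    """Map a rule drop-down token to a network that addresses can be tested against.

    "<IF> address" -> the single host IP configured on that interface (/32)
    "<IF> net"     -> the whole subnet that interface sits in
    "any"          -> everything; anything else is parsed as an IP or CIDR literal
    """
    if token == "any":
        return ip_network("0.0.0.0/0")
    name, _, kind = token.rpartition(" ")
    if name in INTERFACES and kind in ("address", "net"):
        iface = INTERFACES[name]
        return iface.network if kind == "net" else ip_network(str(iface.ip))
    return ip_network(token, strict=False)

def first_match(rules, src, dst):
    """Return the action of the first rule matching src and dst (OPNsense rules
    are 'quick' by default, so first match wins); no match means default deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst in rules:
        if s in resolve(rule_src) and d in resolve(rule_dst):
            return action
    return "block"

# Constructed rule set for the thread's question. Order matters: the two pass
# rules for the restricted device must sit above its catch-all block.
DEVICE = "192.168.1.50"          # hypothetical restricted device
EXCEPTION = "198.51.100.10"      # hypothetical single allowed outside host
RULES = [
    ("pass",  DEVICE,    "LAN net"),   # device <-> local network (includes LAN address)
    ("pass",  DEVICE,    EXCEPTION),   # the one permitted external destination
    ("block", DEVICE,    "any"),       # everything else from that device
    ("pass",  "LAN net", "any"),       # other LAN hosts are unrestricted
]

if __name__ == "__main__":
    for dst in ("192.168.1.1", EXCEPTION, "8.8.8.8"):
        print(DEVICE, "->", dst, first_match(RULES, DEVICE, dst))
```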