Can anyone reach their cable modem through OpnSense?

[mitsos]

3f: that's how it's supposed to be

3e is interesting: The server that answered your query was 127.0.0.53. That's the local subnet. I thought you changed the DNS servers to PIA's ones. Can you double check the DHCP DNS settings + the DNS settings for opnsense?

Before you double check the servers, from your LAN: "dig www.google.com @{your actual dns server or 1.1.1.1}" ie "dig www.google.com @1.1.1.1". I'm betting a banana that it will answer correctly.

[jds]

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
I guess you owe me a banana.

The DHCP DNS settings are for the pihole: 192.168.1.53
The DNS settings under System:Settings:General are 1.1.1.1 using the gateway OPENVPNCLIENT_VPN4,
which, remember, is set to "dynamic", and is always on the subnet of the VPN tunnel's virtual IP.

[mitsos]

Slowly getting somewhere... (there is an issue with your routes)

Which of the following is true?
1) You want everything to go over the tunnel, except "local" destinations (ie your cable modem)
2) You want only specific traffic from specific interfaces to go over the tunnel (ie everything from LAN to the internet goes over the VPN)

Skimming the thread, I'm under the impression that it's 1 from above, so to save some time I'll use that:
1) add a route for your VPN provider's public network:
Network address: 10.0.0.0/24 (example, adjust for your provider's public IP range, ie the IP you connect to before the tunnel is up)
gateway: WAN_DHCP
Description: Finding the VPN provider (to make it easier on you in the future)
2) system > gateways >  OPENVPNCLIENT_VPN4 > make it the default
3) Edit the LAN rule (any to any) and change gateway to default.
4) Make sure NAT is auto
4) Repeat all the pinging, DNS resolving posting the results.

[jds]

Yes, my current set up is 1), although I would like to modify it so that tunneling happens according to destination domain (for example, make an exception for Netflix).  For the moment, though, I would be happy with 1).

So here is what I did/got:

1) reverted back to suggested (nonworking) configuration: automatic outbound NAT rules; manually set LAN gateway to VPN tunnel virtual IP;
set LAN outbound rules to that gateway; also disabled the OpenVPNClient rules that blocked 443 and 80 if it does not go out the VPN.

2) System: Routes: Configuration: added a route to the public server of the VPN server. Made the gateway WAN_DHCP.

3) made the OpenVPNClient gateway default (System:Gateways:Single)

4) changed the "any to any" LAN rule to default gateway.

From LAN client:

ping 8.8.8.8 -> returns no packets.

ping www.google.com -> likewise

dig www.google.com @1.1.1.1:
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

ping from OPNsense box:
# /sbin/ping -c '3' '8.8.8.8'
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.107 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.081 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.089 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.081/0.092/0.107/0.011 ms

or:
# /sbin/ping -c '3' 'www.google.com'
ping: cannot resolve www.google.com: Host name lookup failure

So, now the OPNsense box cannot reach outside.

[mitsos]

You missed pinging the VPN gateway's private IP (after the tunnel is set up) from opnsense + LAN.

[jds]

3a) ping from your LAN to your OPNSense:
PING 192.168.1.50 (192.168.1.50) 56(84) bytes of data.
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=2.12 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=2.00 ms
64 bytes from 192.168.1.50: icmp_seq=3 ttl=64 time=7.66 ms

3b) ping from your LAN to the VPN gateway (the PIA server's VPN IP):
PING 104.200.153.72 (104.200.153.72) 56(84) bytes of data.
64 bytes from 104.200.153.72: icmp_seq=1 ttl=55 time=10.0 ms
64 bytes from 104.200.153.72: icmp_seq=2 ttl=55 time=13.0 ms
64 bytes from 104.200.153.72: icmp_seq=3 ttl=55 time=10.3 ms

3c) ping from your LAN to 8.8.8.8
returns nothing

3d) ping from your LAN to www.google.com
ping: www.google.com: Name or service not known

3e) On OPNSense Interfaces > Diagnostics > DNS lookup for www.google.com:
returns nothing

3f) You mentioned linux, so I'm assuming that you are using linux instead. Do a "dig www.google.com" from your LAN.
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 100 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Mar 28 09:11:13 CDT 2019
;; MSG SIZE  rcvd: 43

dig www.google.com@1.1.1.1 :
; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

[mitsos]

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 100 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Mar 28 09:11:13 CDT 2019
;; MSG SIZE  rcvd: 43

What is that server? I talked about it a couple of replies back.

Feels that there are other things fighting the configuration. Assuming the gateway (the PIA one) is correctly set up, I don't see why it wouldn't work. Also assuming a default configuration + customizations that I mentioned, the gateway is there, the routes are there, the rules are there, dunno why it's not cooperating.

Other than mtr'ing the entire network to see why and where packets gets stuck, I don't think there is any other solution.

[Bonkerton]

On recent Ubuntu version (the ones using systemd) the command to see Ubuntu's DNS setup is

systemd-resolve --status

Maybe there's some info in there.

[jds]

MTR?  What is that?  Resetting to factory defaults?

I did check what my LAN client thinks is the DNS, and it is correct, the pihole IP.

[mitsos]

https://linux.die.net/man/8/mtr

[jds]

That looks analogous to a colonoscopy, and about as pleasant.

Since I have my current configuration saved, I am thinking about starting from factory defaults, and rebuilding everything, but with the openvpn client set up more rationally this time.  This seems slightly less painful.

[Bonkerton]

I know this is old but the thread came up as the first result when googling for this problem.

Even going to 'Automatic outbound NAT rule generation' as suggested above did not allow me access to my cable modem admin page.

But I got it to work using the method described here:
https://forum.opnsense.org/index.php?topic=8616.0

In short:
- cable modem and own network (from which you want to access the cable-modem) need to be on different subnets
- create a Virtual IP (in OPNsense 19.7.5 under Firewall->Virtual IPs) in the same subnet as the cable modem
- create a floating firewall rule and a corresponding NAT outbound rule
- profit

My home network is 192.168.0.0/24
My modem is a Linksys CM3008 on 192.168.100.1 - created the Virtual IP as 192.168.100.2