Communication between two LANs

Started by laterizi, December 28, 2022, 06:48:18 PM

Oh, also, the reason why you aren't necessarily able to ping the way you want is the fact that your firewall is missing the "Default allow LAN to any" rule.

The firewall will always block any traffic unless you create a rule which dictates otherwise.

The "Default allow LAN to any" rule is required for internet and local connections. OPNsense only creates anti-lockout rules automatically on LAN when you assign it, which is why you are able to access the OPNsense web GUI and SSH server.

So basically LAN should look like the picture shows, with just default values (at least when OPNsense's WAN port is directly connected to the internet).

Any other network you add will require an IPv4 rule to gain access to the internet, its own network, etc., using IPv4 rules, and IPv6 rules for IPv6 networks (which you can safely delete unless you need IPv6 addresses).

December 29, 2022, 02:43:11 PM #16 Last Edit: December 29, 2022, 02:48:11 PM by laterizi
The rule is working as I would like, but something is not going exactly as I expect.
Let's go in steps:

- from the LAN hosts I block all ICMP packets to the OPT1 hosts.
- from the OPT1 hosts I block all ICMP packets to the hosts of LAN
- I apply the rules
- firewall -> diagnostics -> states -> actions -> reset state table

After that the rules work.

Unexpected behavior, however, when I want to re-enable ICMP packet transit.

- from the LAN hosts I allow all ICMP packets to the OPT1 hosts
- from the OPT1 hosts I allow all ICMP packets to the hosts of LAN.
- I apply the rules

At this point only one of the two works. I have now made 5 attempts as described and the ping works 4 times for LAN and 1 time for OPT1. Almost like it was a random thing.

Forgive me, this sounds strange, but it is happening.

Gianluca

The rules are already in place to allow all traffic for those networks and the block to ICMP is on top of them...
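Why the "reset state table" step in the procedure above matters, as an added illustration that is not code from the poster or from OPNsense: pf keeps a state for every flow it has allowed, and a rule change is only consulted for new flows, so packets matching an existing state keep following the old decision until that state is cleared. The script below parses an approximation of `pfctl -ss` output (the format, the interface names igb1/igb2 and the addresses are constructed assumptions), lists ICMP states between the two subnets, and builds `pfctl -k` commands that would clear only those states instead of flushing the whole table.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `pfctl -ss` output (not captured from the poster's firewall).
# pf prints outbound states as "src -> dst" and inbound states as "dst <- src".
SAMPLE_STATES = """\
igb1 icmp 192.168.1.10:21134 -> 192.168.2.20:21134       0:0
igb2 icmp 192.168.2.20:21134 <- 192.168.1.10:21134       0:0
igb1 tcp 192.168.1.10:50213 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
igb2 icmp 192.168.2.30:4411 -> 192.168.1.10:4411       0:0
igb1 udp 192.168.1.10:53211 -> 192.168.1.1:53       MULTIPLE:SINGLE
"""

# IPv4 only; the ":port" field carries the ICMP id for icmp states.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>[\d.]+):(?P<ap>\d+)\s+(?P<dir>->|<-)\s+"
    r"(?P<b>[\d.]+):(?P<bp>\d+)\s+(?P<status>\S+)"
)


@dataclass(frozen=True)
class State:
    iface: str
    proto: str
    src: str      # host that initiated the flow
    dst: str
    status: str


def parse_states(text):
    """Parse pfctl -ss style lines into State records, src normalised to the initiator."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue                      # skip headers or lines in a format we do not handle
        a, b = m["a"], m["b"]
        if m["dir"] == "<-":              # inbound: left side is the local destination
            a, b = b, a
        states.append(State(m["iface"], m["proto"], a, b, m["status"]))
    return states


def icmp_states_between(states, net_a, net_b):
    """Return ICMP states whose endpoints lie in net_a and net_b, in either direction."""
    na, nb = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    hits = []
    for s in states:
        if s.proto != "icmp":
            continue
        src, dst = ipaddress.ip_address(s.src), ipaddress.ip_address(s.dst)
        if (src in na and dst in nb) or (src in nb and dst in na):
            hits.append(s)
    return hits


def kill_commands(states):
    """Build `pfctl -k src -k dst` commands: kills states from src to dst only, de-duplicated."""
    seen = set()
    cmds = []
    for s in states:
        pair = (s.src, s.dst)
        if pair not in seen:
            seen.add(pair)
            cmds.append(f"pfctl -k {s.src} -k {s.dst}")
    return cmds


if __name__ == "__main__":
    # Placeholder subnets for LAN and OPT1; replace with the real ones.
    found = icmp_states_between(parse_states(SAMPLE_STATES), "192.168.1.0/24", "192.168.2.0/24")
    for s in found:
        print(f"{s.iface} {s.proto} {s.src} -> {s.dst} ({s.status})")
    print("\n".join(kill_commands(found)))
```

On a live box the input would come from `pfctl -ss` run as root on the OPNsense shell; `pfctl -F states` is the shell equivalent of the GUI reset, and the targeted `pfctl -k` form avoids dropping every other connection through the firewall while testing a single rule change.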

Quote from: laterizi on December 29, 2022, 02:43:11 PM
Let's go in steps:

- from the LAN hosts I block all ICMP packets to the OPT1 hosts.
- from the OPT1 hosts I block all ICMP packets to the hosts of LAN
- I apply the rules
- firewall -> diagnostics -> states -> actions -> reset state table

After that the rules work.

Unexpected behavior, however, when I want to re-enable ICMP packet transit.

- from the LAN hosts I allow all ICMP packets to the OPT1 hosts
- from the OPT1 hosts I allow all ICMP packets to the hosts of LAN.
- I apply the rules

At this point only one of the two works. I have now made 5 attempts as described and the ping works 4 times for LAN and 1 time for OPT1. Almost like it was a random thing.

Forgive me, this sounds strange, but it is happening.

Gianluca

Yeah, the issue isn't the firewall rules, sorry, but that issue is beyond my understanding of how to fix. It could be route connections on OPT1 which cause a slow enough response to cause a timeout, but I'm not sure.

Try nslookup on the IP address of one of the hosts on LAN, copy its name, and from an OPT1 host ping the name of the host in LAN and the IP of the host, and see if there is any difference.

Also, sometimes my OPNsense wasn't able to connect to my TrueNAS, so I had to add an override to DNS, which worked. So you can go to Services ---> Unbound DNS ---> Overrides and add all hosts to the top of the list like I have added my TrueNAS and see if that works (though it must be the FQDN of the server or you might get certificate warnings etc.).

If ping works perfectly every time you type the IP address and OPNsense is hosting DHCP, then go to Services ---> Unbound DNS ---> Settings and check the "Register DHCP leases" and "Register DHCP static mappings" options.

This way you can check from "Leases" the hostname of each device connected to OPNsense which receives its IP from OPNsense's DHCP server.

Be careful though, messing with DNS settings is always a trial-and-error kind of thing. So I would rather ask for help from someone who knows better than I do what could be causing the issue you have.

Sorry forgot to add the picture of overrides and general rules