Noob to OPNsense - Firewall Rules

Started by centuryx476, August 01, 2024, 05:21:49 PM

Hello,
I am brand new to OPNsense (this is only my 2nd full day with it running on my internal network). I switched over from PFsense since my PFsense box died and I had to sign up and give billing information just to get the CE .iso.

I need some guidance on the structure of firewall rules and I have an example of what I am trying to accomplish.
Current setup (I am going to use different IP addresses):
Interfaces:
WAN: Set to DHCP (No issues)
LAN: Main LAN
DMZ: Main Services that require internet exposure.
Under PFsense I had the following setup.
I have two internal DNS servers at 10.10.8.50, 10.10.8.51. They forward traffic to some DMZ DNS servers that in turn forward to Cloudflare. Nothing complex, pretty simple.

I created an alias in OPNsense that contains a DHCP range of IPs that require internet access. These devices use the LAN internal DNS servers for lookups.

How can I achieve internet access for only the alias of the DHCP range of IPs?
I have it currently set for source as "LAN Net" but when I change it to the above mentioned Alias those devices lose connection.
I think I am getting confused on the IN/OUT and inverse options of the firewall rules.
I attached a screenshot of what I have to currently get internet access using the internal DNS servers.
But if I simply change the second rule from "LAN Net" to the DHCP Alias I lose connection.

Any help for this noob will be greatly appreciated.

Thank You

First, please make sure your DHCP range for static leases is outside the range of dynamic ones. For instance, the range is a /24. Then your static could be from a.b.c.200 to a.b.c.250, and your dynamic could be from a.b.c.2 to a.b.c.199.
Then:
- Rules are evaluated in order, descending. Note the tooltip help of "quick" rules. Most times quick is what you want.
- IN/OUT is as if viewed from the firewall point of view. So for your devices on LAN, the traffic comes IN via the LAN interface into the firewall and that's where you normally place your rules. You seem to have that OK.
- Inverse option of a rule like above would say traffic that is NOT coming in from the LAN.
Check this and report back please.
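
To make the three points above concrete (top-down evaluation, what "quick" changes, and what the source "invert" checkbox does), here is a small pf-style rule evaluator written for this thread; it is not OPNsense code. The LAN network is the thread's 10.10.8.0/24, while the alias contents (10.10.8.100/30) and the host addresses are constructed stand-ins for the poster's DHCP range.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example; the thread's LAN is 10.10.8.0/24.
LAN_NET = ipaddress.ip_network("10.10.8.0/24")
# Hypothetical alias standing in for the poster's "DHCP range that needs internet".
INTERNET_HOSTS = [ipaddress.ip_network("10.10.8.100/30")]  # .100 - .103

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    iface: str                  # interface the packet enters the firewall on
    direction: str              # "in" = arriving on iface, as seen by the firewall
    src: list                   # networks, like an alias or "LAN net"
    quick: bool = True          # OPNsense default: a match ends evaluation
    src_invert: bool = False    # the source "invert" (NOT) checkbox

    def matches(self, iface, direction, ip):
        if (iface, direction) != (self.iface, self.direction):
            return False
        in_src = any(ip in net for net in self.src)
        return in_src != self.src_invert   # invert flips the source test

def evaluate(rules, iface, direction, src_ip, default="block"):
    """pf semantics: rules are walked top to bottom; a matching quick rule
    decides immediately, otherwise the *last* matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    verdict = default
    for rule in rules:
        if rule.matches(iface, direction, ip):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Only the alias gets out; everything else on LAN is dropped explicitly.
ALIAS_ONLY = [
    Rule("pass", "LAN", "in", INTERNET_HOSTS),
    Rule("block", "LAN", "in", [LAN_NET]),
]
# Same two rules without quick: the later block rule now wins for alias hosts too.
ALIAS_ONLY_NO_QUICK = [Rule(r.action, r.iface, r.direction, r.src, quick=False)
                       for r in ALIAS_ONLY]
# Inverted source: block anything on LAN that is NOT in the alias, then pass the rest.
ALIAS_VIA_INVERT = [
    Rule("block", "LAN", "in", INTERNET_HOSTS, src_invert=True),
    Rule("pass", "LAN", "in", [LAN_NET]),
]
```

Run `evaluate(ALIAS_ONLY_NO_QUICK, "LAN", "in", "10.10.8.101")` against the quick version to see why a host inside the alias is blocked as soon as quick is turned off.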

Quote from: cookiemonster on August 02, 2024, 10:27:34 AM
First, please make sure your DHCP range for static leases is outside the range of dynamic ones. For instance, the range is a /24. Then your static could be from a.b.c.200 to a.b.c.250, and your dynamic could be from a.b.c.2 to a.b.c.199.
Then:
- Rules are evaluated in order, descending. Note the tooltip help of "quick" rules. Most times quick is what you want.
- IN/OUT is as if viewed from the firewall point of view. So for your devices on LAN, the traffic comes IN via the LAN interface into the firewall and that's where you normally place your rules. You seem to have that OK.
- Inverse option of a rule like above would say traffic that is NOT coming in from the LAN.
Check this and report back please.

Hello,
I figured out what was causing the dropped packets, and it had nothing to do with the DHCP alias I wanted to give internet access.
I had created a virtual IP for an interface, but somehow it got assigned to a different interface. When that happened, the route (10.10.8.0/24) for that interface disappeared. This interface handles the DNS servers in the DMZ, which then forward to Cloudflare.
Once I assigned the virtual IP to the DMZ interface the route returned to it and everything flowed out correctly...

Thank you for your assistance.