Issues setting up in existing environment

Started by pludikovsky, October 24, 2025, 09:01:52 AM

October 24, 2025, 09:01:52 AM Last Edit: October 24, 2025, 09:56:00 AM by pludikovsky
First-time OPNsense user, but I have some knowledge of FreeBSD & networking.

We're updating our network and want to use OPNsense as the firewall in the future. However, we've encountered an issue.

Some basic info:
  • Local network: 10.9.8.0/22
  • VPN network: 10.9.7.0/24
  • Temporary WAN IP: 10.9.8.148

As soon as I configure one of the internal networks (10.9.11.0/24) I lose connectivity to the WebGUI on the WAN interface, and can only reach it again by disabling the firewall (pfctl -d) on the console. This tells me it's not a routing issue.

In the FW logs I see these messages:
Interface: WAN   Time: 2025-10-24T06:46:34   Proto: TCP   Source: 10.9.7.2:60542   Destination: 10.9.8.148:443   Action: block   Rule: Default deny / state violation rule

Checking with tcpdump doesn't resolve this in any meaningful way as the incoming packets are clearly marked as SYN packets, so not a strange state for a new connection. Any ideas on what to check or what could be the issue?

And yes, we know there's a network overlap between the existing and new network. It's intentional: we're moving from 10.9.8.0/24 to /22 to 4 separate /24 networks, 3 of which are currently empty.

October 24, 2025, 09:36:47 AM #1 Last Edit: October 24, 2025, 09:43:22 AM by meyergru
No. Just no:

Quote from: pludikovsky on October 24, 2025, 09:01:52 AM
Some basic info:
  • Local network: 10.9.8.0/22
  • VPN network: 10.9.7.0/22
  • Temporary WAN IP: 10.9.8.148

Two things to read:

1. https://forum.opnsense.org/index.php?topic=42985.0, point #1
2. https://forum.opnsense.org/index.php?topic=47099, point #2

You cannot route between overlapped networks. Or: Both routes are the same, so only one will be taken. Your packets likely go "somewhere" you do not want them to. You have to get the network masks straight. That applies to your clients, too. If their netmasks are off, you will have problems as well. Consider it a non-optional feature.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Just saw that I have made a typo. The VPN network is 10.9.7.0/24, not /22. And even then, they wouldn't be overlapping:
  • 10.9.7.0/22 -> 10.9.4.0 - 10.9.7.255
  • 10.9.8.0/22 -> 10.9.8.0 - 10.9.11.255