Topic: LAN Firewall settings (Read 9613 times)
ajzimme (Newbie, Posts: 8, Karma: 0)
LAN Firewall settings « on: March 02, 2017, 09:00:42 pm »
Hello, I have set up a lab and am using OPNsense for the firewall. Everything works fine except for internet.
I set it up explicitly to only have access to certain computers on our other LAN. <- OK so far.
And I set the lab LAN to only have access to the fw, and WAN.
The problem is, the WAN won't work unless I allow it to access everything... I tried allow pass LABLAN -> WAN NET and it won't work! But when I do allow pass LABLAN -> * I'm able to ping google just fine.
The OPNsense sits right on the WAN, so it's not having to go through our other LAN for internet. Its DNS is within the LABLAN itself, and of course all machines in the LABLAN have access to the firewall.
Is there anything else I should add to describe my problem?
Thanks.
guest15389 (Guest)
Re: LAN Firewall settings « Reply #1 on: March 02, 2017, 09:55:20 pm »
Without seeing any IPs, do you have a NAT Rule setup to get that new LAN out to the Internet?
If you check Firewall->NAT->Outbound, I would expect to see something there.
Other than that, do you see anything in the Firewall logs in terms of something being blocked?
ajzimme (Newbie, Posts: 8, Karma: 0)
Re: LAN Firewall settings « Reply #2 on: March 02, 2017, 10:38:13 pm »
I guess not!
The LAN listed in the jpg is our LAN, not the LAB one.
I updated the image, so now I added similar rules for outbound NAT. I'm not sure why I would have to do that, but either way, it still doesn't work: without me allowing LABLAN out to *, it will not have access to the WAN.
« Last Edit: March 02, 2017, 11:04:37 pm by ajzimme »
guest15389 (Guest)
Re: LAN Firewall settings « Reply #3 on: March 02, 2017, 11:34:12 pm »
I kinda think of it like the SSL VPN Instructions. They go through adding and validating the rules are there for another 'network' to connect.
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
Step 2 shows the firewall rules.
To get out to the internet, I'm assuming your lab lan is private as well so you need the Outbound NAT rule.
Bottom on there is the OpenVPN network back out through.
The second to bottom is my normal private lan back out.
ajzimme (Newbie, Posts: 8, Karma: 0)
Re: LAN Firewall settings « Reply #4 on: March 03, 2017, 04:47:58 pm »
I don't mean to be dense. But I'm extremely confused now. Haha.
I don't have a VPN setup. I have a WAN, and two different LANs.
guest15389 (Guest)
Re: LAN Firewall settings « Reply #5 on: March 03, 2017, 06:13:57 pm »
If you can post your Outbound NAT screen like I did, that would be helpful now.
If you can access everything internally and just not out to the Internet, I think you are missing a NAT as your routing should be ok then.
ajzimme (Newbie, Posts: 8, Karma: 0)
Re: LAN Firewall settings « Reply #6 on: March 03, 2017, 06:45:52 pm »
This is my outbound NAT sir.
https://forum.opnsense.org/index.php?topic=4681.msg18125#msg18125
guest15389 (Guest)
Re: LAN Firewall settings « Reply #7 on: March 03, 2017, 07:04:14 pm »
I'm trying to follow as some of the internal IP info is blurred out.
Your LABLAN looks to be 192.168.10.0/24.
You only have part of the screen, I can't tell if your rules are Automatic/Hybrid/Manual or None.
You need a NAT Out with the Source 192.168.10.0/24 Interface WAN like the last 2 lines in my NAT Outbound output.
You need to translate your internal IP schemes through the firewall to NAT'ed addresses.
So the rule would look like:
Interface: WAN
Source: 192.168.10.0/24
NAT Address: WAN Address
Everything else *s
I have static checked because I have XBox traffic that requires it, but I don't think you'd need that. I don't have it setup on my other interface.
ajzimme (Newbie, Posts: 8, Karma: 0)
Re: LAN Firewall settings « Reply #8 on: March 03, 2017, 07:50:48 pm »
I tried that and it didn't work.
ajzimme (Newbie, Posts: 8, Karma: 0)
Re: LAN Firewall settings « Reply #9 on: March 04, 2017, 12:01:57 am »
I ended up just giving up, and creating an alias with every IP on our network (excluding the ones I want it to have access to) and blocking them.
Sad.
remd (Jr. Member, Posts: 55, Karma: 5)
Re: LAN Firewall settings « Reply #10 on: June 19, 2017, 05:43:40 pm »
Bump
I have two issues, one of them is similar.
The first one is DNS resolution, it was working and it isn't anymore (probably some rule as it was working, but I haven't found out which one), then from the second fw behind the first one, will only work if I allow to Any, as described here.
Does anyone have an idea ?
Logged
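Added example, not part of the thread or of OPNsense itself: a small first-match rule evaluator showing why a pass rule with destination "WAN net" (the subnet attached to the WAN interface, not the internet) leaves 8.8.8.8 unmatched, next to the pass-to-any rule and the block-alias layout from Reply #9. Only 192.168.10.0/24 comes from the thread; the WAN subnet, the other LAN range, the permitted host and the first-match model are assumptions.

```python
import ipaddress

# Constructed addressing: only 192.168.10.0/24 (LABLAN) appears in the thread.
LABLAN = ipaddress.ip_network("192.168.10.0/24")
WAN_NET = ipaddress.ip_network("203.0.113.0/29")     # assumed WAN subnet
OTHER_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed second LAN
ALLOWED = ipaddress.ip_network("192.168.1.10/32")    # assumed permitted host
ANY = ipaddress.ip_network("0.0.0.0/0")

def rule(action, src, dsts):
    return {"action": action, "src": src, "dsts": list(dsts)}

def evaluate(rules, src, dst):
    """First matching rule wins; no match falls through to default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and any(d in net for net in r["dsts"]):
            return r["action"]
    return "block"

# First post: pass to the permitted host, then pass LABLAN -> WAN net.
WAN_NET_ONLY = [rule("pass", LABLAN, [ALLOWED]),
                rule("pass", LABLAN, [WAN_NET])]

# pass LABLAN -> *: internet works, but so does the whole other LAN.
ALLOW_ANY = [rule("pass", LABLAN, [ANY])]

# Reply #9: alias of the internal network minus the permitted host, blocked,
# assumed here to be followed by the pass-to-any rule.
INTERNAL_ALIAS = list(OTHER_LAN.address_exclude(ALLOWED))
BLOCK_ALIAS_THEN_ANY = [rule("block", LABLAN, INTERNAL_ALIAS),
                        rule("pass", LABLAN, [ANY])]

def summarize(rules, client="192.168.10.50"):
    probes = {"internet": "8.8.8.8", "wan_gateway": "203.0.113.1",
              "allowed_host": "192.168.1.10", "other_host": "192.168.1.77"}
    return {name: evaluate(rules, client, ip) for name, ip in probes.items()}

if __name__ == "__main__":
    for name, rs in [("WAN net only", WAN_NET_ONLY),
                     ("allow any", ALLOW_ANY),
                     ("block alias, then any", BLOCK_ALIAS_THEN_ANY)]:
        print(f"{name}: {summarize(rs)}")
```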