LAN side has no connectivity since 23.7.7_3 install

Started by arch113, October 30, 2023, 05:56:52 PM

WAN is 2gb fiber, ONT into 2.5gb ethernet port on firewall (which is running virtually in proxmox)
LAN= 10.1.x.x
OpenVPN= 192.168.x.x

Firewall itself has connectivity, it can check for updates, ping 8.8.8.8, etc.

I can VPN into my system via separate internet connection and while on that connection can access the internet, ping 8.8.8.8, etc.

LAN side has no connectivity to the internet. It can't ping  8.8.8.8 (can ping the firewall and access the web gui).  TraceRt stops once it hits the firewall.

Of course this all worked before the update, seems weird I can vpn in, and it works just fine (and i can see my LAN side).


I had the strangest situation too after updating or even reinstalling to v.23.7.7_3.
Running on bare metal, i8500T with a i350-T4 network card, Zenarmor, Unbound + DNS over TLS.

No internet + ping not working on only two interfaces (igb2, igb3), the other two (igb0, igb1) were fine. Internal network worked fine on all four interfaces.
What helped in my case was deleting and rewriting NAT internal DNS redirection rules of those two interfaces.

I'm not using Unbound DNS on the firewall. I think I have NAT set to automatic, but I will play around with it when I get home. I hope there is a patch coming out that fixes it, I had to disconnect the WAN from the firewall and plug it into an ASUS Router so I can have some connectivity at home.


October 31, 2023, 09:02:06 PM #4 Last Edit: October 31, 2023, 09:03:54 PM by Mega32

Look at this thread:
https://forum.opnsense.org/index.php?topic=36688.msg179207


If your WAN side is PPPoE, then go to System -> Gateways -> Single. Edit your WAN_PPPOE connection and make sure that Upstream Gateway is checked. Don't forget to click Save.

This lets OPNSense know that this is your default gateway.

Quote from: cookiemonster on October 31, 2023, 05:39:10 PM
patch for what? Seems a configuration problem.

Config has been working until the patch was installed, I did not make any changes.

Quote from: misterjaytee on November 01, 2023, 08:04:27 AM
Look at this thread:
https://forum.opnsense.org/index.php?topic=36688.msg179207


If your WAN side is PPPoE, then go to System -> Gateways -> Single. Edit your WAN_PPPOE connection and make sure that Upstream Gateway is checked. Don't forget to click Save.

This lets OPNSense know that this is your default gateway.

Not using PPPOE

Quote from: arch113 on November 01, 2023, 06:36:30 PM
Not using PPPOE

Still worth checking that upstream gateway is checked on your WAN side.

As advised by @misterjaytee check that section first.

It's most probably either a routing issue or a rule issue (maybe NAT as well).

1. Check your route table
2. Check your rules
3. Go to Firewall > Log file > Live view and show us what is happening the moment you ping
A. Is LAN Ingress allowing ping to 8.8.8.8
B. Does the OPN nat the source IP and do you see egress allow towards the 8.8.8.8?

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote from: Seimus on November 02, 2023, 10:09:38 AM
As advised by @misterjaytee check that section first.

It's most probably either a routing issue or a rule issue (maybe NAT as well).

1. Check your route table
2. Check your rules
3. Go to Firewall > Log file > Live view and show us what is happening the moment you ping
A. Is LAN Ingress allowing ping to 8.8.8.8
B. Does the OPN nat the source IP and do you see egress allow towards the 8.8.8.8?

Regards,
S.

Gateway looks good, tried disabling/enabling and unchecking/checking the primary gateway box.


1. Looks normal
2.  looks normal (hasn't been changed in awhile)
3.  LAN      2023-11-02T17:34:31-05:00   192.168.1.108   8.8.8.8   icmp   Default allow LAN to any rule
    I see the above in green in live log
    I have NAT set to Auto

All of this worked until the last update, I haven't made any changes otherwise.

November 03, 2023, 09:33:14 AM #11 Last Edit: November 03, 2023, 09:36:48 AM by Seimus
at point 3. When you see the green line for 192.168.1.108   8.8.8.8   icmp e.g permit, do you see as well same for the WAN ip towards the 8.8.8.8 icmp?

Can you as well at that moment while ping is going on go to Firewall > Diagnostics > States and check if there is a state with your WAN IP as source, NAT statement for 192.168.1.108 destination 8.8.8.8 proto icmp?

If you NAT, and try to open any communication outside your LAN, 2 states should be created
A. One for permitting your LAN IP to reach outside - this is what you have seen
B. Second for NAT reaching to the very same destination same protocol and destination port

Also if you can show us this Rule, how its configured:
Default allow LAN to any rule

Regards,
S.
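The two-state check Seimus describes (a plain LAN-side state for the host, plus a WAN-side state carrying the NAT translation) can be automated instead of read off the States page by eye. The script below is an added example and is not from this thread or from OPNsense itself. It assumes the state lines look roughly like `pfctl -ss` output on FreeBSD (interface, protocol, source, optional pre-NAT source in parentheses, arrow, destination); the sample lines and the WAN address 203.0.113.5 are constructed for the example.

```python
"""
Added example: look for the two pf states an outbound LAN flow should create.

The sample state dumps below are constructed. Their layout approximates
`pfctl -ss` on FreeBSD/OPNsense:

    <iface> <proto> <src>[:port] [(<orig_src>[:port])] -> <dst>[:port] <state>

Real output may differ in detail; adjust STATE_RE if it does.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"(?:\s+\((?P<orig>[\d.]+)(?::(?P<oport>\d+))?\))?"
    r"\s+(?P<dir>->|<-)\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed: healthy case, LAN state on igb1 plus translated state on WAN igb0.
SAMPLE_OK = """\
igb1 icmp 192.168.1.108:4242 -> 8.8.8.8:4242       0:0
igb0 icmp 203.0.113.5:4242 (192.168.1.108:4242) -> 8.8.8.8:4242       0:0
"""

# Constructed: the symptom in the thread, LAN rule passes the ping but
# nothing ever appears with the WAN address as source.
SAMPLE_NO_NAT = """\
igb1 icmp 192.168.1.108:4242 -> 8.8.8.8:4242       0:0
igb1 tcp 192.168.1.20:51000 -> 10.1.0.1:443       ESTABLISHED:ESTABLISHED
"""


@dataclass
class PfState:
    iface: str
    proto: str
    src: str
    orig_src: Optional[str]  # pre-NAT source shown in parentheses, if any
    dst: str


def parse_states(text: str) -> List[PfState]:
    """Parse a state dump; lines that do not match the expected layout are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(PfState(m["iface"], m["proto"], m["src"], m["orig"], m["dst"]))
    return states


def check_outbound(states: List[PfState], lan_ip: str, dst: str, proto: str = "icmp") -> dict:
    """Report whether both the LAN-side and the NAT-translated state exist for one flow."""
    lan_state = any(
        s.proto == proto and s.src == lan_ip and s.orig_src is None and s.dst == dst
        for s in states
    )
    nat_states = [s for s in states if s.proto == proto and s.orig_src == lan_ip and s.dst == dst]
    wan_ip = nat_states[0].src if nat_states else None

    if lan_state and nat_states:
        verdict = f"ok: LAN state and NAT state (WAN address {wan_ip}) both present"
    elif lan_state:
        verdict = ("LAN-side state only: the LAN rule passed the packet but no translated "
                   "WAN state exists; check outbound NAT and the WAN gateway")
    else:
        verdict = "no state for this flow: the LAN rule did not pass it"

    return {"lan_state": lan_state, "nat_state": bool(nat_states), "wan_ip": wan_ip, "verdict": verdict}


if __name__ == "__main__":
    for name, dump in (("healthy", SAMPLE_OK), ("broken", SAMPLE_NO_NAT)):
        result = check_outbound(parse_states(dump), "192.168.1.108", "8.8.8.8")
        print(f"{name}: {result['verdict']}")
```

On a live box the dump would come from the States diagnostics page or from `pfctl -ss` run in a shell; the point of the three verdicts is to separate "the LAN rule never matched" from "the LAN rule matched but nothing was translated", which is exactly the distinction Seimus asks the poster to make.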

Sorry it's been a while.

When this was working, I had the default allow-any-outbound disabled. We do not allow all IPs to access the internet. I created an Alias with a list of ~30 host IPs. Copied the allow any rule and changed the source to the Alias, and this has worked until the above update.

If I disable my alias rule and enable the default allow any rules, I get internet back to my devices, but I don't want that, I want it to work the way I had it with the list of IPs.

After some tinkering with my rules, I found out the Alias wasn't the problem. I have 2 rules, one called General Access and one for VOIP, each Alias has a list of IPs that can access the internet, rule set to allow all outbound. Where the 2 rules differ is 'Set Priority'. On VOIP I had it set for VOIP(5) on both settings, General Access was set to Best Effort(0). And the rules have worked just fine until the 23.7.7_3 upgrade.

Once I changed both rules to the default 'Keep Current' and 'Use main', traffic seems to be flowing again.