No connection from LAN to OPT2.

[EricMelvin]

I have a strange problem and I can't seem to find the answer.
My setup is:

OPNsense 24.1.4-amd64

On my OPNSense I have one WAN interface and a LAN, OPT1 and OPT2 interface.
There's also a virtual interface WGO for WireGuard.

From my LAN I want to connect to OPT1 and OPT2.
I made firewall rules on OPT1 and OPT2 to allow traffic from LAN to OPT1 and OPT2.



I CAN connect from LAN (192.168.1.40) to OPT1 (192.168.42.42), but I CAN'T connect to OPT2 (192.168.60.60).
But.. it seems that the rule works correctly in the log file of the firewall.



Furthermore, I CAN ALSO connect from the WG0 interface (10.10.10.3) to OPT2 (192.168.60.60)

What can be the problem? OPT1 and OPT2 are complete copies of each other in the firewall rules, so I don't think the problem lies in there.

[Patrick M. Hausen]

You need "allow in, destination OPT1, OPT2" on your LAN interface.

In 99% of all cases you only use "in" rules on the interface where the connection is initiated.

[cookiemonster]

This one is one I find it a bit non-natural to comprehend.
Would this requirement not be negated by the default "Default allow LAN to any rule" that exists normally on LAN in a default build?

[Patrick M. Hausen]

We do not know what the OP has defined on their LAN. 

[cookiemonster]

Right.

[EricMelvin]

You need "allow in, destination OPT1, OPT2" on your LAN interface.

In 99% of all cases you only use "in" rules on the interface where the connection is initiated.

I already have the "Default allow LAN to any rule" on LAN, why should I need another one? And what about the communcation to OPT1? I can connect to OPT1, but not to OPT2. So it looks to me that there's another problem?

[Patrick M. Hausen]

The "allow all" rule on LAN is definitely enough, don't create additional "out" rules on these interfaces. Do the devices in those networks have the OPNsense set as their default gateway?

[EricMelvin]

They all have the OPNSense as the default gateway. I test this from WG0 and OPT2. I can ping 192.168.60.1 from OPT2.

Could it be a routing problem?

[cookiemonster]

This test is a completely different scenario to the original post which you said you want to go from LAN to OPT and OPT2. Default allow LAN to any will cover that. You need to "fix" that you can't get to OPT2.

They all have the OPNSense as the default gateway. I test this from WG0 and OPT2. I can ping 192.168.60.1 from OPT2.
Could it be a routing problem?

These require completely different firewall rules, so don't confuse things.
Back to LAN to OPT2. Should work. How is OPT2 setup, do you have a switch plugged into it, or otherwise describe the physical setup please.

[EricMelvin]

Back to LAN to OPT2. Should work. How is OPT2 setup, do you have a switch plugged into it, or otherwise describe the physical setup please.

I have a single computer directly connected to the OPT2 port on my OPNSense. On my LAN side I a switch that connects to my WiFi.

[cookiemonster]

The screenshot shows the packet went out from LAN device to OPT2 one successfully. Seems the firewall rule is fine. Make sure there is something listening on that computer device.

[EricMelvin]

What I really don't understand, is that I can connect from the WG0 interface to the OPT2 interface. There are services listening on the ports.

If I do a Port Forward in the Firewall to a specific port on 192.168.60.60 (OPT2), i can see the external IP connecting.
If I setup a connection from WG0, i can also see that IP (10.10.10.3 in that case) connecting to the service.