OPNSense just stops working as soon as a new interface is made

Started by domidam, June 18, 2024, 05:20:05 AM

Hello Everyone,

I seem to just not have any luck when it comes to this OPNSense. The software has been nothing but trouble for me and I am determined to figure it out. I have installed OPNSense on a Dell Optiplex Micro that I have lying around. I am specifically trying to set it up as a transparent filtering bridge so that all of the packets coming into my network are inspected before they hit my router. So it would go (MODEM - FIREWALL - ROUTER). However, this seems to be too large of a task; for the life of me, I could not get into the GUI interface to make the bridge, even with a 3rd connection set up as a management port. So I decided to backtrack and go more simple. I brought the firewall up to my homelab and connected it to the ethernet port in my room, which is directly connected to the router. I re-ran the setup and the auto-detector picks up just a WAN address. This address is within my local subnet, which makes sense, so I go to that address in Edge and am able to enter the GUI.

Next, I started to follow the guide to set up the bridge. Because no LAN port was auto-detected I manually created one and began following the steps to make the bridge. Everything went well until I applied the changes disabling BOGON networks. It was at this point that I lost access to the GUI. After learning about what BOGON networks are, losing access to the GUI made sense. They were local addresses. I took a break and thought about it for a while. I then had the idea to make an MGMT interface and connect through that, so whenever I make changes to the WAN/LAN bridge I should still be connected. However, for whatever reason, as soon as I apply the changes that create and enable a new MGMT interface I lose access to the GUI.

The only way I have found to regain access is to factory reset the system and then log in using the new WAN address that it picks up. I should probably mention that the other two interfaces, LAN and MGMT, are connected to an 8-port basic switch, just so that no matter how it has to do it, it can somehow reach back to my router. I think this is where at least part of my problem lies. However, I don't even know of any other ways I can test it with all of the ports I am going to use connected.

I have a feeling that the answer is so simple, a mismatched address or a wrong setting, but I cannot figure it out for the life of me. Hopefully, someone can help! Please let me know if I missed anything or if you have any questions!

Quote from: domidam on June 18, 2024, 05:20:05 AM
I then had the idea to make an MGMT interface and connect through that, so whenever I make changes to the WAN/LAN bridge I should still be connected. However, for whatever reason, as soon as I apply the changes that create and enable a new MGMT interface I lose access to the GUI.

Hi domidam,

As I read your post, I thought, yeah, these are growing pains of learning a new firewall. Been through it many times in my career. I, too, incorrectly disabled BOGON Networks by mistake once.

Regarding your problem, you don't mention any details about the new management interface. Is it getting a whole new IP subnet? Are you setting DHCP? What physical interface is being configured? For example, is the new management interface the same physical interface you use to configure the firewall? If it's getting a new IP, you will have to request a new IP from DHCP or assign your PC to a new static address for management.

Regarding your desires, I suggest still using a transparent configuration. First, get a solid management connection to your firewall and then set up transparent settings.


Hi there,

Thanks for getting back to me, so I'll explain the interfaces I have going on. I have 2 USB to Gigabit Ethernet adapters acting as my WAN and LAN ports respectively. For the MGMT port I am using the built-in Gigabit Ethernet. I want the address for this MGMT port to be 192.168.1.2 since my router is 192.168.1.1.

I did not configure any VLANs or DHCP, at least at this point, because it's in my lab. After troubleshooting some more and resetting a few more times, I was able to get into the GUI via the LAN, then add a MGMT interface and set the necessary firewall rules to enable the GUI on said interface. I saw this happen live as it switched to the login screen, because I had 192.168.1.2 open on another screen.

Now here's where it gets super funky. I went ahead and tried to enable the bridge. I got to the point where I created the bridge and confirmed it. But then it broke again; this time it wasn't just the firewall, it was my entire network. Even those on the wifi not physically attached to my router or switch would not reach the internet. I thought I saw a DNS related error but I'm not 100% sure. I was able to fix the issue by simply just shutting off the box, and the network came back. I can see how this sort of thing could happen when I move it into its final position, but while in my lab, I shouldn't break my entire network. I am at a complete loss as to what is going on here. I did make a backup of the configuration before I made the bridge, so I should be able to get back to where I was.

I hope I cleared some things up

You cannot use an address from the same network that is already assigned to a different port for management. That's exactly why you lose access once you assign that. Each interface needs a different network, e.g. 192.168.1.0/24, 192.168.2.0/24, ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Pick a network different from 192.168.1.0/24 for your management interface.

So I restored the config from a backup and changed the MGMT address to 192.168.2.1. Everything broke. I thought I would need to update my firewall rules accordingly, but either there is nothing to change or I am not seeing the thing I need to change.

Quote from: domidam on June 18, 2024, 06:13:43 PM
So I restored the config from a backup and changed the MGMT address to 192.168.2.1. Everything broke. I thought I would need to update my firewall rules accordingly, but either there is nothing to change or I am not seeing the thing I need to change.

That being said, there could just totally be one setting or something that I am missing. Any other suggestions?

Quote from: domidam on June 18, 2024, 06:22:12 PM
That being said, there could just totally be one setting or something that I am missing. Any other suggestions?

After you make this change, nothing is broken. The system you are using to configure the firewall needs to be in the same subnet as the NEW mgmt network, in this case, 192.168.2.x/24.

Quote from: FLguy on June 18, 2024, 07:03:13 AM
For example, is the new management interface the same physical interface you use to configure the firewall? If it's getting a new IP, you will have to request a new IP from DHCP or assign your PC to a new static address for management.

Brother, I have already mentioned this to you. If your mgmt interface is now 192.168.2.1, then statically assign your computer to:

IP: 192.168.2.10
Subnet mask: 255.255.255.0

Now connect to your firewall again and configure DHCP on the MGMT network. Then, set your computer back to DHCP, and you should be good to continue from there.

domidam, please read the replies thoroughly. Patrick was very clear in his first reply.

Take care!
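The two rules the replies above come down to, namely that every firewall interface must sit on its own network and that the admin PC must be addressed inside the management subnet, can be checked before touching the box. The following Python script is an added example written for this thread; it is not part of OPNsense and not code from anyone in the discussion. The interface names and the WAN lease 192.168.1.50 and PC address 192.168.1.20 are constructed; 192.168.1.1/.2, 192.168.2.1/.10 and the 255.255.255.0 mask are the values mentioned in the thread.

```python
import ipaddress

# Constructed layouts mirroring the thread. Only the MGMT addresses and the
# 192.168.1.0/24 router network come from the posts; the WAN lease is made up.
BROKEN_LAYOUT = {
    "WAN": "192.168.1.50/24",   # DHCP lease from the router (constructed value)
    "MGMT": "192.168.1.2/24",   # same network as WAN: the GUI becomes unreachable
}

FIXED_LAYOUT = {
    "WAN": "192.168.1.50/24",
    "MGMT": "192.168.2.1/24",   # its own network, as Patrick suggested
}


def find_overlaps(interfaces):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    Two interfaces claiming the same network is the failure mode in the
    thread: the firewall cannot tell which port a reply should leave on.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def can_reach_mgmt(host_addr, mgmt_addr):
    """True when the admin PC and the MGMT interface share one on-link subnet.

    Both arguments accept 'ip/prefix' or 'ip/netmask', so the static
    assignment from the thread can be written as '192.168.2.10/255.255.255.0'.
    """
    host = ipaddress.ip_interface(host_addr)
    mgmt = ipaddress.ip_interface(mgmt_addr)
    return host.network == mgmt.network and host.ip != mgmt.ip


def check_plan(interfaces, admin_pc):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = [f"{a} and {b} share a network"
                for a, b in find_overlaps(interfaces)]
    if not can_reach_mgmt(admin_pc, interfaces["MGMT"]):
        problems.append(f"admin PC {admin_pc} is not on the MGMT subnet")
    return problems


if __name__ == "__main__":
    # Walk through the thread: original layout, fixed layout with the PC left
    # on the old network, and fixed layout with the PC re-addressed.
    for label, layout, pc in [
        ("broken", BROKEN_LAYOUT, "192.168.1.20/24"),
        ("fixed, PC not moved", FIXED_LAYOUT, "192.168.1.20/24"),
        ("fixed, PC re-addressed", FIXED_LAYOUT, "192.168.2.10/255.255.255.0"),
    ]:
        print(f"{label}: {check_plan(layout, pc) or ['ok']}")
```

The middle case is the one that "broke" after the restore: the firewall is fine, but the PC still holds a 192.168.1.x address and so has no on-link path to 192.168.2.1 until it is re-addressed or gets a lease from DHCP on the MGMT network.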