[Resolved] Home use "easy button" question

Started by Ymebp1991, August 19, 2024, 02:50:26 PM

August 19, 2024, 02:50:26 PM Last Edit: September 06, 2024, 06:26:50 PM by Ymebp1991
New OPNsense user. I know my way around a keyboard but network firewalls I only know enough to do basic things. I have a new OPNsense install. Worked great testing it, surfing the web etc., flipped the whole house over to it and all hell broke loose. The default deny policy played havoc with my SmartThings, Netflix, Hubitat, heck even Gmail would fail to load at times. I dug through the logs and saw it was blocking things not only on the WAN but on the LAN interface as well. It was certainly doing its job for sure, but how would I allow all these home services like streaming and Minecraft to work without a giant list of firewall rules making the deny policy all but moot? I plugged my Asus ET12 back in and poof, everything worked (I have SOOOOO many questions about the firewall in the Asus router now btw =D). I have 2 WAN links and a couple of subnets behind a routed switch.

Some things I checked/tried:
1) Unbound. In reading through the forums I've seen many threads where Unbound is the culprit, so I ran with it enabled and disabled.
2) NAT reflection, same, ran enabled and disabled.
3) Port forwarding. I have a Plex server, tried a standard port forward and it would work, then not, so I turned all that off.
4) IPS/IDS, I ran with it on and off. Same results.
5) Reformat/reinstall, put NO plugins or rules or anything in, one WAN link plugged in, and it behaved the same.

I still have all the logs and it is still connected to one of the WAN links, happily sending packets to the bit bucket =D.

A simple example, I created a port forward rule to a single server on port 58112 tcp. The firewall is blocking it, "default deny rule" even though I created a rule to allow it on the LAN & WAN interfaces and everywhere else. 

Picture of my network is attached, couldn't paste it inline.


A default OPNsense installation permits anything from LAN out into the Internet just like any common home router.
I suggest you try with a default install, first. All your smart things, Netflix etc. should just work. There is no reason why they won't if you do not change any of the settings except for the root password and the configuration for your uplink on WAN.

Similarly Unbound will only become "the culprit" if you mess with its settings. Leave everything at the default and you should have working Internet. If you switch it off, of course nothing will work - it's the component of the system that provides DNS service in a default setup, so it's quite essential.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

The only thing you will want/need to do to compare to a typical consumer home router is this:

Activate DHCP on the LAN port and set your range, subnet, gateway, and DNS server. 192.168.1.50-192.168.1.200, 255.255.255.0 or /24, 192.168.1.1, 192.168.1.1 in the order listed above for descriptions.

Go to unbound and check the box to allow it to be the system DNS provider, if you don't do this, then you need to set your chosen DNS provider for each client or in the DHCP config (1.1.1.1, 8.8.8.8, etc).

I thought so too, I reverted back to a vanilla fresh install and it still had problems. There are a zillion block entries in the logs that correspond to services that were initiated from inside the network, only to have their response blocked. I suspected it was my dual WAN setup so I removed one of the links before the reformat/reinstall, and then left it off after the reinstall.

I too found this odd, but I did see in the logs lots and lots of deny with IP of my tv on various ports.


Quote from: Greg_E on August 19, 2024, 03:33:55 PM
Activate DHCP on the LAN port and set your range, subnet, gateway, and DNS server. 192.168.1.50-192.168.1.200, 255.255.255.0 or /24, 192.168.1.1, 192.168.1.1 in the order listed above for descriptions.

Go to unbound and check the box to allow it to be the system DNS provider, if you don't do this, then you need to set your chosen DNS provider for each client or in the DHCP config (1.1.1.1, 8.8.8.8, etc).

Sorry, no - why? OPNsense will out of the box send 192.168.1.1 as both default gateway and DNS server to the clients via DHCP and Unbound will just resolve any domain you throw at it recursively.

Only mess with settings if you know what you are doing. OPNsense works exactly like a consumer router out of the box.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

August 19, 2024, 03:58:14 PM #5 Last Edit: August 19, 2024, 03:59:46 PM by Ymebp1991
Quote from: Patrick M. Hausen on August 19, 2024, 03:37:06 PM
Quote from: Greg_E on August 19, 2024, 03:33:55 PM
Activate DHCP on the LAN port and set your range, subnet, gateway, and DNS server. 192.168.1.50-192.168.1.200, 255.255.255.0 or /24, 192.168.1.1, 192.168.1.1 in the order listed above for descriptions.

Go to unbound and check the box to allow it to be the system DNS provider, if you don't do this, then you need to set your chosen DNS provider for each client or in the DHCP config (1.1.1.1, 8.8.8.8, etc).

Sorry, no - why? OPNsense will out of the box send 192.168.1.1 as both default gateway and DNS server to the clients via DHCP and Unbound will just resolve any domain you throw at it recursively.

Only mess with settings if you know what you are doing. OPNsense works exactly like a consumer router out of the box.

I will do another reformat install and try again. I don't think I went that far off the reservation but I'll wipe it and start again.

Things I need by default:
Internal 10.0.0.0/16 networks routed to an internal gateway of 192.168.0.254, and I think I figured that out correctly as traffic was routed from the 10 network out to the internet and back properly. I created a gateway and used it as the target of a static route.

Port forwarding for Plex. Now I've followed the directions to do this, but it just doesn't work reliably (I posted on Reddit but no responses yet).

Port forwarding for a Deluge server I host for friends and family. This one was tricky as it uses random high ports by default. I've tried even on my Asus to get this working and I can't, so I stick it in a "DMZ" of sorts on the Asus to allow traffic to flow to and from it on any port. I tried the any, any, to server IP and that didn't work as things were dropped on the way back to the machine at the WAN interface on OPNsense.

I'll give it another go with changing nothing and monitor the logs. Wish me luck!!

Nowhere in your initial post did you mention dual WAN or internal routes.

These are advanced topics, most of all dual WAN, and you should know how ip based routing and firewall based policy routing work before attempting such a setup.

If you want the devices in the 10.0.0.0/16 network to be able to access the Internet, you will have to switch your policy under Firewall > Network address translation > Outbound from automatic to at least hybrid and add a NAT rule for that network. OPNsense by default only NATs directly connected networks.

That might explain some of your problems.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
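To make the "only directly connected networks are NATed automatically" point concrete, here is a small added model (not OPNsense's own code) of the network in this thread: LAN 192.168.0.0/24 on the firewall, 10.0.0.0/16 reached via the static route to 192.168.0.254. It shows that in automatic mode a packet from 10.0.0.5 leaves WAN untranslated, while hybrid mode with one extra rule covers it; the pf-style rule text is an illustration, not what OPNsense literally generates.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the network in this thread; it is not OPNsense code and
# only imitates the behaviour described above: automatic outbound NAT covers
# directly connected networks, anything routed (10.0.0.0/16 via 192.168.0.254)
# needs an explicit rule in hybrid mode.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")      # OPNsense LAN
ROUTED_NET = ipaddress.ip_network("10.0.0.0/16")      # behind the routed switch


@dataclass
class OutboundNat:
    mode: str                                   # "automatic" or "hybrid"
    connected: list                             # directly connected networks
    manual: list = field(default_factory=list)  # extra source nets (hybrid only)

    def translated_sources(self):
        """Source networks whose traffic leaves WAN with the WAN address."""
        nets = list(self.connected)
        if self.mode == "hybrid":
            nets.extend(self.manual)
        return nets

    def is_translated(self, src_ip):
        """True if a packet from src_ip would be source-NATed on WAN."""
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in self.translated_sources())

    def pf_rules(self, wan="WAN"):
        # pf-style rendering for inspection only (assumed syntax, the real
        # generated ruleset differs in detail)
        return [f"nat on {wan} from {net} to any -> ({wan})"
                for net in self.translated_sources()]


def automatic():
    return OutboundNat("automatic", [LAN_NET])


def hybrid_with_routed_net():
    return OutboundNat("hybrid", [LAN_NET], [ROUTED_NET])


if __name__ == "__main__":
    for nat in (automatic(), hybrid_with_routed_net()):
        print(nat.mode, "10.0.0.5 translated:", nat.is_translated("10.0.0.5"))
        print("\n".join(nat.pf_rules()))
```

Untranslated packets from 10.0.0.5 would reach the ISP with a private source address, so the reply never comes back, which looks from the inside like outbound connections that silently fail.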

August 19, 2024, 04:27:03 PM #7 Last Edit: August 19, 2024, 04:28:46 PM by Ymebp1991
Quote from: Patrick M. Hausen on August 19, 2024, 04:10:44 PM
Nowhere in your initial post did you mention dual WAN or internal routes.

These are advanced topics, most of all dual WAN, and you should know how ip based routing and firewall based policy routing work before attempting such a setup.

If you want the devices in the 10.0.0.0/16 network to be able to access the Internet, you will have to switch your policy under Firewall > Network address translation > Outbound from automatic to at least hybrid and add a NAT rule for that network. OPNsense by default only NATs directly connected networks.

That might explain some of your problems.

I would like to say that I appreciate any and all help, and I appreciate anyone and everyone who takes their time to try and help. 

I did mention dual wan, last sentence first paragraph of the post, also I mentioned it in the "what I tried" section, and it's in the drawing I attached.

I am familiar with how IP based routing works, I can't write ipchains rules off the top of my head but I can have a reasonably intelligent discussion about what a rule would look like based on the requirements. The challenge I am facing now is when I diagram out these flows on a white board, then translate them into a rule in OPNsense I do not get the desired result, and I'm thinking it is because I'm not checking the right boxes elsewhere in the interface other than the "Firewall" menu section.

The services that were spotty lived on a directly connected subnet the 192.168.0.x subnet holds my netflix xbox etc. The route and gateway I setup worked well, all my 10.x.x.x clients could get out to the web and didn't really have too much of a challenge. It was really the stuff on the 192.168.0.x subnet (same as the LAN of OPNsense) that were having issues. That and my port forwarding.

Of note, I set the dual WAN to failover, then I unplugged it and deleted the interface, then I reformatted and didn't plug it in or configure it, taking any chance of hairpinning, split sessions etc. off the table.

I've attached screenshots of the gateway and route I configured.

Quote: I have 2 Wan links and a couple subnets behind a routed switch.

I overlooked that one. Sorry, I apologize.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 19, 2024, 04:32:30 PM
Quote: I have 2 Wan links and a couple subnets behind a routed switch.

I overlooked that one. Sorry, I apologize.

Absolutely no worries at all. I sincerely appreciate you jumping in and trying to help!! I've got a post on Reddit up for 3 days with 1100 views and not one reply haha, so I appreciate your assistance. I'll report back once I've zapped the config and reinstalled.

Just to restate, I'm only going to use 1 WAN link to start with and test with that first before doing anything else, then move on to port forwarding, then to internal routing, then to 2 WAN links if all goes well. Is that order appropriate for testing?

Pretty much so. Good luck.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Ymebp1991 on August 19, 2024, 03:58:14 PM
Things I need by default:
Internal 10.0.0.0/16 networks

Well, no, you do not need any such things at home at all. 65K devices is just pure BS. Back to the drawing board.

Quote from: doktornotor on August 19, 2024, 06:33:04 PM
Quote from: Ymebp1991 on August 19, 2024, 03:58:14 PM
Things I need by default:
Internal 10.0.0.0/16 networks

Well, no, you do not need any such things at home at all. 65K devices is just pure BS. Back to the drawing board.

You are correct, need and want are different, I will agree with you on that. However, want ... I have IP cameras and my kids have Minecraft servers, I want them on different subnets to better control who has access to my IP cameras. Do I need a /16? No, but ... they are free and it makes my life a little easier managing this little zoo of a network I have.

That internal gateway - is that a managed switch? Once you got the basics settled, you might want to investigate VLANs and how to use OPNsense as the internal router instead. But first things first.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

That may have been because I wasn't using DHCP; I had to check the box to use Unbound and the firewall for DNS. I may need to set one up in "simple" mode to see what I get. I usually think that people going for this kind of firewall will be configuring a few settings manually.