Maybe Outbound NAT issue??? OPT1 and OPT2 ports not working.

[Gemneye]

I am running OpnSense 24.7.1 (with all the latest updates) on a Protectli Vault FW4C (4 NIC ports).

I am running Unbound with DoT support.  I have DHCP server on all ports besides the WAN interface.

I have different /24 networks configured on LAN/OPT1/OPT2 ports.

I have outbound NAT set to automatic.

I am trying to plug a wireless access point (DECO5 in bridge mode) into OPT1.  I have also tried it in OPT2 for testing purposes.

The DECO5 device gets assigned an appropriate IP address on the network, and all wireless devices connecting to DECO5 are assigned appropriate IP addresses. Still, none of them have internet access through the WAN port.

The logs appear to indicate that all DNS requests get blocked.  The firewall logs have a ton of blocked messages all trying to get to DNS servers on port 853.

I thought this configuration would use the LOCAL DNS server (for everything connected on a network), and only things that were not locally cached in Unbound server would need to be looked up. I assumed all those requests would originate from the firewall (not connected clients).

If I plug the same access point into LAN port everything works as expected.  As far as I can tell all the interfaces have been assigned and enabled.  All three interfaces are set up the same way as far as having a static IP with a .1 address, and DHCP server running on each network.

The automatic outbound NAT looks like it includes all the interfaces in its automatic rules.

So I am not sure why LAN network works as expected, but OPT1 and OPT2 networks do not.

I have seen other posts about outbound NAT, but not necessarily with my same configuration with DNS.

Is there something different with the OPT(x) interfaces that I am overlooking?

[doktornotor]

I would say you did not configure any firewall rules on those OPT interfaces...

[Gemneye]

Are there automatic rules that get configured for LAN that do not exist for OPT1 and OPT2, since everything connected to LAN works as expected?  Unbound is configured to listen on those 3 interfaces.  I am assuming client DNS requests go to the DNS server (UDP port 53 to the .1 interface for each network, and would not require a firewall rule).  I assume DNS requests that are not found in the local Unbound cache go out to the internet over TLS on 853.  I assume this connectivity is covered by automatic outbound NAT rules.  If my assumptions are correct, I do not understand where the firewall rule is necessary.

[doktornotor]

You need to allow outgoing traffic on any other created interface except for the default LAN. No rules => no traffic.