[NOOB]. Lost all internet connection/ping [SOLVED] Source network match interfac

[MarieSophieSG]

Bingo !
I totally forgot to add the DHCP lease on top of setting up the interface /24
IGC0_ETH1_Switch1 (front office) 192.168.101.101/24 DHCP 192.168.101.102-192.168.101.122
IGC2_ETH3_Cisco    (front office) 192.168.102.101/24 DHCP 192.168.102.102-192.168.102.122
IGC3_ETH4_Switch2 (back office) 192.168.103.101/24 DHCP 192.168.103.102-192.168.103.122

I know can access the WiFi router (AP, no DHCP) on 192.168.102.102 from 192.168.101.107

Getting closer !!
Now time for a full backup before I start messing around again ....
Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?

[Patrick M. Hausen]

Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?

I don't understand. Navigate to System > Configuration > Backups and download the configuration. With "Do not backup RRD data" checked typical size is way under a megabyte.

Configuration is all you need - reinstall, restore config, done.

What are you using to backup?

[MarieSophieSG]

Original backup is about 1.7GB, but when I do a manual BU it's only 13MB, is it normal ?

I don't understand. Navigate to System > Configuration > Backups and download the configuration. With "Do not backup RRD data" checked typical size is way under a megabyte.

Configuration is all you need - reinstall, restore config, done.

What are you using to backup?

Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obvioulsy- absolutely normal to have a much much smaller file than the original one
Thank you !
Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U

[Patrick M. Hausen]

Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obvioulsy- absolutely normal to have a much much smaller file than the original one
Thank you !

I doubt there will ever be a 1.7G config backup file, so what *did* you backup?

Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U

And again I do not understand - the point of the config backup is to download it from the firewall and place it on your laptop or your file server or a USB drive stored in the safe, whatever. Then if the boot drive of OPNsense fails or you mess up badly: reinstall, connect laptop to LAN, find UI at 192.168.1.1, import config, done.

[MarieSophieSG]

Oh ! yes, of course, silly me .... only the config file, not the entire system ! haha ...
OK, so it's -obvioulsy- absolutely normal to have a much much smaller file than the original one
Thank you !

I doubt there will ever be a 1.7G config backup file, so what *did* you backup?

My mistake, it's not a backup (as named in the GUI) but a snapshot.
First one "RN", mounted and active is 1,7GB,
Second one (manual) is 12,9MB
Third one is (manual) is 87,4MB

Yet again .. as I do the B-U locally, if I reinstall, there won't be any B-U available anymore, these would only work in case of Default-Reset, and then restore B-U

And again I do not understand - the point of the config backup is to download it from the firewall and place it on your laptop or your file server or a USB drive stored in the safe, whatever. Then if the boot drive of OPNsense fails or you mess up badly: reinstall, connect laptop to LAN, find UI at 192.168.1.1, import config, done.
[/quote]
Yes, once again you are absolutely right, I just didn't get to this, I have the BU set to keep several records as I keep messing around and often need to revert locally, but I haven't go as far as download it ... now it's done, I have the latest on my Laptop1, and as soon on my Laptop3 (just in case)

Sorry for the confusion  :-[

[MarieSophieSG]

One last post on this thread (I hope !)

All LAN are stock, FW rules stock (copied from LAN1) DHCP on, etc ...

LAN1 has access to the internet, LAN2 and LAN3 don't.
LAN1 192.168.101.101/24; DHCP 192.168.101.102-122
Laptop1 static 192.168.101.102
LAN2 192.168.102.101/24; DHCP 192.168.102.102-122
Cisco WiFi AP (bridge) static 192.168.102.102, no DHCP
Three devices connected, they all get an IP from 192.168.102.103-122 range, but no internet
LAN3 192.168.102.101/24; DHCP 192.168.103.102-122
Laptop3 static 192.168.103.102 but no internet

What am I missing again ? should I do a bridge between all three LAN (that's how I got them Internet last time I think ?)
Or a port forwarding or a special NAT or something ?
I'm sure it's once again something obvious, right in my face, but I just can't find it and I'm afraid to break my LAN1 cnxion again ...

[Patrick M. Hausen]

No bridge unless you want them all to become a single interface - which you said you don't.

Can you check if the devices in e.g. LAN2 get the proper netmask and default gateway in addition to their IP address?

Assuming both are correct (255.255.255.0 and 192.168.102.101, respectively), next check if they have 192.168.102.101 as their DNS server.

If that is correct, too, from one of the devices try:

- ping 192.168.102.101
- dig/nslookup/whatever they use google.com

Last show that cloned firewall rule for LAN2, please.

[MarieSophieSG]

Once again, TY for saving me before the mess ... no bridge !

These are Wireless only device, mostly Android, I'm not sure how to perform most of the cmd required, but as I disconnect and "forget" network and reopen WiFi and let them "discover" network and re-connect and it asks me a password and get the IP.

But the blackberry (LAN2 through WiFi AP) has 150Mbps on the 5GHz
IP  :  192.168.102.104
GW: 192.168.102.101
SubMask 255.255.255.0
DNS: 192.168.102.101
and an IPV6 address
Everything looks normal

Laptop3 on the LAN2 (WiFi) has 300Mbps
IP  :  192.168.102.105
GW: 192.168.102.101
SubMask 255.255.255.0
DNS: 192.168.102.101
and an IPV6 address
Everything looks normal
Can ping 192.168.102.102 (router), but not 192.168.102.101 (LAN2)
nslookup 8.8.8.8 timed out
Server unknown
address 192.168.103.101

Laptop3 on LAN3
IP  :  192.168.103.102
GW: 192.168.103.101
SubMask 255.255.255.0
DNS: 192.168.103.101
and an IPV6 address
Everything looks normal
Can not ping 192.168.103.101 (nor any other IP of the network)
nslookup 8.8.8.8 timed out
Server unknown
address 192.168.103.101

[Patrick M. Hausen]

There are automatic rules in place enabling DHCP and SLAAC so address acquisition works. If the laptop on LAN2 and LAN3 cannot even ping your firewall's addresses in these LANs, it's probably the firewall rules.

So please share them. Screen shots. Thank you.

[MarieSophieSG]

IGC0 ETH1 LAN1 (Front Switch)


IGC2 ETH3 LAN2 (WiFi)


IGC3 ETH4 LAN3 (Back switch)

[Patrick M. Hausen]

You have the source network from LAN1/igc0 in the rules for LAN2 and LAN3 - you need to change these source definitions to the objects matching these interfaces ...

[MarieSophieSG]

You have the source network from LAN1/igc0 in the rules for LAN2 and LAN3 - you need to change these source definitions to the objects matching these interfaces ...

Tadaaahhh !!
Such a tiny detail so easy to forget/oversee ...

For those who read this thread because being in the same situation:
By default, OPNsense does everything needed for WAN and LAN one (Default rules)
Including the very important "Allow all" at the bottom of the list, after the "automatically generated rules"
When you enable another interface LAN2, you have to give it an IP (for the interface) which is NOT in the same range LAN1 is
i.e: If your LAN1 was set to 192.168.1.1/24
Then your LAN2 can NOT be 192.168.1.2/24 (as then both would have the same DHCP pool)
=> it must be 192.168.2.1/24
Once you have set this IP, you have to enable DHCP for this interface (search DHCP in the search bar oe go to "services" then "ISC DHCPv4" and select your interface) i.e: 192.168.2.1-192.168.2.10
Then you have to copy the last two rules at the bottom of the list of LAN1 (assuming LAN1 is working)
In these two rules, you have to change the source as the copy from LAN1 doesn't adapt automatically to the new interface.
The corrected rule must have same interface (ie: LAN2 => LAN2) in the "Interface" section and in the "source" section. choose the "net" one, not the "address" one
In Firewall, Rules, LANx (or OPTx, or whatever the name you gave it)

My tablet, printer, phone (LAn2, WiFi) and Laptop3 and Laptop4 and printer (LAN3, switch2) are all connected,
Wow, such a grant help, thank you, thank you ! especially @Patrick

[erica.vh]

Thank you for the run-up conclusion of this post, I was about to ask the same question !