[NOOB]. Lost all internet connection/ping [SOLVED] Source network match interfac

[MarieSophieSG]

This post is in the Tutorial section, puposedly labelled [NOOB] I hope it will help some of you to follow my newbe adventure through simple setup try and errors !

Hi,
After messing around for couple of days as I still couldn't get my WiFi router to work properly on LAN2, I decided to do a full reinstall
Backhoe lab table, screen+keayboard, reinstall from USB (the same first time)
Set up the four ETH (Wan, Lan1,2,3)
Set up full-traffic rules (to start) on all four interfaces

Now I have complete acces to the WiFi AP, but Not longer have any access to the outside !
Pings from laptop1 (on Lan1) Laptop2 (Lan2, direct and through WiFi AP) and Laptop3 (Lan3) nothing
Pings from OPNsense, nothing
I have a public address from my ISP though
NAT is left stock (auto) and FW are default too (except the added: "allow all to/from all for IPv4&v6)
I even tried with FW disabled, no avail

What's your first thought?  (Besides annoying nwebe..)

For those who wonder, I posting from my cell ... :-\

[MarieSophieSG]

NAT outbound is default:
WAN; source all LAN+ 127.0.0.0/8 to NAT address WAN dest.Port 500 with static address (auto created for ISAMP)
WAN; source all LAN+ 127.0.0.0/8 to NAT address WAN dest.Port * w/o static address (auto created)

I just switched to "hybrid" and created a manual one:
WAN,  any source, any port, any, any, any NAT address, any NAT port, still no cnxion

[cookiemonster]

I suggest start again and begin with a known good configuration. That is default selection of WAN and LAN will have the automatic rules that block all in unsolicited & allow all out, as if it was a consumer router.
Because from

Set up full-traffic rules (to start) on all four interfaces

Now I have complete acces to the WiFi AP, but Not longer have any access to the outside !

Nobody can guess what those rules are that then what follows

now I have complete acces to the WiFi AP, but Not longer have any access to the outside !

is impossible to guess.
As you are progressing in your learning and setup, may I suggest to start keeping a diagram of your setup. You can then share if you want when you ask and it'll be easier for you and everyone to figure out what needs to be done.
P.S. the AP should be like any other device. It connects to a port on your router somehow; directly or via a switch, and then it becomes part of that network and subject to its rules.

[MarieSophieSG]

I suggest start again and begin with a known good configuration. That is default selection of WAN and LAN will have the automatic rules that block all in unsolicited & allow all out, as if it was a consumer router.
Because from
As you are progressing in your learning and setup, may I suggest to start keeping a diagram of your setup. You can then share if you want when you ask and it'll be easier for you and everyone to figure out what needs to be done.
P.S. the AP should be like any other device. It connects to a port on your router somehow; directly or via a switch, and then it becomes part of that network and subject to its rules.

TY
Apparently I wasn't clear enough, sorry
It's all default! No need to guess, I just reinstalled !
and let the auto-created rules play
And Even deactivated the FW (no change)
The only rule I created after re-enabling the FW were
A Nat allowing all to all
And for each interfaces à all-to-all (which I call full access) IN and OUT, both v4&v6
Meaning no restriction stall, besidides the auto-created ones

Can ping internally in every direction, even reach my WiFi router AP
And I have public address
But no cnxion

Where do I need to go to see the tentative traffic, to guess where is fails ?

[MarieSophieSG]

The ping job I've left running is saying: "send: no route to host"

[pfScrub]

Are you behind isp gateway? Is DHCP enabled? Are you getting arp from WAN side entities?


Sent from my iPhone using Tapatalk

[pfScrub]

if you have static IPs do they all have fqdns and acme certs? If you are using your isp's static IP, maybe try and match their domain to yours and use dnsmasq with their servers if you have no need of nginx?


Sent from my iPhone using Tapatalk

[MarieSophieSG]

I was hopping to not have to unplug everything and revert to were it was 2d ago,
So I got my Puutty ready and did a "factory default" through the OPNs menu ... it did get its 192.168.1.1 alright, and disabled about everything, including DHCP and SSH, so ... no way to reconnect to it, so I went to bed and now I'm waiting for my parent to wake up so I can access the technical room to get the RS39 out to the test bench ...

[MarieSophieSG]

Are you behind isp gateway? Is DHCP enabled? Are you getting arp from WAN side entities?


Sent from my iPhone using Tapatalk

The FW box (RS39) was plugged straight to the ISP MoDem (hence me saying I get the Public IP) and the WiFi router was plugged to LAN2 192.168.102.101 in AP/Bridge (no DHCP, fixe 192.168.102.102/24)

Now back to square one, the Cisco router is plugged to the ISP MoDem, with DHCP on,
The RS39 is plugged to LAN1 192.168.102.107 of the WiFi router
Laptop1 is plugged to RS39 LAN1 192.168.101.101 and get 192.168.101.102 and access the GUI no problem
DNS are temp. Set to 8.8.8.8 and 8.8.4.4, nothing esle has been changed (no "allow all" rule in the FW)

But the old router, which previously was accessing the internet without much problem, is not longer accessing it ... that would explain it all, but I'm now in a much bigger problem if I fried the house internet !

[MarieSophieSG]

Back to RS39, ISP mdm plugged to WAN, laptop1 plugged to LAN1
GUI access ok,
No public address
Restart the modem
I have a 192.168.100.1 WAN IP, that's not right
Restart
Ok, now I have a public address
RS39 ping ggl:  217packets 0% loss

[MarieSophieSG]

if you have static IPs do they all have fqdns and acme certs? If you are using your isp's static IP, maybe try and match their domain to yours and use dnsmasq with their servers if you have no need of nginx?


Sent from my iPhone using Tapatalk

Even though it seems to be always the same public IP, I've left the WAN to DHCP

[MarieSophieSG]

Since ping is fonctionnal, now starting to tweak and add rules

Set DNS to my server of choice,
Re-ping,
Set "allow all" rules in FW for both (floating) WAN and LAN1
Will see ...

[MarieSophieSG]

That's weird !
Even before changing the DNS and such,
I've opted the "Enables local gathering of statistics." in Reporting:Settings and hop ! Internet came up all the sudden !
Before that, I've set a floating rule "allow all"  (from all to all, IPv4&v6) from/to all ports) but it didn't bring the internet
So now, LAN1 has access to Internet, time to bring back LAN2 and LAN3

BUT before that: Update and add plugins ...

[MarieSophieSG]

Update done, now running 24.7.5-amd64 and lost internet again

I still have a WAN public IP,  but no internet traffic and ping (from the box) shows some packet lost

But i still have access to update and plugins download, so the box has access to the outside, just not (no longer) LAN1 after updating 27.7.4 => 27.7.5

Edit: ssh to console to option 13 revert, but the oldest of the 18 still has the update in, so I guess I have to unpluge it all and go back to the workbench to reset again ?
Unless you have an other idea ?

[Patrick M. Hausen]

Show your rules on LAN1 and your outbound NAT configuration, please.