No internet access after upgrading to 25.1, but VPN Server can be accessed

Started by dkrausahma, February 02, 2025, 09:32:02 AM

Hi all,

I just upgraded from 24.x to 25.1 and am now seeing that I do not have any outgoing internet access anymore. Not from any machine in the LAN nor from the opnsense machine itself via console. I have a VLAN interface sitting on the WAN interface. Funny enough, I have a VPN server running on OpnSense and I can access it without any problems from outside. Also netshares on systems in the LAN are possible once I connect to the VPN Server. But every outgoing traffic is not possible. I run into timeouts. So it seems to be a configuration issue and not a hardware issue. I did not see any required manual settings in the release notes that would be required after upgrading and in the past all updates ran very smoothly with everything back online once done.

I do not really see any hints in the log file (except issues that are bound to the fact that outgoing traffic is not possible) but then again I am not highly familiar with opnsense. Any hints where I should turn my attention?

Any help much appreciated, thanks.

D.


Yes, that was my first hope, that it could be a DNS issue. But ping does not work, as long as it is running against an external resource.

Both WAN and VLAN interfaces have their respective IP addresses (which is of course expected since I can access the server from outside via VPN).

Nice image, btw.

D

To add to this:

When doing a ping 8.8.8.8 I also see the proper entry in the Firewall Live view even though the ping does not come to an end.

So, I checked the firewall rules and they all look fine. As can be seen in the live view the ping is passed.

I also checked the gateways after reading about a similar issue somebody had with an earlier release upgrade. I did set the VLAN and WAN interface explicitly to "Upstream Gateway" but this did not change the behaviour. I still cannot access the internet, not from the LAN nor from the firewall host itself.
 

You said something in your original post that made me pause - "I have a VLAN interface sitting on the WAN interface". I thought it was just a choice of words, but now you say "I did set the VLAN and WAN interface explicitly...", so I'm again wondering how your WAN interface is configured. You should not have a VLAN interface "sitting on" your WAN interface. If your ISP requires a VLAN tag, you should have configured a VLAN with your physical NIC as the parent, and assigned that VLAN *as* your WAN interface. I'm wondering if you have somehow two interfaces that are trying to act as WAN. How, exactly, are your interfaces configured?

Thanks for your response.

I suppose it was my (wrong) choice of words. My ISP requires a VLAN tag which I configured under devices/vlan (vlan config.png). It requires the WAN NIC (em0) as parent.

In the gateway section (gateways overview.png) I am able to select both of the gateways and activate the "Upstream gateway" to give it more priority. I also changed the priority number from 255 to 254 assuming that this will make OpnSense use those. Since this did change anything I restored it back to the initial configuration done by OpnSense. Which has been working for quite some while now.




I believe that's your problem. You appear to have both the physical NIC (em0) and the VLAN (vlan01) configured with IP addresses. em0 should not be assigned to an interface that has IP configuration. You may not need it to be assigned at all (only if you need to set some parameters at the NIC level). Only the interface to which vlan01 is assigned should be configured for IP, and there should be only one gateway. (unless you have some really obscure ISP setup....)

Hi dseven,

I trust your recommendation, however this setup has been running since 2019. 4 NICs (wan, lan, wifi and DMZ, even though the last is not used). Additionally we have a running VPN Server to access the network from outside and which I am doing right now. And the network itself is part of a Site2Site VPN, thus an additional OpenVPN Client interface. In 2021 I had to add the VLAN configuration. When creating a VLAN it requires me to specify the parent interface, so naturally I took WAN (which was configured for IP). Ever since then I see two different IP addresses for the WAN and the VLAN interface. However the VLAN interface is the one that is visible to the outside world, or said differently: When I do a "curl http://ifconfig.me" I see the VLAN IP.

Not being a network guy I tend to follow your advice (so going into the WAN interface configuration and changing "IPv4 Configuration Type" from DHCP to None). That is what I understand, or?

However, as said, the current setup has been running for years and I have done several OpnSense updates. And there were never any issues. After rebooting it just worked out of the box.

I will give it a try, though.

Thanks.

I'm not sure which interface you're referring to when you say "WAN" - you should change the IPv4 (and v6) configuration type for the interface associated with em0 to "None", and delete the gateway associated with that interface. The interface associated with vlan01 should be configured as your ISP requires....

Hi dseven,

It works again, you saved my day!!!
I set the WAN interface (em0) from DHCP to "None" for both, ipv4/6. I removed (actually just disabled) the Gateways for WAN (DHCP & DHCP6) and (while at it) also enabled IPV6 on the VLAN Interface. The Gateway overview now shows the two gateways for the VLAN Interface (DHCP/DHCP6) as active, the two WAN Gateways as "defunct" and I can access the internet again.

I still stick with my "It used to work all the time...." but the problem is solved. I can now access the Internet and have the good feeling that the messy setup with VLAN and WAN both configured for IP has been properly cleaned up so that only VLAN is configured for IP.

Again, thanks a lot for your support.

Best,
D.
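
The misconfiguration resolved in this thread (a physical NIC and a VLAN on top of it both assigned with IP configuration) can be checked for in a configuration export. The following is an added example, not part of the thread and not OPNsense code; the XML layout is an assumed, simplified one modelled on a `config.xml` export, and the sample values other than `em0` and `vlan01` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an assumed, simplified OPNsense-style layout.
# Device names em0/vlan01 come from the thread; tag 7 and em1 are made up.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>em0</if><descr>WAN</descr>
      <ipaddr>dhcp</ipaddr><ipaddrv6>dhcp6</ipaddrv6></wan>
    <lan><if>em1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>vlan01</if><descr>VLAN</descr><ipaddr>dhcp</ipaddr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>em0</if><tag>7</tag><vlanif>vlan01</vlanif></vlan>
  </vlans>
</opnsense>"""


def has_ip_config(iface):
    """True if the assigned interface has an IPv4 or IPv6 configuration type."""
    for tag in ("ipaddr", "ipaddrv6"):
        value = (iface.findtext(tag) or "").strip().lower()
        if value and value != "none":
            return True
    return False


def find_parent_conflicts(xml_text):
    """Return (parent_dev, parent_name, vlan_dev, vlan_name) for every VLAN
    whose parent NIC is also assigned to an interface with IP configuration."""
    root = ET.fromstring(xml_text)
    # Map device name -> assigned interface element, e.g. "em0" -> <wan>.
    by_device = {}
    for iface in root.findall("./interfaces/*"):
        device = (iface.findtext("if") or "").strip()
        if device:
            by_device[device] = iface
    conflicts = []
    for vlan in root.findall("./vlans/vlan"):
        parent = by_device.get((vlan.findtext("if") or "").strip())
        child = by_device.get((vlan.findtext("vlanif") or "").strip())
        if parent is None or child is None:
            continue  # parent or VLAN not assigned: nothing to compare
        if has_ip_config(parent) and has_ip_config(child):
            conflicts.append((parent.findtext("if"), parent.findtext("descr") or parent.tag,
                              child.findtext("if"), child.findtext("descr") or child.tag))
    return conflicts


if __name__ == "__main__":
    for p_dev, p_name, v_dev, v_name in find_parent_conflicts(SAMPLE_CONFIG):
        print(f"{p_name} ({p_dev}) and {v_name} ({v_dev}) both have IP configuration")
```

An empty result corresponds to the state reached at the end of the thread, where only the interface assigned to the VLAN carries IP configuration.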