Blocking/Allowing InterInterface Traffic

Started by t84a, April 12, 2025, 09:08:31 PM

Quote from: meyergru on May 07, 2025, 09:46:30 PM
Do the clients get their IPs and netmasks plus DNS server via DHCP? Your phone being connected via WiFi does not show if it has an IP/netmask or if it can resolve DNS.

Yes

May 07, 2025, 10:10:27 PM #16 Last Edit: May 07, 2025, 10:24:31 PM by meyergru
If that is true, I don't know what could be wrong. You say:

a. The interfaces are set up correctly with an IP and an RFC1918 network/netmask. None of these ranges overlap. You did not block bogons or RFC1918.
b. The clients are configured via DHCP and they get an IP in the correct range with the correct netmasks and gateway and you have verified them to get these.
c. They also can resolve names via DNS (which is strange considering the same firewall rule is used to DNS access and outbound traffic).
d. NAT is set to automatic, which should be just fine, unless your routing is broken because of wrong gateways or netmasks.
e. Outbound firewall rules "allow all" are in place. There are no overrides in the floating rules.

Yet no external IP can be reached, effectively no rules seem to match, which is why the default deny all rule blocks traffic.

I would go over each and every of these settings again, if I were you, because something does not add up.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

This thread is not focused (1 interface, then another). We might want to concentrate on one use case, fix it, then move on to the next.

A few observations:
O1: The OP indicated 2 WAN interfaces. Multi-WAN is its own can of worms. Is it currently used?
O2: The rule in post #8 does not have logging enabled. It won't show up in logs.
O3: The screenshot in post #11 looks like accessing the Wi-Fi hotspot of the camera. Is that the case?
If your phone is connected to it, what's surprising here? It's entirely between the camera and the phone, isolated from everything.
O5: This kind of FW output is difficult to interpret without context. You should know what the local IP maps to (a camera?).
The destination seems to be an AWS EC2 node. Is there a website you can connect to to view what your camera is streaming?
How was this setup? Reply traffic would imply a Port Forward from your FW to the camera. Does that exist?

I have 3 interfaces.  LAN1 I want full access to LAN2 and LAN3.  LAN2 and LAN3 should be set up identically so they can access the internet only and specifically not be able to access LAN 1.

O1. I have 2 WAN ports but only one connected.  I have T Mobile as a backup provider but it's metered so I don't want to connect it until I figure out WAN Failover.  In Untangle, it was simple and automatic.
O2. I enable logging by clicking on it and Apply.  It resets.  Why?  I have no idea.  You had me enable logging before. Post #9 shows blocking.
O3. Not a hotspot, an access point connected to OPNSense.  That access point is wired to Port 3.
O5. I'm not sure that matters.  When I connect to LAN2 or LAN3 from my PC, I get no internet access unless I put in a rule for Pass All.

OK, let's sort out outbound first on either LAN2 or LAN3, then reproduce on the other.

If you can, let's keep the Wireless AP out of the loop for now. We can add it when wired works.

It looks like you've established that a pass all works. That's something.
OTOH, it doesn't match your requirements (you want Internet only). Let's fix that.
That's precisely what the 2 rules in reply #2 should achieve.
Is the alias you use similar to the one I showed in reply #7?

If you still have issues, show the resulting rules from your side, for the interface you choose to fix first.
A screenshot from the interfaces > overview can't hurt either (you can blank out the public IPs). We can double-check IP ranges.
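The "internet only" rule pattern discussed above (block RFC1918 destinations, then pass everything else), modelled as a first-match evaluator. This is an added example, not code from the thread or from OPNsense; the LAN2 interface address 192.168.2.1 and the contents of the RFC1918 alias are assumed. It also shows why a client whose DNS server is the firewall itself loses name resolution unless a pass rule for DNS sits ahead of the block.

```python
import ipaddress

# Constructed values for the three-LAN setup in the thread (assumptions).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN2_GW = ipaddress.ip_address("192.168.2.1")  # assumed LAN2 address, also the DNS server

# Matchers take (destination address, destination port) and return True on a hit.
def private(dst, port):
    """Destination is inside the RFC1918 alias."""
    return any(dst in net for net in RFC1918)

def any_dst(dst, port):
    return True

def dns_to_firewall(dst, port):
    """DNS (port 53) to the interface address of the firewall itself."""
    return dst == LAN2_GW and port == 53

# Rule sets as (action, matcher) in the order they appear on the interface tab.
INTERNET_ONLY = [("block", private), ("pass", any_dst)]
INTERNET_ONLY_WITH_DNS = [("pass", dns_to_firewall), ("block", private), ("pass", any_dst)]
PASS_ALL = [("pass", any_dst)]

def evaluate(rules, dst_ip, port):
    """Return the action of the first matching rule; no match means default deny."""
    dst = ipaddress.ip_address(dst_ip)
    for action, matcher in rules:
        if matcher(dst, port):
            return action
    return "block"

if __name__ == "__main__":
    for name, rules in (("INTERNET_ONLY", INTERNET_ONLY),
                        ("INTERNET_ONLY_WITH_DNS", INTERNET_ONLY_WITH_DNS),
                        ("PASS_ALL", PASS_ALL)):
        for dst, port in (("8.8.8.8", 443), ("192.168.1.10", 445), ("192.168.2.1", 53)):
            print(f"{name:24} {dst}:{port} -> {evaluate(rules, dst, port)}")
```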

I suggest if you don't mind me intervening, to clear one or two steps behind. To basics. (Sorry Eric to interfere)
meyergru has tried but the responses have only implied an answer. Not that clear that those basics are correct.
I'm referring to each interface being setup as we expect it. Has a valid range and dhcp setup.
OP - can you confirm the IP ranges of each interface (that would save having to show screenshots). And that each has dhcp setup, and DNS enabled also on each.
Thinking is that the right rules will be set as per the latest suggestion from EricPerl but they won't be of much use if these settings aren't yet correct.

I interfere here and there too. No issues with me. With many of us in different time zones, I don't mind when someone takes over. I'm about done for a while...
I was hopeful wrt IP ranges and DHCP because of this:
Quote from: t84a on May 07, 2025, 10:42:55 PM...
O5. I'm not sure that matters.  When I connect to LAN2 or LAN3 from my PC, I get no internet access unless I put in a rule for Pass All.
In all fairness, I asked for a screenshot because one recent "long" thread ended with an erroneous /16 and the OP didn't know it was wrong...

Nothing jumps at me on the IPv4 front, apart maybe from routes on WAN. I expected to find one entry for the local subnet, but it's probably in the collapsed part.
Is there any significance to the IP we see there?

I have no direct experience with IPv6.
Given the existence of "Prefer IPv4 even if IPv6 is available" in settings, I assume the default is IPv6.
It would be a shame to troubleshoot v4 if v6 is used.

May 08, 2025, 07:26:28 AM #25 Last Edit: May 08, 2025, 07:28:23 AM by meyergru
This is no "interfering" and I don't mind: I am at a loss to what causes this and you are correct in questioning the basics here (as I did as well). Any ideas are welcome.

1. I think we focus on internet connectivity on all three LANs before blocking any inter-VLAN traffic. But we have been shown two firewall rules only, one allowing all traffic and an RFC1918 alias, which seems to be unused?

2. The WAN and Loopback routes are collapsed and those look strange to me: The default route 108.166.149.2 is not the gateway 173.20.240.1. Yet, with LAN1 reported working, it seems to work.

3. IPv6 seems unconfigured apart from link-local IPs, but could be a problem anyway, it should be deactivated completely, also in the interfaces global settings. The "Prefer IPv4 even if IPv6 is available" should be set in this case.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

thanks chaps.
- ipv6 - maybe "IPv6 Configuration Type" is set to something other than "none" in each interface. If ipv6 not used, it should be changed to "none".
- Gateway != default route : I wonder if gateway priorities have been set, after all this seems a partially-setup multiWAN set. Odd nonetheless.
So in sum, agree with a topsy turvy as we call them in England, an odd set of settings.
So my humble opinion, if the OP wants an educational exercise why it does what it does, this might be long haul.
If instead wants to make it functional, I suggest to the OP to start from scratch with the as you say, focusing on inter-interface and desired internet access, leaving multiWAN well alone from it, IPV4 only.

I really appreciate everyone's help.  I guess I can take some small comfort that there's something bigger going on.  I set it back to Pass All and everything works.  I disabled the other WAN interface first to see if that would fix it and it did not.  Maybe if I get some time, I'll put the Untangle hardware back on and reinstall OPNSense on my Protectli box and start over although my configuration is really just out of the box settings.  Thanks again for all your help.

If anything pops up and you want more screenshots, please post.

Just a thought. Does a log exist that tracks every change that I made to any configuration?

You can compare the differences between any of your last configurations via System: Configuration: History.

What do you mean by "I set it back to Pass All and everything works."? You only showed one firewall rule to that extent here. We were chasing ghosts here if that was not the only rule and you did not have internet access with that.

If it was not the only manual rule on that interface, then please show all interface rules. As I wrote, your first goal should be to enable internet access from all interfaces, then block specific inter-VLAN traffic without losing internet access.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+