ISP Blocking your OPNsense

Started by Prominent5335, April 22, 2025, 01:34:08 AM

I just moved to a new ISP.
If I connect a computer or a switch to their router, everything (all my computers) works.
But if I connect my OPNsense router to one of the ports of the ISP router (IP: 192.168.1.254) and try to connect through it, it does not work.
I had my internal network on the same network range, so I thought there was some routing interference. So I switched the OPNsense internal IPs to the 10.10.10.x range.
I still got the same issue.

Can anyone give any suggestions on how to troubleshoot it?

My thought is that they might be blocking DNS resolution to other providers on the Internet except their own (that is my suspicion, as Windows troubleshooting is complaining about a DNS caching issue).

If the WAN of OPN is on a private network (given the RFC 1918 IP), then you need to uncheck 'Block private networks' and 'Block bogon networks' on Interfaces > WAN.
Save and apply.

You indeed can't have overlapping ranges on interfaces.
After you apply that change, devices on the LAN need to get new IPs.
It will happen over time. You can accelerate by unplugging the network cable for a moment (or disable/enable interfaces on the devices).

Troubleshoot from OPN first. Verify it got an IP on WAN. Check connectivity via Interfaces > Diagnostics > Ping. Then check DNS in the same area.
When that's fine, move on to basic tests on your Windows client on the LAN.

April 22, 2025, 09:05:15 AM #2 Last Edit: April 22, 2025, 09:07:34 AM by meyergru
Plus, in a router-behind-router configuration, you will either have to:

1. Be able to install a route to the network behind your OPNsense (10.10.10.x) in your ISP router. Otherwise, it does not know where to send the packets back to your clients.

2. Or, configure outbound NAT on your OPNsense to "hide" the 10.10.10.x client network behind its ISP-network IP (192.168.1.254).

The first method often is infeasible, the second has drawbacks once you want to open ports for services (you must open them on both routers to work). That is why router-behind-router setups are discouraged: They are complex to manage.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
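The two answers above boil down to three checks on a router-behind-router setup: the LAN range must not overlap the upstream subnet, an RFC 1918 WAN address will trip the "Block private networks" rule, and without a route on the ISP router the LAN network has to be hidden behind the WAN address by outbound NAT. The following Python script is an added example (not from the original posts and not OPNsense's own code) that models those three points with the standard `ipaddress` module. All addresses in it are constructed: the OPNsense WAN address `192.168.1.10/24` and the upstream router `192.168.1.254` are assumptions matching the thread's layout.

```python
import ipaddress
from dataclasses import dataclass, replace

# RFC 1918 private ranges; OPNsense's "Block private networks" WAN rule
# drops inbound WAN traffic whose source falls in one of these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if the address lies inside any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def preflight(wan_iface: str, lan_net: str, block_private: bool = True) -> list[str]:
    """Check a router-behind-router setup for the two problems raised in the thread.

    wan_iface: OPNsense WAN address with prefix length, e.g. "192.168.1.10/24"
               (constructed value for this example)
    lan_net:   OPNsense LAN network, e.g. "10.10.10.0/24"
    Returns a list of findings; an empty list means nothing to fix.
    """
    wan = ipaddress.ip_interface(wan_iface)
    lan = ipaddress.ip_network(lan_net, strict=False)
    findings = []
    if wan.network.overlaps(lan):
        findings.append(f"LAN {lan} overlaps WAN subnet {wan.network}; renumber the LAN")
    if block_private and is_rfc1918(str(wan.ip)):
        findings.append(f"WAN address {wan.ip} is RFC 1918; "
                        "uncheck 'Block private networks' on Interfaces > WAN")
    return findings


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def outbound_nat(pkt: Packet, lan_net: str, wan_addr: str) -> Packet:
    """Model OPNsense outbound NAT (option 2 in the thread): a packet leaving
    from the LAN network gets its source rewritten to the WAN address, so the
    ISP router can answer without holding a route to the LAN network."""
    lan = ipaddress.ip_network(lan_net, strict=False)
    if ipaddress.ip_address(pkt.src) in lan:
        return replace(pkt, src=wan_addr)
    return pkt


def wan_rule_drops(pkt: Packet, block_private: bool) -> bool:
    """Model the 'Block private networks' WAN rule on an inbound WAN packet.
    With the rule enabled, anything from an RFC 1918 source (such as a DNS
    answer from the upstream router at 192.168.1.254) is dropped."""
    return block_private and is_rfc1918(pkt.src)


if __name__ == "__main__":
    # The original layout: LAN on the same range as the ISP router.
    for line in preflight("192.168.1.10/24", "192.168.1.0/24"):
        print("finding:", line)
    # After renumbering the LAN, only the private-WAN finding remains.
    for line in preflight("192.168.1.10/24", "10.10.10.0/24"):
        print("finding:", line)
    out = outbound_nat(Packet("10.10.10.20", "198.51.100.5"), "10.10.10.0/24", "192.168.1.10")
    print("after NAT:", out)
    reply = Packet("192.168.1.254", "192.168.1.10")
    print("DNS reply from ISP router dropped with rule on:", wan_rule_drops(reply, True))
    print("... and with rule off:", wan_rule_drops(reply, False))
```

Running the script with the original layout reports both the overlap and the private WAN address; after renumbering the LAN to 10.10.10.0/24 only the private-WAN finding remains, which is exactly the pair of changes the thread ends on. The NAT model shows why the "hide" option works even though the ISP router has no route back to 10.10.10.x: every packet it sees carries the OPNsense WAN address as its source.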

It worked after following your suggestions:
Changing the IP range of my OPNsense router for the LAN network.
Disabling "Block private networks" and "Block bogon networks" on the WAN interface.
Thank you all for your quick and swift answers.