Please help me make sense

Started by c2k, May 31, 2025, 01:21:16 PM

I'm new when it comes to OPNsense, but not when it comes to firewalls. I'm trying to set up an OPNsense box to replace my current router, which will be relegated to an AP at some point.
I cannot understand how the rules are processed. Despite allowing all the ports (those are floating rules), I am still seeing blocks sometimes on the same bloody port. To my understanding the default block would imply there is no prior rule match, hence the block.

I've used the NAS as an example, but I'm having the same issues with all the devices behind that router.


As the rule description implies, it is also applied to packets with no proper state.

So it could be that the connection was just already closed, when the client sent this packet. If that's the case the client will open a new connection and traffic can flow again. So if you don't have issues with accessing services in your network you can simply ignore this.

I have massive issues, nothing is working properly, if at all, otherwise I wouldn't have bothered :)

From your graphic, it's not even expected that the traffic from the client to the server passes OPNsense. The traffic should take the short way and go directly from the client to the other router.
Is the drawing wrong, or did you add static routes to direct the packets to OPNsense? This would work though.

You should rather connect it this way:
client > OPNsense > other router > server

Well, the gateway for the entire 10.0.0.0/22 is OPNsense, so that's normal. The client traffic goes to the GW (FW), which is where the static route kicks in and points towards the other router.

I am still investigating, but I think you were somewhat correct in your first post with those being "faulty" packets. The issue appears to be that the connection is being closed without the client "knowing".

So, my old router is on 10.0.3.1, and the unreserved DHCP leases go into the same /24 subnet. When I connect to one of those, everything works great.
When I connect via the DHCP reservation, it's an IP in the 10.0.1.0/24 space. I hypothesise that either the /22 mask is not passed from OPNsense to the other router (IP assigned via DHCP reservation) or the router, being your average home stuff, completely ignores it and slaps a /24 mask on.

Quote from: c2k on May 31, 2025, 02:30:26 PM
Well, the gateway for the entire 10.0.0.0/22 is OPNSense, so that's normal.

That's pretty much the same as statically routing the traffic. This leads to asymmetric routing:
packets from the client pass OPNsense, but responses from the server don't.

If you want to run it this way, you have to masquerade traffic on OPNsense. You can do this with Firewall > NAT > Outbound:
interface: LAN
source: LAN net
destination: 192.168.12.0/23
translation: interface address (LAN)
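
As an added illustration (not code from the thread or from the OPNsense project), here is a small Python model of the hop-by-hop reasoning above: each node decides, from its own interface mask and routes, whether a packet is delivered on-link or handed to a gateway, and the two directions of a client-to-NAS flow are traced separately. 10.0.3.1 and 192.168.12.0/23 come from the thread; the OPNsense LAN address 10.0.0.1, the client at 10.0.1.50, the NAS at 192.168.12.10 and the static route on OPNsense are assumptions made for the model. The same model covers the /22-versus-/24 hypothesis from the earlier post and the effect of the outbound NAT rule.

```python
"""Hop-by-hop model of the asymmetric-routing problem (added example, assumed addresses)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Node:
    name: str
    ifaces: list                                  # IPv4Interface: address + the mask this node believes
    routes: dict = field(default_factory=dict)    # IPv4Network -> next-hop IPv4Address
    gateway: Optional[IPv4Address] = None         # default gateway, if any

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        """None if dst is on-link (delivered directly), otherwise the next-hop address."""
        if any(dst in i.network for i in self.ifaces):
            return None
        # longest-prefix match over static routes, then fall back to the default gateway
        for net, nh in sorted(self.routes.items(), key=lambda kv: kv[0].prefixlen, reverse=True):
            if dst in net:
                return nh
        return self.gateway


def trace(nodes, src, dst, max_hops=8):
    """Names of the nodes a packet from src to dst traverses, asking each node what it would do."""
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    cur = by_ip[src]
    path = [cur.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        nh = cur.next_hop(dst)
        target = dst if nh is None else nh
        if target not in by_ip:
            path.append("<unreachable>")
            return path
        cur = by_ip[target]
        path.append(cur.name)
    return path


def build(inner_router_mask):
    """Topology from the thread; inner_router_mask is the mask the old router uses on 10.0.3.1."""
    opn = Node("OPNsense", [ip_interface("10.0.0.1/22")],            # assumed LAN address
               routes={ip_network("192.168.12.0/23"): ip_address("10.0.3.1")})  # assumed static route
    inner = Node("old-router",
                 [ip_interface(f"10.0.3.1/{inner_router_mask}"), ip_interface("192.168.12.1/23")],
                 gateway=ip_address("10.0.0.1"))
    client = Node("client", [ip_interface("10.0.1.50/24")], gateway=ip_address("10.0.0.1"))  # assumed
    nas = Node("NAS", [ip_interface("192.168.12.10/23")], gateway=ip_address("192.168.12.1"))  # assumed
    return [opn, inner, client, nas]


def check_symmetry(inner_router_mask, snat=False):
    """Return (forward path, reverse path, symmetric?) for a client -> NAS flow.

    A stateful firewall only tracks a flow correctly when it sees both directions;
    a reply that bypasses it is exactly what ends up logged as a packet with no state.
    """
    nodes = build(inner_router_mask)
    client_ip, nas_ip, opn_lan = ip_address("10.0.1.50"), ip_address("192.168.12.10"), ip_address("10.0.0.1")
    forward = trace(nodes, client_ip, nas_ip)
    # With outbound NAT on OPNsense's LAN interface the NAS sees the firewall's LAN address as the
    # source, so the reply is addressed to OPNsense (which then un-NATs it) instead of to the client.
    reply_dst = opn_lan if snat else client_ip
    reverse = trace(nodes, nas_ip, reply_dst)
    symmetric = ("OPNsense" in forward) == ("OPNsense" in reverse)
    return forward, reverse, symmetric


if __name__ == "__main__":
    for mask, snat in ((22, False), (24, False), (22, True)):
        fwd, rev, ok = check_symmetry(mask, snat)
        print(f"old router /{mask}, outbound NAT {'on ' if snat else 'off'}: "
              f"{' > '.join(fwd)} | {' > '.join(rev)} | {'symmetric' if ok else 'ASYMMETRIC'}")
```

With the old router believing in a /22 on its 10.0.3.1 side, the reply to 10.0.1.50 is on-link for it and never touches OPNsense; with a /24 it has to go back through its gateway, which matches the observation that only the 10.0.1.x clients misbehave. Turning on the outbound NAT rule makes the reply symmetric regardless of the inner router's mask, which is why masquerading is the robust fix.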

May 31, 2025, 06:28:27 PM #6 Last Edit: May 31, 2025, 06:32:02 PM by EricPerl Reason: Additional info
I assume there's no NAT on the internal router and that OPN is the edge router, right?
If that's the case, traffic from client to NAS is expected to hit OPN.

In terms of getting consistent routing across internal nets, how about advertising a classless route via DHCP?
FWIW, I have not tried.

Edit: there's a related guide here: https://homenetworkguy.com/how-to/use-static-routing-to-second-opnsense-router-with-nat-disabled-for-homelab/
I have not read it in detail, but his stuff is usually reasonable.

The "router" wasn't NATting, but that was where the problem was. For the old Asus to act as a regular router without NATting, I had to disable NAT acceleration, which by the look of things forced the device to process everything via software. By the look of things, it wasn't great at that :)