25.7.8 update, lost internet access (TCP rejected) on specific devices only ??

Started by MarieSophieSG, December 01, 2025, 02:53:34 PM

Hello,
1.LAN RJ45 => 2 laptops
2.WAN
3.LAN RJ45 => bridge to cisco WiFi router (mostly Android devices)
4.LAN RJ45 => not tested.

Running 25.7.7, everything was good. (FW default allow all parameters)
28-Nov, updating to 25.7.8 => 2 devices lost their Internet access (1 laptop on 1.LAN (RJ45) and 1 laptop on 3.LAN (RJ45)), while the others (Android) kept theirs.
No setup, no parameter changed during/after (compared to before, on 25.7.7)

Checking the FW live view, I see these 2 laptops/IPs have all TCP connections rejected.
Since all Androids were still accessing the Internet, I swapped laptop 1 from RJ45 on 1.LAN to WiFi on 3.LAN, same blockage; I switched laptop 2 from RJ45 on 3.LAN to WiFi on 3.LAN, same blockage.

- How come TCP connections are now rejected, while everything is the same, same MAC, same static mapping IP, same rules, ...
- What should I do now? (I tend to break things, so I prefer asking before messing around in the FW rules)

Thank you !
MSSG

Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p

I've ticked the option to disable the FW, but that didn't change anything, these devices are still not able to access the Internet, while the others are unaffected, browsing as usual.
What's very frustrating is that some are on the same LAN, 3 (Android) are accessing the internet, 1 (laptop) is not.
And the more frustration, the less I'm able to think.
And as I know myself, if I start "trying" around, I'm going to break my OPN for sure :(

I really need your light here, suggesting a debug path and steps...

If you disable the firewall you also disable NAT, which with common consumer setups with a single possibly dynamic external IPv4 address also breaks all IPv4 Internet connectivity.

Please add some more detail. Are these three internal interfaces (1, 3, 4) configured as separate IP networks or are they joined in a bridge as a single LAN like common consumer routers?

What is the IP address of the laptop that cannot access the Internet? What is its default gateway, what is its DNS server? You can check on the laptop itself.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Patrick,
Thank you for your msg.

As the "disable FW" option didn't change anything, I removed it right away, knowing that disabling the FW does disable NAT (as clearly mentioned in the app menu), so I'm back to normal since my last post.

All three interfaces are distinct: 1.LAN is 192.168.101.101/27; 3.LAN-WiFi is 192.168.102.101/24; 4.LAN is 192.168.103.101/28
i.e. 1.LAN can't access the NAS on 4.LAN, which is a problem for later.
i.e. 3.LAN-WiFi devices can't access 1.LAN, which is wanted.

The IPs of the devices which can't access through the FW are 192.168.101.103; 192.168.102.103; (and 192.168.102.108 as I noticed later)
All other settings are identical, worked perfectly fine before the update, the DNS are the same for all interfaces; the FW rules are copied from 1.LAN with "allow-all".



Why are you using artificially small networks (/27 and /28) instead of the more generic and default /24?

But anyway can the devices ping the OPNsense interface in their respective network? You also might want to check that the prefix lengths ("netmasks") on OPNsense and the managed devices match and the OPNsense interface is the default gateway for all the clients.

Reminds me of https://forum.opnsense.org/index.php?topic=47099.0. In there is a subnet calculator, too.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+