Fresh install blocking most sites

Started by Petski, December 15, 2025, 02:36:24 AM

I just installed OPNsense for the first time on a dedicated small form factor PC. After getting both WAN and LAN ports configured, it looked like everything was working from the console's point of view, but I am finding that the majority of normal sites are being blocked. Zerohedge and Yahoo work perfectly but YouTube, eBay, and most other sites time out attempting to load. Also, my IP phone (Ooma) won't connect either.
Details:
 - The OPNsense firewall PC is between my Cisco router (LAN) and the cable modem (WAN).
 - The Cisco router manages the full local LAN and uses a PiHole server for DNS filtering. All DNS requests go through PiHole.
 - FYI, PiHole has been in use for many years now with no issues.
 - I have not added any filters or rules, just whatever is included in the default install.

Any help is appreciated.  I've had to bypass the firewall until I can figure this problem out.

December 15, 2025, 04:15:29 PM #1 Last Edit: December 15, 2025, 04:32:55 PM by coffeecup25
You are double NATting. You are not getting DNS resolution in that configuration because PiHole cannot work properly.

Here's a little background education, pardon me for being presumptuous.

A 'Firewall' is more a marketing term than anything else. A firewall, by my definition, is a router with extra layers of software that does this and that to protect the network. 'This and that' being technical terms. 99.5% of everyone or more only needs one router active at any given time at a location.

In the network world you have routers and switches. Only. Retail routers are a combo router and switch, often with a wifi component. The Chinese router / pc with 4 or 6 ports becomes a router with a WAN and LAN port when you load OPNsense. The remaining ports are just sitting there until configured to do something. I've read that the extra ports are best for subnetting and not as VLANs because these boxes make poor switches compared to dedicated switches. The ports may look the same but they are not the same. Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.

Routers carry traffic between networks. Switches carry traffic on a network and they are designed for heavy traffic. Most of what happens on a network is confined to the switch and only goes to the router if it needs to jump to another network or possibly to renew a lease.

VLANs segment a broadcast domain on a smart / managed switch so one subnet can create privacy zones. Normally, everything on the switch can access everything in the same broadcast domain. VLANs break it up. The managed / smart switch manages the VLAN entirely. It has always been this way. The VLAN capability in OPNsense, pfSense, and whatever is clever but more confusing than helpful as the extra ports are said to make bad switches as they are not designed for traffic that heavy. Unlike a retail router that is a deliberate mix of router and switch. You do not need to create a VLAN on the router to use a VLAN on a smart switch. Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router.

So, decide on Cisco or OPNsense and it should work perfectly.
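The double-NAT diagnosis above can be checked from any LAN host with a traceroute. The following script is an added example, not code from the thread or from OPNsense: it parses traceroute-style output (the two sample traces below are constructed, with made-up addresses) and counts how many RFC 1918 gateways sit in front of the first public hop. Two different private gateways in a home path means two routers, each of which is normally translating; a 100.64.0.0/10 hop means the ISP is NATting as well.

```python
import ipaddress
import re

# Constructed sample (not real data): hop 1 is the OPNsense LAN address, hop 2 is the
# LAN address of a second router in front of it, hop 3 is ISP carrier-grade NAT,
# hop 4 is the first public address.
SAMPLE_DOUBLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.389 ms  0.370 ms
 2  192.168.10.1 (192.168.10.1)  1.102 ms  1.090 ms  1.075 ms
 3  100.64.0.1 (100.64.0.1)  9.513 ms  9.500 ms  9.488 ms
 4  203.0.113.1 (203.0.113.1)  12.120 ms  12.100 ms  12.090 ms
 5  * * *
 6  1.1.1.1 (1.1.1.1)  14.001 ms  13.950 ms  13.900 ms
"""

# Constructed sample of the same trace with only one NAT router in the path.
SAMPLE_SINGLE_NAT = """\
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.401 ms  0.380 ms  0.366 ms
 2  203.0.113.1 (203.0.113.1)  11.900 ms  11.880 ms  11.860 ms
 3  1.1.1.1 (1.1.1.1)  13.700 ms  13.650 ms  13.600 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space used by ISP NAT

# Matches "<hop>  <name> (<ipv4>)" at the start of a traceroute hop line.
HOP_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(text):
    """Return [(hop_number, IPv4Address)] for each hop line that shows an address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops


def classify(addr):
    """Classify an address as rfc1918, cgnat or public."""
    addr = ipaddress.ip_address(addr)
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def nat_assessment(text):
    """Walk the hops up to the first public address and summarise the NAT layers seen."""
    private_hops, cgnat_seen, first_public = [], False, None
    for hop_no, addr in parse_hops(text):
        kind = classify(addr)
        if kind == "public":
            first_public = hop_no
            break
        if kind == "cgnat":
            cgnat_seen = True
        else:
            private_hops.append(str(addr))
    return {
        "private_hops": private_hops,
        "cgnat_seen": cgnat_seen,
        "first_public_hop": first_public,
        # Two distinct RFC 1918 gateways before the first public hop means two routers
        # between this host and the Internet; in a home setup each is normally NATting.
        "likely_double_nat": len(set(private_hops)) >= 2,
    }


if __name__ == "__main__":
    for name, trace in (("double", SAMPLE_DOUBLE_NAT), ("single", SAMPLE_SINGLE_NAT)):
        print(name, nat_assessment(trace))
```

Traceroute shows routers, not NAT as such, so the result is a strong hint rather than proof; the definitive check is the WAN address the inner router received. If the Cisco's WAN address is itself an RFC 1918 address handed out by OPNsense, the inner router is translating a second time. A CGNAT hop is an ISP-side layer you cannot remove, which is why hosting UPnP or inbound services behind it needs different handling.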

December 15, 2025, 09:04:21 PM #2 Last Edit: December 16, 2025, 07:00:31 PM by drosophila
To add: without knowing the Cisco device, I suspect that it used to be the "all in one" internet access device every ISP hands out. As coffeecup25 hinted at: OPNsense is not a full replacement for that device, because it lacks the actual switch. What your multiport OPNsense box is equates to a PC with multiple NICs. What your Cisco thing is equates to a PC with 2 NICs and a switch connected to one of these NICs. The first is much more powerful in terms of potential functionality than a simple switch, but that means it's not (at all) optimized for use as a switch. (BTW: yes, it is perfectly conceivable to have a switch integrated on a NIC, which you could place in a normal PC alongside its built-in NIC to make it work just like the Cisco thing).

So now you would need an external switch. However, you can relegate your Cisco to a switch. To make it so, you would need to:

1) create in OPNsense a configuration that mimics what is present in the Cisco, including the IP addresses(!), DHCP rules, etc.
2) disable all services on the Cisco, especially DHCP, then change the IP/subnet of the Cisco to something else (this way it will still be accessible on your LAN if your wish). You could also put it into another subnet so that it will only be accessible if you change your LAN IP appropriately for configuration purposes. Since it will not receive any updates anymore this might add a little obstacle to the casual attacker poking around your LAN. The downside of leaving any "Smart" device, especially unmaintained ones, on the LAN is that it increases your attack surface, plus the power draw for the now unused CPU and WAN parts. But you'd get these same issues with a smart switch of the same age.
3) if currently done any differently, plug the OPNsense box into one of the LAN ports of the Cisco thing (NOT the WAN port)

Optional: put a sticker on the Cisco noting its IP, because the next time you'll consider logging into it will be in 4 years. ;)

You have some strange statements there.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> A 'Firewall' is more a marketing term than anything else. A firewall, by my definition, is a router with extra layers of software that does this and that to protect the network. 'This and that' being technical terms. 99.5% of everyone or more only needs one router active at any given time at a location.

Firewall is not just marketing. It is a different type of functionality to a router and not router+extra software. They perform different purposes. For instance you can have a firewall doing no routing, only firewall duties. Yes most of the time a firewall will be ABLE to perform routing duties since the functionality is often included but is not just marketing.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> In the network world you have routers and switches. Only. Retail routers are a combo router and switch, often with a wifi component. The Chinese router / pc with 4 or 6 ports becomes a router with a WAN and LAN port when you load OPNsense. The remaining ports are just sitting there until configured to do something. I've read that the extra ports are best for subnetting and not as VLANs because these boxes make poor switches compared to dedicated switches. The ports may look the same but they are not the same. Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.

Regarding the extra ports. Why would they be best for subnetting? Subnetting is about altering the network mask to partition the network in a way different to the default mask like making a class C /24 into a /25 one. Then "not as VLANs.." a VLAN is about using tags in frames to carry that traffic over a link. I can't see the relation you are making to unused ports on the appliance.

Quote:
> Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.

Yes a subnet is a separate network but it doesn't need a separate switch. That's where the managed switch comes into play, because it is what will tag/untag traffic. Unless you are in your description calling a network a subnet. Network != subnet. Exception would be default-independent ports converted to switched ports.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> Routers carry traffic between networks. Switches carry traffic on a network and they are designed for heavy traffic. Most of what happens on a network is confined to the switch and only goes to the router if it needs to jump to another network or possibly to renew a lease.

Not only to renew a lease. Pretty much all other networking services need to be managed somewhere, typically the router: DHCP yes, but NATing, DNS, etc.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> VLANs segment a broadcast domain on a smart / managed switch so one subnet can create privacy zones. Normally, everything on the switch can access everything in the same broadcast domain. VLANs break it up. The managed / smart switch manages the VLAN entirely. It has always been this way. The VLAN capability in OPNsense, pfSense, and whatever is clever but more confusing than helpful as the extra ports are said to make bad switches as they are not designed for traffic that heavy. Unlike a retail router that is a deliberate mix of router and switch. You do not need to create a VLAN on the router to use a VLAN on a smart switch. Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router.

Again VLAN != subnet. Privacy is a benefit but not really the main purpose of either.

Quote:
> The managed / smart switch manages the VLAN entirely

I'd say not entirely. Something has to route between VLANs. That is normally the router's job hence the trunk goes to OPN. Unless of course another device or even the said managed switch can (not all do).

Quote:
> Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router

Really? This router needs to be VLAN-aware. Rarely are basic ones like the ISP-provided routers/wifi devices VLAN-aware.

I'm not trying to be contrary, but terminology is important.
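The distinction drawn in this post, a VLAN being a tag carried in the Ethernet frame while a subnet is an IP mask decision, is easy to see in bytes. The script below is an added example and not code from the thread: it builds a minimal 802.1Q-tagged frame (constructed, with fixed MACs and an unchecksummed IPv4 header), reads the VLAN ID back out of the tag, splits a /24 into /25s by changing only the mask, and answers the two separate questions "same broadcast domain?" (Layer 2, decided by the tag) and "needs a router?" (Layer 3, decided by the mask).

```python
import ipaddress
import struct

VLAN_TPID = 0x8100      # 802.1Q tag protocol identifier in the EtherType slot
ETHERTYPE_IPV4 = 0x0800


def build_tagged_frame(vlan_id, src_ip, dst_ip):
    """Build a minimal 802.1Q-tagged Ethernet frame carrying an IPv4 header.
    Constructed for illustration: fixed MACs, no payload, IPv4 checksum left at zero."""
    dst_mac = bytes.fromhex("ffffffffffff")              # broadcast destination
    src_mac = bytes.fromhex("020000000001")              # locally administered MAC
    tci = (0 << 13) | (0 << 12) | (vlan_id & 0x0FFF)     # PCP=0, DEI=0, 12-bit VID
    header = dst_mac + src_mac + struct.pack("!HHH", VLAN_TPID, tci, ETHERTYPE_IPV4)
    ipv4 = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, 1, 0,   # ver/IHL, DSCP, total length, id, flags/frag, TTL, proto ICMP, checksum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return header + ipv4


def parse_frame(frame):
    """Return the Layer 2 VLAN ID (None if untagged) and the Layer 3 addresses."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == VLAN_TPID:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    info = {"vlan_id": vlan_id, "ethertype": ethertype, "src_ip": None, "dst_ip": None}
    if ethertype == ETHERTYPE_IPV4:
        ip = frame[offset:offset + 20]
        info["src_ip"] = str(ipaddress.IPv4Address(ip[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    return info


def split_subnet(cidr, new_prefix):
    """Subnetting: carve a network into longer prefixes by changing the mask only."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def needs_router(info, prefixlen):
    """Layer 3 question: are src and dst in different subnets under this mask?
    If so, the packet must be routed no matter which VLAN carried it."""
    src_net = ipaddress.ip_network(f"{info['src_ip']}/{prefixlen}", strict=False)
    return ipaddress.ip_address(info["dst_ip"]) not in src_net


def same_broadcast_domain(info_a, info_b):
    """Layer 2 question: two frames share a broadcast domain iff they carry the same VLAN ID."""
    return info_a["vlan_id"] == info_b["vlan_id"]


if __name__ == "__main__":
    a = parse_frame(build_tagged_frame(20, "192.168.1.10", "192.168.1.200"))
    b = parse_frame(build_tagged_frame(30, "192.168.1.20", "192.168.1.10"))
    print("VLAN of a:", a["vlan_id"], "| /24 needs router:", needs_router(a, 24),
          "| /25 needs router:", needs_router(a, 25))
    print("a and b share a broadcast domain:", same_broadcast_domain(a, b))
    print(split_subnet("192.168.1.0/24", 25))
```

The two results that matter: re-masking 192.168.1.0/24 as /25 makes 192.168.1.10 and 192.168.1.200 need a router even though they sit in the same VLAN, and two hosts in the same /24 but different VLANs cannot reach each other at Layer 2 at all. That is why a VLAN-unaware router plugged into a tagged port silently drops the tagged frames: it never reads the tag.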

drosophila,
So, if I understand you, my best option is to spin up the Kea DHCP server in OPNsense and port my DHCP configuration and MAC address binding tables to it. Then either demote or replace my Cisco RV325 small business router with a switch since it is no longer supported or receiving updates. Question, does OPNsense replace the need for using PiHole? It has been a wonderful addition to my network for years now and I immediately notice its absence whenever I am not on my home network. I would still like to have the DHCP server point to PiHole as a pre-filter if OPNsense does not keep updated advertising block lists.
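Porting a MAC binding table into a new DHCP server is where most migrations break, usually on a duplicate MAC, a mixed address notation, or an address that falls outside the new subnet or inside the dynamic pool. The script below is an added example, not OPNsense's or Kea's code: it takes a constructed CSV export (the RV325 export format is not shown in the thread, so the column layout is an assumption) and normalises MACs, validates each reservation, and emits the result in Kea's native DHCPv4 JSON shape with `domain-name-servers` pointing at a PiHole address (also constructed). OPNsense drives Kea from its own GUI, so the JSON is for review and for a Kea instance elsewhere; the validation is the part worth running before typing anything in.

```python
import csv
import io
import ipaddress
import json
import re

# Constructed sample of a static-binding export (not a real RV325 export).
# Columns assumed: hostname, mac, ip. Deliberately includes mixed MAC notations,
# a short MAC, an address outside the subnet and a duplicate MAC.
SAMPLE_BINDINGS = """\
hostname,mac,ip
printer,00:11:22:33:44:55,192.168.1.20
nas,00-11-22-33-44-66,192.168.1.21
ooma,0011.2233.4477,192.168.1.22
badmac,00:11:22:33:44,192.168.1.23
outside,00:11:22:33:44:88,192.168.2.10
dup,00:11:22:33:44:55,192.168.1.24
"""

PIHOLE_DNS = "192.168.1.5"   # constructed PiHole address handed to clients as their resolver


def normalize_mac(raw):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_bindings(text):
    """Read the CSV export into a list of {hostname, mac, ip} dicts (mac already normalised)."""
    return [
        {"hostname": row["hostname"].strip(), "mac": normalize_mac(row["mac"]), "ip": row["ip"].strip()}
        for row in csv.DictReader(io.StringIO(text))
    ]


def validate(rows, subnet, pool_start, pool_end):
    """Return (accepted_rows, problems). Rejects bad MACs, addresses outside the subnet and
    duplicate MACs/IPs (first occurrence wins); warns about reservations inside the dynamic pool."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    seen_mac, seen_ip, accepted, problems = set(), set(), [], []
    for r in rows:
        try:
            ip = ipaddress.ip_address(r["ip"])
        except ValueError:
            problems.append((r["hostname"], "unparseable IP"))
            continue
        if r["mac"] is None:
            problems.append((r["hostname"], "invalid MAC"))
            continue
        if ip not in net:
            problems.append((r["hostname"], f"{ip} not in {net}"))
            continue
        if r["mac"] in seen_mac:
            problems.append((r["hostname"], f"duplicate MAC {r['mac']}"))
            continue
        if str(ip) in seen_ip:
            problems.append((r["hostname"], f"duplicate IP {ip}"))
            continue
        if lo <= ip <= hi:   # warning only: keep it, but the pool should not overlap reservations
            problems.append((r["hostname"], f"{ip} lies inside the dynamic pool"))
        seen_mac.add(r["mac"])
        seen_ip.add(str(ip))
        accepted.append(r)
    return accepted, problems


def to_kea(rows, subnet, pool_start, pool_end, dns_server=PIHOLE_DNS):
    """Render accepted rows as a Kea DHCPv4 configuration fragment."""
    return {
        "Dhcp4": {
            "interfaces-config": {"interfaces": ["*"]},
            "subnet4": [{
                "id": 1,
                "subnet": subnet,
                "pools": [{"pool": f"{pool_start} - {pool_end}"}],
                "option-data": [{"name": "domain-name-servers", "data": dns_server}],
                "reservations": [
                    {"hw-address": r["mac"], "ip-address": r["ip"], "hostname": r["hostname"]}
                    for r in rows
                ],
            }],
        }
    }


if __name__ == "__main__":
    ok, issues = validate(parse_bindings(SAMPLE_BINDINGS), "192.168.1.0/24", "192.168.1.100", "192.168.1.199")
    for host, why in issues:
        print(f"SKIP {host}: {why}")
    print(json.dumps(to_kea(ok, "192.168.1.0/24", "192.168.1.100", "192.168.1.199"), indent=2))
```

Run against the sample, the script keeps printer, nas and ooma and reports the short MAC, the 192.168.2.x address and the duplicate of the printer's MAC. Pointing `domain-name-servers` at PiHole keeps the existing filtering in place on the new DHCP server, which answers the second half of the question without deciding whether to drop PiHole later.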

December 17, 2025, 12:57:48 AM #5 Last Edit: December 17, 2025, 01:30:39 AM by coffeecup25
Quote from: Petski on December 17, 2025, 12:54:42 AM
> drosophila,
> So, if I understand you, my best option is to spin up the Kea DHCP server in OPNsense and port my DHCP configuration and MAC address binding tables to it. Then either demote or replace my Cisco RV325 small business router with a switch since it is no longer supported or receiving updates. Question, does OPNsense replace the need for using PiHole? It has been a wonderful addition to my network for years now and I immediately notice its absence whenever I am not on my home network. I would still like to have the DHCP server point to PiHole as a pre-filter if OPNsense does not keep updated advertising block lists.

Adguard Home is a standard feature. It's also a DNS blocker like pihole. Using it inside of OPNsense is generally preferable because it's one less point of failure, as you can see first hand from the experience you documented above. Adguard Home is not the adblocking feature in Unbound, which is far less flexible.

December 17, 2025, 01:09:58 AM #6 Last Edit: December 17, 2025, 01:22:34 AM by coffeecup25
cookiemonster,

Oh where to begin.

For an old pro, I notice you did not catch the double nat problem in the original post. It stood out like a blinking red light. 90% of the post was unnecessary to describe the problem, although it implied other issues.

Yes, I know the difference between a 'subnet' and a 2nd network. It's common - very very common - to use the terms interchangeably. Only a small minority of people get confused like you did.

Running a subnet out of an open port into a simple switch is common common common. I do it and it works perfectly. My IOT network comes off of it. I used to use a smart switch to break up LAN but the switch became unstable, as reported earlier, and I went the subnet route. Very simple and very stable. (The switch probably needed a firmware update is my guess.)  And, just in case you think you found a gotcha - LAN goes to a different simple switch than IOT. Both on the same simple switch would mean they share a broadcast domain and no amount of rule making on the router would separate the traffic.

If I had used a smart switch for the 2nd network it would have been utterly ridiculous. Makes no sense since 2nd network / subnet did the job already.

I know subnet math, or at least did when I took basic networking over a decade ago. Most people, I assume, learn it, admire how clever it is, and then forget it unless they go to work for a major corp with a giant network.

I see the old pros still like to run an exclusive club. What a shame. The real problem is perfect newbies to networking can't tell the difference and swaggering old pros shine the brightest, for better or worse.

I didn't try to "catch" you and I was not intending to advise on the actual problem.
It's for the benefit of newcomers that the terms are clear so they don't walk away with a misconception.