Allow Wan traffic to Lan

Started by iyassamy, August 10, 2017, 02:20:59 PM

August 10, 2017, 02:20:59 PM Last Edit: August 10, 2017, 02:28:09 PM by iyassamy
Hello everyone

I am new to OPNsense

Can anyone tell me how to allow traffic from WAN to LAN

I have set firewall rules to allow it
Disabled the NAT

But I still can't ping a host on the LAN

Can someone tell me how it is done?

Be aware that OPNsense does NAT by default regarding traffic between internal (LAN/ OPT) interfaces and external (WAN) interfaces, so disabling the NAT is necessary but not sufficient: you would need ROUTE entries for your internal IPs in order to reach them from WAN (supplementary to FW rules -- as FW rules do not replace route rules).

Think of it as there are 2 different "guardians" on OPNsense, one being the router, and the other being the firewall: they both have to know where your packets are intended for, and to agree to direct (the router)/ permit (the firewall) those packets.

More than this, your internal IPs HAVE to be public IPs, as RFC 1918 private IPs are not routable over the internet/ WAN -- private IP ranges are simply dropped on routers over the internet. If you do have private IPs, your only option is to NAT/ Port-Forward them in order to reach them from WAN.

Thank you for your quick reply and your detailed explanations, much appreciated.

What I want to achieve is to set the OPNsense as an internal firewall.

It will be between a web server and a database server, and it won't be connected to the internet.


If you mean to use OPNsense as an internal router, then do as in the attached image

August 10, 2017, 06:11:52 PM #4 Last Edit: August 10, 2017, 08:12:21 PM by iyassamy
Still can't ping hosts from "wan" subnet

From "lan" subnet no issue

:(

If it helps, here are some screenshots



Not sure anyone is viewing this topic. I've posted nearly the exact same issue.

It is not true that routers will not route Private IP traffic. Sure, if you have routers on the Internet they will only pass public IP traffic, but in educational settings, we are using lots of Cisco gear that routes private IPs just fine. In the situation in this thread, I have found disabling the firewall will cure the issue, but then you have no firewall. However, this proves the routing is working just fine.

The problem is that the solicited return traffic from the LAN seems to be dropped. I haven't put a packet inspector on the LAN side to gather more data to see exactly what is happening. But it seems that if traffic is originated from the WAN side, it won't get returned. If it is originated from the LAN side, things work fine. It appears to be strictly a firewall issue, as disabling packet filtering cures the issue.

So I don't see a solution in this post. I don't believe the answer given is valid in this context. It is quite common inside large organizations to use private IP addresses between sub-orgs and want to have a security appliance; and it is great for educational labs where one is testing the appliance.

Dave

Yes. Internal IPs DO NOT have to have public IPs. Although the "Internet" rules/policies state private IPs are not allowed on the Internet, it requires ACLs and other mechanisms to specifically filter them out at the ISP level. Routers will route ANY addresses just fine.

Hello,

I was facing the same issue, and I was able to fix it by adding a floating rule as follows:
Protocol: ICMP
Source: WAN net
Destination: LAN net

You can then add another rule for the protocol you want to allow.
My outbound NAT is set to Hybrid, but I have no manual rules, so it's the same as automatic.

Note that floating rules apply to every interface, so you don't have to repeat these rules on the WAN interface.

Hope it helps  ;D
Micmh4ck
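The floating rule described in the reply above, written out in pf(4) syntax as an added example. It is not a copy of OPNsense's generated ruleset and not code posted in this thread; the interface names and the address ranges are assumed placeholders, and the TCP rule uses a constructed port to stand in for "the protocol you want to allow".

```pf
# Added example (not OPNsense's generated rules): the ICMP floating rule
# from the reply above, in pf(4) syntax. Interface names and networks are
# placeholders; the address blocks are RFC 5737 documentation ranges.
wan_if  = "em0"
lan_if  = "em1"
wan_net = "192.0.2.0/24"       # stands in for "WAN net"
lan_net = "198.51.100.0/24"    # stands in for "LAN net"

# A packet arriving from the WAN side is evaluated by pf as it enters
# $wan_if, so the pass rule has to be attached to that interface (or to
# every interface, which is what an OPNsense floating rule does).
# "keep state" is the part that matters for the symptom in this thread:
# the state entry created here is what lets the echo reply from $lan_net
# back out without a second rule. Without a matching state, the reply is
# exactly the "solicited return traffic" that gets dropped.
pass in quick on $wan_if inet proto icmp from $wan_net to $lan_net \
    icmp-type echoreq keep state

# Same pattern for a TCP service (port 3306 is a constructed placeholder
# for the database server mentioned earlier in the thread): one stateful
# rule on the interface where the connection is initiated.
pass in quick on $wan_if inet proto tcp from $wan_net to $lan_net \
    port 3306 flags S/SA keep state
```

To check that a rule of this shape is actually doing the work, `pfctl -nvf <file>` parses the fragment without loading it, `pfctl -vvsr` lists the active rules with per-rule evaluation and packet counters (a rule that is never hit points at an interface or direction mismatch rather than a missing route), and after a ping from a WAN host `pfctl -ss` should show an icmp state entry for the pair of addresses. On OPNsense the generated ruleset is written to /tmp/rules.debug, which is the place to confirm what the GUI floating rule expanded to.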