New Install Problem - Not able to open websites on lan through firewall

Started by bulldog3346, October 14, 2018, 08:10:20 PM

I am brand new to Opnsense.  Replacing IPCop used for 2 years.  I followed the install wizard.  WAN using DHCP server of my cable modem (Charter-Spectrum), has an IP and all other necessary configuration.  LAN has a static IP, though I have enabled DHCP on the LAN for all other clients.  My testing client is able to obtain an IP and DNS and gateway information.  I am able to ping the WAN DNS servers, and other addresses on the web by IP and by name.  However, I am not able to open any websites from the testing LAN client.  I have set up rules for HTTP and HTTPS from LAN to WAN and from WAN to LAN without any luck.  I have installed version 18.7 with latest updates on a Dell PE 1950 with 2 Xeon quad-core 2.6 GHz processors, 8GB RAM, 2 Intel gigabit NICs, set to auto negotiate on both.  I would greatly appreciate any help to fix this issue.  The machine that IPCop is running on is beginning to fail, so it is critical to get the opnsense machine in production.  Thanks in advance - Frank

Well, normally the rules that get generated automatically allow reaching anything from LAN.

Are you able to ping and resolve different sites directly from the OPNsense host?

Change your NAT-OUTBOUND

to

Hybrid outbound NAT rule generation
(automatically generated rules are applied after manual rules)

I changed the NAT outbound to hybrid but still no joy.  Should I reset to factory and try again?

Yes, I can ping and resolve different sites directly from the opnsense server.

I have re-installed and reset to factory defaults to reconfigure using the configd wizard.  http and https will not be routed across the lan-wan gateway.  I am at a loss.  While I like many of the features of opnsense, it is not working for me.  I really could use some help.

Hello,

You don't need rules from wan to lan if you only have clients on lan side.

bmail

If you can ping external hosts by IP and DNS but are not able to reach websites via HTTP/S, then this kind of traffic might get blocked/dropped somehow.

When you approve the question from Evil_Sense then I would look into the Firewall logs when you try to access an external website from a local client in the LAN and see how your firewall handles this.

Greetings, David

Hi there,

I faced the same challenge when I went from ipcop to opnsense about 3 years ago. As opnsense is a stateful firewall (other than ipcop), the rule logic is somewhat different from ipcop. What could help you a lot is this article:

https://forum.opnsense.org/index.php?topic=4436.0

It's in German, hope you can read it ....

BR br

Quote from: Fatmouse69 on October 19, 2018, 10:12:36 PM
If you can ping external hosts by IP and DNS but are not able to reach websites via HTTP/S, then this kind of traffic might get blocked/dropped somehow.

When you approve the question from Evil_Sense then I would look into the Firewall logs when you try to access an external website from a local client in the LAN and see how your firewall handles this.

Greetings, David

Yes, I can ping by fqdn and ip from the client side, but can't open websites.  Your help would be greatly appreciated.

Frank

Quote from: bringha on October 20, 2018, 08:33:42 PM


https://forum.opnsense.org/index.php?topic=4436.0

It's in German, hope you can read it ....

BR br

Frank/
BR br

This was very helpful!!  This now makes more sense to me.  I will tackle this again tomorrow morning.  I have more hope now that I will be successful.

BTW: I studied German in college and was somewhat fluent afterwards.  But, that was 40 years ago.  So, google.translate came to the rescue.

Cheers,
Frank


Quote from: bulldog3346 on October 21, 2018, 12:40:51 AM
Yes, I can ping by fqdn and ip from the client side, but can't open websites.  Your help would be greatly appreciated.

Frank

As I mentioned check your logs. Any denied traffic should be listed there (requires logging of your firewall rules -> enable this option for each rule if any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?


Bulldog3346 -> Fatmouse69

Quote from: Fatmouse69 on October 21, 2018, 08:07:35 PM


As I mentioned check your logs. Any denied traffic should be listed there (requires logging of your firewall rules -> enable this option for each rule if any doubt which one to take).
Second, list your rules here for further help.
Third, you do not have any further services running (e.g. Proxy)?

Thanks for the offer.  At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings.  However, the rules I tried that did not work were LAN -> WAN allow port 80 and 443 to WAN and WAN -> to LAN allow 80 and 443 to LAN.  I did check

Cheers,
Frank

Bulldog3346 -> bringha

Quote from: bringha on October 20, 2018, 08:33:42 PM

https://forum.opnsense.org/index.php?topic=4436.0

It's in German, hope you can read it ....

BR br


I had a chance to read and re-read the above conversation.  However, I am still unclear on what side, WAN/LAN, some of these rules are written.  If the LAN, by default, allows everything to go to the WAN side, and the WAN side by default allows nothing to pass to the LAN side, shouldn't the HTTP and HTTPS allow rules, and any other protocol needed to go from the WAN to LAN, be written on the WAN gateway side and not the LAN as described in the conversation in the above link?

Wouldn't it make more sense to write rules on the WAN side to allow the protocols port 80, 443, 53, mail protocol ports, and any others needed on the LAN side?

Or, are there hidden default rules on the LAN side coded in - to 1. allow everything out of the LAN to the WAN   2. Block everything coming into the LAN from the WAN.  Would that explain writing the rules on LAN side?  However, isn't it necessary to write complementary and converse rules on the WAN side to allow the various protocols to pass traffic to the LAN?  This is what I first attempted to do, but I still could not open websites with a browser (firefox) from a LAN client, though I could ping the same websites, by name, with DNS resolving the addresses to ping.

I agree with Stefan on the German board that someone should write a white paper explaining the architecture of Opnsense and how the firewall really works, as well as how to write rules to allow the various IP protocols to pass into and out of the firewall.  Opnsense for Dummies, for dummies like me :).

Cheers
Frank

Since it's a stateful firewall, the default configuration allows access to anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).
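The two answers above (the stateful "LAN to any" rule is enough, and WAN-side rules are only for services exposed to the outside) are easier to see in a small model than in prose. The following is an added example for this thread, not code from OPNsense or pf: a toy stateful packet filter with outbound NAT. The addresses (a 192.168.1.0/24 LAN, 203.0.113.10 as the WAN address, 198.51.100.7 as a web server) and the rule table are constructed for the example. It walks through one HTTPS connection from a LAN client: the first packet is matched against the rules, the reply from the web server is matched against the state that the first packet created (so it needs no WAN -> LAN rule), and an unrelated inbound connection attempt from the WAN hits the default deny. Running it with outbound NAT switched off shows the server would see the client's private address, which is why Evil_Sense asked about the outbound NAT mode.

```python
"""Toy model of a stateful packet filter with outbound NAT.

Constructed example (not OPNsense or pf code): it shows why one
"LAN -> any pass" rule is enough for browsing, why no WAN -> LAN rule is
needed for the replies, and why unsolicited traffic from the WAN is still
dropped. Addresses are from documentation ranges, chosen for the example.
"""
from dataclasses import dataclass, replace

LAN_NET = "192.168.1."   # assumption: LAN is 192.168.1.0/24
WAN_IP = "203.0.113.10"  # assumption: address the WAN side got via DHCP


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on: "lan" or "wan"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Rules are consulted only for packets that match no existing state.
# (interface, action, allowed destination ports; None means any port)
RULES = [
    ("lan", "pass", None),    # the default OPNsense-style "LAN to any" rule
    ("wan", "block", None),   # the implicit default deny on WAN
]


class StatefulFilter:
    def __init__(self, outbound_nat=True):
        self.outbound_nat = outbound_nat
        self.states = {}     # expected reply 5-tuple -> (proto, lan src, lan sport)
        self.nat_ports = {}  # (lan src, lan sport) -> translated source port
        self.next_port = 40000

    def _alloc_port(self):
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def _rule_for(self, pkt):
        for iface, action, ports in RULES:
            if iface == pkt.iface and (ports is None or pkt.dport in ports):
                return action
        return "block"

    def process(self, pkt):
        """Return (action, packet as forwarded or None) for one incoming packet."""
        # 1. Does this packet belong to a connection we already let out?
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            _, lan_src, lan_sport = self.states[key]
            # Un-NAT and deliver to the LAN host that opened the connection.
            return "pass", replace(pkt, iface="lan", dst=lan_src, dport=lan_sport)
        # 2. No state: this is a new connection, so the rules decide.
        if self._rule_for(pkt) != "pass":
            return "block", None
        # 3. Passed: rewrite the source on the way out (outbound NAT) ...
        fwd = replace(pkt, iface="wan")
        if self.outbound_nat and pkt.iface == "lan" and not pkt.dst.startswith(LAN_NET):
            nat_key = (pkt.src, pkt.sport)
            if nat_key not in self.nat_ports:
                self.nat_ports[nat_key] = self._alloc_port()
            fwd = replace(fwd, src=WAN_IP, sport=self.nat_ports[nat_key])
        # ... and remember what the reply will look like, so it needs no WAN rule.
        reply_key = (fwd.proto, fwd.dst, fwd.dport, fwd.src, fwd.sport)
        self.states[reply_key] = (pkt.proto, pkt.src, pkt.sport)
        return "pass", fwd


def browse_session(outbound_nat=True):
    """A LAN client opens HTTPS to a web server, the server answers, then an
    unrelated host on the WAN tries to connect in. Returns what happened."""
    fw = StatefulFilter(outbound_nat)
    web, client = "198.51.100.7", "192.168.1.50"   # constructed addresses
    act_out, fwd = fw.process(Packet("lan", client, 51000, web, 443))
    # The server replies to whatever source address it saw. (With NAT off that
    # is a private address the Internet cannot route back; the model only
    # shows the server's view.)
    act_back, delivered = fw.process(Packet("wan", web, 443, fwd.src, fwd.sport))
    act_unsolicited, _ = fw.process(Packet("wan", "198.51.100.9", 5555, WAN_IP, 80))
    return {
        "outbound": act_out,
        "source_seen_by_server": fwd.src,
        "reply": act_back,
        "reply_delivered_to": delivered.dst if delivered else None,
        "unsolicited_inbound": act_unsolicited,
    }


if __name__ == "__main__":
    for nat in (True, False):
        print("outbound NAT", "on " if nat else "off", browse_session(nat))
```

The reply never consults the rule table at all: step 1 finds the state and delivers the packet to the LAN host, which is why the WAN -> LAN "allow 80 and 443" rules from earlier in the thread made no difference. A port-forward for a server behind the firewall is the one case where a WAN-side rule is needed, because that connection starts from the outside and has no state yet.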