New Install Problem - Not able to open websites on lan through firewall

Started by bulldog3346, October 14, 2018, 08:10:20 PM

Quote from: bulldog3346 on October 21, 2018, 11:28:56 PM
Thanks for the offer. At the moment, I have to reinstall OpS as something seems to have gotten stomped on from the several resets to factory settings. However, the rules I tried that did not work were LAN -> WAN allow port 80 and 443 to WAN and WAN -> to LAN allow 80 and 443 to LAN. I did check

I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.

Quote from: Evil_Sense on October 22, 2018, 04:25:57 PM
Since it's a stateful firewall, the default configuration allows access to anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).

Bulldog3346 -> Evil_Sense

Thank you, this too was helpful.  You may have opened the door of understanding.

Frank


Quote from: Fatmouse69
I am curious if reinstalling has changed anything. You should be set up now with a fresh OPNsense without any further custom rules and imho this should work for you ootb.

Unfortunately, same result, ping by name works, http,https no go.  Gonna try again shortly.

Frank

I think we need to start one step back ....

Can you provide a drawing of your network config, what is connected to what and IP network addresses you have used on your interfaces, modem, client, ....

Br br

Quote from: bringha on October 23, 2018, 06:30:21 PM
I think we need to start one step back ....

Can you provide a drawing of your network config, what is connected to what and IP network addresses you have used on your interfaces, modem, client, ....

Br br

Here is a diagram of my network, it's pretty basic as you can see.

Frank

Could you try to attach your test device directly to the OPNsense Firewall to rule out the cisco switch?

... and before: What is the network address in the WAN DHCP network ....

Br br

Quote from: bringha on October 24, 2018, 07:47:14 PM
... and before: What is the network address in the WAN DHCP network ....

Br br

WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one

You can also do a very basic check at the OPNsense firewall itself. SSH into it, go to the shell and enter curl https://google.com. When you get that response:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
the WAN side of your firewall is working. The next step then should be to eliminate all other hardware between the firewall and your test device as already suggested.

Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

Quote from: bringha on October 25, 2018, 08:01:23 AM
Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

Yes, that is correct.

Quote from: bringha on October 25, 2018, 08:01:23 AM
Quote
WAN DHCP gets various addresses e.g., 24.x.x.x, 69.x.x.x 75.x.x.x so can't give you a specific one
Just to be clear: The WAN Port of your opnsense gets an address out of one of these networks?

Br br

For example, the current IPCop's WAN address is: 75.128.246.112/23

Next, please check whether you have under System->routes all the routes you require to get traffic at the right places

Then, please check whether your DNS is configured correctly and is accessible from the clients

All that as suggested by others with ONE client directly connected to the LAN interfaces of the sense ....

Br br

Quote from: emwe on October 25, 2018, 04:12:43 AM
You can also do a very basic check at the OPNsense firewall itself. SSH into it, go to the shell and enter curl https://google.com. When you get that response:
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
the WAN side of your firewall is working. The next step then should be to eliminate all other hardware between the firewall and your test device as already suggested.

I tried a re-install today. I didn't directly connect my test client to the firewall, I'll try that tomorrow. However, I was able to successfully do the above test from the Ops server. However, I was not able to ping clients on LAN. Nor was I able to open the Web GUI from a test client on the LAN. I must be doing something wrong when configuring the LAN interface from the menu. When asked to give the address of the gateway for the WAN, I entered the ip address of the LAN interface, I then answered no to the question to use the LAN gateway address for DNS. Are these responses correct? Why am I not able to ping the LAN from the Server, or ping the server from a LAN client now? I will try to connect a client directly to the Ops server tomorrow. I will not be defeated!!

Hi bulldog,
Quote
When asked to give the address of the gateway for the WAN, I entered the ip address of the LAN interface (...)
the gateway of your OPNsense WAN interface should not be its LAN interface. When you only have one WAN interface then set this option to Auto-detect (default).
Quote
(...) I then answered no to the question to use the LAN gateway address for DNS.
Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?

Kind regards, David
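
Added example (not part of any post in this thread, and not OPNsense code): a small Python check for the misconfiguration discussed above, a manually entered WAN gateway that is really the firewall's own LAN address. The function name and all addresses are constructed for illustration; the WAN values use the 203.0.113.0/24 documentation range.

```python
import ipaddress


def check_wan_gateway(wan_cidr, wan_gateway, lan_cidr):
    """Return a list of problems with a manually entered WAN gateway.

    wan_cidr / lan_cidr are the firewall's own interface addresses with
    prefix length, e.g. "203.0.113.10/24". An empty list means the
    gateway is at least plausible (on-link on WAN and not the firewall).
    """
    wan = ipaddress.ip_interface(wan_cidr)
    lan = ipaddress.ip_interface(lan_cidr)
    gw = ipaddress.ip_address(wan_gateway)
    problems = []

    # The mistake from the thread: LAN interface address used as WAN gateway.
    if gw == lan.ip:
        problems.append("gateway is the firewall's own LAN address")
    elif gw in lan.network:
        problems.append("gateway lies in the LAN subnet, not upstream")

    if gw == wan.ip:
        problems.append("gateway is the firewall's own WAN address")

    # A default gateway must be reachable on-link from the WAN interface.
    if gw not in wan.network:
        problems.append("gateway is not on-link in the WAN subnet")
    elif wan.network.prefixlen < 31 and gw in (
        wan.network.network_address,
        wan.network.broadcast_address,
    ):
        problems.append("gateway is the network or broadcast address")

    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cases = [
        ("203.0.113.10/24", "192.168.1.1", "192.168.1.1/24"),  # LAN IP as gateway
        ("203.0.113.10/24", "203.0.113.1", "192.168.1.1/24"),  # plausible upstream
    ]
    for wan, gw, lan in cases:
        found = check_wan_gateway(wan, gw, lan)
        print(f"WAN {wan} gw {gw}: {'OK' if not found else '; '.join(found)}")
```

With a DHCP WAN the gateway comes from the lease, which is why leaving the option on Auto-detect avoids this class of error entirely.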