New Install Problem - Not able to open websites on lan through firewall

[bulldog3346]

Imho this should be set to yes, if you want your OPNsense to act as a DNS forwarder/responder.
What DNS settings do you have set under System > Settings > General?
[/quote]

I think that if a specific address is not entered for the WAN gateway, the default is none. Though I can't remember, though I should, I've gone through enough times   However, I thought it may be incorrect if I gave it the LAN gateway address. 

I will say yes to the question, Opnsense as DNS.  In System> Settings> general, I gave the DNS addresses of the servers provided by my inet provider.  I will give it another go.  Thanks for these insights.

Cheers,
Frank

[Fatmouse69]

I think that if a specific address is not entered for the WAN gateway, the default is none.

I have a rather similar setup than you and for my case, setting a GW explicitely did not work. Only if I disabled it I was able to establish an Internet connection for clients in my LAN. Moreover and independently of that, the documentation of OPNsense (when you click the info icon of your WAN interface IPv4 Upstream Gateway section) says:

If this interface is a muti-WAN interface, select an existing gateway from the list or add a new one using the button above. For single WAN interfaces a gateway must be created but set to auto-detect. For a LAN a gateway is not necessary to be set up.

Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running

[bulldog3346]

Although this states that a GW needs to be created it also states that this configuration point needs to be set to auto-detect in your case (single WAN interface). As I mentioned, I only got it working without an explicit Gateway configured though.

Hopefully you will finally get it up and running

Okay, I am with you now, I was referring to the config wizard that comes up on the terminal at install, and  now I realize that you were referring to the config wizard in the GUI interface.  that is where I found the setting to which you referred.

Yesterday, I had it sort of working, but no luck with the browser.  I took the day off to get a break from it.   So, tomorrow morning I will see if it now will work.

Cheers,
Frank

[Ciprian]

Hi!

Try setting the "Enable Forwarding Mode" to Yes (Checked) in Unbound DNS (Services: Unbound DNS: General).

If not enough, disable Harden DNSSEC data (Services: Unbound DNS: Advanced).
If still not enough, disable DNSSEC completely (Services: Unbound DNS: General).

Logic behind setting Forwarding Mode to ON: during the wizard, you get asked which DNS servers you want to use, so you set something there, maybe your provider's DNS, or Google's, or OpenDNS's etc.
By default, Unbound is set without Forwarding Mode (Disabled), and so it should directly resolve using root DNS servers. For unknown reasons, this doesn't work, so enabling Forwarding Mode would force Unbound to resolve using your previously set public DNS.

Logic behind Hardened DNSSEC settings: Depending on your chosen DNS forwarding servers, many of these DNS forwarding services don't cope well with DNSSEC, so try disabling Hardened DNSSEC at first, and then, if needed, DNSSEC completely.

Hope it helps.
Cheers!

[bulldog3346]

Hi!

Try setting the "Enable Forwarding Mode" to Yes (Checked) in Unbound DNS (Services: Unbound DNS: General).

If not enough, disable Harden DNSSEC data (Services: Unbound DNS: Advanced).
If still not enough, disable DNSSEC completely (Services: Unbound DNS: General).

Logic behind setting Forwarding Mode to ON: during the wizard, you get asked which DNS servers you want to use, so you set something there, maybe your provider's DNS, or Google's, or OpenDNS's etc.
By default, Unbound is set without Forwarding Mode (Disabled), and so it should directly resolve using root DNS servers. For unknown reasons, this doesn't work, so enabling Forwarding Mode would force Unbound to resolve using your previously set public DNS.

Logic behind Hardened DNSSEC settings: Depending on your chosen DNS forwarding servers, many of these DNS forwarding services don't cope well with DNSSEC, so try disabling Hardened DNSSEC at first, and then, if needed, DNSSEC completely.

Hope it helps.
Cheers!

      Thanks for this info. I'm afraid I did not give you the correct net diagram previously.  I have attached a more accurate one here.   As you can see, I have a windows 2008r2 server on the network that among other things is set up as a DNS forwarder linking it to my ISP's provided external DNS servers.  Perhaps this is the problem?  On one test windows 10 client (not directly connected to OpnSen) when I run the network diagnostic tool, it tells me it can not find the DNS.  On another client, the diagnostic reports it can not connect to wpad."my.domain.name."  In both cases the diagnostic also reports that the network is configured correctly otherwise.  The network properties tool shows: :Connected to Internet."
     So, perhaps my internal dns and OpnSen dns are not playing well with each other. I tried your above suggestions without joy.  I even disabled Unbound dns on OpnSen.  Should I disable one or both, or should I configure OpnSen with only my internal dns as the dns to use along with the Unbound dns?  Any ideas? 
    This last attempt was the closest I got to getting OpnSen running.  BTW, I have opted not to test this with a client directly attached to the OpnSen server.  My Cisco switch (24 port, gigabit) is pure vanilla configed, with no vlan, qos, limiters, etc.  The IPCop server has no problem working with it. 
     So, it is pretty clear to me that the issue I am now having has to do with dns.  As I understand stateful firewalls, it only allows incoming packets from the inet to pass to the LAN that are in reply to requests made by clients on the LAN side.  All other incoming packets are dropped. 
     Success is only a few clicks away, I can taste it.

Cheers,
Frustrated, but not yet defeated, Frank

[guest19228]

For the gateway part of the discussion - you should not need to set any gateway in your opnsense.  According to your picture the WAN side is configured via DHCP from the ISP/Cable modem it will get the default gateway from there. The LAN side does not need any gateway set as long as you have no other router in the LAN.
Just for my understanding:
You stated you can ping by name and ip internal AND external instances from your internal machines. So DNS and routing cannot be the problem. You also mentioned curl from CLI from the opnsense server works.
In your last reply you wrote something about wpad. Does this mean you have set up a web proxy? If I assume right please provide details for your proxy configuration.
As ping is icmp it is bypassing the proxy so it will work even when something is wrong with the proxy. Curl from the opnsense cli works it is probably not using the proxy.

[bulldog3346]

For the gateway part of the discussion - you should not need to set any gateway in your opnsense.  According to your picture the WAN side is configured via DHCP from the ISP/Cable modem it will get the default gateway from there. The LAN side does not need any gateway set as long as you have no other router in the LAN.
Just for my understanding:
You stated you can ping by name and ip internal AND external instances from your internal machines. So DNS and routing cannot be the problem. You also mentioned curl from CLI from the opnsense server works.
In your last reply you wrote something about wpad. Does this mean you have set up a web proxy? If I assume right please provide details for your proxy configuration.
As ping is icmp it is bypassing the proxy so it will work even when something is wrong with the proxy. Curl from the opnsense cli works it is probably not using the proxy.

We did it!!  Opnsense is now running and has been put into production!  Thanks to all of you for your guidance and instruction.  The opnsense server it running like a top.  Thank you for putting up with this knucklehead.   Both my test machine's browser (firefox) were set to: "auto detect proxy settings."  So, I changed that that to no proxy. 

I disabled the dns server running on my WinServer, and turned on relay on the unbound dns.  I set dns in the lan dhcp server to the dns servers provided by my ISP.  Left everything else default. 

Cheers and beers,
Frank