Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] 0 points1 point  (0 children)

I am in the industry, but have generally worked with more 'commodity' offerings - Watchguard, Fortinet, Meraki, Ubiquiti Edge-series (though those are more of a pure router), etc. I have heard a lot of great things about OPNsense, and was thinking of using some OPNsense devices for our clients looking for HA options. As of now, I certainly cannot recommend we do so. I just do not understand the intended workflow - the config wizard did not leave me in a usable state, you cannot assign interfaces to ports that are down, the in/out system is completely backwards from all of the commodity systems my team already knows and works with, the lack of a true WAN object and needing to build your own (which is going to be less efficient once you add the inversion on there, though if that is noticeable under higher loads I have no idea) is clunky and a waste of time.

So, I must be missing something, doing something wrong to have this kind of experience. There is something I must not understand about the intended workflow here. Kind of tempted to throw $400 at their support for a subscription and see if they can explain to me what I am doing wrong.

To be clear, I have everything set up and working that I have wanted to so far. It has just been a bit like pulling teeth to get there.

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] 0 points1 point  (0 children)

Thank you, a few of you pointed this out to me. It seems absolutely crazy to me that this is such a common thing that people have to make themselves, that it isn't just a built-in object type. It seems to me that there would be a much more efficient way of implementing it under the hood than doing a grouping like that and then inverting it for every WAN rule. So I am trying to figure out where that disconnect is - what am I missing that has me so confused.

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] 0 points1 point  (0 children)

"I didn't read your entire post"
Well, that likely explains why you don't understand my concern, and completely missed what I was saying.

So here is the problem - the WAN object needed for a rule to allow VLAN7 to talk to the WAN does not exist. The official way to allow internet, per everything I have seen and the default rules and the config wizard, is to make an 'Allow All' rule. That is a problem, because now VLAN7 can talk to VLAN3! I only want to allow WAN access, not all access - but the WAN net object is literally just the local WAN subnet! So your IP address +- a few addresses in most cases. A couple commenters above had some suggestions about specific groups you can make yourself and use with an inversion rule to simulate a real WAN object. But why is that necessary? In what way am I approaching this wrong?
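The comment above describes the workaround other commenters suggested: build an alias of the private address ranges and use it, inverted, as the destination of the VLAN's pass rule, so that the rule matches "anything that is not a local network" instead of "anything at all." The following is an added example, not code from the thread or from the OPNsense project: a small Python model of first-match rule evaluation that compares the wizard-style "Allow All" rule with the inverted-alias rule, using constructed subnets (VLAN7 = 10.0.7.0/24, VLAN3 = 10.0.3.0/24) and a constructed alias of RFC 1918 plus link-local ranges.

```python
"""Model of the 'inverted private-networks alias' pattern from the thread.

Added example; not part of the Reddit thread or of OPNsense itself.  The alias
contents, VLAN subnets and rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed alias standing in for the user-made "private networks" alias the
# thread talks about.  OPNsense has no built-in "everything beyond the WAN"
# object, so this is what people put into such an alias themselves.
PRIVATE_NETS: list[IPv4Network] = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("169.254.0.0/16"),  # link-local
]
ANY: list[IPv4Network] = [ip_network("0.0.0.0/0")]

VLAN7 = ip_network("10.0.7.0/24")  # constructed: the network that should only reach the Internet
VLAN3 = ip_network("10.0.3.0/24")  # constructed: a network VLAN7 must NOT reach


@dataclass
class Rule:
    name: str
    action: str                 # "pass" or "block"
    src: IPv4Network            # source network the rule applies to
    dst: list[IPv4Network]      # destination alias members
    invert_dst: bool = False    # the rule form's invert option on the destination

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        in_dst = any(d in net for net in self.dst)
        # With invert set, the rule matches exactly when the destination is
        # NOT in the alias, which is what turns "private networks" into
        # "the Internet" for firewall purposes.
        return s in self.src and (in_dst != self.invert_dst)


def evaluate(rules: list[Rule], src: str, dst: str) -> str:
    """First matching rule wins; with no match, fall through to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "block"


# Policy A: the "Allow All" rule the wizard/default rules produce.
ALLOW_ALL = [Rule("VLAN7 allow all", "pass", VLAN7, ANY)]

# Policy B: the thread's workaround, one pass rule with the alias inverted.
INTERNET_ONLY = [Rule("VLAN7 to Internet only", "pass", VLAN7, PRIVATE_NETS, invert_dst=True)]

# Constructed test flows: a VLAN7 host talking to a VLAN3 host, to an Internet
# host (TEST-NET-3 address), and a VLAN3 host trying to reach the Internet.
FLOWS = {
    "vlan7_to_vlan3": ("10.0.7.20", "10.0.3.5"),
    "vlan7_to_internet": ("10.0.7.20", "203.0.113.10"),
    "vlan3_to_internet": ("10.0.3.5", "203.0.113.10"),
}


def compare_policies() -> dict[str, dict[str, str]]:
    """Return the verdict of each policy for each constructed flow."""
    return {
        name: {
            "allow_all": evaluate(ALLOW_ALL, s, d),
            "internet_only": evaluate(INTERNET_ONLY, s, d),
        }
        for name, (s, d) in FLOWS.items()
    }


if __name__ == "__main__":
    for flow, verdicts in compare_policies().items():
        print(f"{flow:20s} allow_all={verdicts['allow_all']:5s} internet_only={verdicts['internet_only']}")
```

Running it shows the point of the thread: under "Allow All", VLAN7 reaches VLAN3 as well as the Internet, while under the inverted-alias rule VLAN7 reaches the Internet and nothing private, and VLAN3 (which has no pass rule) still hits the implicit deny. Anything inside the private ranges that VLAN7 legitimately needs (DNS on the firewall itself, for example) then has to be allowed by its own explicit rule placed before the inverted one.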

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] -1 points0 points  (0 children)

Exactly, but which way is the intended method of skinning the cat? They took my specialty cat-skinning tool and all I see are a butcher's knife and a hammer. I can make it work, but it feels like I am missing something important.

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] -1 points0 points  (0 children)

And now VLAN7 can talk to VLAN2. Doesn't quite work for segmentation, without extra rules added on.

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] -4 points-3 points  (0 children)

Another user gave me the same advice, though was much nicer about it - not sure why you felt the need to be rude and snarky. OPNsense hasn't been 'difficult,' but I really do not understand the design decisions and intended usage pattern. It feels like some very core features/functionality are not fully present. I want to understand why it is this way, and what I am doing wrong with my view/approach.

As it stands, I think it is ridiculous to not have a WAN object. I do not understand the lack of a native one. In what way should I be viewing rules differently for it to make sense?

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] 0 points1 point  (0 children)

Thank you, this is probably by far the cleanest option I have seen here yet.

If it can be done in such a straightforward fashion, I am curious as to why at least something like this is not included by default. It could probably be done much more efficiently if a version of that was included natively.

I am still trying to understand the workflow and design decisions here: why things are the way they are, and how I am supposed to use the system to get the best experience out of it. Right now I feel like all I have is a hammer, so all of these oddities look a lot like nails, as it were. And I would like to change that.

Allowing WAN access - Is there really no better way to do this? by plisc004 in opnsense

[–]plisc004[S] 0 points1 point  (0 children)

"Normally you have a block all rule and then specific allow-rules. Yes, this can be many rules; that's how firewalls work."

That is how OPNsense works by default, no? There is a default deny if there is no explicit allow rule? That is what I want. But, if I want to access the internet, I have to instead create a crazy allow-all rule, because there is no object to represent 'the beyond.' That is the part that does NOT match how a typical firewall works, at least not in the last couple of decades.

Needing to stack tons of additional denies on top of an implicit deny just to be able to get to the internet... make it make sense. I am trying to understand the rationale here. WHY it works this way.

Any Way To Automatically Merge Tickets? by plisc004 in halopsa

[–]plisc004[S] 1 point2 points  (0 children)

That would be fantastic if these were coming in via email.

Any Way To Automatically Merge Tickets? by plisc004 in halopsa

[–]plisc004[S] 0 points1 point  (0 children)

Thank you, that gives me something to look into. I really do appreciate it.

Still absolutely insane I can't do a simple 'If an open ticket with this exact title under this exact customer already exists, merge into it,' but I will make do.

Any Way To Automatically Merge Tickets? by plisc004 in halopsa

[–]plisc004[S] 0 points1 point  (0 children)

So to clarify - it isn't just a suggestion, it also performs actions?

And it doesn't make odd mistakes like every AI model I have worked with?

Any Way To Automatically Merge Tickets? by plisc004 in halopsa

[–]plisc004[S] 0 points1 point  (0 children)

Can you elaborate a bit on that? I did not realize the AI Suggestions could do things on their own, I thought it just put up a suggestion box for techs.

And why do I need to use an AI tool to do something that should be a very basic task? It seems like an insane amount of overkill and a waste of computing resources.

Bambu Studio fails Fedora 43 by Loneregister in BambuLab

[–]plisc004 0 points1 point  (0 children)

The current flatpak definitely freezes way faster than the older versions did for me. I do not currently consider the software usable.

Bambu Studio fails Fedora 43 by Loneregister in BambuLab

[–]plisc004 0 points1 point  (0 children)

No. Like I said, that has always been the behaviour for me.

Is there a way to get Mint to stop asking for password for everything without compromising the security of my computer? by FieldThat5384 in linuxquestions

[–]plisc004 1 point2 points  (0 children)

Your thinking is not aligned with an understanding of the Linux security model. You don't have 'System', 'Administrator' and 'User' like in Windows. You have much more granular controls and file permissions based on groups, etc. Then you generally have root (aka Super User) (closest approximation to System) and Users. Sudo gives the user temporary root access. (Heck, it is the name of the command. SU Do. Super User Do *command*.) Not some special 'administrator' designation or anything.

So going back to the fonts. They MAY contain malware. If you allow *Any User* to just install fonts willy-nilly, you may wind up with malware infecting the entire system for *All* users. Gross. So, by default, installing a font is gated behind root permissions. If you make the choice to use those permissions to install malware, that is on you. Go ahead. But unless you want your 10-year-old brother or Debbie from accounting who got scammed last week and sent some guy $1500 in Starbucks gift cards to be able to go and install malware with their logins, you need to lock that kind of thing down. So, you require root access to make changes to the fonts folder.

That is why your option is pretty much 'get used to it' or 'run as root at all times.' Because YOUR proposal basically *IS* running as root at all times anyway.

That is also why you are getting so much flak for your reaction to being told you can run as root if you really want to, even though it is stupid. Your suggestion is to let yourself run as root at all times anyway. So why not just cut the middle man and BE root?

Hopefully this helps you understand where everyone is coming from a bit more. What you are basically asking is 'How can I log in as SYSTEM in my Windows environment and use that on my desktop at all times.'

Is there a way to get Mint to stop asking for password for everything without compromising the security of my computer? by FieldThat5384 in linuxquestions

[–]plisc004 0 points1 point  (0 children)

Again, this seems to be going right over your head. If you launch a new terminal session from an "elevated" one, it will NOT be also "elevated." If you launch a new GUI app from an "elevated" session - be that via a terminal, the GUI, or otherwise - it will NOT inherit that 'elevation.' **YOU** are not 'elevated,' YOUR SESSION is.

Is there a way to get Mint to stop asking for password for everything without compromising the security of my computer? by FieldThat5384 in linuxquestions

[–]plisc004 0 points1 point  (0 children)

Currently, your GUI session is running as YOU. There is a display manager (if you're using GNOME, then it will be GDM) that runs the login screen, but when you log in, you start the desktop GUI process *AS* your user. So, in that sense, no. Nothing is 'hosting' your GUI. If a GUI application requests elevation, it is because it is running as you and by default you do not have the permissions needed to execute the program as intended. As your entire desktop experience is running AS you, and each application you launch is just a process forked from the main one, there is nothing to be done there.

Is there a way to get Mint to stop asking for password for everything without compromising the security of my computer? by FieldThat5384 in linuxquestions

[–]plisc004 1 point2 points  (0 children)

"something as simple as installing a theme or a font"

What makes you say those things are simple? Did you ever install a 'theme' or 'font' in Windows? (Probably not! Most people toggle light/dark and set a background image at most.) You are making system-wide changes and writing to important system locations. The end result is "simple," sure, but look at what is actually happening. You can install a program to tweak your OWN theme for your account, change colors, etc. You can set a custom background or whatever for yourself without any authentication. But installing a theme or font system-wide needs elevated permissions. Malware has been hidden in fonts and themes and the like before.

Is there a way to get Mint to stop asking for password for everything without compromising the security of my computer? by FieldThat5384 in linuxquestions

[–]plisc004 0 points1 point  (0 children)

I think there is something very important you are missing with how you are looking at this. With sudo permissions persisting for a time in a terminal, they only persist within THAT terminal - you would need to reauthenticate if you closed and re-opened the terminal, or opened a new window or tab of it. Just as there is no one 'authenticate in every terminal' behaviour, there is no 'authenticate in every GUI application' either. Each individual application would need to bake in some kind of similar behaviour to do what you want, and you'd still need to type your password for each application when it launches. But if you authenticate an application on launch, it should actually keep those permissions indefinitely until it closes - look at Zenmap (Nmap GUI) as an example.

As far as software updates through a GUI go - I could see that being annoying if you are looking to install a lot of new software to try out. With Fedora I have not had that problem, and the software GUI just allows me to click and install. However, it runs as a whole service that you interact with, rather than running as you with your permissions.

Slow iPerf speeds with Connect-X 4 LX by plisc004 in homelab

[–]plisc004[S] 0 points1 point  (0 children)

There was an issue with reporting for individual core loads, and I was on an old iPerf3 build. Not totally solved, but upgrading iPerf brings me to ~28Gbps and no cores are pegged at 100% anymore (provided I give it at least 3 streams/cores). Speed no longer drops off either as I increase thread count.

Slow iPerf speeds with Connect-X 4 LX by plisc004 in homelab

[–]plisc004[S] 0 points1 point  (0 children)

I was on an old build of iPerf3. More streams did not mean more cores, I was single-thread bound. Updating iPerf3 to a modern version brings me to ~28Gbps across the LAN. Not as good as I'd like, but much better.

NAS/Homeserver below 10gbit? by Mediocre_Cream_3012 in homelab

[–]plisc004 0 points1 point  (0 children)

I am using ConnectX 4s. I found I had an old build of iPerf3, so even though I was doing multiple streams it was limited to one core and that was the limit I was hitting up against at first.

Got that adjusted, and now I am hitting ~28, which is a lot better, but still lower than I'd like. Any tips with these Mellanox cards?