Why can’t I get to the internet on my new OpnSense install?!

You buy a nice new firewall appliance. You install OpnSense on it, set all the WAN and LAN stuff up to match your existing firewall, and you drop it into place. WTF, no internet…?

First of all, if you’re using a cable ISP, remember that most cable modems are MAC address locked, and will refuse to talk to a new MAC address if they’ve already seen a different one connected. So, remember to FULLY power-cycle your cable modem. Buttons won’t cut it, in many cases—you gotta unplug the power cable out of that sucker, give it a count of five to think about its sins, then plug it back in and let it re-sync.

If you still don’t have any internets after power-cycling and your modem showing everything sync’ed and online, you may be falling afoul of a weirdness in OpnSense’s default gateway configs. By default, it will mark a gateway as “down” if it doesn’t return pings… but many ISP gateway addresses (not the WAN address your router gets, the one just upstream of it) don’t return pings. So, OpnSense reports it as down and refuses to even try slinging packets through it.

[Screenshot: OpnSense gateway configuration page]

To fix this, go to System -> Gateways -> Single and select your WANGW gateway for editing. Now scroll down, find “Disable Gateway monitoring” and give that sucker a checkmark. Once you click “Save”, you should now see your gateway green and online, and packets should start flowing.
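Before leaving monitoring off for good, it is worth confirming that the gateway is merely ignoring pings rather than actually dead. The script below is an added example, not part of the post: it pings the gateway and a public address of your choosing (both passed on the command line; the script assumes nothing about which ones) and reports whether you are looking at an ICMP-silent gateway, which you can either leave unmonitored or monitor via the Monitor IP field, or a real outage.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Run it from the OpnSense
# shell (or a host that routes through the same WAN) once the gateway is
# usable, e.g. right after disabling monitoring, to decide whether to
# leave monitoring off or re-enable it against a Monitor IP.
#
# Usage: sh gwcheck.sh GATEWAY_IP MONITOR_IP
#   GATEWAY_IP  the ISP-side gateway OpnSense shows for WANGW
#   MONITOR_IP  a public address you trust to answer pings (your choice;
#               the script assumes nothing about which one)

# ping_ok HOST: succeed if HOST answers at least one of three echo requests.
# Only -c is used so the same line works with FreeBSD and Linux ping.
ping_ok() {
    ping -c 3 "$1" >/dev/null 2>&1
}

# classify GW_OK MON_OK: pure decision logic (1 = answered, 0 = silent).
#   up           gateway answers pings, default monitoring is fine
#   icmp-silent  gateway ignores pings but traffic through it reaches
#                MONITOR_IP: either disable monitoring (the fix above) or
#                keep it enabled and set Monitor IP to MONITOR_IP
#   down         nothing upstream answers, so the link itself is broken;
#                the monitor was right and disabling it would hide that
classify() {
    g=$1
    m=$2
    if [ "$g" = 1 ]; then
        echo up
    elif [ "$m" = 1 ]; then
        echo icmp-silent
    else
        echo down
    fi
}

# Only probe the network when both addresses were given on the command line.
if [ "$#" -eq 2 ]; then
    gw_ok=0
    mon_ok=0
    if ping_ok "$1"; then gw_ok=1; fi
    if ping_ok "$2"; then mon_ok=1; fi
    verdict=$(classify "$gw_ok" "$mon_ok")
    echo "gateway $1 answers ping: $gw_ok"
    echo "monitor $2 answers ping: $mon_ok"
    echo "verdict: $verdict"
fi
```

A verdict of "icmp-silent" is the situation this post describes; "down" means the monitor was telling the truth and the cable, modem or ISP side needs attention before any checkbox will help.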


Published by

Jim Salter

Mercenary sysadmin, open source advocate, and frotzer of the jim-jam.

2 thoughts on “Why can’t I get to the internet on my new OpnSense install?!”

  1. Jim, I personally disable the gateway monitor feature on most all firewall installs, specifically for the INTERNET WAN interface. Monitoring the gateway, even if it returns pings, is pointless for the internet interface. If that gateway is responding but your ISP has a problem in their network, the firewall won’t mark it as down. The monitor IP is what I prefer for that purpose, and I usually chuck in a reliable public DNS IP. Another option I’ve seen others do would be to do a traceroute out of the ISP’s network, see what appears to be a last or nearly last hop out of their network, and use that.

    Either option is using something hardcoded and outside your control that could go down and take your interface with it even though your internet connection is still fine. Definitely a false positive risk, but losing access to that IP is likely a “more good” reason to disable the interface than not.

  2. Thanks for writing this! Found it via web search, and giving my modem time to “think about its sins” was exactly the solution I needed. Thanks!
