My VLAN interface isn't passing traffic and I don't know why.

[RNHurt]

I just installed a new OPNSense system at my wife's school and everything seems to be working fine, except the Guest WiFi VLAN interface.  The Guest Wifi VLAN is supposed to be for those in the building that have personal devices, or guests that don't need to talk to the internal network (printers, etc.)

Here are the steps I went through:

• Go to Interfaces --> Other Types --> VLAN and hit the add button
• Fill out all the information (Tag, PCP, etc.)
• Go to Interfaces --> Assignments and add it to the WAN Interface
• Go to Firewall --> Rules --> LAN and clone the "any" rules and change the settings to use the new VLAN Interface
• Go to Services --> DHCPv4 --> OPT1 and enable DHCP

Everything looks good and the interface comes up without any errors.  However, when I try to connect I don't get a DHCP connection.  So, I manually gave myself and address (10.0.1.69) and tried to ping a couple of things.  I can ping the firewall at the VLAN interface (10.0.1.1) but I can't ping 8.8.8.8.  Also, DNS lookups don't work on the VLAN but they work fine on the LAN interface.

I know that I'm probably missing something obvious but I spent 3 hours yesterday trying to track down the problem and couldn't make it work.  Do you have any thoughts about what I might be doing wrong?  I've installed firewalls before but am new to OPNSense.

[franco]

> Go to Firewall --> Rules --> LAN and clone the "any" rules and change the settings to use the new VLAN Interface

Can you explain this? You said you use a VLAN as a WAN, but then you talk about LAN and OPT1 so you seem to be doing multiple things at once and I'm not sure what works and what doesn't vs. what is supposed to work and what can't.


Cheers,
Franco

[RNHurt]

I'm actually not really sure what I'm doing anymore. 

My goal is to have people on the VLAN be able to access the Internet but not the LAN.  So, in order to do that I tried to configure the VLAN just like the LAN, including the Firewall Rules.  The most simple way to do that was to clone the LAN rules and modify them slightly to use the VLAN interface.

I was under the assumption that the VLAN Interface should be attached to the WAN Interface.  Is this not correct?

[RNHurt]

Maybe a picture will help show what I'm trying to do.  As you can see, the School is on the left and the Internet is on the right.  I have two Interfaces into the school; LAN & OPT1(VLAN) and one interface out of the school; WAN.  The LAN & WAN are the standard interfaces that OPNSense creates when you install it.  The OPT1(VLAN) interface is supposed to be for guests to use to get to the Internet but not our internal school resources (printers, SAN, etc.)



                                                            XXXXXX  XXXXX
                                                          XXX     XX     XXX
+-------------------+                                    X                 X
|                   |   LAN    +------------+            X                 XXXX
|                   +---------^+            |           XXX                    XXXX
|      School       |          | OPNSense   +---------> X                         XX
|                   +---------^+            |   WAN     X                          X
|                   |   OPT1   +------------+           X       Internet           X
|                   |  (VLAN)                           X                          X
+-------------------+                                   XXXXXX                    X
                                                           XXX                    XXXX
                                                            X                      XX
                                                             XX                   X
                                                              X X X X X XXXX X X X