OPNsense Forum
English Forums => General Discussion => Topic started by: routeswitched on June 07, 2023, 01:54:54 am
-
Hi everyone this may be a dumb problem but I keep hitting roadblocks. Here is my setup:
I'm running opnsense behind my main router so my WAN is a private IP address of 192.168.1.x. I've created my lan at 192.168.11.0/24 and I have a Vlan with an ID of 15 and a network of 192.168.64.1/24. I setup everything from scratch and the only rules I created are LAN allow any any in and my vlan is allow any any in. On my wan I have also unchecked the the Block private IP's option since I'm running behind a router. For some reason I still cannot route traffic between the LAN and the VLan. I can ping the default gateway's from each side, but nothing else. Does anyone have any ideas why? I know I'm doing something wrong. I'm a long time user of pfsense and trying to make the switch but can't get this basic function to work. Just FYI at this point there is no switch in the mix. Computer connected directly to LAN of Opnsense box.
-
So I have more info now. It seems to be something with my dual 10gb nic which is an X540-2T. It's just very strange that I can ping the gateways of all interfaces, but not anything else on the network. I have the firewall rules wide open at this point with any any for all. Very weird. Maybe this nic just will not work with OpnSense.
-
It's quite confusing... So, let's try to clean this up...
You have three interfaces:
Port 1: WAN IP 192.168.1.0/24
Port 2: LAN IP 192.168.11.0/24
Port 3: VLAN 15 IP 192.168.64.0/24
How's your port 3 configured.
-
Yes sorry for the confusion. Your notations are correct. I have port 3 setup as a vlan with parent interface of the lan. The ports are as follows:
Re0: WAN setup as DHCP
ix0: LAN
ix0.15: VLAN15
I also tried setting up ix1 as another network of 192.168.165.0/24 to see if it was just a vlan issue but the same thing happens. No routing(except I can ping all gateways) which really stumps me
-
try removing the vlan and just use port 3 as another lan interface the two ports port 2 and 3 should be able to talk to each other.
-
That's a good idea, I'll give that a try and report back.
-
Still no luck, I can ping the gateways but not the host. Firewall rules wide open on LAN and the .64 network. They are both on separate interfaces now.
LAN ix0
.64 ix1
-
Oh!!! I missed this...
wow... I think the issue may be with your ix0 and ix1 driver issue...
BTW -- you cannot have an IP on the physical and a VLAN on the interface as well. It's one or the other... create two vlans and trunk the interface.
-
I'm going to see if I can work on finding drivers for the nic. However I don't quite understand your BTW part:
It was my understanding that the you basically have a LAN and and WAN interface. Then you create a vlan and assign a parent interface to that vlan(which is the LAN interface). While the LAN has IP of 192.168.11.0/24 the VLAN has an IP scheme of 192.168.64.0/24. That should work just fine.
My switch is setup to trunk the vlans and I have the ports tagged where the host are plugged into. However I do have 3 interfaces on the Opnsense firewall so I was trying to test by just removing the vlan and creating two networks on two separate interfaces. The 3 interfaces I have to play with are: See below:
ix0 LAN with IP scheme 192.168.11.0/24
ix1 WAN setup as dhcp but gets an IP from a 192.168.1.0/24 scheme
re0 Opt1 I setup this interface with a scheme of 192.168.64.0/24
Then I setup dhcp servers for the ix0(LAN interface"dhcp was preconfigured on LAN) and the re0(Opt1 interface)
Then I setup the firewall rules on the LAN and OPT1 interfaces to wide open.
This way I can remove the switch all together and plug a computer into each interface .. IE... ix0 LAN and re0 Opt1 and do some ping test. This is where I get to the point where I can ping the gateways of each other but not the host directly connected to the firewall. Just strange.
-
It's general advice with FreeBSD not to run tagged and untagged packets on the same port. Change your LAN to use a VLAN tag, too, create the VLAN on the switch side, assign all ports that should be in LAN.
-
It was my understanding that the you basically have a LAN and and WAN interface. Then you create a vlan and assign a parent interface to that vlan(which is the LAN interface). While the LAN has IP of 192.168.11.0/24 the VLAN has an IP scheme of 192.168.64.0/24. That should work just fine.
The physical interface it should either have an IP or be a bridged interface with multiple VLAN's but not both. The FreeBSD does not support Native VLAN (untagged VLAN).
-
lisense it does. Under certain constraints. A soon as a bridge interface comes into play you cannot use tagged subinterfaces. Then there's problems with software using promiscuous mode like DHCP ...
But in general you can have a native VLAN.
-
Still no luck, I can ping the gateways but not the host. Firewall rules wide open on LAN and the .64 network. They are both on separate interfaces now.
LAN ix0
.64 ix1
Are you sure it's not just a software firewall on the host?
-
Still no luck, I can ping the gateways but not the host. Firewall rules wide open on LAN and the .64 network. They are both on separate interfaces now.
LAN ix0
.64 ix1
Are you sure it's not just a software firewall on the host?
I am pretty sure that's not the case, but it will not hurt to check. Thanks for the idea.
-
It was my understanding that the you basically have a LAN and and WAN interface. Then you create a vlan and assign a parent interface to that vlan(which is the LAN interface). While the LAN has IP of 192.168.11.0/24 the VLAN has an IP scheme of 192.168.64.0/24. That should work just fine.
The physical interface it should either have an IP or be a bridged interface with multiple VLAN's but not both. The FreeBSD does not support Native VLAN (untagged VLAN).
I'll go ahead and try it this way as well. It can't hurt, and always good to learn something new.
-
Still no luck, I can ping the gateways but not the host. Firewall rules wide open on LAN and the .64 network. They are both on separate interfaces now.
LAN ix0
.64 ix1
Are you sure it's not just a software firewall on the host?
I am so sorry everyone, as it turns out it was Windows firewall blocking the traffic. Demusman you were correct. I can't believe I spent so much time on something so simple. Really one of those duh moments. Thanks everyone for the great suggestions, and I learned a lot along the way. I guess the old method of "keep it simple stupid" really does make a lot of sense.... lol :o