OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: errored out on September 29, 2020, 12:31:36 am

Title: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: errored out on September 29, 2020, 12:31:36 am
Just upgraded to 20.7.3 two days ago. Did not see this issue before. The FW is configured for several VLANs and uses policy-based routing for multi-WAN connections.

There is a rule allowing an alias on VLAN Y to VLAN X (any port and any IP, using the default GW).

There is another rule (lower on the list) blocking all non-routable addresses from accessing the default GW (think of it as a deny all). This was added because traffic not matching any rule on the list would be sent to the external GW group.


When looking at the live traffic, some traffic is allowed through as expected by the first allow rule.
Traffic on vlan y outbound from 192.168.0.1 to 10.0.0.1 allowed.
Traffic on vlan x inbound from 192.168.0.1 to 10.0.0.1 allowed.

However, most of the traffic is hitting the explicit deny all rule. This is all internal traffic; I can't understand why this is happening. I have read on this forum that PBR does not affect internal traffic.

Live view shows traffic on VLAN Y from 192.168.0.1 to 10.0.0.1 blocked.

Can anyone help? This is killing several connections to server services.

Update: It looks like this issue is affecting two addresses on VLAN X. There are other IPs I can connect to that for the most part do not hit the deny rule. Every so often I can see the traffic being denied.

Also, VLAN Y is using an alias in the rule rather than an IP/network. During my troubleshooting, the alias values were cleared out. I don't know how or even why this happened. I re-entered them, saved, and it looks fine now.


Update 2: Found an even more serious problem. The firewall rules are not being followed as configured. Take a look at the anti-lockout rule. The same IP and port are being blocked several times when connecting from a different source port.
Title: Re: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: burn2 on October 11, 2020, 08:32:24 pm
Hello.

I think we have the same problem.
All was OK in the previous branch, 20.1.
Then we upgraded to 20.7.
Only one VLAN is able to go out (the latest one).

We rolled back to the previous version and everything worked again.
Then 20.7.3 came out, so I tested another time ==> same problem.

I cannot find any solution to make 20.7 work with multiple WANs (so multiple gateways) and multiple VLANs. :/

Is there any solution?

Thanks
Title: Re: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: Patrick M. Hausen on October 12, 2020, 07:53:46 am
Have you disabled all hardware acceleration features for your physical interfaces?
Title: Re: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: burn2 on December 26, 2020, 12:18:16 pm
Hello.
It's been a long time since I came back; I was stuck on the update that works.

So I can confirm that all hardware acceleration is disabled.
The problem is that it does not redirect the traffic to the correct interface.

Here is the situation.

I have 2 interfaces:
INT1 with gateway GAT1
INT2 with gateway GAT2

I have 2 VLANs:
VLAN1
VLAN2

I wanted to redirect traffic from VLAN1 to INT1 via GAT1.
I wanted to redirect traffic from VLAN2 to INT2 via GAT2.
So the goal is just to manage multi-WAN and multi-VLAN and send each VLAN to the right WAN.

Before the upgrade everything worked.
I have a rule on VLAN1 (interface) where I set GAT1 as the gateway.
It managed to know that GAT1 is on INT1.

After the upgrade, it still works for VLAN2, which is good and goes to GAT2 via INT2.
But VLAN1 does not work now! It tries to go to GAT1 through INT2!
It's like it does not know that GAT1 is on INT1.

I do not know what has changed from before, but it does not work now!
How should I make a VLAN go through an interface (by gateway)???

Thanks
Title: Re: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: burn2 on December 26, 2020, 03:52:37 pm
OK, I have found how to make it work on the latest version.
I don't know why what I did worked before and not now, but...

So I had to add a route
0.0.0.0/0 to each gateway.
I had to put a gateway on the default outbound rules (which I had already done).
And I had to put a not on all the interfaces to assign one network to this gateway.

I don't know why before it worked with only the default gateway on the rule. But now I have to do it all manually.
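As an added illustration (not from any poster in this thread, and not the ruleset OPNsense itself generates), here is the two-WAN / two-VLAN setup burn2 describes written out as raw pf.conf rules, so the ordering problem from the first post is visible. The interface names, VLAN subnets and gateway addresses are assumptions chosen for the example.

```pf
# Added example: policy routing for two VLANs over two WANs in raw pf syntax.
# Interface names, subnets and gateway addresses are assumptions.
int1     = "igb0"          # INT1, WAN carrying gateway GAT1
int2     = "igb1"          # INT2, WAN carrying gateway GAT2
gat1     = "203.0.113.1"   # GAT1 (assumed address)
gat2     = "198.51.100.1"  # GAT2 (assumed address)
vlan1_if = "igb2_vlan10"   # VLAN1 interface (assumed name)
vlan2_if = "igb2_vlan20"   # VLAN2 interface (assumed name)
vlan1_net = "10.10.1.0/24"
vlan2_net = "10.10.2.0/24"
table <private> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. Inter-VLAN traffic has to match BEFORE any rule that carries a gateway,
#    and must itself carry no route-to, otherwise pf pushes it out a WAN
#    instead of routing it locally.  "quick" ends evaluation on a match.
pass in quick on $vlan1_if inet from $vlan1_net to $vlan2_net keep state
pass in quick on $vlan2_if inet from $vlan2_net to $vlan1_net keep state

# 2. The "deny all non-routable" rule from the first post: anything else
#    aimed at private space is dropped here and never reaches a route-to
#    rule.  Note it also blocks traffic to the firewall's own VLAN
#    addresses (DNS, GUI) unless that is allowed above it.
block in quick log on { $vlan1_if $vlan2_if } inet from any to <private>

# 3. Policy routing: what is left on each VLAN leaves via its own WAN.
#    route-to names the interface AND the next hop, which is how pf is
#    told that GAT1 is reached through INT1 and GAT2 through INT2.
pass in quick on $vlan1_if route-to ($int1 $gat1) inet from $vlan1_net to any keep state
pass in quick on $vlan2_if route-to ($int2 $gat2) inet from $vlan2_net to any keep state

# 4. Let the routed flows out of the WAN interface they were steered to.
pass out quick on $int1 inet from ($int1) to any keep state
pass out quick on $int2 inet from ($int2) to any keep state
```

On a FreeBSD/OPNsense box a file like this can be syntax-checked with `pfctl -nf <file>` without loading it, and `pfctl -vvsr` shows the loaded rules with per-rule packet counters, which is the quickest way to see whether a flow is hitting the local pass rule, the private-space block, or a route-to rule when the live view looks wrong.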
Title: Re: Serious rules not followed / routing issue between vlans recent upgrade 20.7.3
Post by: spokez on March 29, 2021, 07:07:41 pm
Hi,

I have the same challenges getting multiple WANs and multiple VLANs on the internal network to work smoothly using PBR.

Can you please explain what you did to get this to work on the "latest version"?