OPNsense Forum

Running 22.1

I have an issue where I have a VLAN, igb1_vlan10 and I can reach the LAN address of 192.168.1.1 (the fw) but I cannot reach a LAN host such as 192.168.1.253, can't even ping it.

I have 2 VLAN's igb1_vlan10 and igb1_vlan20.  I can send packets between VLAN's just fine and access hosts on the VLAN's from each other.  I can reach the Internet without issue from the LAN and all VLANS.

Not sure what I'm missing.  Can anyone provide a suggestion?

PS: Just to add to this I have opened all VLAN's and the LAN to all traffic and protocols without success.

Thanks.

dchp might be a issue
if you have or even have not fixed this u can msg me i have discord can send pics of what i did and in return maybe you can help me figure out rules . cuz fire wall rules are a pain yes .

Is there any solution to this? I have the same kind of issue.

i have 2 Vlans I am trying to get communication to travel between but its not working. what i am trying to accomplish is remotely access devices sitting on this vlan like WAPs and network printers.

Vlan10 --> Vlan20
10.20 --> 20.1 = ping requests received
10.20 --> 20.10 = ping requests not received

Check windows firewall.
You're going between 2 different subnets so you would need an exception in the windows firewall.

i tried turning off the windows firewall and it is still doing the same.

It would probably have been better to open a separate thread. The only similarity is traffic across vlans.
In any case, allow and deny rules need to be created. Can you show your rules for the VLAN ?

only rule in play at the moment

action: pass
direction: in
protocol: ipv4*
source: *
port: *
destination: *
port: *
gateway: *

i am guessing no one has a solution to this problem.

Sorry, missed that. But what is this, what is it trying to tell?

QuoteVlan10 --> Vlan20
10.20 --> 20.1 = ping requests received
10.20 --> 20.10 = ping requests not received

Which interface this rule is for?
action: pass
direction: in
protocol: ipv4*
source: *
port: *
destination: *
port: *
gateway: *

Vlan10 --> Vlan20
10.20 --> 20.1 = ping requests received
10.20 --> 20.10 = ping requests not received

these are the IP addresses. "xx.yy.10.1, xx.yy.10.20, xx.yy.20.1, xx.yy.20.10". x and y are the same for these.

action: pass
direction: in
protocol: ipv4*
source: *
port: *
destination: *
port: *
gateway: *

this rule is applied to both. when i get it working properly talking to each other i will make some other rules, because i will be able to tell what is affecting what things. right now it has access to internet. they just arent passing traffic between the vlans.

Try this to pass traffic from Vlan 10 to 20:
On VLAN20 set a firewall rule:
action: pass
interface: VLAN20
direction: in
tcp/ip : ipv4
potocol: any
source: VLAN10 net
port: *
destination: VLAN20 net
port: *
gateway: default
That would be a firewall rule to incoming traffic from vlan10 to vlan20.

Quote from: cookiemonster on October 08, 2022, 11:36:30 PM
Try this to pass traffic from Vlan 10 to 20:
On VLAN20 set a firewall rule:
action: pass
interface: VLAN20
direction: in
tcp/ip : ipv4
potocol: any
source: VLAN10 net
port: *
destination: VLAN20 net
port: *
gateway: default
That would be a firewall rule to incoming traffic from vlan10 to vlan20.

How could vlan10 ever be a source on vlan20 interface??
Reverse the source and destinations.

Well, I probably thought that because it is what the firewall is telling me. I start a ping from VLAN10 to VLAN20 and this is what it shows on the firewall.

firewall:diagnostics:sessions
dir  proto     source              destination
->  icmp     xx.xx.10.20:1    xx.xx.20.10:1
<-  icmp     xx.xx.10.20:1     xx.xx.20.10:1

I tried reversing the firewall rule as suggested it is not allowing any traffic from one vlan to the other still.

action: pass
interface: VLAN20
direction: in
tcp/ip : ipv4
potocol: any
source: VLAN20 net
port: *
destination: VLAN10 net
port: *
gateway: default

You have to have a rule on both interfaces if you want traffic both ways.

The way it works is if a device on vlan 20 needs to access a device on vlan 10, you need a pass rule on vlan 20 interface. This will create a state and allow traffic.
If you want  all devices on both vlans to access each other, you need to add a pass rule on vlan 10 to vlan 20 also.

What exactly do you want?

Post pics of your vlan configs.

Quote from: Demusman on October 09, 2022, 01:15:48 AM

Quote from: cookiemonster on October 08, 2022, 11:36:30 PM
Try this to pass traffic from Vlan 10 to 20:
On VLAN20 set a firewall rule:
action: pass
interface: VLAN20
direction: in
tcp/ip : ipv4
potocol: any
source: VLAN10 net
port: *
destination: VLAN20 net
port: *
gateway: default
That would be a firewall rule to incoming traffic from vlan10 to vlan20.

How could vlan10 ever be a source on vlan20 interface??
Reverse the source and destinations.

Ok my mistake.

Quote from: cookiemonster on October 09, 2022, 09:58:54 PM

Quote from: Demusman on October 09, 2022, 01:15:48 AM

Quote from: cookiemonster on October 08, 2022, 11:36:30 PM
Try this to pass traffic from Vlan 10 to 20:
On VLAN20 set a firewall rule:
action: pass
interface: VLAN20
direction: in
tcp/ip : ipv4
potocol: any
source: VLAN10 net
port: *
destination: VLAN20 net
port: *
gateway: default
That would be a firewall rule to incoming traffic from vlan10 to vlan20.

How could vlan10 ever be a source on vlan20 interface??
Reverse the source and destinations.

Ok my mistake.

here ya go. i took out all the rules on the Vlan interfaces themselves because not working anyway.

Vlan group has just a default rule setup.

no traffic is being passed between Vlans.

Where do we go from here.

https://drive.google.com/file/d/11Q0ISTmTSDEbgI9mXWPRLasFrPECVHVj/view?usp=sharing

https://drive.google.com/file/d/1cXuynNP1K-Kk6ZY0C6Tp4BDQ7T-hQSkw/view?usp=sharing

First, get rid of the group. Put the rules on the interfaces themselves.
Then, add an any,any rule on the LAN and all vlans.
Traffic will now pass.
Then, tune the rules to what is needed.

I have taken the vlans out of group and put individual rules on them. Still no traffic.

https://drive.google.com/file/d/1U43_eoNqqj4x34QV5ACD0ogxXYQjdu7P/view?usp=sharing

Did you put the same rule on the vlan interfaces?
Post pics of everything applicable.

Also, show a drawing of how everything is connected. You can use this: https://cloud.smartdraw.com/editor.aspx?templateId=aab5d49c-57b2-4cf4-bb77-bf83ea54a750&flags=128

Did you put the same rule on the vlan interfaces?
yes.

Also, show a drawing of how everything is connected
its not that serious of a network that you need a flow chart.

[PFSENSE] => [SWITCH] => [Computers,APs,Printers,etc.]

Simple. One firewall. One Switch.

No, it's not that simple.
What ports are connected to each other?
What ports are tagged with vlans?
What ports are untagged with vlans?

Show how everything is connected.