OPNsense Forum

English Forums => General Discussion => Topic started by: 9axqe on July 31, 2023, 04:09:49 PM

Title: Firewall Group for LAN
Post by: 9axqe on July 31, 2023, 04:09:49 PM
I am trying to set up a firewall group for my LAN. Both interfaces work; plugging in a device provides DHCP in the appropriate IP range of the LAN subnet (I picked two different IP ranges for each interface).

LAN1 has IP 192.168.1.1
LAN2 has IP 192.168.1.2

Problem: when plugged into LAN2, I cannot access the web interface under 192.168.1.1 somehow. I can't even ping it.

Both interfaces are in a group, hence they share firewall rules.

Any idea what I could have forgotten? I also am not sure where it's defined which IP the web GUI is reachable under.
Title: Re: Firewall Group for LAN
Post by: CJ on July 31, 2023, 04:19:34 PM
What are you attempting to do?  Is there a reason to use two separate interfaces instead of LAGG, Bridge, or a separate switch?

How did you set up the firewall group and rules?
Title: Re: Firewall Group for LAN
Post by: Patrick M. Hausen on July 31, 2023, 04:23:37 PM
You cannot have one interface with 192.168.1.1/24 and another with 192.168.1.2/24. You need to create a LAN bridge.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html
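
An added example, not part of the original post and not OPNsense's own code: a Python check for the misconfiguration described above, where two interfaces are given addresses in the same subnet. It goes slightly further and also flags overlaps between different prefix lengths; the interface names and the nested-prefix sample are constructed for illustration.

```python
import ipaddress
from itertools import combinations


def find_subnet_conflicts(assignments):
    """Return (if_a, if_b, net_a, net_b) for each pair of interfaces whose
    configured networks overlap. `assignments` maps interface name to an
    address in CIDR form, e.g. {"LAN1": "192.168.1.1/24"}."""
    parsed = {name: ipaddress.ip_interface(addr)
              for name, addr in assignments.items()}
    conflicts = []
    for (name_a, if_a), (name_b, if_b) in combinations(parsed.items(), 2):
        # IPv4 and IPv6 prefixes can never collide; skip mixed pairs.
        if if_a.version != if_b.version:
            continue
        # overlaps() is true for identical networks and for a smaller
        # network nested inside a larger one.
        if if_a.network.overlaps(if_b.network):
            conflicts.append((name_a, name_b,
                              str(if_a.network), str(if_b.network)))
    return conflicts


# The setup from the thread: both ports in 192.168.1.0/24.
SAME_SUBNET = {"LAN1": "192.168.1.1/24", "LAN2": "192.168.1.2/24"}
# Two routed subnets, one per port (what CJ assumed was meant).
SEPARATE_SUBNETS = {"LAN1": "192.168.1.1/24", "LAN2": "192.168.2.1/24"}
# Bridge layout: one address on the bridge, member ports carry none.
# "bridge0" is a constructed interface name.
BRIDGED = {"bridge0": "192.168.1.1/24"}
# Constructed sample: a /24 nested inside a /16 also conflicts.
NESTED = {"LAN1": "192.168.0.1/16", "LAN2": "192.168.1.1/24"}

if __name__ == "__main__":
    for label, cfg in [("same subnet", SAME_SUBNET),
                       ("separate subnets", SEPARATE_SUBNETS),
                       ("bridged", BRIDGED),
                       ("nested prefixes", NESTED)]:
        print(label, "->", find_subnet_conflicts(cfg) or "no conflict")
```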
Title: Re: Firewall Group for LAN
Post by: CJ on July 31, 2023, 04:32:27 PM
Quote from: Patrick M. Hausen on July 31, 2023, 04:23:37 PM
You cannot have one interface with 192.168.1.1/24 and another with 192.168.1.2/24. You need to create a LAN bridge.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

I was assuming they meant 192.168.1.1 and 192.168.2.1 but was waiting for confirmation and more info. :)
Title: Re: Firewall Group for LAN
Post by: 9axqe on July 31, 2023, 07:43:04 PM
Quote from: CJ on July 31, 2023, 04:19:34 PM
What are you attempting to do?  Is there a reason to use two separate interfaces instead of LAGG, Bridge, or a separate switch?

How did you set up the firewall group and rules?

I have the OPNsense router and next to it there is:
powerline adapter (single ethernet box)
Home Automation bridge (must stay here, otherwise some smart home devices lose the DECT ULE connection)

I could of course buy a small switch, but why should I, there are 4 ports on the DEC695.
Title: Re: Firewall Group for LAN
Post by: 9axqe on July 31, 2023, 07:43:52 PM
Quote from: Patrick M. Hausen on July 31, 2023, 04:23:37 PM
You cannot have one interface with 192.168.1.1/24 and another with 192.168.1.2/24. You need to create a LAN bridge.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Ah, that was the issue. Ok, I'll attempt to create a bridge then.

Thank you!
Title: Re: Firewall Group for LAN
Post by: 9axqe on August 01, 2023, 09:34:03 AM
LAN bridge seems to work, last question, about firewall rules:

I assume they should all be applied to the bridge interface, right, not the physical interfaces? (assuming I have the same firewall requirements for all interface members of the LAN bridge)
Title: Re: Firewall Group for LAN
Post by: Patrick M. Hausen on August 01, 2023, 09:42:44 AM
Yes, assign "LAN" to the bridge interface and the firewall rules to "LAN". Make sure to set the two tunables from the documentation.
Title: Re: Firewall Group for LAN
Post by: 9axqe on August 22, 2023, 08:08:54 AM
I never replied, but this worked, thanks!