OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: Zapad on December 20, 2023, 02:04:59 PM

Title: No filtering on Vlan interfaces
Post by: Zapad on December 20, 2023, 02:04:59 PM
Hello,

I don't know what the firewall behaviour on OPNsense is, but on other firewalls my config works.

I have 4 VLANs on the switch, 3 for clients and one for the default gateway (/30 mask, 2 IPs). (one switch, one OPNsense)

On the switch, the IP of port 5/OPNsense is configured as default gateway, with an untagged VLAN and 3 tagged client VLANs.
On the OPNsense, port 5 has an untagged IP and 3 tagged VLANs with configured IPs.

Logic:

GW VLAN: 192.168.100.1 on the switch and 192.168.100.2 on the OPNsense; IP 192.168.100.2 is the default GW on the switch.

Every VLAN has IP *.*.*.1 on the switch and IP *.*.*.2 on the OPNsense.

Clients have the IPs of the switch VLANs as gateway and use the default gateway for the connection to WAN.

My Problem:

I can configure any firewall rules on the VLAN interfaces or deactivate any rule on a tagged VLAN, except "Default Gateway", which is untagged.
No packet count... no block, nothing....

Only one interface filters traffic, and that is WAN! If I define a rule on the Default Gateway, in or out, there is no filtering and no count.
It only counts pass traffic from the alias which includes all VLANs, and blocks a VLAN if I remove it from the alias.

The rule "Firehol" to block in or out blocks nothing unless it is on the WAN interface.

This setting worked on any other router like Ubiquiti or Draytek... maybe I'm wrong with my logic, please help.
Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 20, 2023, 02:36:52 PM
If you have no rules on an interface, all traffic is blocked. Post some screenshots or a firewall rules dump, I have a really hard time reading the description. Also, you should not normally have gateways on LAN interfaces attached to the firewall.
Title: Re: No filtering on Vlan interfaces
Post by: Zapad on December 20, 2023, 03:05:04 PM
What I know:

Normally traffic goes out from the VLANs over the default gateway and comes back to the VLANs over the VLAN interfaces.
Asynchronous routing.
In my case I can leave the VLAN interfaces without any rule; all traffic goes back over the default gateway.

Example:

Client VLAN 192.168.100.10 > default GW switch 192-168.400.1 > 192.168.100.2 gateway/OPNsense

and back

WAN > 192.168.100.2 VLAN IP on the OPNsense and to the client like 192.168.100.10

But the route backwards does not go over the VLAN IP! It goes over the parent interface!

Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 20, 2023, 03:16:47 PM
LAN <-> LAN traffic between clients on a "dumb" switch will never hit the firewall (router).
VLANx <-> VLANx traffic between clients on a VLAN-capable L2 switch will never hit the router.
On a L3 switch with routing enabled, even inter-VLAN traffic will not hit the router normally. See e.g. the diagram here: https://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-intervlanrouting.html

Again, you do not put gateways on (V)LANs attached directly to the OPNsense box.
And yet again, assigned interface with empty ruleset blocks all traffic, it's even written directly in the GUI.

P.S. 192-168.400.1 is invalid and "obfuscating" RFC1918 IPs is totally pointless, just do not do that.
Title: Re: No filtering on Vlan interfaces
Post by: Zapad on December 20, 2023, 03:34:57 PM
Sorry, you didn't understand what I mean.

I know enough about L2/L3 routing and VLANs.

My switch is L3 and has a VLAN as default GW to OPNsense; port 1 is untagged and 3 times tagged with client VLANs.
The same on OPNsense: interface 5 is untagged and 3 VLANs are tagged.

It all works!!!

But the VLAN interfaces on the OPNsense may be empty without any rules, because traffic goes over the parent interface to the clients!

On the parent interface I have the rule "local network alias with all VLAN subnets inside" allow to any, but if I remove one VLAN from the alias, traffic to this VLAN stops.

Any rule assigned to a VLAN interface itself does not work.
Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 20, 2023, 03:40:52 PM
Yeah, when traffic does NOT hit the firewall it is NOT blocked there. Tried to explain about 5 times already. Apparently to no avail. So indeed the rules on the VLAN interfaces can be empty, since there are no packets arriving there to be matched and eventually blocked.

Quote: I know enough about L2/L3 routing and VLANs.

:o ;D :-X
Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 20, 2023, 04:15:08 PM
As a last attempt here, assuming the setup below and a Cisco switch as an example:

VLAN10:
Subnet: 192.168.10.0/24
GW: 192.168.10.1 - this is the IP of the VLAN10 interface, do NOT set it as gateway on OPNsense, only to be used by clients via DHCP/manual config.

VLAN20:
Subnet: 192.168.20.0/24
GW: 192.168.20.1, same as above

VLAN30:
Subnet: 192.168.30.0/24
GW: 192.168.30.1


0. Disable IP (inter-VLAN) routing on the switch, since apparently you expect the inter-VLAN traffic to go through your firewall and filter it there. Do NOT proceed until that is done.

1. Remove any VLAN gateways configured on your OPNsense local VLAN interfaces. Do NOT proceed until that is done.

IPv4 Upstream Gateway: Auto-detect
Dynamic gateway policy: NOT checked.
System - Gateways - Single: Remove any bogus previously created cruft there, only WAN interfaces should have a GW there.

2. Configure the switch properly.

Port 1 trunked, connected to OPNsense box:
Ports 2,3,4 one VLAN each.

cisco-switch#configure terminal
cisco-switch(config)#interface gigabitEthernet 0/2
cisco-switch(config-if)#switchport mode access
cisco-switch(config-if)#switchport access vlan 10
cisco-switch(config-if)#interface gigabitEthernet 0/3
cisco-switch(config-if)#switchport mode access
cisco-switch(config-if)#switchport access vlan 20
cisco-switch(config-if)#interface gigabitEthernet 0/4
cisco-switch(config-if)#switchport mode access
cisco-switch(config-if)#switchport access vlan 30
cisco-switch(config-if)#interface gigabitEthernet 0/1
cisco-switch(config-if)#switchport mode trunk
cisco-switch(config-if)#switchport trunk allowed vlan none
cisco-switch(config-if)#switchport trunk allowed vlan add 10,20,30
cisco-switch(config-if)#exit
cisco-switch(config)#exit
cisco-switch#


Then, and only then, something's gonna be arriving on those VLAN interfaces defined on OPNsense as clients on different VLANs try to talk to each other - and the traffic rules will apply there.
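To make the difference between the two designs in this thread concrete, here is an added example (not from the forum or the OPNsense project) that models both topologies with a tiny longest-prefix-match forwarder and reports which interface a packet enters OPNsense on, which is where pf evaluates the inbound rules. The interface names (igb4, vlan10, wan), the 203.0.113.0/24 and 198.51.100.0/24 addresses, the second client VLAN and the upstream router are assumptions; NAT is ignored.

```python
from ipaddress import ip_address, ip_interface, ip_network

class Device:
    """Minimal L3 forwarder: connected subnets plus static routes, longest prefix wins (NAT ignored)."""
    def __init__(self, name, ifaces, routes=()):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in ifaces.items()}
        self.routes = [(ip_network(n), ip_address(gw)) for n, gw in routes]
    def iface_for(self, ip):
        return next((n for n, i in self.ifaces.items() if ip in i.network), None)

    def lookup(self, dst):
        """Return (egress_iface, next_hop); next_hop is None when dst is directly connected."""
        cands = [(i.network.prefixlen, n, None) for n, i in self.ifaces.items() if dst in i.network]
        cands += [(net.prefixlen, self.iface_for(gw), gw) for net, gw in self.routes if dst in net]
        return max(cands, key=lambda c: c[0])[1:] if cands else (None, None)

def trace(devices, first_hop, dst):
    """Follow a packet from the sender's gateway IP; return [(router, ingress_iface, egress_iface)]."""
    dst, nh, hops = ip_address(dst), ip_address(first_hop), []
    while nh is not None and len(hops) < 16:  # hop limit guards against routing loops
        dev = next(d for d in devices if any(i.ip == nh for i in d.ifaces.values()))
        ingress = next(n for n, i in dev.ifaces.items() if i.ip == nh)
        egress, nh = dev.lookup(dst)
        hops.append((dev.name, ingress, egress))
    return hops

def fw_ingress(hops, fw="opnsense"):
    """Interface on which OPNsense receives the packet, i.e. where its inbound rules are evaluated."""
    return next((ing for dev, ing, _ in hops if dev == fw), None)

# Constructed model of the original poster's design: the L3 switch owns the client VLAN gateways
# and default-routes to OPNsense over the untagged /30 transit VLAN 400 on the parent interface igb4.
L3_SWITCH_DESIGN = [
    Device("switch", {"vlan100": "192.168.100.1/24", "vlan200": "192.168.200.1/24",
                      "vlan400": "192.168.0.1/30"}, [("0.0.0.0/0", "192.168.0.2")]),
    Device("opnsense", {"igb4": "192.168.0.2/30", "igb4_vlan100": "192.168.100.2/24",
                        "igb4_vlan200": "192.168.200.2/24", "wan": "203.0.113.2/24"},
           [("0.0.0.0/0", "203.0.113.1")]),
    Device("upstream", {"isp": "203.0.113.1/24", "remote": "198.51.100.1/24"},
           [("192.168.0.0/16", "203.0.113.2")]),
]
# Constructed model of the design in the reply above: L2-only switch, OPNsense VLAN interfaces are the
# client gateways, so inter-VLAN and WAN-bound packets all enter OPNsense on a VLAN interface.
FIREWALL_GW_DESIGN = [
    Device("opnsense", {"vlan10": "192.168.10.1/24", "vlan20": "192.168.20.1/24",
                        "wan": "203.0.113.2/24"}, [("0.0.0.0/0", "203.0.113.1")]),
    Device("upstream", {"isp": "203.0.113.1/24", "remote": "198.51.100.1/24"},
           [("192.168.0.0/16", "203.0.113.2")]),
]
```

Running trace(L3_SWITCH_DESIGN, "192.168.100.1", "198.51.100.5") shows the client's packet entering OPNsense on igb4, the parent interface, and an inter-VLAN flow never reaching OPNsense at all, while the reply from WAN leaves on igb4_vlan100 (the asymmetry described in the thread); the same flows in FIREWALL_GW_DESIGN enter on vlan10, where the VLAN rules apply.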
Title: Re: No filtering on Vlan interfaces
Post by: Zapad on December 20, 2023, 04:38:03 PM
First, my VLAN interfaces on the switch are properly configured!

Example: 192.168.100.0/24, VLAN 100; the interface IP on the switch is 192.168.100.1 and on the OPNsense 192.168.100.2.
All other VLANs are the same.

Only VLAN 400 has the IP range 192.168.0.1/30, and the IP on the OPNsense is 192.168.0.2/30.

On the switch there is a static route 0.0.0.0/0 with 192.168.0.2 as gateway.

Port 1 is a trunk with VLAN 400 untagged and VLANs 100, 200, 300 tagged.

On the OPNsense, interface 5 is the parent interface 192.168.0.2 and the VLAN interfaces have the above described 192.168.100.2 and so on.

This configuration works with Cisco switches, routers, Netgear, Ubiquiti, Zyxel, Draytek, TP-Link and so on....

Please don't teach me ABC.
Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 20, 2023, 04:39:49 PM
Yeah, /30 has 2 usable IPs. Way to go... One VLAN == one subnet. Not five /30s with zero usable IPs for clients, and all clients on all VLANs using the same subnet. Sigh. WTH is that obsession with gateways? That is not how you do it. And once again - stop doing L3 on the switch when you expect to filter packets on the firewall.

You have no clue what you are doing, sorry.

Quote: Please don't teach me ABC.

Regret to have wasted my time on this.  :o >:(
Title: Re: No filtering on Vlan interfaces
Post by: Zapad on December 22, 2023, 05:43:09 PM
The problem was identified by blocking Ethertype 8100 on the upstream switch port.

Creating a VLAN interface on OPNsense makes this 802.1ad, which is QinQ and not a regular 802.1Q VLAN.
That is the reason why I cannot block anything, because it is VLAN inside VLAN.

Changing to 802.1Q on an existing VLAN has no effect.

Any fix for this behaviour?
Title: Re: No filtering on Vlan interfaces
Post by: doktornotor on December 22, 2023, 07:42:58 PM
Sure, hire a network admin.
Title: Re: No filtering on Vlan interfaces
Post by: Zapad on December 24, 2023, 12:32:45 PM
I was wrong with QinQ.

But my problem is solved; now I am able to filter any VLAN traffic with my setting, without the requirement to set OPNsense as default gateway for the VLANs.
My switch does inter-VLAN routing and OPNsense filters traffic from WAN to the VLANs, exactly so and not otherwise!

Fixed by myself with trial and error.
Title: Re: No filtering on Vlan interfaces
Post by: thorzeen on December 03, 2024, 11:32:03 PM
Quote: Yeah, /30 has 2 usable IPs. Way to go

I believe he is referring to a transit network.
Usually used between routers in an effort to control asymmetric routing, amongst other things.