OPNsense Forum
English Forums => 24.1 Production Series => Topic started by: lilsense on February 24, 2024, 07:04:06 pm
-
I am unable to connect to pihole on a local network but I am able to from another LAN.
local machine's IP: 10.10.10.234
pihole IP: 10.10.10.10
I am able to connect to the pihole from IP: 10.13.10.119
when troubleshooting and looking at live logs I see:
__timestamp__ 2024-02-24T12:50:44-05:00
ack 3692531448
action [block]
anchorname
datalen 0
dir [in]
dst 10.10.10.234
dstport 60517
ecn
id 0
interface vlan03
interface_name INTLOCAL
ipflags DF
ipversion 4
label Default deny / state violation rule
length 60
offset 0
protoname tcp
protonum 6
reason match
rid 02f4bab031b57d1e30553ce08e0ec131
rulenr 21
seq 87346160
src 10.10.10.10
srcport 80
subrulenr
tcpflags SA
tcpopts
tos 0x0
ttl 64
urp 65160
When I click on the rid to show me the rule, it just pops up and vanishes.
-
Wi-Fi with AP isolation turned on ? That would prevent prevent clients in the same LAN to talk to anything but the GW
-
the vlan 10.10.10 is wired. the 10.13.10 is wireless but the AP isolation is not on the opnsense.
-
There's no FW involved between hosts in the same lan/vlan. You could tak out the FW and the traffic would continue to flow between the hosts in said (v)lan.
If one of your machines sends the traffic to the default GW that means said machine sees itself in a different network segment, so not everything might be in 10.10.10.0/24
-
All the VLAN devices are on a Trunk. Also, I have no issues connecting to any other device on the 10.10.10.0/24 subnet which is quite odd.
-
If we're talking about a /24 LAN then check your PI's netmask config. No router should see that kind of traffic being blocked as it should never reach the router. Unless your communication partner sends everything to the router instead of the network segment itself.
If we're not talking about a /24 or a value smaller, please provide that info.
-
It's set properly and I can access that IP from various subnets.
-
You obviously can't access you own subnet from your PI. Terms like "properly" don't seem to fit here, don't you agree?
-
Can Pihole can reach all the VLAN's and devices... all the devices are able to use the Pihole to get on the net with the exception of one.
-
Does the rid field work for anyone?
I am unable to pull any information using this field.
-
You're way off track chasing rids, you've been told twice already.
Fastest way to solve this is to create a DHCP reservation for the pi, and then set the pi interface to DHCP
-
It's already there... but Thanks.
I'll roll it back again to when everything was working 23.1.11.
-
For this particular issue any firewall from any manufacturer should be 100% as "defective"
Either that or there's something else happening there you're not saying...
-
Can can reach all the VLAN's and devices...
I care for your problem as much as you do for my answers. So, good luck
-
It's very easy to brush off saying "blah, blah..." Yet not answering as to why the firewall is logging the block of an intra-vlan communication. It's even worst when you have to rely on the GUI more than the command line...
Edit: Identified rules blocking:
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
not sure what groups they are under or if this is the last rule as the IP's do not fall into any cat????
edit2: more info
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
[ Evaluations: 8232 Packets: 83 Bytes: 6006 States: 0 ]
[ Inserted: uid 0 pid 76503 State Creations: 0 ]
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
[ Evaluations: 8329 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 76503 State Creations: 0 ]
-
So how do I delete these two rules... Not sure how they got there
-
Those rules cannot be uninstalled, they magically appeared when you installed OPNsense and have been there making your machine a firewall ever since. Removing it would make the machine a router passing any traffic from an interface to the other.
-
Well he can not magically remove it indeed but he can disable the firewall, making out of OPN a router ;). On the other hand doing this as mentioned by newsense you will loose FW capabilities and become wide open to everything.
Look you definitely have somewhere a misconfiguration. 2 Hosts on a same broadcast domain will not communicate over a GW. Communication within the same VLAN happens on the same VLAN, the host are able to resolve the ARP thus get proper MAC for destination IP, which means they send the packet directly in between each other without need of intervention of L3.
Also your live log doesn't give any sense to me. You say a PC is not able to connect to a Pihole.
This means destination 10.10.10.10 port 80
But you clearly see from that live log entry you provided destination is your PC 10.10.10.234 port 60517
__timestamp__ 2024-02-24T12:50:44-05:00
ack 3692531448
action [block]
anchorname
datalen 0
dir [in]
dst 10.10.10.234
dstport 60517
ecn
id 0
interface vlan03
interface_name INTLOCAL
Which means this is the returning packet most likely. Do you see any packet being dropped with destination 10.10.10.10 port 80? Because if not only Pihole tries to always talk over GW if yes both of your devices tent to talk over a GW, and not directly over the L2. Which points to a fact for some reason they are not on the same broadcast domain. Or for some reason they forward the traffic to GW instead forwarding it directly to each other within the VLAN.
I am using a Pihole as well, it has a static IP/MASK and does VLAN TAGGING. And devices talking to this Pihole communicate directly, packets that go and come for the Pihole are not being seen hitting the OPN at all.
Regards,
S.
-
Look you definitely have somewhere a misconfiguration.
We cannot conclude this as OP very strongly wants this to be a VLAN/OPNsense issue
-
I call netmask/prefix-length misconfiguration.
-
I call netmask/prefix-length misconfiguration.
+1, as its most likely the cause of such issues.
Regards,
S.
-
Thanks Seimus.
I went back and look at the VLAN configuration and the interface was on the wrong VLAN. Now, I am not sure how this could happen as no network changes have been made... but Thanks for the Tagging reminder.
didnt work... I'll redo the connections... It's not the subnets or the prefix. It looks like the switch has many misconfigured ports which is very odd.
-
Thanks Seimus.
I went back and look at the VLAN configuration and the interface was on the wrong VLAN. Now, I am not sure how this could happen as no network changes have been made... but Thanks for the Tagging reminder.
didnt work... I'll redo the connections... It's not the subnets or the prefix. It looks like the switch has many misconfigured ports which is very odd.
Thats the potential second most case of problems (VLANs) :). Let us know what you figured out.
Regards,
S.
-
oh, well that was not it, either... I am going to roll back to 23.1 as my other apps are not working as well as I did not realize...