Hello,
I'm trying to migrate from IPFire to OPNsense and understand that it's just a completely different world.
I read some threads about my question, but still understand nothing. Sorry for this basic question.
I have 6 NICs and 6 subnets and want to connect from LAN to wLAN subnet to access a wifi router (want to build an access point on it). I made a floating rule for devices group (my LAN laptop within) to access the internet. "Devices to any".
As I understand, now I should get access from these devices to any address on any interface including the internet. Am I wrong?
I get an internet connection for my laptop, but I cannot even ping the connected device on another subnet. I see it in the ARP table, connected via DHCP to the wLAN interface, but cannot even ping it.
By the way, there is a rule for ICMP, so I can ping 1.1.1.1 or whatever.
Best regards
bread
Have you checked Firewall->Log Files->Live View for any blocked traffic?
Cheers,
Erik
You need to create a rule on the interface you want to reach, with source the interface "net" where the traffic comes from.
For instance you have LAN1 and LAN2. They will have an automatically created net, i.e. LAN1 net and LAN2 net, that appear as aliases for rules.
So say you want to allow traffic from LAN1 to LAN2, then you need to go to Firewall > Rules. Select LAN2.
Then create a rule with Interface LAN2. Action: Pass ; Direction: In ; Source: LAN1.
Select the rest of the options as needed; mostly defaults.
Quote: I made a floating rule for devices group (my LAN laptop within) to access the internet. "Devices to any".
As I understand, now I should get access from these devices to any address on any interface including the internet.
Devices to any here means to go out to the internet. Traffic between interfaces needs a specific rule to allow it in from others.
Quote from: Papasan on June 23, 2024, 12:55:01 AM
Have you checked Firewall->Log Files->Live View for any blocked traffic?
Yes, it shows me that the device on wLAN is alive and tries to ping 1.1.1.1 (connection status check) all the time.
If I try to ping this device, nothing appears in the logs.
If I try to ping the firewall, I see this in the logs.
Quote from: cookiemonster on June 23, 2024, 01:12:51 AM
You need to create a rule on the interface you want to reach, with source the interface "net" where the traffic comes from.
For instance you have LAN1 and LAN2. They will have an automatically created net, i.e. LAN1 net and LAN2 net, that appear as aliases for rules.
So say you want to allow traffic from LAN1 to LAN2, then you need to go to Firewall > Rules. Select LAN2.
Then create a rule with Interface LAN2. Action: Pass ; Direction: In ; Source: LAN1.
Select the rest of the options as needed; mostly defaults.
I made a rule on wLAN with
IPv4 + IPv6
Source: LAN net
Destination: wLAN net
but still got no connection
Ah, ok. So all connections between the subnets are closed per default. "any" means within the subnet AND out of it towards the internet, but NOT towards other subnets.
By the way, is there any possibility to quote directly some part of the thread? "Insert quote" inserts the whole text.
/Edit:
I also made a rule on WLAN interface directly between the client and the access point:
Source: Client in LAN
Destination: AccessPoint in WLAN
And nothing happens.
Does it have something to do with the gateway setting within the rule?
Quote: Ah, ok. So all connections between the subnets are closed per default. "any" means within the subnet AND out of it towards the internet, but NOT towards other subnets.
That is correct with the small clarification that there is no need for the any rule within the subnet as that traffic doesn't get to the router, but is done with the switch that you presumably have plugged into it, or a wireless AP, which functions as one.
What I wrote is the principle so if it still "doesn't work" we'll need to go to the specifics.
Can you please post/show your network and interfaces somehow, like a little diagram?
ps
Quote: I made a rule on wLAN with
IPv4 + IPv6
Source: LAN net
Destination: wLAN net
This is a rule that looks fine to allow traffic from LAN devices towards the wLAN network. Should work although IPv6 is only necessary if you are actually using IPv6. Gateway left at default is correct if you are only using one.
Meanwhile I'm on another point.
My WLAN interface is somehow strange.
If I change my AP to another Port, I get connection and everything is ok.
So it seems to be a problem with the special Port.
DHCP works on this Port, I can see it in the ARP table. But no connection to this port works.
It's definitely not about the FW rules, because I allowed everything within Private_Networks and could connect everywhere, but NOT to the WLAN port.
Maybe it's damaged, but I hope not, because DHCP works.
Any ideas?
Quote from: cookiemonster on June 23, 2024, 11:09:49 PM
Quote: Ah, ok. So all connections between the subnets are closed per default. "any" means within the subnet AND out of it towards the internet, but NOT towards other subnets.
That is correct with the small clarification that there is no need for the any rule within the subnet as that traffic doesn't get to the router, but is done with the switch that you presumably have plugged into it, or a wireless AP, which functions as one.
Sorry, @cookiemonster - not quite correct. Destination "any" means "any", i.e. the Internet and all other locally connected subnets.
That's why we need either destination invert for e.g. RFC1918 networks or explicit deny rules to isolate subnets.
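As an added illustration (example code written for this thread, not OPNsense's own and not posted by anyone here) of the rule semantics being discussed: rules are consulted on the interface a packet enters, a destination of "any" also covers the other local subnets, and a destination-inverted RFC1918 alias limits LAN to the internet only. The subnet addressing and interface names are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how OPNsense (pf) applies firewall rules. Example
# code, not OPNsense's own; the subnet addressing below is assumed.
NETS = {"LAN": ipaddress.ip_network("192.168.1.0/24"),
        "wLAN": ipaddress.ip_network("192.168.2.0/24")}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    interface: str         # interface tab the rule lives on, or "floating"
    action: str            # "pass" or "block"
    src: str               # "LAN net", "wLAN net" or "any"
    dst: str               # as above, or "!RFC1918" for destination-invert
    direction: str = "in"  # OPNsense default


def _matches(spec, addr):
    if spec == "any":
        return True
    if spec == "!RFC1918":  # "destination invert" on an RFC1918 alias
        return not any(addr in net for net in RFC1918)
    return addr in NETS[spec.removesuffix(" net")]


def ingress_interface(addr):
    """Interface a packet from this source address enters the firewall on."""
    return next((name for name, net in NETS.items() if addr in net), "WAN")


def evaluate(rules, src_ip, dst_ip):
    """Action taken for a NEW connection src_ip -> dst_ip.

    Rules are consulted on the interface the packet enters (direction
    in): floating rules first, then that interface's tab, first match
    wins, default deny. Replies ride on the state entry, so a rule on
    the destination interface is never consulted for this flow.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    entering = ingress_interface(src)
    ordered = sorted(rules, key=lambda r: r.interface != "floating")
    for r in ordered:
        if (r.direction == "in" and r.interface in ("floating", entering)
                and _matches(r.src, src) and _matches(r.dst, dst)):
            return r.action
    return "block"
```

Run `evaluate([Rule("LAN", "pass", "LAN net", "any")], "192.168.1.10", "192.168.2.20")` and it returns "pass", while the same query with `"!RFC1918"` as destination returns "block".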
Meanwhile I migrated the Interface Settings from WLAN to another port and I get the same result!
So the ports are OK; it has something to do with the settings of the port, which is called WLAN in my case. If I migrate these settings, I cannot ping another port, which was reachable until then.
May I suggest keeping this discussion to the German language thread where there is much more progress being made? Even if I am not online, there are a whole bunch of German speaking regulars in this forum.
Everything else failing, why don't you join the German usergroup on next Friday at 17:00 CEST?
https://forum.opnsense.org/index.php?topic=18183.0
I am sure we can help "live" there.
Thanks for the correction @Patrick M. Hausen.
I might try to join and get lost in the usergroup. I'm trying to learn the language.
Quote: May I suggest keeping this discussion to the German language thread where there is much more progress being made?
Yes, sorry. It was another topic at the beginning, but then the problem got closer to the same one.
So, I think, we can end up here and try to solve it in German. Thanks!
Although the name of the topic there doesn't suit anymore... just got more problems :D
/Edit:
Made an extra topic for the WLAN port problem (but in German):
https://forum.opnsense.org/index.php?topic=41220.0