Setup:
- OPNsense 24.10_7
- Created a VLAN 100
- Created an assignment called LANVLAN, IP address 192.168.43.1.
- Added firewall rules for LANVLAN from the LANVLAN net to anywhere.
- Set up the DHCP server for LANVLAN.
Also important: the Web GUI is set to listen on all interfaces.
A client on the VLAN gets an IP address. The firewall rules also work - I can access external hosts through the WAN. I can also SSH into the OPNsense router, etc. I cannot access the Web UI through a web browser, nothing happens until it times out. Now the fun part:
~ % curl -v http://192.168.43.1/
* Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Location: https://192.168.43.1/
< Content-Length: 0
< Date: Sun, 03 Nov 2024 10:54:48 GMT
< Server: OPNsense
<
* Connection #0 to host 192.168.43.1 left intact
As you can see, connections to the HTTP port work and as expected, the client is redirected to HTTPS. But then:
~ % curl -v https://192.168.43.1/
* Trying 192.168.43.1:443...
* Connected to 192.168.43.1 (192.168.43.1) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* Recv failure: Connection reset by peer
* LibreSSL/3.3.6: error:02FFF036:system library:func(4095):Connection reset by peer
* Closing connection
curl: (35) Recv failure: Connection reset by peer
Just hangs until it times out. So the connection is dropped. There is no firewall rule blocking it, it seems that the WebUI itself is dropping the connection. This can be confirmed by changing the WebGUI to use HTTP rather than HTTPS in the
Administration settings (remember that HTTP works, see above). So, rather than getting a redirect, we now expect to get the login page. However:
~ % curl -v http://192.168.43.1/
* Trying 192.168.43.1:80...
* Connected to 192.168.43.1 (192.168.43.1) port 80
> GET / HTTP/1.1
> Host: 192.168.43.1
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* Closing connection
curl: (56) Recv failure: Connection reset by peer
Given that HTTP worked before setting the Web UI to HTTP, it seems like the Web UI itself is dropping connections coming from the VLAN?
Figured out the issue. I was testing with macOS' VLAN support. Turns out it is just very broken, I think it was something in the TLS connection that caused the failure (maybe related MTU size?). There were also other ways the connection would get dropped. For instance, when SSHing into OpenWrt and then running top would often also break the connection. Tested now with a switch with VLAN tagging and it works as expected.