Hi,
I can access my OPNsense web GUI either from a management interface or directly from WAN (I set a firewall rule for that), no security issues since everything runs in a virtual lab environment.
I found out that I can't access the web GUI from local PCs running in a VLAN, even though I set a pass rule for that, and the PCs can ping the local gateway (10.30.30.1) and go to the internet regularly.
Here are the VLAN firewall rules:
(https://images2.imgbox.com/0c/23/L5Pbm2S6_o.jpg) (https://imgbox.com/L5Pbm2S6)
and a Wireshark capture on the trunk interface:
(https://thumbs2.imgbox.com/51/83/aWZKU7wQ_t.jpg) (https://imgbox.com/aWZKU7wQ)
I also disabled the firewall filters in the advanced option but I still can't access the web GUI from the "main" VLAN.
I don't know what is wrong with it. Could you please help figure it out? Thanks
System: Settings: Administration
Is the Web GUI listening on all interfaces?
Quote from: bartjsmit on November 19, 2024, 12:40:36 PM
System: Settings: Administration
Is the Web GUI listening on all interfaces?
Yes it is.
Thanks
Can you access the firewall with SSH?
Quote from: bartjsmit on November 19, 2024, 12:53:45 PM
Can you access the firewall with SSH?
Only from WAN or the MNG port, not from the PC on the VLAN
Maybe that VLAN has a Gateway set accidentally?
Quote from: Monviech (Cedrik) on November 19, 2024, 01:09:36 PM
Maybe that VLAN has a Gateway set accidentally?
Where?
Apart from WebGUI access, everything works as expected.
Can you see anything interesting in the wireshark capture screenshot I uploaded earlier?
Very weird issue
If only traffic targeted to a service on the firewall itself does not work, the response of the firewall might be sent to a different destination than back to the requesting client.
I haven't checked the packet capture, sorry, just an idea.
Quote from: Monviech (Cedrik) on November 19, 2024, 01:37:56 PM
If only traffic targeted to a service on the firewall itself does not work, the response of the firewall might be sent to a different destination than back to the requesting client.
I haven't checked the packet capture, sorry, just an idea.
I didn't set anything about the gateway, so it must be on the default setting.
Thanks
Well can you tcpdump/wireshark on the requesting client to see if it receives the correct responses from the firewall when initiating an ssh session for example?
Quote from: Monviech (Cedrik) on November 19, 2024, 01:47:56 PM
Well can you tcpdump/wireshark on the requesting client to see if it receives the correct responses from the firewall when initiating an ssh session for example?
Ok. I ran Wireshark on the Windows 7 machine while I was trying to access the OPNsense web GUI
(https://images2.imgbox.com/3c/79/iYGqFKjW_o.jpg) (https://imgbox.com/iYGqFKjW)
UPDATE!!
I set MSS at 600 and now it works!
I can guess it, but I don't know exactly why.
There may be a discrepancy in the MTU at layer-2. Check for switches or network cards that are set to different values.
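The two posts above (the MSS clamp that made the GUI work, and the suggested layer-2 MTU mismatch) describe one recognisable capture pattern: the TCP handshake and small segments are acknowledged, while every full-size segment the firewall sends is retransmitted and never acknowledged. The script below is an added example, not OPNsense code and not code from any poster in this thread. It applies that check to tshark-style summary lines. The capture text is constructed for the example (the gateway address 10.30.30.1 comes from the thread; the client 10.30.30.50, ports and sequence numbers are made up), and it assumes plain IPv4 TCP over Ethernet when it converts a frame size into an MSS bound.

```python
"""Spot a TCP MTU black hole in a capture summary.

Added example for this thread; it is not OPNsense code nor code from any
poster. A segment counts as delivered once the other side sends an ACK that
covers it. If every lost segment is larger than every delivered one, and the
sender is retransmitting, the capture shows the black-hole pattern that an
MTU mismatch at layer 2 produces and that an MSS clamp merely works around.
"""
import re
from collections import defaultdict

# Constructed sample modelled on `tshark` one-line output; it is NOT the
# capture from the thread. Fields: frame, time, src, dst, proto, frame length,
# info. 10.30.30.1 is the gateway from the thread, 10.30.30.50 a made-up client.
SAMPLE_CAPTURE = """\
1 0.000 10.30.30.50 10.30.30.1 TCP 66 52110 > 443 [SYN] Seq=0 Ack=0 Len=0 MSS=1460
2 0.001 10.30.30.1 10.30.30.50 TCP 66 443 > 52110 [SYN, ACK] Seq=0 Ack=1 Len=0 MSS=1460
3 0.001 10.30.30.50 10.30.30.1 TCP 54 52110 > 443 [ACK] Seq=1 Ack=1 Len=0
4 0.002 10.30.30.50 10.30.30.1 TCP 571 52110 > 443 [PSH, ACK] Seq=1 Ack=1 Len=517
5 0.003 10.30.30.1 10.30.30.50 TCP 1514 443 > 52110 [ACK] Seq=1 Ack=518 Len=1460
6 0.003 10.30.30.1 10.30.30.50 TCP 1514 443 > 52110 [ACK] Seq=1461 Ack=518 Len=1460
7 0.210 10.30.30.1 10.30.30.50 TCP 1514 [TCP Retransmission] 443 > 52110 [ACK] Seq=1 Ack=518 Len=1460
8 0.620 10.30.30.1 10.30.30.50 TCP 1514 [TCP Retransmission] 443 > 52110 [ACK] Seq=1 Ack=518 Len=1460
9 1.430 10.30.30.1 10.30.30.50 TCP 1514 [TCP Retransmission] 443 > 52110 [ACK] Seq=1 Ack=518 Len=1460
"""

LINE_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<flen>\d+)\s+(?P<info>.*)$"
)
# Header bytes in a plain IPv4 TCP frame as tshark reports its length:
# Ethernet (14) + IPv4 (20) + TCP without options (20). Assumed, not measured.
ETH_IP4_TCP_HEADERS = 14 + 20 + 20


def parse_summary(text):
    """Turn summary lines into segment dicts (one per frame)."""
    segments = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        info = m.group("info")
        seq = int(re.search(r"Seq=(\d+)", info).group(1))
        ack = int(re.search(r"Ack=(\d+)", info).group(1))
        length = int(re.search(r"Len=(\d+)", info).group(1))
        # The flag list right before "Seq=" (the "[TCP Retransmission]" tag
        # is lowercase and so does not match).
        flags = re.search(r"\[([A-Z, ]+)\]\s+Seq=", info).group(1)
        # SYN and FIN each occupy one sequence number even with Len=0.
        consumed = length + ("SYN" in flags) + ("FIN" in flags)
        segments.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "frame_len": int(m.group("flen")), "seq": seq, "ack": ack,
            "consumed": consumed,
            "retrans": "[TCP Retransmission]" in info,
        })
    return segments


def detect_black_hole(text):
    """Return a finding dict, or None if the capture shows no black-hole pattern."""
    segments = parse_summary(text)
    # The highest ACK each side has sent tells us what reached it.
    highest_ack = defaultdict(int)
    for s in segments:
        key = (s["src"], s["dst"])
        highest_ack[key] = max(highest_ack[key], s["ack"])

    delivered, undelivered, retrans = [], [], 0
    for s in segments:
        if s["consumed"] == 0:
            continue  # pure ACK: nothing to deliver
        acked_up_to = highest_ack[(s["dst"], s["src"])]
        bucket = delivered if s["seq"] + s["consumed"] <= acked_up_to else undelivered
        bucket.append(s["frame_len"])
        retrans += s["retrans"]

    if not undelivered or retrans == 0:
        return None
    largest_ok, smallest_lost = max(delivered, default=0), min(undelivered)
    if smallest_lost <= largest_ok:
        return None  # large and small frames both fail: not an MTU problem
    return {
        "largest_delivered_frame": largest_ok,
        "smallest_lost_frame": smallest_lost,
        "retransmissions": retrans,
        # An MSS clamp at or below this value is proven to work by the capture.
        "safe_mss_upper_bound": largest_ok - ETH_IP4_TCP_HEADERS,
    }


def mss_for_mtu(mtu, ipv6=False):
    """Largest MSS that fits an IP MTU without fragmentation (no TCP options)."""
    return mtu - (60 if ipv6 else 40)


if __name__ == "__main__":
    print(detect_black_hole(SAMPLE_CAPTURE))
    print("MSS for a 1500-byte MTU:", mss_for_mtu(1500))
```

Run it against `tshark -r capture.pcap` output taken on the client, as suggested earlier in the thread. A finding means the clamp is a workaround: the reported MSS bound only says what this capture proves got through, and the real fix is the layer-2 MTU check above (every switch port, virtual switch and NIC on the path set to the same value).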
Quote from: bartjsmit on November 19, 2024, 06:22:45 PM
There may be a discrepancy in the MTU at layer-2. Check for switches or network cards that are set to different values.
There is a virtual Cisco switch between OPNsense and clients
Set all the internal MTU to 1500. Jumbo frames are best for dedicated storage networks/VLANs.
Quote from: bartjsmit on November 20, 2024, 08:19:55 AM
Set all the internal MTU to 1500. Jumbo frames are best for dedicated storage networks/VLANs.
I checked. The MTU is already set to 1500 on every Cisco interface. Maybe the issue is something related to the virtualization