Hi Forum - hopefully and easy one!
I have got my home lab setup working using multiple vlans and an inline ISP Broadband router. I can happily ping all the SVIs from each required location. Previous I had just a LAN and WAN interface on OPNSense, but I wanted another network to access the internet. My OPNSense instance is virtualised so I have added a new VLAN on my hypervisor host, assigned to the OPNSense virtual appliance and then created a new interface in OPNSense by selecting the available MAC. The new interface is of type "opt1".
Client(192.168.2.100) <---> Switch1 (VLAN SVI:192.168.2.254) <---> Switch2 (VLAN SVI:192.168.1.253) <---> OPNSense opt1 (Int IP: 192.168.2.1)
The problem is that I can't ping out from OPNSense to the SVI of this network. If I try and ping from my switches I can ping any address (client and VLAN SVIs), but can't ping the new OPNSense interface. Is there something I have missed during the interface setup?
Hope you can help!
Matt
So, still having troubles. Even if I add the follow allow all rules in the second LAN (LAN2) interface I am still not able to ping out or in:
Protocol | Direction | Source | Port | Dest | Port | Gateway | Schedule
IPv4 -> * * * * * *
IPv4 <- * * * * * *
What is SVI? Why are the two switches in two dufferent networks? Please show for all connections if they are trunk (tagged) or access (untagged) ports.
Hi Patrick,
Apologies, there was a typo in my first post (fat fingered phone input). The Switch2 SVI should have read 192.168.2.253.
SVI - Switch Virtual Interface, or VLAN interface.
The image shows that I am able to access the internet from the "LAN" (VLAN10) network, and I can PING both switch SVIs and the client IP from the OPNSense interface diagnostics.
I am not able to access the internet from the second LAN interface "opt1" (VLAN2), PING either switch SVI or the client. I have added a *.* firewall rule to opt1 but still don't see anything if I try a packet capture.
https://ibb.co/SXMfM04x
I thought maybe it could be a routing issue but I read that OPNSense added routing for the interfaces automatically.
Quote from: signup@mattstanding.co.uk on October 25, 2025, 04:20:21 PM[...]Switch2 (VLAN SVI:192.168.1.253)[...]
Quote from: Patrick M. Hausen on October 26, 2025, 01:43:51 PM[...]Why are the two switches in two dufferent networks?[...]
Heh. The routing looked off, but the image has the expected 192.168.2.253.
I'd tend to suspect rules, then. Any blocks reported by the firewall?
Hi pfry,
I think I do see blocks but can't work out why as I have add full in/out all traffic rules on opt1.
Matt
Actually no, I don't see any blocked traffic relating to the PING diagnostic:
https://ibb.co/BMyD2bf (https://ibb.co/BMyD2bf)
https://ibb.co/jk06c4KY (https://ibb.co/jk06c4KY)
I have the standard WAN rule set:
https://ibb.co/99BM1Jzb (https://ibb.co/99BM1Jzb)
And copied the the rule that was automatically set on the LAN interface to the opt1 interface (adjusting for interface):
https://ibb.co/VWHHMJL7 (https://ibb.co/VWHHMJL7)
*Sorry, image tags aren't working, so had to add as links.
Quote from: signup@mattstanding.co.uk on October 26, 2025, 06:15:31 PMstill don't see anything if I try a packet capture
Packet capture on OPNsense itself? That would indicate a VLAN / switch issue. A packet capture would show packets even if they are blocked by firewall rules.
Do you at least see ARP requests / responses?
Cheers
Maurice
A packet capture does show any packets. It got me thinking. I went through the interfaces overview and saw that the interface mask had defaulted to a /32 mask, not /24.
I corrected and it started working straight away!
I do have other questions around rules - I can't seem to get these right to block opt1 from the LAN, but I'll have a look on YouTube and try and educate myself first before coming back here.
Thanks for all your help and patience - I'm only just just getting started with OPNSense, but love it so far!
Matt