OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: ala.tech on June 04, 2019, 09:01:15 pm

Title: Internet not working on Subnets
Post by: ala.tech on June 04, 2019, 09:01:15 pm
OPNsense 19.1.8
Virtual Machine
     2 vCPU
     8 GB RAM
     3 vNIC
     100 GB vDisk

Currently have OPNsense running in a dev environment with the following setup:

vNIC = LAN (172.16.1.10)
vNIC = ISP 1 (DHCP)
vNIC = ISP 2 (DHCP)

                         ISP 1 (Primary)
                        /
Switch - LAN - OPNsense
                        \
                         ISP 2 (Failover)

LAN consists of 3 subnets, with 2 of them routing to the first subnet for internet:

               Subnet 1 (Layer 3 Switch, 172.16.1.1)
               172.16.1.0/24
              /             \
     Subnet 2                Subnet 3
     172.16.2.0/24           172.16.3.0/24

ISP 1 and 2 are set up in a failover group with ISP 1 as the primary. I have a static route set for 172.16.0.0/16 to go to 172.16.1.1.

Issue = Subnets 2 and 3 can't get internet. Subnet 1 (directly attached to the LAN interface on Firewall) gets internet.

Everything works fine for any host on the 172.16.1.x subnet. ISP failover is great, internet speeds are awesome, and NAT translations work. If the host is on either 172.16.2.x or 172.16.3.x, it will not get internet. It can ping the LAN interface of the FW and can even access the web GUI. Routing appears to be fine. When I look at the logs, it shows traffic going out via the "Allow LAN to Any" rule, and I can see the traffic going out the ISP and coming back to the firewall, but it stops there. Example:

Ping 4.2.2.1 from 172.16.2.104:
  - See it cross Switch 2 (172.16.2.1, default route for network)
  - See it cross Switch 1 (172.16.1.1, default route for network)
  - See it go through the firewall via Allow LAN to Any (in LAN, out ISP 1)
  - See it hit a switch I put in between the cable modem and the firewall, going out
  - See it come back through the same switch
  - Don't see it come back through the firewall.

If I do the same thing from 172.16.1.123, I can see it go all the way through and get successful replies on the Ping command.

It seems to me like it is a firewall rule. I looked things up, though, and it looks like I am doing things right. I have a rule that looks like:

LAN
Proto    Source          Port    Destination    Port    Gateway         Type
IPv4*    172.16.0.0/16   *       *              *       ISP_Failover    Allow

ISP 1 and 2 just have the default rules in them, though in testing I did add a NAT translation on both, which did work, but it was to a host on Subnet 1. And again, anything on Subnet 1 can get to the internet, so my rationale is that it has to do with the fact that the traffic does not originate on a subnet that the firewall is directly connected to. I figured that by specifying 172.16.x.x in the rule it should allow it regardless of whether it is directly connected. Is there somewhere else I need to add those networks to allow them through the firewall? Or do I need to do something on the ISP 1 and 2 zones to allow them to NAT those?

Thanks for any input!