OPNsense Forum
English Forums => General Discussion => Topic started by: seamus on July 28, 2020, 11:50:24 am
-
NOTE: You won't find the solution here. Instead, look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553 (https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553)
I've just added an embedded device to my network that configures itself to use 192.168.6.0 network. The balance of my LAN is all on 192.168.1.0 and it has worked fine for years. I've added static routes in OPNsense to accomodate the new 192.168.6.0 subnet, and this seems to be working just fine - hosts on both subnets are able to connect to each other.
But I've run into what seems (to me) to be an odd problem - from a host on the 192.168.6.0 subnet I can ping hosts on the 192.168.1.0 subnet & all works fine. I can ping hosts on the Internet from 192.168.1.0 subnet as usual. However pinging hosts on the Internet from 192.168.6.0 subnet gets no reply. I suspect the firewall is blocking, but I don't find anything in the logs that helps isolate this (maybe I'm looking for the wrong things?). It seems that nothing from the 192.168.6.0 subnet is getting through - this based on failures to download webpages using `curl` with an IP address.
I have a "pass anything" rule on the LAN interface & use automatic outbound NAT generation rules. What could be blocking my replies originating in the 192.168.6.0 subnet?
-
What does the live log say while pinging?
-
What does the live log say while pinging?
Filtering on protoname=icmp, I see 1 (one) icmp going out on WANem0 from src 192.168.6.2 (green) in response to that unsuccessful attempt
**AND**
I see 1 (one) icmp going out on WANem0 from src 136.53.77.100 (green) in response to a successful attempt originating on host at 192.168.1.178
The differences I see in these 2 log entries are the source address for the successful ping is my external IP, whereas it's the internal IP for the unsuccessful one. And there's a "(force gw)" designation in the label for the successful ping attempt.
Here's a screenshot in case that's not clear:
-
What does the live log say while pinging?
Filtering on protoname=icmp, I see 1 (one) icmp going out on WANem0 from src 192.168.6.2 (green) in response to that unsuccessful attempt
**AND**
I see 1 (one) icmp going out on WANem0 from src 136.53.77.100 (green) in response to a successful attempt originating on host at 192.168.1.178
The differences I see in these 2 log entries are the source address for the successful ping is my external IP, whereas it's the internal IP for the unsuccessful one. And there's a "(force gw)" designation in the label for the successful ping attempt.
Here's a screenshot in case that's not clear:
So nothin happening there when you make the unsuccessful ping
-
So nothin happening there when you make the unsuccessful ping
Maybe the problem is with my routing? Here's a shot of the route I added to allow the embedded device (aka pocketbeagle) to be found on the LAN:
-
So nothin happening there when you make the unsuccessful ping
Maybe the problem is with my routing? Here's a shot of the route I added to allow the embedded device (aka pocketbeagle) to be found on the LAN:
That means everything from the 192.168.6.0 network is going to that thing. So not to the Internet
-
So nothin happening there when you make the unsuccessful ping
And here's a shot of the status of all ipv4 routes:
-
So nothin happening there when you make the unsuccessful ping
And here's a shot of the status of all ipv4 routes:
That will not work
-
Delete that route. And create a Rule with Gateway selected, for the traffic you want to go to that device.
-
Delete that route. And create a Rule with Gateway selected, for the traffic you want to go to that device.
Not following you exactly...
so - delete the route for 192.168.6.0?
...and add a firewall rule with Gateway selected? Could you be a little more specific?
How will other hosts on the network find 192.168.6.0 hosts without a route on 192.168.1.1?
-
Yeah delete the route.
Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there
-
Yeah delete the route.
Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there
OK - I'll try that now. In the meantime, could you please look at the attached network diagram I've made to confirm it doesn't change your advice?
-
Yeah delete the route.
Create a Rule on the 192.168.6.0 interface which matches the traffic you want to go to the pocketbeagle. At the bottom of the rule page you can select a Gateway, use the Pocketeagle-Gateway there
I'm confused...
1. I don't see how to create a rule on the 192.168.6.0 network - it's the destination, and there doesn't seem to be a way to specify this network as the destination?
2. when you say "use the Pocketeagle-Gateway there", do you mean the WiFi interface on macbuntupro (192.168.1.104)?
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.
-
Do a tracert from a 6.0 device. Than you will see where your Packets are going and where they stop
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.
No... I added the network diagram hoping it would clarify things, but it may be confusing them. It does show a WiFi connection from the Ubuntu Linux host to the gateway at 192.168.1.1. As I explained in my original post, I am routing packets from 192.168.6.0 to 192.168.1.1 with the connections as shown in the diagram.
-
Do a tracert from a 6.0 device. Than you will see where your Packets are going and where they stop
Unfortunately, the 6.0 device/pocketbeagle does not have `traceroute` installed - or anything similar AFAICT. It's a "catch-22": no traceroute w/o Internet, no Internet w/o traceroute.
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
That's surprising. According to this document https://lantan.pl/wiki/_media/sieci:multiple-subnets-one-interface-pfsense.pdf (https://lantan.pl/wiki/_media/sieci:multiple-subnets-one-interface-pfsense.pdf), you can do this in pfSense. Do you know the reason this capability was dropped?
Also - I wonder what this is telling us? https://docs.opnsense.org/manual/firewall_settings.html#static-route-filtering (https://docs.opnsense.org/manual/firewall_settings.html#static-route-filtering)
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.
No... I added the network diagram hoping it would clarify things, but it may be confusing them. It does show a WiFi connection from the Ubuntu Linux host to the gateway at 192.168.1.1. As I explained in my original post, I am routing packets from 192.168.6.0 to 192.168.1.1 with the connections as shown in the diagram.
You can't set your gateway to an address which is not in the Subnet of the device itself. That will not work
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.
No... I added the network diagram hoping it would clarify things, but it may be confusing them. It does show a WiFi connection from the Ubuntu Linux host to the gateway at 192.168.1.1. As I explained in my original post, I am routing packets from 192.168.6.0 to 192.168.1.1 with the connections as shown in the diagram.
You can't set your gateway to an address which is not in the Subnet of the device itself. That will not work
I'm ending this thread... your negativity wins - congratulations! You apparently believe I am making this up. FYI, I have better things to do than create imaginary networks, and report results that I didn't actually see.
-
On your "Painting" i see that you dont have the 6.0 Network on the OPNsense conencted. That will not work.
So Ping from every device in the 1.0 Network is working. But not from 6.0 to Internet. That is because every Packet from the 6.0 Network is going to your Pocketbeagle, but thats it.
No... I added the network diagram hoping it would clarify things, but it may be confusing them. It does show a WiFi connection from the Ubuntu Linux host to the gateway at 192.168.1.1. As I explained in my original post, I am routing packets from 192.168.6.0 to 192.168.1.1 with the connections as shown in the diagram.
You can't set your gateway to an address which is not in the Subnet of the device itself. That will not work
I'm ending this thread... your negativity wins - congratulations! You apparently believe I am making this up. FYI, I have better things to do than create imaginary networks, and report results that I didn't actually see.
Sorry but I can't tell you positive things when you do that wrong.
Just trying to help you. And if you don't want that help and already know how to set it up there shouldn't be a problem in your system.
Here are just people who try to help.
And I think it's not okay if someone is trying to find the bugs in your network, tell you the bugs and you say that these people just spreading negativity.
-
If you don't want to learn about your network and want to find bugs. These and all other Firewall systems are not right for you.
Pay someone who will set it up for you, that's an alternative as well
-
Sorry but I can't tell you positive things when you do that wrong.
Just trying to help you. And if you don't want that help and already know how to set it up there shouldn't be a problem in your system.
Here are just people who try to help.
And I think it's not okay if someone is trying to find the bugs in your network, tell you the bugs and you say that these people just spreading negativity.
I appreciate help... really I do. But you weren't helpful. When someone says, "That will not work" a few times, but they are making guesses, I call that negativity. And you were making guesses. How do I know that? Because it does now work - just as I've shown it in the diagram, and configured as I described. Is there more than one way to do it? I'd say that's very likely, but this does work. How? I'll leave that for you to research.
-
Hello,
Grumpy old me talking here... let's take a break and start fresh tomorrow shall we? ;)
Cheers,
Franco
-
Sorry but I can't tell you positive things when you do that wrong.
Just trying to help you. And if you don't want that help and already know how to set it up there shouldn't be a problem in your system.
Here are just people who try to help.
And I think it's not okay if someone is trying to find the bugs in your network, tell you the bugs and you say that these people just spreading negativity.
I appreciate help... really I do. But you weren't helpful. When someone says, "That will not work" a few times, but they are making guesses, I call that negativity. And you were making guesses. How do I know that? Because it does now work - just as I've shown it in the diagram, and configured as I described. Is there more than one way to do it? I'd say that's very likely, but this does work. How? I'll leave that for you to research.
You will always have to try things and at the end you will see that it doesn't work.
You have to try different things step for step to find a bug. That has nothing to do with just making guesses, I am working every day with Opnsenses that's the way you find your bugs. If you don't want that help. Okay. But don't be bad to the people that just want to help you - for FREE!!!
And here is no person who can do some magic stuff and after that everything is working.
To the next persons who try to help:
Always say "you are doing it so good.... But it doesn't work.
-
And I'll not research for your problems again. Maybe the next step will not work as you hope to, attack someone else then please.
So I'm out of that topic here.