OPNsense Forum

English Forums => General Discussion => Topic started by: wgseaton on March 29, 2021, 04:20:40 pm

Title: VLAN blocked from LAN and no rule
Post by: wgseaton on March 29, 2021, 04:20:40 pm
I am new, I created a Guest VLAN and configured DHCP and the interface to LAN.
Set the VLAN firewall rule to allow Guest Net to any.
I have Unifi AP configured with Guest VLAN and connecting to the Guest network I get a Guest Network IP.
I can go out the Internet from the Host on the Guest Network.
I can ping from the LAN the host on the Guest Network.
I cannot ping the host on the LAN I use to ping the host on the Guest Network.
I cannot find any rule to block access.
I cannot find any rule for the LAN to reach the VLAN other than the VLAN rules.

Any ideas what I am doing wrong, or is that automatically blocked?
Title: Re: VLAN blocked from LAN and no rule
Post by: rhubarb on March 29, 2021, 05:27:08 pm
What is in the WAN field of your Allow All Rule?
Title: Re: VLAN blocked from LAN and no rule
Post by: pankaj on March 29, 2021, 07:36:54 pm
@wgseaton

Did you create a rule (incoming) on LAN to allow ICMP pings to LAN net? To keep things easy, please put this rule at the very top of the LAN rules for this testing.
Title: Re: VLAN blocked from LAN and no rule
Post by: Greelan on March 29, 2021, 09:52:21 pm
Did you create a rule (incoming) on LAN to allow ICMP pings to LAN net? To keep things easy, please put this rule at the very top of the LAN rules for this testing.
Such a rule will make no difference.

@wgseaton, are you sure pings to the LAN host are allowed by that host? Can you ping the LAN host from another host on LAN net?
Title: Re: VLAN blocked from LAN and no rule
Post by: wgseaton on March 29, 2021, 10:21:31 pm
I can ping the host from another host on the LAN.
I am not sure what WAN setting is being asked for, the rule is any source any destination any protocol on both the VLAN and the LAN.
I added an ICMP rule but still fails.
Title: Re: VLAN blocked from LAN and no rule
Post by: rhubarb on March 29, 2021, 10:26:20 pm
The WAN setting is closer to the bottom when you edit the rule.  If you have selected anything but "default" then the router may not route to internal networks.
Title: Re: VLAN blocked from LAN and no rule
Post by: rhubarb on March 29, 2021, 10:30:58 pm
Sorry, "Gateway" (not WAN) is what I was asking about.
Title: Re: VLAN blocked from LAN and no rule
Post by: Greelan on March 29, 2021, 11:07:45 pm
@wgseaton, show us your VLAN FW rule. Also, as a sanity check, confirm you are not blocking private networks on the LAN interface.

Otherwise it could very well be an AP issue. E.g. check that you don't have some sort of guest isolation in your UniFi controller for the VLAN.
Title: Re: VLAN blocked from LAN and no rule
Post by: wgseaton on March 31, 2021, 02:48:44 am
It was a routing issue.  I had a learning setup and the primary gateway was on the same interface as the LAN, so it appears the two VLANs could route to the Internet and to each other but not the LAN.  I changed it so both Internet gateways are on separate ports and all could talk to all.  I added rules to block the VLANs from each other and the LAN and all is working. Thanks for the point in the right direction.
Title: Re: VLAN blocked from LAN and no rule
Post by: rhubarb on April 01, 2021, 04:04:20 pm
I'm glad you fixed it.  Using the Gateway field enforces policy-based routing and ignores default routing rules. I'm new to this as well, and this is the most confusing part of OPNsense thus far. The Firewall section of the documentation was worth reading multiple times.

For other readers, a note in the documentation ("When using policy based routing, don’t forget to exclude local traffic which shouldn’t be forwarded. You can do so by creating a rule with a higher priority, using a default gateway.") is essential to know.
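The effect of that documentation note, as an added first-match simulation (not code from OPNsense or from anyone in this thread): a guest VLAN "any to any" rule with a gateway selected sends even LAN-bound packets to that gateway, while a higher-priority rule for local networks with the default gateway lets them use the routing table. The addressing and the gateway name WAN_GW are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the thread's scenario (assumed, not from the posts)
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.50.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

@dataclass
class Rule:
    """Simplified pass rule on the guest VLAN; first match wins, like OPNsense 'quick' rules."""
    dst_nets: list          # destination networks the rule matches
    gateway: Optional[str]  # None = 'default' (use the system routing table), else policy-route to it
    name: str

def first_match(rules, dst):
    """Walk the rules top to bottom and return the first one whose destination matches."""
    for r in rules:
        if any(dst in n for n in r.dst_nets):
            return r
    return None

def next_hop(rules, dst):
    """Return where the firewall would send a guest-VLAN packet addressed to `dst`."""
    dst = ipaddress.ip_address(dst)
    r = first_match(rules, dst)
    if r is None:
        return "blocked"
    if r.gateway is not None:
        # Gateway field set: policy-based routing overrides the routing table
        return f"policy-routed via {r.gateway}"
    if dst in LAN_NET or dst in GUEST_NET:
        return "delivered directly (connected network)"
    return "system default route"

# Misconfigured: the single 'any to any' rule has the WAN gateway selected
broken = [Rule(ANY, "WAN_GW", "guest-any")]
# Fixed: a higher-priority rule for local (RFC1918) destinations using the default gateway
fixed = [Rule(RFC1918, None, "guest-local"), Rule(ANY, "WAN_GW", "guest-any")]

if __name__ == "__main__":
    for label, rules in (("broken", broken), ("fixed", fixed)):
        print(label, "guest -> LAN host:", next_hop(rules, "192.168.1.10"))
        print(label, "guest -> Internet:", next_hop(rules, "1.1.1.1"))
```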