Post by: vidarlo on April 10, 2021, 10:46:53 am
- IGB0 - LAN - 10.0.1.1/24
- IGB0_VLAN2 - 10.0.3.1/24
- IGB0_VLAN3 - 10.0.4.1/24
- IGB0_VLAN4 - 10.0.5.1/24
PF Rules are set to IPV4+IPV6 any type any source any destination allowed for now:
(https://imma.gr/102493xc08e5.jpg) (https://imma.gr/102493xc08e5)
Firewall rules for IGB0.
DHCPv4 is set to hand out for 10.0.1.10-10.0.1.250:
(https://imma.gr/102494x85875.jpg) (https://imma.gr/102494x85875)
However, clients are unable to get IP. They don't get a reply on DHCP queries. All other interfaces work just fine.
igb0 is attached to a Unifi switch, with tagged and untagged vlans. The setup was working after installation, and with pfsense previously - but at some point it stopped working. No modification was made to unifi side of network.
Any suggestions or pointers are welcome.
Post by: Greelan on April 10, 2021, 11:11:15 am
Post by: vidarlo on April 10, 2021, 11:13:23 am
It should be noted that if I set static IP on a host that is connected to the native VLAN, I can ping opnsense just fine:
Code: [Select]
sudo ip addr add 10.0.1.190/24 dev enp2s0
[~]$ ping 10.0.1.1
PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
64 bytes from 10.0.1.1: icmp_seq=1 ttl=64 time=0.157 ms
64 bytes from 10.0.1.1: icmp_seq=2 ttl=64 time=0.133 ms
^C
--- 10.0.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.133/0.145/0.157/0.012 ms
In addition, IPv6 RA works; hosts get IPv6 SLAAC assigned. This points to the fact that L2 connectivity is correct and functioning.
Post by: Greelan on April 10, 2021, 11:14:42 am
Post by: vidarlo on April 10, 2021, 11:16:00 am
Well, I’ve got plenty of experience of UniFi gear working and then some aspect just randomly breaking lolPlease see my update above :) L2 connectivity is verified for IPv6 and IPv4 - but dhcp is not working.
Post by: Greelan on April 10, 2021, 11:19:24 am
Post by: vidarlo on April 10, 2021, 11:35:34 am
Thanks for pointing me in the right direction :)
Post by: Greelan on April 10, 2021, 11:51:33 am
Post by: vidarlo on April 10, 2021, 11:57:22 am
Post by: franco on April 11, 2021, 07:48:43 pm
I have the following configuration:
- IGB0 - LAN - 10.0.1.1/24
- IGB0_VLAN2 - 10.0.3.1/24
- IGB0_VLAN3 - 10.0.4.1/24
- IGB0_VLAN4 - 10.0.5.1/24
Just to be on the safe side here: rules from LAN will likely override VLANs by design of pf(4). You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.
Cheers,
Franco
Post by: Maurice on April 12, 2021, 01:55:58 pm
You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.
Ehh... what?? That's the first time I've heard about this. If this is indeed true (which I have no doubt about when you say it), shouldn't there be a big (BIG, HUGE, MASSIVE) warning in the UI and the docs? I just double-checked and can't find even the slightest hint about this.
Cheers
Maurice
Post by: franco on April 12, 2021, 02:33:07 pm
There are reports here about once a month about said "weirdness" so I would say it's being reiterated regularly at least.
Cheers,
Franco
Post by: Maurice on April 12, 2021, 03:27:12 pm
"Passed down as common knowledge" and forum posts don't exactly qualify as documentation, do they? ;) I'll prepare a PR. interfaces_vlan.php might be a good place for a warning?
Post by: rhubarb on April 12, 2021, 06:52:59 pm
Just to be on the safe side here: rules from LAN will likely override VLANs by design of pf(4). You should never use untagged and tagged together on the same interface unless you have no choice and set up your rules accordingly.
??? This is a first for me, but I'm new to OPNSense.
So my Unifi Controller sits on Untagged VLAN1. If I give it gateway access to the internet with OPNSense, will this rule also pass traffic on my IoT VLAN to the internet as well?
Post by: Greelan on April 13, 2021, 12:20:22 am
Guess I am moving my VLANs to igb2...