OPNsense Forum
Archive => 21.1 Legacy Series => Topic started by: Shihatsu on May 25, 2021, 04:02:53 pm
-
Heya, I am quite new to OPNsense. I will use the Firewall as router in my network. It will take the control, while I use a Mikrotik Switch as my backbone. For added security in my Homelab I intend to use VLANs, and currently I am doing the first steps.
Basic VLAN-Setup on the Mikrotik is done, and I have my VLANs added on the OPNsense. Here comes my problem: I have added the VLAN, assigned it to the LAN-port, set up the IP-range and activated DHCP on the VLAN. I then tagged a port on the Mikrotik accordingly and connected a test client to this port. The client then performs a DHCP discovery successfully and gets an IP within the correct range of the newly created VLAN. But here is the thing: The client cannot get any network connection. If I ping the .1 address of the segment from the client I get timeouts, if I nmap the network it is only answered by the client itself. If I ping the same addresses from the default VLAN or the firewall itself I get positive responses. What's the issue here?
-
You need to create firewall rules on the VLAN interface on OPNsense to allow traffic
-
You need to create firewall rules on the VLAN interface on OPNsense to allow traffic
Ah, thanks for pointing it out, I forgot to mention that I copied the two "allow all" rules from the LAN interface onto the VLAN interface, I just changed Interface to the VLAN Interface and source to the VLAN net. I did this both for IP4 and IP6.
-
Sounds like a switch issue then. Have you also tagged the VLAN on the switch port that is connected to OPNsense?
-
Well, I tagged every port (that is currently in use) for the respective VLAN ID to make it easier at the moment, so - yes it is tagged. I also believe that this tagging is working, because I can ping the respective 10.2.0.1 "gateway" IP of the VLAN from my default VLAN (1) which is 10.10.0.x. - the diagnosis part is what's difficult here - how to know what is wrong and what's not. Any help much appreciated.
-
Not sure that ping proves that, but maybe show your firewall rules
-
Here are my rules:
(I have two rules, this is just the IPv4 rule, the v6 is the same, but different TCP/IP version ofc.)
-
Based on all you have said, I can’t find anything wrong on OPNsense, sorry
-
If it is an option, you can try and use a separate dedicated interface for VLAN.
Sent from my iPhone using Tapatalk
-
This sounds goofy but did you click apply settings in the upper right after adding your firewall rules? I refuse to admit how many times this has gotten me. ::)
-
I don't think this is the case since you were able to pull DHCP but does that switch need to have trunking enabled on the uplink port that connects to your firewall?
Have you verified that the client has the correct default gateway and proper routes in place?
-
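The replies above amount to a checklist for the OPNsense side of a VLAN that hands out DHCP leases but does not route: the VLAN interface must carry the right tag on the right parent with the gateway address and an active link, a pass rule must exist on that interface for the VLAN net, and the client must actually have the .1 address as its default gateway. The following POSIX shell script is an added example written for this thread, not OPNsense tooling or anything posted by the participants. It runs the checks against constructed sample captures of `ifconfig`, `pfctl -sr` and a Linux client's `ip route`; the interface names (`igb1`, `igb1_vlan20`, in the 21.1 naming style) and addresses are assumptions. It cannot see the switch, so a trunk port that is not tagged toward OPNsense still has to be checked on the switch itself.

```shell
#!/bin/sh
# Offline VLAN checklist for the OPNsense side of a "DHCP works, nothing else does" VLAN.
# All inputs below are CONSTRUCTED samples; replace them with real captures of
#   ifconfig igb1_vlan20        (on OPNsense)
#   pfctl -sr                   (on OPNsense)
#   ip route                    (on a Linux client in the VLAN)
# Interface names and addresses are assumptions, not values from the thread.

IFCONFIG_SAMPLE='igb1_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        inet 10.2.0.1 netmask 0xffffff00 broadcast 10.2.0.255
        groups: vlan
        vlan: 20 vlanpcp: 0 parent interface: igb1
        status: active'

PFCTL_SAMPLE='pass in quick on igb1 inet from 10.10.0.0/24 to any flags S/SA keep state label "allow LAN"
pass in quick on igb1_vlan20 inet from 10.2.0.0/24 to any flags S/SA keep state label "allow VLAN20"
block drop in log quick inet from any to any label "Default deny"'

CLIENT_ROUTE_SAMPLE='default via 10.2.0.1 dev eth0
10.2.0.0/24 dev eth0 proto kernel scope link src 10.2.0.50'

# vlan_iface_ok <ifconfig text> <tag> <parent> <gateway ip>
# Returns 0 when the VLAN interface has the expected tag, parent and gateway
# address and the link is active; prints the first failing check otherwise.
vlan_iface_ok() {
    text=$1; tag=$2; parent=$3; gw=$4
    printf '%s\n' "$text" | grep -q "vlan: $tag "            || { echo "tag $tag not on interface"; return 1; }
    printf '%s\n' "$text" | grep -q "parent interface: $parent" || { echo "parent is not $parent"; return 1; }
    printf '%s\n' "$text" | grep -q "inet $gw "               || { echo "gateway $gw not assigned"; return 1; }
    printf '%s\n' "$text" | grep -q 'status: active'          || { echo "link is not active"; return 1; }
    return 0
}

# pass_rule_present <pfctl -sr text> <interface> <source net>
# Returns 0 if a loaded "pass in" rule on <interface> matches traffic from <source net>,
# i.e. the rule was not only created in the GUI but also applied.
pass_rule_present() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v net="$3" '
        $1 == "pass" && $2 == "in" && $0 ~ (" on " ifc " ") && $0 ~ (" from " net " ") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# client_gateway_ok <ip route text> <expected gateway>
# Returns 0 if the client's default route points at the VLAN gateway address.
client_gateway_ok() {
    printf '%s\n' "$1" | grep -q "^default via $2 "
}

# run_checklist: evaluates all three samples; exit status is the number of failed checks.
run_checklist() {
    fails=0
    vlan_iface_ok "$IFCONFIG_SAMPLE" 20 igb1 10.2.0.1 || fails=$((fails + 1))
    pass_rule_present "$PFCTL_SAMPLE" igb1_vlan20 10.2.0.0/24 \
        || { echo "no applied pass rule on igb1_vlan20 from 10.2.0.0/24"; fails=$((fails + 1)); }
    client_gateway_ok "$CLIENT_ROUTE_SAMPLE" 10.2.0.1 \
        || { echo "client default gateway is not 10.2.0.1"; fails=$((fails + 1)); }
    return "$fails"
}

if run_checklist; then
    echo "all OPNsense-side checks passed; look at the switch trunk tagging next"
else
    echo "$? check(s) failed"
fi
```

The `pfctl -sr` check is the one that catches the "forgot to click apply" case mentioned above: the GUI stores a rule immediately, but it only shows up in `pfctl -sr` once the ruleset has been reloaded.
-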
Sorry for my late reply, I just dumped the goram Switch and jumped the rope over to a decent one (a Mikrotik CRS 328, which suits my needs far better and is easier to handle). Thank you nevertheless for your help!
In the meantime I have killed my OPNsense and replaced it with... well, two OPNsenses in HA mode - I just love this capability of the OPNsense. But with new possibilities there are new questions: How do I do VLANs in an HA scenario? The documentation about this is sparse, to say the least. Sparse as in non-existent or nearly impossible to find. From what I have found I learned two basic things:
VLANs aren't synchronized from the Master to the Backup and I need some kind of VIPs. Is there any documentation or howto about it? I'd rather avoid "trial and error"...