OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: CruseOPNsense on September 30, 2022, 02:35:39 am
-
Hello, this is my first OPNsense setup and I'm unable to ping the VLAN I've established. This is a fresh install with the default LAN subnet 192.168.1.0/24 and WirelessVLAN (VLAN TAG: 15) at subnet: 192.168.15.0/24. I've followed some guides and YouTube videos online to establish my configuration as follows:
Establishing VLAN Interface:
(https://imgur.com/0oO70V6.png)
Enabling the Interface:
(https://imgur.com/qLHltYj.png)
Setting a Static IP:
(https://imgur.com/BVfU8p2.png)
Firewall Rules Assigned to VLAN:
(https://imgur.com/Qqsr8mq.png)
Ping from Firewall:
(https://imgur.com/Eil3TDv.png)
Ping from Computer on VLAN:
(https://imgur.com/XNIxqrq.png)
Items to note:
- Firewall is not connected to the internet
- Don't believe its a hardware issue as this is the second host I'm trying this on
- It is a physical bare-metal install of OPNsense 22.7
I appreciate all the help in advance; again, this is my first time installing OPNsense so I may be missing something easy.
-
Hi these questions comes into my mind.
Are you sure that your PC is on the correct VLAN?
Do you get an IP Address by the DHCP server?
Did you configure this on your WLAN router?
I had to configure this also on my WLAN Access Point and on my switches to tag the Packets correctly.
amichel
-
Hey @amichel, thank you for the reply; my answers are below:
Are you sure that your PC is on the correct VLAN?
I believe so, I manually assigned its IP within the VLAN subnet (192.168.15.0/24)
Do you get an IP Address by the DHCP server?
No, I manually assigned its IP address
Did you configure this on your WLAN router?
Currently, there there are no Access Point's (AP) or switches on my network. I have the computer connected directly to the OPNsense box (Added a network diagram below)
(https://imgur.com/qGCrGMe.png)
Thanks again!
-
So I added a switch to the network:
(https://imgur.com/3zqLJfS.png)
When I plug into any port other than the switches uplink (Port: 1) or Port 4 (VLAN Port: Untagged; Port PVID: 15), I get a DHCP address from the OPNsense firewall no problem. With that address, I'm able to ping the 192.168.15.1 gateway without an issue (While I'm assigned a 192.168.1.0/24 address). When I try to get a 192.168.15.0/24 address or assign the address manually, I'm unable to reach the 192.168.15.1 gateway.
I'm a networking noob, but to me it seems that there is no route assigned for the 192.168.15.0 subnet. Anyone have any ideas on where I should look next to troubleshoot?
-
Just assigning an IP on the vlan subnet doesn't mean you're using that vlan. You would have to tag the vlan on your nic in order to use it when not using the switch.
With the switch, you should have the LAN untagged and the vlan (15) tagged on the trunk port. Then untag the vlan15 on an access port and plug pc into that port.
-
I believe that is how I have it configured, I've included screenshots below. This is on a ZyXel GS1900-48. Port 48 is the uplink from the opnsense (Set to Trunk) and Port 4 is my access port (I.e. port the computer is connected to).
VLAN Ports 1:
(https://imgur.com/x7ssh01.png)
VLAN Ports 15:
(https://imgur.com/EJsS1xG.png)
Ports:
(https://imgur.com/zK6idUF.png)
-
Vlan 1 should be "excluded" on port 4 but that shouldn't cause the issue you're having.
Do you have the dhcp server enabled on vlan 15?
Try it, it's a good test to see if you're actually connected.
Also, use the packet capture when pinging, you can usually trace the ping that way and see where you lose it.
If you don't get a dhcp address, you probably missed something in the switch.
If you have an intel nic you can install their ProSet driver and that will allow you to tag a vlan so you can then plug directly into the opnsense interface and access vlan15 from it.
All else looks good as far as I can see, your pics are so big I can't see the whole pic without scrolling over and that makes it easy to miss something.
-
Interesting,
I just decided to learn OPNSense and figured this would be a good starting point to learn.
I spun up 3 VMs and put them on a virtual network.
First VM has two network interfaces and running the latest version
(https://i.imgur.com/NMLn1pr.png)
Other two are Windows Machines with IP Addresses 192.168.1.2 and 192.168.15.2 (Static IP addresses)
I can ping with the 192.168.1.2 Windows machine but I cannot route traffic or ping to or from the 192.168.15.2 machine to the OPNSense VM. I can change the IP to x.1.3 and get traffic fine.
I followed the steps outlined in the post and still getting the same issues. Would be interesting to see what I am missing.
-
Interesting,
I just decided to learn OPNSense and figured this would be a good starting point to learn.
I spun up 3 VMs and put them on a virtual network.
First VM has two network interfaces and running the latest version
(https://i.imgur.com/NMLn1pr.png)
Other two are Windows Machines with IP Addresses 192.168.1.2 and 192.168.15.2 (Static IP addresses)
I can ping with the 192.168.1.2 Windows machine but I cannot route traffic or ping to or from the 192.168.15.2 machine to the OPNSense VM. I can change the IP to x.1.3 and get traffic fine.
I followed the steps outlined in the post and still getting the same issues. Would be interesting to see what I am missing.
Check your firewall rules.
Vlans have no rules by default which is the same as block all.
-
I did setup the rules as shown
(https://i.imgur.com/zw3eERz.jpg)
-
You should really start your own thread with this.
-
You should really start your own thread with this.
If you think that is a good idea I'll pick a different subnet and do a similar VLAN setup so it's not 100% the same on a virtual setup.
-
Vlan 1 should be "excluded" on port 4 but that shouldn't cause the issue you're having.
Do you have the dhcp server enabled on vlan 15?
Try it, it's a good test to see if you're actually connected.
Also, use the packet capture when pinging, you can usually trace the ping that way and see where you lose it.
If you don't get a dhcp address, you probably missed something in the switch.
If you have an intel nic you can install their ProSet driver and that will allow you to tag a vlan so you can then plug directly into the opnsense interface and access vlan15 from it.
All else looks good as far as I can see, your pics are so big I can't see the whole pic without scrolling over and that makes it easy to miss something.
I do have DHCP enabled on VLAN 15; what other aspects should I look for on the switch?
When I plug in my client directly into the OPNsense box, I'm unable to reach VLAN 15 (I have a diagram above of when I tested that).
-
I do have DHCP enabled on VLAN 15; what other aspects should I look for on the switch?
When I plug in my client directly into the OPNsense box, I'm unable to reach VLAN 15 (I have a diagram above of when I tested that).
So do you receive an address from the dhcp server when using the switch?
As I said above, you can't just plug into the router and expect to use vlan15. You would need to tag the pc's nic with vlan15 in order to access it. Otherwise you'll just be using the pvid of the interface which is the LAN in your case.
-
I do have DHCP enabled on VLAN 15; what other aspects should I look for on the switch?
When I plug in my client directly into the OPNsense box, I'm unable to reach VLAN 15 (I have a diagram above of when I tested that).
So do you receive an address from the dhcp server when using the switch?
As I said above, you can't just plug into the router and expect to use vlan15. You would need to tag the pc's nic with vlan15 in order to access it. Otherwise you'll just be using the pvid of the interface which is the LAN in your case.
I understand that, when I plug it directly into the OPNsense box, I receive a DHCP address under the 192.168.1.0/24 subnet. Even when I assign a static IP while plugged directly into the OPNsense box, I'm unable to reach the VLAN. When I'm plugged into the switch port, I receive an APIPA address.
-
Even when I assign a static IP while plugged directly into the OPNsense box, I'm unable to reach the VLAN.
What IP are you assigning?
Can you assign a vlan to the pc nic?
What model switch are you using? There may be more you need to do for vlans. Different switches use different terminology.
-
I know when I've had VLAN issues it had to do with the configuration of the switch, especially with regards to what VLAN untagged packets are sent to on each interface. If you forget to change that setting when you change the VLAN for the interface you might have issues.
Not sure whether that is helpful or not...
-
Even when I assign a static IP while plugged directly into the OPNsense box, I'm unable to reach the VLAN.
What IP are you assigning?
Can you assign a vlan to the pc nic?
What model switch are you using? There may be more you need to do for vlans. Different switches use different terminology.
I'm attempting to assign an IP within the subnet (192.168.15.101).
I'm not quite sure what you mean by "can you assign a vlan to the pc nic?"
I'm using a ZyXel GS1900-48, I followed this guide to setup my VLAN:https://www.youtube.com/watch?v=mmuuyZyaEBI (https://www.youtube.com/watch?v=mmuuyZyaEBI)
-
I'm attempting to assign an IP within the subnet (192.168.15.101).
Again, that will NOT work! You can't just assign an address and expect to be on that vlan. You need to tag that nic.
I'm not quite sure what you mean by "can you assign a vlan to the pc nic?"
I'm using a ZyXel GS1900-48, I followed this guide to setup my VLAN:https://www.youtube.com/watch?v=mmuuyZyaEBI (https://www.youtube.com/watch?v=mmuuyZyaEBI)
Plugging directly into a trunk port, which the LAN interface is once you assign vlans, will only let you access the untagged vlan unless you tag the nic interface. So don't plug into the opnsense interface anymore!! It won't lweet you connect to vlan 15.
You need to follow this:
https://mysupport.zyxel.com/hc/en-us/articles/360008607580--Switch-How-to-configure-VLAN-on-GS1900-xx-switches-firmware-2-40-and-newer-
-
Choose ICMP as protocol in your firewall rule. Ping = ICPM