OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: mahmoux.xp on March 11, 2018, 10:30:43 pm

Title: can't communicate with any vlans
Post by: mahmoux.xp on March 11, 2018, 10:30:43 pm
Hi all
I have this setup
10 vlans 192.168.1.0/24 - 192.168.10.0/24
Core Switch 192.168.1.1 - 192.168.10.0
Opnsense (ver 16.x) 192.168.1.20
static route on core switch ip 0.0.0.0 sub 0.0.0.0 nxthop 192.168.1.20
opnsense was providing internet to its own subnet only (192.168.1.0/24) and could not communicate with any vlans until I entered static routes for all my vlans, and it worked like a charm for over a year
even after upgrading to version (17.x) it was ok
NOW after upgrading to version (18) back to zero
it can't communicate with any vlans AGAIN
I triple-checked everything
recreated static route entries
disabled proxy and nat rules
only one firewall rule to allow any to any
but still can't give internet to users in other vlans except 192.168.1.0/24
Why did that happen, or how can I fix it????????
I downloaded sophos xg home and configured it with the same concept, and with my static routes, and it works great; even more, it has very nice web filtering policies and reporting, and it can block SSL websites without a certificate having to be installed for users, but it is still in test and I am afraid of it

But I don't need to build another firewall from scratch
please help
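To make the routing requirement in the setup above concrete, here is an added example (my own code, not from OPNsense or the poster) that models the two hops with longest-prefix matching: the core switch owns the ten VLAN subnets and default-routes to OPNsense at 192.168.1.20, and OPNsense needs a return route for every VLAN via the switch at 192.168.1.1. The tables are constructed from the addresses quoted in the post; the upstream gateway name WAN_GATEWAY is a placeholder.

```python
import ipaddress

# Constructed routing tables mirroring the thread's addresses.
# Core switch: all ten VLANs are directly connected, default route to OPNsense.
CORE_SWITCH = {"0.0.0.0/0": "192.168.1.20"}
for v in range(1, 11):
    CORE_SWITCH[f"192.168.{v}.0/24"] = "connected"

VLAN_SUBNETS = [f"192.168.{v}.0/24" for v in range(2, 11)]  # VLANs behind the switch


def longest_match(table, dst):
    """Longest-prefix match of dst against table; returns (network, next_hop)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def opnsense_table(with_vlan_routes):
    """OPNsense's table: LAN connected, default to WAN, optionally the VLAN return routes."""
    table = {"0.0.0.0/0": "WAN_GATEWAY",      # placeholder for the upstream gateway
             "192.168.1.0/24": "connected"}
    if with_vlan_routes:
        for subnet in VLAN_SUBNETS:
            table[subnet] = "192.168.1.1"    # return via the core switch
    return table


def outbound_first_hop(client_ip, internet_ip="203.0.113.1"):
    """Path of a client's outbound packet: switch -> OPNsense -> WAN."""
    _, hop1 = longest_match(CORE_SWITCH, internet_ip)    # switch sends to OPNsense
    _, hop2 = longest_match(opnsense_table(False), internet_ip)
    return hop1, hop2


def return_path(client_ip, with_vlan_routes):
    """Where OPNsense sends the reply addressed back to a VLAN client."""
    _, next_hop = longest_match(opnsense_table(with_vlan_routes), client_ip)
    return next_hop


def missing_return_routes(table):
    """VLAN subnets whose best match on OPNsense is only the default route."""
    return [s for s in VLAN_SUBNETS
            if longest_match(table, s.split("/")[0])[0].prefixlen == 0]
```

Without the VLAN routes the reply for a 192.168.5.x client leaves via the default route towards the WAN instead of the core switch, which is exactly the "internet only on 192.168.1.0/24" symptom; with them it goes back to 192.168.1.1.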
Title: Re: can't communicate with any vlans
Post by: elektroinside on March 12, 2018, 08:17:12 am
Is there any possibility to reinstall v18 from scratch? From what you said, you already wiped the old setup and switched to Sophos. So maybe you can retry with a fresh OPNsense install?
Title: Re: can't communicate with any vlans
Post by: mahmoux.xp on March 12, 2018, 11:34:08 am
Is there any possibility to reinstall v18 from scratch?

thanks for your reply, of course I did that but forgot to mention it, twice actually: once I performed the config after checking for updates and once I performed the config before checking for updates. so far no success and no clue
and I tried to modify any option related to vlans on opnsense but no success, but my vlans are on the core switch
I'm pretty sure my config is right, as the same concept works on previous versions and on other firewalls (tmg & sophos), so there is a big chance it is a bug or some option needs to be modified elsewhere
Title: Re: can't communicate with any vlans
Post by: bigops on March 12, 2018, 04:26:32 pm
While installing OPNsense rules for the interfaces, did you check the block bogon networks and private networks options while creating the interface? This will prevent inter-VLAN communication since corporate VLANs are normally on private ranges. Another thing that you can check would be to see if the port connecting to the firewall is a trunk instead of an access port.
Title: Re: can't communicate with any vlans
Post by: mahmoux.xp on March 13, 2018, 08:07:20 am
While installing OPNsense rules for the interfaces, did you check the block bogon networks and private networks options while creating the interface? This will prevent inter-VLAN communication since corporate VLANs are normally on private ranges. Another thing that you can check would be to see if the port connecting to the firewall is a trunk instead of an access port.

1- no, I didn't activate (Block Bogon/Private networks) on the LAN interface but activated them on the WAN and WAN 2 interfaces only (see the attached pictures)
2- this is the same port that was used by (opnsense 16, 17, tmg, sophos) and works great; only on opnsense 18 did the issue appear, making it impossible to use in my network
Title: Re: can't communicate with any vlans
Post by: bigops on March 13, 2018, 03:15:45 pm
I have seen similar challenges with a competing product to OPNsense. From what I have seen, if you have VLANs both in the switch and OPNsense, sometimes routing gets messed up and it seems to be an issue with the underlying BSD platform. From what I can see from your post you are trying to route from the switch.

In such a scenario you'll have to remove all the VLANs from the OPNsense and just put one VLAN to the firewall, a separate one from your internal network, and configure the default route on the switch to go to the firewall. The downside to this is that you will lose the ability to filter inter-VLAN traffic, and the filtering should be done on the switch. Also, if you are using the firewall for DHCP this will further complicate things and you will need a separate DHCP server.

Another approach is to move the VLANs to OPNsense and then use the switch for Layer 2 functions only. This would give you the most robust configuration.