OPNsense Forum
English Forums => General Discussion => Topic started by: Germano on June 11, 2018, 01:59:37 pm
-
Hello everybody,
here I have a problem that I can not solve.
Ip opnsense 10.10.10.10
IP Interface Switch vlan default: 10.10.10.1
-> Vlan 20: 10.10.20.1
My routing on my L3 M4300 Netgear Switch works. of my Vlan 20, I ping in my Vlan 10 except my Opnsense.
I have to add a static route but impossible to understand
Gateways> add> Name GW Vlan interface: lan IP: 10.10.10.1
System-> routes> add address: 10.10.20.0/24 gateway: GW VLAN
after applying the parameters. it does not work.
I try to play with the rules of nat but ditto it does not work.
would you have a procedure or info to set my route please. the frame of Vlan 20 goes through my vlan 1 which re-route to my gateway. and the gateway refuses comminication.
Thank you in advance for your assistance.
-
j'ai créé des règle pour mon vlan 20 je ping maintenant mon pare feu mais cela ne sort pas.
et dans mon live view je n'ai pas de Deny rules.
-
Help please
-
I didn't test it, so I'm not 100% sure, but by default OPNsense does not reply to ping from other IP addresses than those from LAN - and since on the switch you have a route (and not a NAT) between VLAN 20 and VLAN 10, when you ping from VLAN 20 in VLAN 10, say from 10.10.20.100 to 10.10.10.10, the source address which OPNsense observe is 10.10.20.100, and not 10.10.10.1.
So it might not reply to this ping request, since 10.10.20.0/24 is not its LAN network. I'd say you leave the routes (static, NAT) alone, they're not the problem.
Really hope I've helped.
Cheers!
-
Hi hutiucip,
the rules are created on the arp table of my Switch. so when I ping from my vlan 20 to vlan 10 it responds and vice versa. today my ping has my firewall and nothing comes out. My firewall responds to ping. but no DNS resolution is possible. on the other hand if I ping the IP revolution DNS 'orange.fr' my ping is OK TTL = 64ms except that it is my firewall that resolves and not my machine.
thanks
-
10.10.10 is WAN or LAN? Do you have a different Default Gateway?
-
Ip opnsense 10.10.10.10 IP Lan
IP Interface Switch vlan default: 10.10.10.1
-
Do you also have a WAN? A bit more precise please
-
Do you also have a WAN? A bit more precise please
I think OP problem originates from what I have said before, and also because of DNS multicast proxy (or route - Unbound domain override).
Since he can ping public domains, I'm sure he has a WAN, but for this case I would say it's irrelevant.
What do you think? :)
-
So , You suppose,
Proxy DNS in activate mode ? My Opnsense version is 18.1.9.
i don't have mdns-repeater available .
what static route are you talking ?
-
Again, I stick to my opinion, which might be wrong, I accept:
Your SWITCH does the routing between VLANs. This means that the source and destination IP addresses are NOT changed. Hence, the source address of ping will be 10.10.20.X, outside of the LAN network of OPNsense, so OPNsense will drop the ping packet.
Sorry if I'm wrong, but if I'm wrong I assure you I'm sincerely wrong!
-
This is why you can ping from any client in VLAN 10, but not from the device from VLAN 20.
LE Also, this is why you can ping any client from any client in between VLANs, but not OPNsense from different VLANs than 10.10.10.0
PS Sorry for double posting.
-
Yes my switch is routing between vlan. but I found for the DNs resolver part. OpenSense> system setbox 'Allow DNS server list to be overridden by DHCP/PPP on WAN'
now in my vlan 20 , DNS resolution is ok.But when I ping ex: ns0.ovh.net request time out.
In live view, i saw the ping of my Pc LAN 10.10.20.3:53 193.70.18.144:53
in Unbound DNS i allowed VLAN 20 ( 10.10.20.0/24) in Access list.
I think that opense does not translate Nat DNS query to IP Switch
-
I think that opense does not translate Nat DNS query to IP Switch
It shouldn't: it is supposed to ROUTE it, not NAT it. Meaning, OPNsense should set DNS reply packet to 10.10.20.3 as destination (and via 10.10.10.1 as GW - route), and not to 10.10.10.1 as destination (NAT).
It's weird, I admit. If I get to figure out something else, I'l come back.
-
Actually I created a gateway in 10.10.10.1 and a static route (10.10.20.0/24 GW 10.10.10.1)
but if I leave like that the firewall blocks me all. therefore I do not know what to put as LAN / Wan rule.
I did the test by disabling the firewall and it blocks me.
-
I switched to Hybrid NAT mode and created a rules
NAT> Outbound
Interface Source Port Source Destination Port de Destination NAT Address NAT Port Port statique Description
WAN any * * * Adresse de l'interface * NON
But I have another issue, a Deny rule in liveview, see attached. I don't understand the rule to make
-
I don't know. Sorry, I really don't know! :)