Messages - raffe

#1
Thank you Bart!

I think I have it all set up almost right now, it is close, but still no cigar.

The OpnSense PC is a VivoPC VM62 https://www.asus.com/Mini-PCs/VivoPC_VM62/

Ethernet NIC is
dmesg | grep Realtek
re0: <Realtek PCIe GBE Family Controller> port 0xe000-0xe0ff mem 0xf7d00000-0xf7d00fff,0xf0000000-0xf0003fff irq 18 at device 0.0 on pci3
dmesg | grep RTL
rgephy0: <RTL8169S/8110S/8211 1000BASE-T media interface> PHY 3 on miibus0

My switch is set up like this
It should be just like Bart wrote, but I have two tagged trunk ports = ports 1 & 2, not just port 1 (I'm planning on reinstalling the IPcop PC with OpnSense and letting it use port 2):

I have connected the cables to the switch like this
My OpnSense has these VLANs
NOTE!! --> It works using VLAN 222 for LAN with this setup. Like this, everything works well; all users can surf and so on.

But if I also try to change WAN to a VLAN like this

Connection via LAN still works to OpnSense, but WAN never gets any IP from the ISP DHCP, so nobody can reach the Internet. It is like the connection from VLAN 666 on re0 doesn't communicate with ports 6, 7 & 8 on the switch.
#2
Sooo... I tried VLAN. As ordered (  ;) ) I bought a TP-Link SG108e managed switch, but I think I may be missing some knowledge to get it working.

I set up the TP-Link like this
And OpnSense like this
As I understand it, the difference between VLAN and PVID is that:
VLAN = the VLAN IDs assigned to the port.
PVID = (Port VLAN ID) is the default VLAN ID assigned to frames coming in to the port.

LAN is connected to port 3
WAN is connected to port 6
I connect the re0 to port 1 or 2, and save all settings, but after that I can't connect to OpnSense any more. So I can't make any new firewall rules if that is what I need to do.

So I think I have done something wrong with my VLAN settings. Have I maybe done something wrong with choosing "Tagged" and "Untagged" ports?

Should port 1 and 2 be "Tagged" ports because OpnSense will be "Tagging" the packets? And all other ports should be "Untagged"? Or is it the other way around  ::) ?

And should that be done in the settings for VLAN 1, 222 and 666? Or only 222 and 666? I think maybe only 222 and 666.

I am asking because I am not home now, and will not be until next weekend, so now I can only plan and ponder on how I will make this work. Help me, Obi-Wan Kenobi. You're my only hope...
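The tagged/untagged/PVID question in this post, worked through as an added example (my own toy model, not code from the thread, from TP-Link or from OPNsense). It assumes the layout described in the posts: ports 1 and 2 as the tagged trunk to re0, port 3 as LAN in VLAN 222, ports 6 to 8 as WAN in VLAN 666. It also models the failure mode from the post above (#1), where a WAN port has been added to VLAN 666 but its PVID was left at the factory default of 1, so an untagged reply from the ISP is classified into VLAN 1 and leaves the trunk without the 666 tag that re0_vlan666 is waiting for.

```python
"""Toy 802.1Q port model for a small managed switch (PVID / tagged / untagged).

Added example, not from the thread, TP-Link or OPNsense.  The port layout
is an assumption drawn from the posts: ports 1-2 = tagged trunk to re0,
port 3 = LAN in VLAN 222, ports 6-8 = WAN in VLAN 666.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Frame:
    src: str
    payload: str
    vlan: Optional[int] = None          # None = no 802.1Q tag on the wire


@dataclass
class Port:
    pvid: int                                        # VLAN given to untagged ingress frames
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out of this port with a tag
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out of this port without a tag

    def member_of(self, vlan: int) -> bool:
        return vlan in self.tagged or vlan in self.untagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, in_port: int, frame: Frame) -> Optional[int]:
        """Ingress: an existing tag wins, otherwise the port's PVID applies.
        A frame in a VLAN the port is not a member of is dropped (None)."""
        port = self.ports[in_port]
        vlan = frame.vlan if frame.vlan is not None else port.pvid
        return vlan if port.member_of(vlan) else None

    def forward(self, in_port: int, frame: Frame) -> Dict[int, Frame]:
        """Flood to every other member port of the frame's VLAN, adding or
        stripping the tag as that port's membership says (no MAC learning)."""
        vlan = self.classify(in_port, frame)
        out: Dict[int, Frame] = {}
        if vlan is None:
            return out
        for num, port in self.ports.items():
            if num == in_port:
                continue
            if vlan in port.tagged:
                out[num] = Frame(frame.src, frame.payload, vlan)
            elif vlan in port.untagged:
                out[num] = Frame(frame.src, frame.payload, None)
        return out


def build_switch(wan_pvid: int = 666) -> Switch:
    """Assumed layout (see lead-in).  wan_pvid=1 reproduces the mistake of
    adding the WAN ports to VLAN 666 while leaving their PVID at 1, in which
    case they also keep their default untagged membership of VLAN 1."""
    def trunk() -> Port:
        return Port(pvid=1, tagged={222, 666}, untagged={1})

    def wan() -> Port:
        members = {666} if wan_pvid == 666 else {1, 666}
        return Port(pvid=wan_pvid, untagged=members)

    return Switch({
        1: trunk(), 2: trunk(),
        3: Port(pvid=222, untagged={222}),
        6: wan(), 7: wan(), 8: wan(),
    })


def ports_reached_by_tagged_666(wan_pvid: int = 666) -> Set[int]:
    """Where a 666-tagged frame from re0 on trunk port 1 ends up."""
    sw = build_switch(wan_pvid)
    return set(sw.forward(1, Frame("re0", "DHCPDISCOVER", vlan=666)))


def trunk_frame_for_isp_reply(wan_pvid: int = 666) -> Optional[Frame]:
    """The copy of an untagged ISP reply (port 6) that leaves trunk port 1."""
    sw = build_switch(wan_pvid)
    return sw.forward(6, Frame("isp", "DHCPOFFER")).get(1)


if __name__ == "__main__":
    print("tagged 666 from re0 reaches ports:", sorted(ports_reached_by_tagged_666()))
    for pvid in (666, 1):
        f = trunk_frame_for_isp_reply(pvid)
        print(f"WAN PVID {pvid}: ISP reply leaves port 1 with tag", None if f is None else f.vlan)
```

In this model "Tagged" membership means frames of that VLAN leave the port with the 802.1Q header, which is what the VLAN interfaces on re0 expect on the trunk ports; an access port for an end device gets "Untagged" membership plus a PVID equal to the same VLAN, so that what the device sends in is classified into that VLAN. The two runs show the asymmetry: outbound traffic from re0 reaches the WAN ports in both configurations, but with the PVID left at 1 the reply comes back untagged on the trunk, which is exactly what "WAN never gets any IP" looks like from the firewall side.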
#3
@Raccoon: Thanks for your reply. I have now tried switching USB NICs between IPcop and OPNsense. So now IPcop has the new J5 JUE130 and OPNsense has the older Startech USB31000SW. Let's see if OPNsense likes that Startech NIC better... Otherwise maybe I need to go down that scary, mysterious and difficult muddy path towards the world of VLAN  :o
#4
I just saw that I had an unassigned ovpns1 interface 00:00:00:00:00:00 - XEROX CORPORATION

So I have now assigned it as OPT1 interface (opt1, ovpns1). Could this have something to do with my problems?

@Bart: If this will not get better, I may need to think about your idea. I know nothing about VLANs though :( I guess 802.1Q VLAN is the way to go, if I have understood it correctly. Do you think a TP-link TL-SG105E would also work? I see they have it in a shop very close by.
#5
EDIT: OK, changing the subject, trying VLAN. See post 6...

Well, something seems to be wrong. I don't know if it has something to do with the IP-number change (see https://forum.opnsense.org/index.php?topic=9344.0 ). I have
Name              OPNsense.localdomain
Versions          OPNsense 18.7-i386
FreeBSD           11.1-RELEASE-p11
OpenSSL           1.0.2o 27 Mar 2018
CPU Type          Intel(R) Core(TM) i5-4210U CPU @ 1.70GHz (4 cores)
CPU usage         Load average 0.05, 0.05, 0.01
Uptime            1 days 17:24:29
State table size  0 % ( 573/346000 )
MBUF Usage        5 % ( 1536/26368 )
Memory usage      6 % ( 233/3465 MB )
SWAP usage        0 % ( 0/8192 MB )
Disk usage        1% / [ufs] (899M/106G)

I have installed OpenVPN (same as in https://docs.opnsense.org/manual/how-tos/sslvpn_client.html as I followed it, but I don't use 2FA.), I have activated NetFlow locally and have these plugins installed:
os-arp-scan (installed)   1.1   37.7KiB   Get all peers connected to a local network   
os-dyndns (installed)   1.8   134KiB   Dynamic DNS Support

I am connected with OpenVPN to OpnSense, and this happens from time to time (I am pinging the NAS that is on LAN):
...
...
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
Reply from 192.168.222.247: bytes=32 time=2ms TTL=63
...
...


In System: Log Files: General I see this at the time
Aug 7 10:45:57 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (dynamicraffe.botz.com): (Success) No Change In IP Address
Aug 7 10:45:57 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS: updating cache file /var/cache/dyndns_wan_dynamicraffe.botz.com_1.cache: 155.5.223.16
Aug 7 10:45:55 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (raffetest.botz.com): (Success) No Change In IP Address
Aug 7 10:45:55 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS: updating cache file /var/cache/dyndns_wan_raffetest.botz.com_0.cache: 155.5.223.16
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: skipping IPv6 default route
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: keeping current default gateway '155.5.223.97'
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: setting IPv4 default route to 155.5.223.97
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: no IPv6 default gateway set, assuming wan
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: IPv4 default gateway set to wan
Aug 7 10:45:52 opnsense: /usr/local/etc/rc.linkup: ROUTING: entering configure using 'wan'
Aug 7 10:45:51 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (dynamicraffe.botz.com): (Success) No Change In IP Address
Aug 7 10:45:51 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_wan_dynamicraffe.botz.com_1.cache: 155.5.223.16
Aug 7 10:45:49 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS (raffetest.botz.com): (Success) No Change In IP Address
Aug 7 10:45:49 opnsense: /usr/local/etc/rc.newwanip: Dynamic DNS: updating cache file /var/cache/dyndns_wan_raffetest.botz.com_0.cache: 155.5.223.16
Aug 7 10:45:46 opnsense: /usr/local/etc/rc.newwanip: Interface '' is disabled or empty, nothing to do.
Aug 7 10:45:46 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ovpns1'
Aug 7 10:45:45 kernel: ovpns1: link state changed to UP
Aug 7 10:45:45 kernel: ovpns1: link state changed to DOWN
Aug 7 10:45:45 opnsense: /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface WAN.
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: skipping IPv6 default route
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: keeping current default gateway '155.5.223.97'
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: setting IPv4 default route to 155.5.223.97
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: no IPv6 default gateway set, assuming wan
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'wan'
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 155.5.223.16) (interface: WAN[wan]) (real interface: ue0).
Aug 7 10:45:44 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ue0'
Aug 7 10:45:43 opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Aug 7 10:45:43 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Aug 7 10:45:43 opnsense: /usr/local/etc/rc.linkup: Clearing states to old gateway 155.5.223.97.
Aug 7 10:45:43 opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet detached event for wan
Aug 7 10:45:43 kernel: ue0: link state changed to UP
Aug 7 10:45:43 kernel: ue0: link state changed to DOWN
Aug 7 10:31:08 opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (dynamicraffe.botz.com): (Success) No Change In IP Address
...
...


If I search in System: Log Files: General for "ue0: link state changed to DOWN" I see
Aug 8 10:37:25 kernel: ue0: link state changed to DOWN
Aug 8 10:34:37 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:25:20 kernel: ue0: link state changed to DOWN
Aug 8 08:15:19 kernel: ue0: link state changed to DOWN
Aug 7 10:45:43 kernel: ue0: link state changed to DOWN
Aug 7 10:30:29 kernel: ue0: link state changed to DOWN
Aug 7 10:30:29 kernel: ue0: link state changed to DOWN
Aug 7 10:30:29 kernel: ue0: link state changed to DOWN
Aug 7 10:08:00 kernel: ue0: link state changed to DOWN
Aug 7 10:05:49 kernel: ue0: link state changed to DOWN
Aug 7 10:05:24 kernel: ue0: link state changed to DOWN
Aug 7 10:05:24 kernel: ue0: link state changed to DOWN
Aug 7 09:51:53 kernel: ue0: link state changed to DOWN
Aug 7 09:23:42 kernel: ue0: link state changed to DOWN
Aug 7 09:22:53 kernel: ue0: link state changed to DOWN
Aug 7 09:22:53 kernel: ue0: link state changed to DOWN
Aug 7 09:22:53 kernel: ue0: link state changed to DOWN
Aug 7 09:22:53 kernel: ue0: link state changed to DOWN
Aug 7 08:36:57 kernel: ue0: link state changed to DOWN
Aug 6 20:40:59 kernel: ue0: link state changed to DOWN
Aug 6 20:39:48 kernel: ue0: link state changed to DOWN
Aug 6 20:37:27 kernel: ue0: link state changed to DOWN
...
...


The NIC is a J5 JUE130 (https://en.j5create.com/products/jue130?variant=10610940932 ) and should have an AX88179 chipset (that is found here https://www.freebsd.org/releases/11.1R/hardware.html#ethernet ). "dmesg | grep AX" gives
ugen0.2: <ASIX Elec. AX88179> at usbus0


I use a USB NIC as the mini PC only has one NIC on board. I have done the same with IPcop for five years without problems, but it has a Startech USB31000SW (https://www.startech.com/se/en/Networking-IO/usb-network-adapters/USB-3-to-Gigabit-Ethernet-NIC-Network-Adapter~USB31000SW ), also with an AX88179 chipset. Maybe that NIC is better?

I am sorry to say that I don't know much about FreeBSD, so I wonder if any of you could help me on how to start finding the error? I don't even know how to see more than one page of logs at System: Log Files: General...
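One way to get more out of those log lines than scrolling one page of the web UI at a time: the added example below (my own code, not OPNsense's or the poster's) parses the kernel "link state changed" lines in the format shown above, groups DOWN events per interface into bursts, and sums the DOWN-to-UP intervals so a link that flaps several times a second stands out from one that dropped once. The sample lines are constructed: the DOWN timestamps follow the ones posted above, while the matching UP lines, the ovpns1 pair, the extra rc.newwanip line and the year are assumptions. It accepts the lines in the newest-first order the UI displays.

```python
"""Link-flap detector for FreeBSD/OPNsense 'link state changed' log lines.

Added example, not code from the thread or from OPNsense.  Input is the
line format shown in System: Log Files: General, in the newest-first
order the page displays; the year is assumed because syslog omits it.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

LINK_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"kernel: (?P<iface>[a-z]+\d+): link state changed to (?P<state>UP|DOWN)$"
)

# Constructed sample (newest first, as the UI shows it): DOWN timestamps
# follow those posted above; the UP lines, the ovpns1 pair and the
# rc.newwanip line are made-up filler so the parser has something to skip.
SAMPLE_LOG = """\
Aug 8 10:37:26 kernel: ue0: link state changed to UP
Aug 8 10:37:25 kernel: ue0: link state changed to DOWN
Aug 8 10:34:38 kernel: ue0: link state changed to UP
Aug 8 10:34:37 kernel: ue0: link state changed to DOWN
Aug 8 10:34:31 kernel: ovpns1: link state changed to UP
Aug 8 10:34:31 kernel: ovpns1: link state changed to DOWN
Aug 8 10:34:30 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'ue0'
Aug 8 10:34:30 kernel: ue0: link state changed to UP
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to UP
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:34:29 kernel: ue0: link state changed to UP
Aug 8 10:34:29 kernel: ue0: link state changed to DOWN
Aug 8 10:25:21 kernel: ue0: link state changed to UP
Aug 8 10:25:20 kernel: ue0: link state changed to DOWN
Aug 8 08:15:19 kernel: ue0: link state changed to UP
Aug 8 08:15:19 kernel: ue0: link state changed to DOWN
"""

Event = Tuple[datetime, str, str]   # (timestamp, interface, "UP" or "DOWN")


def parse_link_events(lines, year: int = 2018, newest_first: bool = True) -> List[Event]:
    """Keep only kernel link-state lines and return them in time order."""
    events: List[Event] = []
    for line in lines:
        m = LINK_RE.match(line.strip())
        if not m:
            continue            # dyndns, rc.newwanip etc. are not link events
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append((stamp, m["iface"], m["state"]))
    if newest_first:
        events.reverse()        # keeps same-second DOWN/UP pairs in true order
    events.sort(key=lambda e: e[0])   # stable sort, so that order survives
    return events


def flap_bursts(events: List[Event], window_s: int = 60, threshold: int = 3) -> List[dict]:
    """Cluster DOWN events per interface when consecutive ones are at most
    window_s apart; report clusters holding at least threshold events."""
    downs: Dict[str, List[datetime]] = defaultdict(list)
    for stamp, iface, state in events:
        if state == "DOWN":
            downs[iface].append(stamp)
    bursts = []
    for iface, stamps in downs.items():
        cluster = [stamps[0]]
        for stamp in stamps[1:] + [None]:     # None flushes the last cluster
            if stamp is not None and (stamp - cluster[-1]).total_seconds() <= window_s:
                cluster.append(stamp)
                continue
            if len(cluster) >= threshold:
                bursts.append({"iface": iface, "first": cluster[0],
                               "last": cluster[-1], "downs": len(cluster)})
            cluster = [stamp]
    return bursts


def down_seconds(events: List[Event]) -> Dict[str, float]:
    """Sum DOWN->UP gaps per interface (an unmatched DOWN stays open)."""
    total: Dict[str, float] = defaultdict(float)
    pending: Dict[str, datetime] = {}
    for stamp, iface, state in events:
        if state == "DOWN":
            pending[iface] = stamp
        elif iface in pending:
            total[iface] += (stamp - pending.pop(iface)).total_seconds()
    return dict(total)


if __name__ == "__main__":
    evs = parse_link_events(SAMPLE_LOG.splitlines())
    for b in flap_bursts(evs):
        print(f"{b['iface']}: {b['downs']} link drops between "
              f"{b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}")
    print("seconds spent DOWN:", down_seconds(evs))
```

Point it at a file copied from the log page (or at the system log itself) and compare the burst times with the "Request timed out" runs in the ping output: if every outage lines up with a cluster of ue0 link drops, the USB adapter or its cable is the thing to look at first, and the rc.newwanip and dyndns lines are just the firewall reacting to the link coming back.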
#6
Hi!

I'm going from IPcop to OpnSense. I had set up OpnSense, and it worked well with OpenVPN, port forwarding, DynDNS, NTP etc.

IPcop had 192.168.222.254 and OpnSense had 192.168.222.251.

During the big day when I wanted to switch firewalls I came to the part where I was supposed to change the gateways on about ten devices with static IP addresses. I thought it was easier to just switch addresses between IPcop and OpnSense.

So IPcop now has 192.168.222.251 and OpnSense has 192.168.222.254. I did this remotely, and it worked for like two minutes and after that OpenVPN stopped working. I could connect with OpenVPN and I could ping 192.168.222.254, but I couldn't connect to anything else in 192.168.222.0/24 or even open the OpnSense configuration web page. I saw a notice that said
Quote: There were error(s) loading the rules: /tmp/rules.debug:31:no translation address with matching address family found. - The line in question reads [31]: nat on ue0 inet from (re0:network) to any port 500 -> ue0:0 static-port # Automatic outbound rule
The rules I have are the same as in https://docs.opnsense.org/manual/how-tos/sslvpn_client.html as I followed it, but I don't use 2FA.


So I tried to open all rules I could find and just re-save them without changing anything, but it didn't help. Then I opened the OpenVPN rule, changed "source" from "*" to "OpenVPN net". After that I couldn't ping anything on LAN, not even 254. So I changed "source" back to "*" and now OpenVPN works OK again :-) Now everything is good again!

Or is it? Now I am worrying that maybe I also broke something else, but I just have not seen or realized what yet. What do you think, should I reinstall OpenVPN again? Or should I maybe reinstall the whole OpnSense again? Or is there something else I should do (mind you, I am not only an OpnSense/FreeBSD noob, I'm also very bad at exorcism if you intend to suggest it ;-) )