Messages - DarkHelmet

#1
General Discussion / Unruly rules with vlans
January 22, 2024, 06:13:32 PM
Hi All,

I recently discovered that my VLANs were not properly isolated. Most of my stuff is on a non-VLAN LAN interface. I am running OPNsense 23.7.12-amd64. I also have AdGuard Home set up. I also have Private Internet Access VPN and Tailscale VPN installed. (Not sure if any of those play into my problems.)

My setup.

vlan01 [Home] igc1  [LAN] 10
vlan02 [Work] igc1  [LAN] 20
vlan03 [IoT] igc1  [LAN] 30
vlan04 [Guest] igc1  [LAN] 40


What I am seeing is that my rules are not processing the traffic properly. I have one rule, the second-last rule, to block all traffic between the private ranges. Then I have another rule before that which allows one IP address, 192.168.30.21 (IoT), to 192.168.2.6 (LAN). This is what I am seeing under the firewall live view. Why is one blocked but others allowed? All should be processed by the allow, but obviously some are still making it to the block rule.

This view is filtered for source IoT and destination 192.168.2.6.



Rules:
Allow access to HA IOT:
-- Pass
-- quick yes
-- interface IoT
-- direction in
-- TCP ipv4
-- protocol any
-- source IoT_to_HA_src (alias to 192.168.30.21)
-- destination Iot_to_HA_dest (alias to 192.168.2.6)

block access to private ranges:
-- Reject
-- quick yes
-- interface iot
-- direction in
-- TCP ipv4
-- protocol all
-- source iot net
-- dest alias to private ranges


Alias:
private ranges: 192.168.0.0/16
IoT_to_HA_src: 192.168.30.21
Iot_to_HA_dest: 192.168.2.6
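OPNsense's packet filter (pf) walks the rule list top to bottom and stops at the first matching rule that has "quick" set, so a packet only reaches the reject rule when some field of the pass rule above it does not cover it (source address, destination, protocol, interface or direction). The model below is an added example for checking that, not OPNsense code or the poster's actual configuration; it assumes the IoT net is 192.168.30.0/24 and the sample packets are constructed. Taking the fields of a blocked entry from the live view and running them through the two rules shows exactly which field made the packet fall through.

```python
"""Model of pf-style first-match ("quick") rule evaluation for the two IoT
rules in the post. Added example, not OPNsense's own code; the IoT net
(192.168.30.0/24) and the sample packets below are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "pass" or "reject"
    interface: str     # interface the rule is bound to, e.g. "IoT"
    direction: str     # "in" or "out"
    protocol: str      # "any", "tcp", "udp" or "icmp"
    src: str           # CIDR; a single host is written as /32
    dst: str           # CIDR
    quick: bool = True


@dataclass(frozen=True)
class Packet:
    interface: str
    direction: str
    protocol: str
    src: str
    dst: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """True only when every field of the rule covers the packet."""
    if rule.interface.lower() != pkt.interface.lower():
        return False
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return True


def evaluate(rules, pkt: Packet):
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which ends evaluation on the spot. With no match at all the
    implicit default-deny applies."""
    decision = ("block", "default deny")
    for rule in rules:
        if matches(rule, pkt):
            decision = (rule.action, rule.name)
            if rule.quick:
                break
    return decision


# The two rules from the post, in the order they appear on the IoT interface.
PAGE_RULES = [
    Rule("Allow access to HA IOT", "pass", "IoT", "in", "any",
         "192.168.30.21/32", "192.168.2.6/32"),
    Rule("block access to private ranges", "reject", "IoT", "in", "any",
         "192.168.30.0/24", "192.168.0.0/16"),   # IoT net assumed /24
]

# What-if variant: the same pass rule narrowed to TCP only.
TCP_ONLY_RULES = [
    Rule("Allow access to HA IOT (tcp only)", "pass", "IoT", "in", "tcp",
         "192.168.30.21/32", "192.168.2.6/32"),
    PAGE_RULES[1],
]

# Constructed packets, roughly what a live-view entry boils down to.
CONSTRUCTED_PACKETS = [
    Packet("IoT", "in", "tcp", "192.168.30.21", "192.168.2.6"),   # the allowed host
    Packet("IoT", "in", "tcp", "192.168.30.50", "192.168.2.6"),   # another IoT host
    Packet("IoT", "in", "udp", "192.168.30.21", "192.168.2.7"),   # wrong destination
    Packet("IoT", "in", "icmp", "192.168.30.21", "192.168.2.6"),  # ping from the host
]


def decisions(rules, packets):
    """One row per packet: src, dst, proto, action, rule that decided it."""
    return [(p.src, p.dst, p.protocol, *evaluate(rules, p)) for p in packets]


if __name__ == "__main__":
    for row in decisions(PAGE_RULES, CONSTRUCTED_PACKETS):
        print("page rules     :", row)
    for row in decisions(TCP_ONLY_RULES, CONSTRUCTED_PACKETS):
        print("tcp-only allow :", row)
    # Reversing the order puts the quick reject first, shadowing the pass rule.
    for row in decisions(list(reversed(PAGE_RULES)), CONSTRUCTED_PACKETS):
        print("reversed order :", row)
```

With the rules as posted, only 192.168.30.21 to 192.168.2.6 passes; any other IoT source, any other LAN destination, and any traffic arriving on an interface or in a direction the pass rule is not bound to falls to the reject. The TCP-only variant shows why the protocol field matters: ICMP from the allowed host is then rejected even though source and destination are right. Reversing the two rules makes the quick reject shadow the pass rule completely, which is the order-sensitivity the "second-last" placement is protecting against.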



#2
Hi,

I am pretty much a noob with OPNsense, but I got this all working with my setup. I am sending a specific IP address out to the interface. I tested a reboot though, and on reboot the interface defaults to the normal LAN interface, not using the VPN. Not sure why. Any thoughts?

After the reboot I can get it working again by SSHing to the router and running the "PIAWireguard.py debug changeserver" command. After that the source IP traffic goes through the VPN again.

Thanks.

--pat

Versions   OPNsense 22.7.8-amd64
FreeBSD 13.1-RELEASE-p3
OpenSSL 1.1.1s 1 Nov 2022


**Update** 

It appears to me that the VPN interface eventually comes up after a boot. It just takes a bit of time before it's active. Maybe 5 minutes for the cron job to kick in? If this is true for everyone, people might not be VPN protected for the first few minutes after a reboot unless they have the "kill switch" from step 11:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

#3
Quote from: cookiemonster on October 26, 2022, 05:15:27 PM
Double-check you have the bridge set up as per the nuances here: https://docs.opnsense.org/manual/how-tos/lan_bridge.html . Hopefully it's just that and not a hardware problem.


Yes, that's the guide I followed to set up the bridge. Ports 1 and 2 are working properly as part of the bridge. Port zero is the WAN. I will go through and double-check everything after work though. Thanks for the suggestion.
#4
So I got my device yesterday. Installed OPNsense 22.7 straight away. Got things up and running with the default LAN/WAN ports active, updates applied, etc. Tried to bridge ports 3-5 to the LAN. Got that working, except if I plug anything into ports 3-5, OPNsense will freeze, requiring a hard power-cord removal and a reboot with ports 3-5 empty. What I mean by freeze is: I have the device connected to a monitor/keyboard and it won't respond, and no ports respond once something is plugged into ports 3-5.

Ports 0,1 and 2 work fine if I boot without anything connected to ports 3-5.

Could this possibly be an OPNsense issue? Or is my device defective, or some BIOS setting not correct?

I have an email to the Amazon seller outstanding, but was wondering if this might be something of a known issue.

This is the device:

https://www.amazon.com/gp/product/B0B84T8VQR/

Thanks