Messages - mtlynch

#1
Quote from: franco on November 22, 2025, 09:05:07 AM
> but I think one of the important pieces here is that OPNsense in a lot of places asks the user to manually enter data when OPNsense already knows the answer:

I don't agree and the past discussions are all over the forum and GitHub to read through. I don't enjoy starting at the "but what if we just did it this way". This is not how projects work when they span multiple decades in total.

What is the correct way for OPNsense customers to give feedback?

I've searched for Github issues and forum discussions, and I can't find any discussion about why the user is required to input a specific prefix name for VLANs or why OPNsense doesn't offer a default IP range for an IPv4 subnet.

I'm not arguing that my preferred flow is correct. I'm just giving a datapoint as an OPNsense customer of 4 years that this is really confusing and I don't see any reason for it. I get why in different scenarios, other OPNsense users might want something different than my expected defaults (e.g., defaulting the VLAN to enabled), but I have a hard time understanding why anyone would want to manually type a specific prefix into the UI when the UI already knows what it must be.

You summarized my feedback as me asking for a wizard, and I was clarifying that that wasn't entirely what I was saying.

Quote
If you're using clicks, you're not a modern Ops.
It's not a Windows machine where you click anything and hopefully not build a security flaw....

If you want to administer OPNsense over a modern way (like API) I suggest to read the manual.
There's a way to use the API for that (that's how I do it with versioning and a Git repo in my local network only for this task).
It takes 2-3 minutes and voila a new VLAN is there.

I have pretty simple needs, so the value of OPNsense to me is that it offers a web UI to cover my needs.

The example you shared doesn't seem to achieve the same thing I shared in the video in that it doesn't enable DHCP or assign an IP range. I'm sure I could do it with more scripting, but if I'm going to write custom code to manage VLANs, I feel like I'm probably better off using FreeBSD/OpenBSD and scripting on top of pf directly rather than try to manage pf indirectly through a thick OPNsense layer.
#2
Quote from: franco on November 19, 2025, 09:28:24 PM
Basically what people are asking for is a setup wizard. We'll be extending the existing wizard with a few use-case type presets in 26.1 but nothing that resembles a non-first-time setup yet.

Not sure if this is in response to the blog post or subsequent discussion, but I think one of the important pieces here is that OPNsense in a lot of places asks the user to manually enter data when OPNsense already knows the answer:

  • On the create VLAN device page, OPNsense insists the user manually prefix the name with vlan
  • On the DHCPv4 page, OPNsense makes the user type the IP range assignment instead of defaulting to the full range of the subnet

I also feel like there are low-lift opportunities to improve the default options, like when the user assigns a static IPv4 to a VLAN, the default is a /32, when it feels like /24 is likely a more common choice. I think on a lot of these "whatever the user chose last time" would be a pretty good default.
#3
One of the things I've noticed recently in using OPNsense is that it's particularly labor-intensive to create a basic VLAN. I decided to measure how many clicks and keystrokes it actually takes, and it turns out for my flow it's:

  • 26 mouse clicks
  • 71 keystrokes
  • 6 distinct dialogs
  • 3 separate workflows

I shared more details and a full video of my VLAN creation flow in this post:

#4
Quote from: JeGr on March 28, 2023, 12:16:13 PM
As per the ICMP: do you have another rule on Floating or the interface they are originating that has the WAN interface enforced as Gateway? I don't suppose so but let's just check.

Ah, that was it! Thanks so much!

I had a rule on VLAN A that specified WAN_DHCP as the Gateway to allow VLAN A hosts to access the Internet.

If I move the WAN_DHCP rule to the end, pings from VLAN A can reach VLAN B.

I didn't realize that the firewall rules could influence packet routing.

Instead, I've created an alias for internal_networks with Content 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Then, I created a rule on VLAN A that's:

Protocol: IPv4
Source: any
Destination: internal_networks (invert)
Gateway: any

That seems like it's a less messy way of allowing Internet access on VLAN A.
#5
Quote
What upstream gateway is set on the VLAN interface assignments?

They are both set to "Auto-detect".
#6
I'm having some trouble with inter-VLAN routing within the same OPNsense system.

I've set up VLANs for the first time on my OPNsense box (running opnsense-business, 22.10.2, amd64).

I have two VLANs on the OPNsense system, both with the same parent (igb1):

VLAN A: 10.0.10.1/24
VLAN B: 10.0.20.1/24

I have two hosts:

Host A1: 10.0.10.101 (on VLAN A)
Host B1: 10.0.20.103 (on VLAN B)

I want to allow a host on VLAN A to send traffic to hosts on VLAN B. More specifically, I want hosts on VLAN A to be able to make HTTP requests to port 1313 on a specific host on VLAN B, but I'm having trouble getting even a simple ping to work.

I tried adding a firewall rule to VLAN A:

Action: Pass
Interface: VLAN A
Direction: In
TCP/IP Version: IPv4
Protocol: any
Source: VLAN A net
Destination: VLAN B net

But pings from Host A1 to Host B1 fail. I tried setting up the inverse rule on VLAN B's firewall, but I get the same result. From my direct LAN, I can ping both A1 and B1 successfully.

Interestingly, if I check for ICMP messages in Firewall > Log Files > Live View, I see this:

wan 2023-03-26T15:42:02-04:00 [my public IP, redacted] 10.0.20.103 icmp let out anything from firewall host itself (force gw)

And if I traceroute from A1 to B1, I see that the packets seem to go to the gateway on VLAN A out to the WAN interface:

$ sudo traceroute 10.0.20.103
traceroute to 10.0.20.103 (10.0.20.103), 30 hops max, 60 byte packets
1  10.0.10.1 (10.0.10.1)  0.213 ms  0.166 ms  0.130 ms
2  [redacted] ([my ISP gateway].1)  14.033 ms  14.010 ms  13.952 ms
3  [redacted] ([my public IP])  2.603 ms  2.470 ms  2.665 ms
Somehow, packets from VLAN A to VLAN B are being routed from VLAN A's gateway to OPNsense's WAN interface instead of to VLAN B on the same physical interface. I haven't added any routes to OPNsense beyond the defaults.

Does anyone have suggestions about what I'm configuring incorrectly?
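The routing symptom described in post #6 and the resolution in post #4 come down to first-match rule evaluation plus policy routing: a pass rule with a gateway set sends every packet it matches to that gateway, bypassing the routing table, so an "allow Internet via WAN_DHCP, destination any" rule placed above the inter-VLAN rule captures VLAN A to VLAN B traffic. The simulation below is an added example, not OPNsense code and not from any of the posters. It models a VLAN A inbound rule set with the addresses from the thread, reports where a packet would be sent under each of three rule sets (the original order, the reordered variant from post #4, and the inverted internal_networks alias from post #4), and adds a small audit that flags any forced-gateway rule that can still match an internal destination. Assumptions: rule evaluation is first match (OPNsense rules are "quick" by default), the scoped alias rule is given a forced gateway of WAN_DHCP (post #4 actually uses "any") to show that the destination scope alone prevents the capture, and 203.0.113.10 is a constructed external address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology using the addresses given in the thread.
VLAN_A = ipaddress.ip_network("10.0.10.0/24")
VLAN_B = ipaddress.ip_network("10.0.20.0/24")
DIRECTLY_CONNECTED = {"VLAN_A": VLAN_A, "VLAN_B": VLAN_B}
# The "internal_networks" alias from post #4: the three RFC 1918 ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    """Simplified pass rule on the VLAN A interface, direction in."""
    name: str
    src: list                       # networks; empty list means "any"
    dst: list                       # networks; empty list means "any"
    dst_invert: bool = False        # OPNsense "invert" checkbox on destination
    gateway: Optional[str] = None   # set -> policy-route matches to this gateway


def in_any(nets, addr):
    """True when addr falls in one of nets (or nets is empty, meaning any)."""
    return not nets or any(addr in n for n in nets)


def rule_matches(rule, src, dst):
    dst_ok = in_any(rule.dst, dst)
    if rule.dst_invert:
        dst_ok = not dst_ok
    return in_any(rule.src, src) and dst_ok


def next_hop(rules, src, dst):
    """First matching pass rule wins (OPNsense rules are 'quick' by default).
    Returns (rule name, where the packet goes). A rule with a gateway set
    sends the packet there directly, bypassing the routing table; that is
    the "(force gw)" tag seen in the live log line in post #6."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src, dst):
            if rule.gateway:
                return rule.name, f"gateway {rule.gateway}"
            for name, net in DIRECTLY_CONNECTED.items():
                if dst in net:
                    return rule.name, f"routing table -> {name}"
            return rule.name, "routing table -> default route (WAN)"
    return None, "blocked (no matching pass rule)"


def audit_forced_gateway_rules(rules, internal=INTERNAL_NETWORKS):
    """Flag rules that force a gateway yet can still match an internal
    destination. Whatever its position today, such a rule will capture
    inter-VLAN traffic as soon as it is ordered above the inter-VLAN pass."""
    probe_src = VLAN_A[1]
    probes = [net[1] for net in list(DIRECTLY_CONNECTED.values()) + internal]
    findings = []
    for rule in rules:
        if not rule.gateway:
            continue
        hit = next((p for p in probes if rule_matches(rule, probe_src, p)), None)
        if hit is not None:
            findings.append((rule.name, str(hit)))
    return findings


# Rule sets corresponding to the thread. The scoped rule keeps a forced
# gateway (assumption; post #4 uses "any") to show that the inverted alias
# alone keeps it from catching internal traffic.
INTERNET_ANY = Rule("allow Internet", src=[VLAN_A], dst=[], gateway="WAN_DHCP")
A_TO_B = Rule("allow VLAN A -> VLAN B", src=[VLAN_A], dst=[VLAN_B])
INTERNET_SCOPED = Rule("allow Internet (not internal_networks)", src=[VLAN_A],
                       dst=INTERNAL_NETWORKS, dst_invert=True, gateway="WAN_DHCP")
RULESETS = {
    "original (gateway rule first)": [INTERNET_ANY, A_TO_B],
    "reordered (gateway rule last)": [A_TO_B, INTERNET_ANY],
    "scoped alias (post #4 fix)": [INTERNET_SCOPED, A_TO_B],
}

if __name__ == "__main__":
    host_a1, host_b1, outside = "10.0.10.101", "10.0.20.103", "203.0.113.10"
    for label, rules in RULESETS.items():
        print(label)
        for dst in (host_b1, outside):
            print(f"  {host_a1} -> {dst}: {next_hop(rules, host_a1, dst)}")
        print(f"  audit: {audit_forced_gateway_rules(rules)}")
```

Running it shows the ping from 10.0.10.101 to 10.0.20.103 hitting the forced-gateway rule under the original order, reaching VLAN B under both fixes, and external traffic still leaving via WAN_DHCP in every case. The audit still flags the "destination any" gateway rule in the reordered set: ordering alone makes it harmless only until someone inserts a rule above it, which is why the alias-scoped destination from post #4 is the more robust shape.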