Messages - pandaBolide

#1
General Discussion / Re: Internet for my VLANs
November 17, 2023, 12:17:26 PM
BIG UPDATE:

After adding new NAT rules the connection is working!

THANKS A LOT for your guidance Patrick M. Hausen, I learned a lot today!
And thank you too netnut for your help!

Best regards,
pandaBolide
#2
General Discussion / Re: Internet for my VLANs
November 17, 2023, 12:11:00 PM
No, the selected mode is "Automatic outbound NAT rule generation," but I can opt for a manual or hybrid mode if double NAT allows me to define all my rules from the OPNsense machine.

Yes, it seems you're correct. The default OPNsense NAT is only for my LAN network (10.0.1.0/24) and not the other VLAN networks (10.0.0.0/16).

I'll try the double NAT. The default rules have "WAN" as the "NAT Address." When I attempt to add a new rule for my 10.0.0.0/16 network, in the "Translation/Target" category, I only have four choices:

  • Interface address
  • Single host or Network
  • LAN address
  • WAN address
But none of them is "WAN." I suppose "WAN address" is the right one, but it seems it's not working.

As usual I'll try to keep everything open for the tests and then I'll try to add new rules.

Any ideas?
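The post above describes the two NAT modes at issue: automatic outbound NAT only generates a rule for the LAN interface network (10.0.1.0/24), so packets that OPNsense merely forwards from the other VLANs leave the WAN with their 10.0.x.x source untouched, and a hybrid-mode rule for 10.0.0.0/16 is what the follow-up post reports as the fix. The following is an added example, not code from the thread or from OPNsense: a small stateful source-NAT model that shows the difference for a packet from 10.0.3.5 and carries the reply back through the state table. The rule representation, the port-allocation scheme and the packet tuples are assumptions of this model; the networks and the WAN address are the ones quoted in the posts.

```python
# Added example (not from the thread): a model of OPNsense-style outbound NAT showing
# why the automatically generated rule (LAN net only) leaves packets from the other
# VLANs untranslated, and how a hybrid-mode rule for 10.0.0.0/16 changes that.
# Rule format, port allocation and packet tuples are assumptions of this model.
import ipaddress
from dataclasses import dataclass, replace

WAN_ADDR = ipaddress.ip_address("192.168.3.100")  # OPNsense WAN address (from the thread)
LAN_NET = ipaddress.ip_network("10.0.1.0/24")      # OPNsense LAN interface network
VLAN_NETS = ipaddress.ip_network("10.0.0.0/16")    # everything behind the Mikrotik


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def pkt(src, sport, dst, dport):
    return Packet(ipaddress.ip_address(src), sport, ipaddress.ip_address(dst), dport)


class OutboundNat:
    """Source NAT on the WAN side: the first matching rule wins, and reply traffic
    is mapped back through the state entry that the outbound translation created."""

    def __init__(self, rules, first_port=50000):
        self.rules = rules        # list of (source network, translation address)
        self.next_port = first_port
        self.states = {}          # (nat_addr, nat_port, dst, dport) -> (orig src, orig sport)

    def outbound(self, p):
        for net, nat_addr in self.rules:
            if p.src in net:
                port = self.next_port
                self.next_port += 1
                self.states[(nat_addr, port, p.dst, p.dport)] = (p.src, p.sport)
                return replace(p, src=nat_addr, sport=port)
        return p  # no rule matched: the packet leaves WAN with its private 10.x source

    def inbound(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.states:
            src, sport = self.states[key]
            return replace(p, dst=src, dport=sport)
        return None  # no matching state: the reply is dropped


def automatic_rules():
    """'Automatic outbound NAT rule generation': one rule per local interface network."""
    return [(LAN_NET, WAN_ADDR)]


def hybrid_rules():
    """Hybrid mode: the automatic rule plus a manual rule for the whole 10.0.0.0/16."""
    return automatic_rules() + [(VLAN_NETS, WAN_ADDR)]


def leaves_wan_translated(rules, src):
    """True if a packet from src to a public address leaves WAN with the WAN address."""
    nat = OutboundNat(rules)
    out = nat.outbound(pkt(src, 40000, "1.1.1.1", 443))
    return out.src == WAN_ADDR


def round_trip(rules, src):
    """Send one packet out and its reply back; returns the host the reply reaches, or None."""
    nat = OutboundNat(rules)
    out = nat.outbound(pkt(src, 40000, "1.1.1.1", 443))
    reply = pkt("1.1.1.1", 443, str(out.src), out.sport)   # constructed reply from the server
    back = nat.inbound(reply)
    return None if back is None else str(back.dst)


if __name__ == "__main__":
    for label, rules in (("automatic", automatic_rules()), ("hybrid", hybrid_rules())):
        for host in ("10.0.1.50", "10.0.3.5"):
            print(f"{label:9} {host:10} translated={leaves_wan_translated(rules, host)} "
                  f"reply reaches={round_trip(rules, host)}")
```

With the automatic rule set only, a host in 10.0.1.0/24 is translated and gets its reply back, while 10.0.3.5 leaves the WAN untranslated and the reply finds no state; the hybrid rule set covers both. The rule order matters in the model as it does in the firewall: the more specific LAN rule is listed first, and the 10.0.0.0/16 rule catches the rest.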
#3
General Discussion / Re: Internet for my VLANs
November 17, 2023, 11:41:24 AM
I am a big noob with the NAT but I *think* I understand the basics.

My NAT rules are managed by the router of my ISP (FritzBox!, 192.168.3.1, not 192.168.1.1, my bad), and I didn't edit/add any NAT rules.

Just to be clear, do I need to add rules in my Mikrotik, which is not my ISP router but the one that I am using as an L3 switch to manage my VLANs and my static routes in my 10.0.0.0 network?

It could sound kinda stupid but I am kinda lost with how the NAT is supposed to work in my Mikrotik.
(Sorry if my diagram is a little bit confusing)

Thank you!
pandaBolide
#4
General Discussion / Re: Internet for my VLANs
November 17, 2023, 11:18:57 AM
For the tests I keep it simple and opened everything:

Protocol  Source  Port  Destination  Port  Gateway  Schedule
IPv4 *    *       *     *            *     *        *
IPv6 *    *       *     *            *     *        *

(I don't use IPV6, but I added it just to be "sure")
#5
General Discussion / Re: Internet for my VLANs
November 17, 2023, 10:55:24 AM
Update:

Now I can access the web IF I am on the same subnet as my LAN address (10.0.1.2), but when I try from another network like 10.0.3.0/24 I cannot reach the Internet, and my traceroute is:
10.0.3.1 --> 10.0.1.2 --> *Nothing*

My route table is the same as before for my Mikrotik, and for my OPNsense I added 2 routes (the rest is factory default):

Dest            Gateway
192.168.0.0/16  192.168.3.1 (WAN)
10.0.0.0/8      10.0.1.1 (LAN)

Is my problem by any chance from the OPNsense side, or do I need to edit some things in my Mikrotik?

Best regards,
pandaBolide
#6
General Discussion / Re: Internet for my VLANs
November 16, 2023, 09:08:00 AM
Hello netnut,

Thanks for your answer. ;D Manipulating the mask to allow only one route for the 10.X.X.X subnet is a great idea, and the OPNsense LAN side is now reachable from my LAN network.

But I still have a little problem—I can't reach the internet from my LAN. Is there a way to make that possible? Or is my network address map a mess, and should I switch to 192.X.X.X on my LAN side so I can use only one route for both sides?


Best regards,
pandaBolide
#7
General Discussion / Internet for my VLANs
November 15, 2023, 04:45:58 PM
I'm currently grappling with an issue related to my firewall.

Here's a nice diagram of my setup:

[diagram image not included]

My goal is to route my VLANs to my Firewall (10.0.1.2) to gain access to the Internet.

I have 2 interfaces with 2 gateways:
WAN: 192.168.3.100/24, gateway: 192.168.3.1
LAN: 10.0.1.2/24, gateway: 10.0.1.1

For my tests, I've opened the firewall for both LAN and WAN with the following settings:
Protocol: IPV4
Source: *
Destination: *
Port: 9
Gateway: *
Schedule: *

By setting my default route to 10.0.1.2 and having only one gateway on my FW (192.168.3.1), I can access the internet from all the devices in the same network as my LAN interface (10.0.1.0/24). So the Firewall rules are working to communicate with the web. ;D

However, when I add the second gateway in my FW (10.0.1.1), I can communicate within my VLANs, but I lose the connection to the internet, even if I am in the same network as my LAN interface. :(

I need this second gateway so I can have a connection between the FW and my VLANs.

Routes of my router:
#        DST-ADDRESS  PREF-SRC  GATEWAY   DISTANCE
0  A S   0.0.0.0/0    -         10.0.1.2  1
1  ADC   10.0.1.0/24  10.0.1.1  LOCAL     0
2    S   10.0.1.0/24  10.0.1.1  LAN       1
3  ADC   10.0.2.0/24  10.0.2.1  SERVICES  0
4    S   10.0.2.0/24  10.0.2.1  LAN       1
5  ADC   10.0.3.0/24  10.0.3.1  TESTS     0
6    S   10.0.3.0/24  10.0.3.1  LAN       1
7  ADC   10.0.4.0/24  10.0.4.1  HQ        0
8    S   10.0.4.0/24  10.0.4.1  LAN       1

Addresses of my router:
#  ADDRESS      NETWORK   INTERFACE
0  10.0.1.1/24  10.0.1.0  LOCAL
1  10.0.2.1/24  10.0.2.0  SERVICES
2  10.0.3.1/24  10.0.3.0  TESTS
3  10.0.4.1/24  10.0.4.0  HQ


For your information,
I'm using a Mikrotik Router/Switch to manage my VLANs and perform routing. Each VLAN has an IP for the interface, which serves as the gateway for the devices in each VLAN.

The NAT rules are managed by the router of my ISP.

Thanks a lot for reading, I'll be waiting for your ideas :)
Don't hesitate if you need more information.

Best regards,
pandaBolide
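The original post above and post #5 earlier on this page give enough of the routing tables to reason about the symptom: the Mikrotik sends everything it does not own to 10.0.1.2, while OPNsense, in its factory state, knows only its two connected networks and a default route via 192.168.3.1, so return traffic for 10.0.3.0/24 has no path back through 10.0.1.1 unless a static route is added, and a second default gateway on LAN sends internet-bound traffic back to the Mikrotik. The following is an added example, not code from the thread or from either vendor: a longest-prefix-match model of both routers that traces a packet hop by hop under three OPNsense configurations. Router names, the "upstream" hand-off and the loop detection are assumptions of the model; the prefixes and next hops are those quoted in the posts (the 10.0.0.0/8 static route is the one from post #5).

```python
# Added example (not from the thread): a longest-prefix-match model of the Mikrotik
# and OPNsense routing tables described in the posts, tracing where a packet goes
# under three OPNsense configurations. Router names, the "upstream" hand-off and the
# loop detection are assumptions; prefixes and next hops are the ones from the posts.
import ipaddress


class Router:
    """A routing table with longest-prefix match; on equal length the earlier entry wins."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop or None if directly connected, interface)

    def add(self, prefix, next_hop, iface):
        nh = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((ipaddress.ip_network(prefix), nh, iface))
        return self

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, iface)
        return best


def build(mode):
    """Return {next-hop address: Router} for one OPNsense configuration:
    'default_only'  - factory state, one default gateway via WAN
    'static_route'  - plus the 10.0.0.0/8 route via 10.0.1.1 from post #5
    'lan_default'   - a second default gateway on LAN that wins over the WAN one"""
    mikrotik = Router("Mikrotik")
    mikrotik.add("0.0.0.0/0", "10.0.1.2", "LOCAL")  # default route to the firewall
    for net, iface in [("10.0.1.0/24", "LOCAL"), ("10.0.2.0/24", "SERVICES"),
                       ("10.0.3.0/24", "TESTS"), ("10.0.4.0/24", "HQ")]:
        mikrotik.add(net, None, iface)               # the VLAN interface networks

    opn = Router("OPNsense")
    opn.add("192.168.3.0/24", None, "WAN")
    opn.add("10.0.1.0/24", None, "LAN")
    if mode == "lan_default":
        opn.add("0.0.0.0/0", "10.0.1.1", "LAN")     # listed first, so it wins the tie
    opn.add("0.0.0.0/0", "192.168.3.1", "WAN")
    if mode == "static_route":
        opn.add("10.0.0.0/8", "10.0.1.1", "LAN")    # the whole 10/8 lives behind the Mikrotik
    return {ipaddress.ip_address("10.0.1.1"): mikrotik,
            ipaddress.ip_address("10.0.1.2"): opn}


def trace(routers, start, dst, max_hops=8):
    """Follow a packet router by router; returns the hops and how the trace ended."""
    path, current, seen = [start.name], start, {start.name}
    for _ in range(max_hops):
        match = current.lookup(dst)
        if match is None:
            return path + ["no route"]
        _net, nh, iface = match
        if nh is None:
            return path + [f"delivered:{iface}"]
        nxt = routers.get(nh)
        if nxt is None:
            return path + [f"upstream:{nh}"]       # FritzBox and beyond, not modelled
        if nxt.name in seen:
            return path + [nxt.name, "loop"]
        seen.add(nxt.name)
        path.append(nxt.name)
        current = nxt
    return path + ["hop limit"]


def forward_path(mode, dst):
    """Path of a packet that a VLAN host has handed to the Mikrotik."""
    routers = build(mode)
    return trace(routers, routers[ipaddress.ip_address("10.0.1.1")], dst)


def return_path(mode, dst):
    """Path of a reply that has arrived at OPNsense from the WAN side."""
    routers = build(mode)
    return trace(routers, routers[ipaddress.ip_address("10.0.1.2")], dst)


if __name__ == "__main__":
    for mode in ("default_only", "static_route", "lan_default"):
        print(f"{mode:13} VLAN -> internet: {forward_path(mode, '8.8.8.8')}")
        print(f"{mode:13} internet -> VLAN: {return_path(mode, '10.0.3.5')}")
```

In the factory state the reply for 10.0.3.5 is sent back out the WAN, because the /8 is not in the table; with the static route it reaches the TESTS network through the Mikrotik while 8.8.8.8 still leaves via WAN; with a second default gateway on LAN the internet-bound packet bounces between the two routers. Routing alone does not explain post #5's remaining failure, which the later posts trace to outbound NAT.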
#8
Thank you !
It's working now !
#9
Hello,

I'm facing a critical issue with my OPNsense firewall on the MSI Cubi N ADL-007DE: I'm unable to access the web user interface, and I urgently need to configure it via web UI. Here's the current state of my setup:

  • Using an MSI Cubi N ADL-007DE

  • WAN Interface: 10.0.0.3/24

  • LAN Interface: 10.0.0.2/24

Problem: The web UI is inaccessible, preventing me from configuring the firewall. The firewall log shows me that all the ICMP requests are blocked. The configuration is vanilla, I just edited the interfaces. (Which actually works in a VM but not with my hardware.) I tried a fresh Debian bridge on the same hardware and the connection works.

I'm in dire need of assistance with the following:

Shell Commands: Can you provide guidance on how to configure OPNsense via pfctl or other shell commands? I need to set up basic rules to allow web UI access and general network traffic.

Emergency Firewall Rules: What rules should I implement in pfctl to allow access to the web UI?

Debugging: If there are any diagnostic commands or logs I should examine in the shell to identify the cause of the web UI inaccessibility, please let me know.

I understand that configuring OPNsense via the shell can be a complex task, and I appreciate your assistance during this critical situation.

Thank you for your prompt response and support,
pandaBolide