Messages - LoC

#1
> I'm confused, if the interface the VM is on has no rules it shouldn't be able to ping anything.

That's right, but the group the VM is in is allowed to ping (second screenshot).

> Thinking there is a configuration issue with your vlan not putting the VM on the correct network. Would explain why your rules seem ineffective.

But it can ping the firewall and vice versa. And it obtains the IP address it is supposed to obtain via DHCP.
#2
I added screenshots of the rules on the interface I am currently on and the group interface of the VMs. The interface of the trouble VM has no rules set at all. From my machine, I can ping the firewall, Google, other VMs, everything except the VM causing problems. From the VM, I can't ping anything except the firewall. From the other VMs, I can ping everything just as well as from the machine I am using right now.

When trying to traceroute, it fails at the IP address of the firewall on the interface my machine is on. I think this matches with my former observations in the live view?
#3
Thank you for the suggestion. But unfortunately that is what I already did: I deleted all the floating rules; and there was a rule which allowed me to ping the VMs (yes, also the trouble VM) enabled all the time. The problem is that the ping gets into the firewall (I can see that in live view), but it does not get out. It isn't denied or anything, the "out" part of the ICMP request (is it called a request?) just does not appear in the live view. I know that this could mean that logging for the rule blocking the "out" part just is not enabled, but I checked everywhere and there is no rule that rejects anything.

EDIT: in the meantime, I also deleted the VM and set it up again. It now runs with a live image. I also deleted the interface (on the OPNsense as well as on the hypervisor), tried with different VLAN tags and with a different set of IP addresses to be used on the interface. None of this helped in any way, the result was always the same.
#4
I am even more confused right now. As I wasn't able to find a solution, I basically deleted the whole setup with the floating rules and everything. I then proceeded to create a group with no "out" rules and some "in" rules allowing traffic to DNS, NTP, that kind of stuff. But the result is still the same: I just can't ping that machine. Nothing changed, even though I reconfigured everything I thought to be concerning this problem.

I can still ping the other machines though.
#5
Thank you very much for your elaborate answer. I think I will adjust my configuration according to your recommendations in the future!

> You mean by this that you don't see any out rule for that non working VM? Or its hitting a deny?

I don't see any out rule for that VM. With the working VMs, I see the "allow-icmp" out rule that I set up (just like expected). I don't see any "block/reject" rule either, unfortunately.

I just noticed, I also got a rule that allows TCP traffic to the HTTPS port of the non-working machine. For that rule, I actually see the "in" rule as well as the "out" rule in the live view. It says that it lets this traffic pass, but when trying to establish connections to that port (calling the webserver that is listening there), the connection times out, which is even more confusing for me.
#6
I already enabled logging for every rule I could find. When I try to ping the "not-working" VM and look into my live view, I can see the ping in the direction "in" to the firewall, but no matching ping "out". When I try to ping one of the "working" VMs, I can see my connection "in" as well as my connection "out".
#7
First of all, thank you for your answer.

My virtual machines are attached to a network interface on the hypervisor. The VLAN tag is set on the hypervisor, the VMs then obtain their IP addresses via DHCP. The network configuration of these machines and their interfaces on the hypervisor is exactly the same. Furthermore, all VLANs and their assigned interfaces on the OPNsense are configured the same way with a static IPv4 address for the OPNsense interfaces and no IPv6.

> try to find out why 1 out of 5 machines do not work as expected.

Well, that's exactly my problem: I have no idea. I triple checked (at least) that the interfaces on the OPNsense are configured the same way and that the interfaces on the hypervisor are set up equally. The VMs have the same network configuration anyway - they are set up to just get their address through DHCP, nothing else.

> Why floating, why out

I thought that this is the best way to do it? The configuration of "denying all connections to the VMs, allowing the VMs internet access, allowing SSH to the VMs" is supposed to be the same across all the VMs and their VLANs/interfaces, so I thought that floating rules would make sense. About the "why out": because I thought I wanted to deny access "out" from the OPNsense to the VMs. Maybe there is a better way to do this, I would be happy to learn about it.
#8
I got a few virtual machines. All these machines are running in their own VLAN. Those VLANs should all be separated from each other, so I installed a floating rule which blocks all requests in direction "out" with the destination <alias for all VMs>. I also allow all VMs to establish connections in the direction "in" to any destination.

I also got a rule that allows ICMP in the direction "out" with the destination <alias for VMs> and a rule that allows SSH in the direction "out" with the destination <alias for VMs>. Those should be all relevant floating rules, I also got some interface specific rules for the different functionalities of the VMs.

My problem: this setup works with 4 out of 5 virtual machines. I can ping them, I can connect to them via SSH, but with one machine nothing works. Interestingly, this machine also can't connect to the internet, although it should be able to do this. The other machines can connect to the internet.

I can ping this VM using the diagnostic tools in the firewall and vice versa. But all connections from my laptop only reach the OPNsense. When I look into the "live view", I can see the connections in the direction "in" to the firewall, but no matching connections "out".

What am I doing wrong here? I look forward to any answer!
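The symptom the poster is reading off the live view by eye (a flow that is passed "in" on one interface but never shows a matching "out" on any interface, and no block or reject for it either) can be checked mechanically over an exported log. The script below is an added example, not code from the original thread or from OPNsense. It works on a constructed, simplified comma-separated record (interface, action, direction, protocol, source, destination) that is an assumption of this example and is not OPNsense's real filterlog format; the sample lines and addresses are constructed too. It separates flows that were explicitly blocked (a rule did it, so the rule is the place to look) from flows that were passed "in" and then simply vanished (no out rule was ever consulted, which points away from the filter rules and toward routing, VLAN placement or ARP on the egress side).

```python
"""Pair "in" and "out" firewall log records per flow and report flows that
entered the firewall but never left it.

Record format (constructed for this example, NOT the OPNsense filterlog format):
    interface,action,direction,protocol,source,destination
"""
from collections import defaultdict

# Constructed sample. 10.10.20.5 is a "working" VM (ping seen in and out),
# 10.10.30.5 is the "trouble" VM: its pings are passed in but never appear
# out, while an HTTPS flow to it does show both directions, and an SSH
# attempt to it is explicitly blocked.
SAMPLE_LOG = """\
vlan10,pass,in,icmp,192.0.2.10,10.10.20.5
vlan20,pass,out,icmp,192.0.2.10,10.10.20.5
vlan10,pass,in,icmp,192.0.2.10,10.10.30.5
vlan10,pass,in,tcp,192.0.2.10:51234,10.10.30.5:443
vlan30,pass,out,tcp,192.0.2.10:51234,10.10.30.5:443
vlan10,pass,in,icmp,192.0.2.10,10.10.30.5
vlan10,block,in,tcp,192.0.2.10:40000,10.10.30.5:22
"""


def parse_record(line):
    """Split one constructed-format record into a dict; reject malformed lines."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"unexpected record: {line!r}")
    iface, action, direction, proto, src, dst = fields
    if direction not in ("in", "out"):
        raise ValueError(f"unexpected direction: {direction!r}")
    return {"iface": iface, "action": action, "direction": direction,
            "proto": proto, "src": src, "dst": dst}


def flow_key(rec):
    """Identity of a flow: protocol plus source and destination endpoints."""
    return (rec["proto"], rec["src"], rec["dst"])


def classify_flows(log_text):
    """Return (vanished, blocked).

    vanished: flows passed "in" with no matching "out" record and no block.
    blocked:  flows that hit at least one non-pass rule (an explicit deny).
    Each value is a per-flow counter dict with the ingress interface recorded.
    """
    flows = defaultdict(lambda: {"in": 0, "out": 0, "blocked": 0, "in_iface": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        entry = flows[flow_key(rec)]
        if rec["action"] != "pass":
            entry["blocked"] += 1
            continue
        entry[rec["direction"]] += 1
        if rec["direction"] == "in":
            entry["in_iface"] = rec["iface"]
    vanished = {k: v for k, v in flows.items()
                if v["in"] and not v["out"] and not v["blocked"]}
    blocked = {k: v for k, v in flows.items() if v["blocked"]}
    return vanished, blocked


def report(log_text):
    """Human-readable lines for each suspicious flow, for a quick console check."""
    vanished, blocked = classify_flows(log_text)
    lines = []
    for (proto, src, dst), v in sorted(vanished.items()):
        lines.append(f"VANISHED {proto} {src} -> {dst}: passed in on "
                     f"{v['in_iface']} {v['in']}x, never seen out, no block")
    for (proto, src, dst), v in sorted(blocked.items()):
        lines.append(f"BLOCKED  {proto} {src} -> {dst}: {v['blocked']} deny record(s)")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the constructed sample, the only VANISHED entry is the ICMP flow to 10.10.30.5, which is the pattern the poster describes; the HTTPS flow to the same VM is not flagged because its "out" record exists, and the SSH attempt is listed separately as BLOCKED because a rule visibly denied it. Because the real filterlog layout differs from this constructed one, the only part to adapt for live data is `parse_record`.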