Messages - shaam

#1
Yes, it's a physical device. It's a Dell PC, to be specific.
I am using Proxmox hypervisor.
I set a static IP on the VM itself.

The Proxmox server has two interfaces: vmbr0 with subnet 192.168.1.1/24, which I use for management, and the second interface, vmbr1 (for Proxmox), with subnet 192.168.50.1/24, which is a VLAN and is used by VMs and other external servers outside of Proxmox, such as TrueNAS, the backup server, etc. Traffic from the VLAN to the LAN gets blocked, or vice versa.
I have a weird theory: it might have something to do with routing. When the VM (192.168.50.202) sends traffic to Proxmox (192.168.1.100) or any server on the LAN subnet, the packet goes VM -> OPNsense -> Proxmox. Proxmox receives it on vmbr0 and replies to the VM. Since Proxmox also has a direct connection to 192.168.50.0/24 (via vmbr1), it bypasses OPNsense and attempts to communicate directly with the VM. I might be wrong.
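As an added illustration of the routing theory in this post and of patient0's point in post #4 (a 192.168.50.x source seen on LAN is not covered by a rule whose source is 'LAN net'), here is a small model of the two hosts' routing tables and of that rule. This is example code written for this page, not anything from the thread or from OPNsense/Proxmox; the interface names, the 192.168.1.100 Proxmox address and the default routes are taken from the posts, everything else is constructed.

```python
"""Model the routing and firewall-rule situation described in the thread.

Constructed example (not from the forum posts): two hosts with the
addresses given in the thread, plus a pf-style "pass in on LAN from
'LAN net' to any" rule, to show why replies from a multi-homed Proxmox
host bypass OPNsense and why a 192.168.50.x source is dropped on LAN.
"""
from ipaddress import ip_address, ip_network

# Routing table entry: (prefix, interface, next hop or None if directly connected)
PVE_ROUTES = [  # Proxmox host as described: vmbr0 on LAN, vmbr1 on the VLAN
    (ip_network("192.168.1.0/24"), "vmbr0", None),
    (ip_network("192.168.50.0/24"), "vmbr1", None),
    (ip_network("0.0.0.0/0"), "vmbr0", ip_address("192.168.1.1")),
]
VM_ROUTES = [  # RHEL9 VM: single interface on the VLAN, default via OPNsense
    (ip_network("192.168.50.0/24"), "eth0", None),
    (ip_network("0.0.0.0/0"), "eth0", ip_address("192.168.50.1")),
]

def lookup(routes, dst):
    """Longest-prefix match; returns (interface, next_hop)."""
    dst = ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def is_asymmetric(fwd_routes, rev_routes, src, dst):
    """True when the forward path crosses a gateway but the reply does not,
    i.e. the stateful firewall only ever sees one direction of the flow."""
    _, fwd_hop = lookup(fwd_routes, dst)
    _, rev_hop = lookup(rev_routes, src)
    return fwd_hop is not None and rev_hop is None

LAN_NET = ip_network("192.168.1.0/24")  # the 'LAN net' alias from the rule

def lan_rule_passes(src, direction="in"):
    """Emulate 'pass in on LAN from LAN net to any' for a packet seen on LAN."""
    return direction == "in" and ip_address(src) in LAN_NET

if __name__ == "__main__":
    print(lookup(VM_ROUTES, "192.168.1.100"))    # ('eth0', 192.168.50.1): via OPNsense
    print(lookup(PVE_ROUTES, "192.168.50.202"))  # ('vmbr1', None): direct, bypasses OPNsense
    print(is_asymmetric(VM_ROUTES, PVE_ROUTES, "192.168.50.202", "192.168.1.100"))  # True
    print(lan_rule_passes("192.168.50.202"))     # False: source is not in 'LAN net'
```

The model only reproduces route selection and rule matching; it says nothing about which of the two explanations actually applies to the poster's switch configuration.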
#2
My apologies, I had some health issues. Here is a screenshot of the PVID Setting for the switch. Thanks
#3
Quote from: patient0 on July 23, 2025, 06:38:50 AM
Quote from: shaam on July 22, 2025, 04:45:34 AM
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, that is not necessary. Traffic from VLAN50 should never appear as the source on the LAN interface. VLAN configuration on the switches is not how it should be. Can you provide a diagram of your network, the switch VLAN configuration and how the client is connected (as a VM? Host OS, interfaces/bridges?)


Have you read the link @meyergru posted? It is strongly recommended not to have tagged and untagged traffic on the same interface.
Yes, I read his recommendation. The VLAN port is 6, which is untagged. The client VM (RHEL9) is connected on port six of the switch. Here is a screenshot of the switch configuration. Thanks
#4
Quote from: patient0 on July 21, 2025, 07:17:42 AM
Quote from: shaam on July 20, 2025, 11:48:33 PM
The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN
If your 'LAN net' is 192.168.1.0/24 then traffic originating from VLAN 192.168.50.0/24 is not allowed with the rule you have. And that's what you are seeing in the screenshot from the first post: source 192.168.50.202 (but on LAN), direction in. Since you only allow 'LAN net' as source, the traffic is blocked.

I'd say you have an issue with the VLAN configuration.

Quote
VM interface configured with static IP 192.168.50.202, and Gateway 192.168.50.1
192.168.50.0/24 is on WAN?
In order to make it work, do I need to include VLAN50 in the source for LAN?
No, 192.168.50.0/24 is not on WAN. It's a VLAN. I am attaching the screenshots for the VLAN. What configuration needs to change? Thanks,
#5
Yes, it's the latest 25.1.11. The LAN subnet is 192.168.1.0/24, and 192.168.50.0/24 is a VLAN. LAN and VLAN have the same rule, which allows all traffic to everywhere. The VM is running on RHEL9. It has DNS, NRPE and SSH services allowed, and ports 5666/tcp, 1514/tcp, 1515/tcp, 55000/tcp, 123/udp and 4460/tcp allowed from the firewall. The VM interface is configured with static IP 192.168.50.202 and gateway 192.168.50.1, and IPv6 is disabled. I don't have any other firewall rules; it has its default rules. Attaching screenshots for WAN and NAT. Thanks
#6
Hello community,
Over the last few days, I have been noticing a weird issue with the OPNsense firewall. It's blocking outbound traffic intermittently. I don't know when it started, but I noticed it two days ago when trying to install a package in a VM. It works for a few minutes, then blocks the traffic, then works again. It's going on and off. I have a rule for the LAN interface as a destination, but it's blocking the traffic. I thought it might be a bug, so I updated the OPNsense instance, but I am still having the issue. Do I need to add any additional rules or update the existing ones? I am attaching screenshots for the rule and the traffic screen. Can someone please help? Thanks,
#7
Hi, I updated VLAN1 and set ports 6, 7 and 8 to "not member". I am attaching screenshots. Can you check whether the configuration is correct or I need to change something else? Thank you!

#8
Hello Community,
I am unable to access the switch interface when I am on the VLAN network. My LAN interface IP range is 192.168.1.1/24, and I created three VLANs. One of the VLANs is for Wi-Fi devices, whose IP range is 192.168.40.1/24. I am using an eight-port TP-Link (TL-SG108E) switch. IP 192.168.1.2 is assigned to the switch. Wi-Fi is using port seven of the switch with VLAN tag 40.
The OPNsense firewall rules have a source of 'LAN Net' and 'WiFi Net', a port of any, and a destination of 'any' for both the LAN and WiFi interfaces. I am still unable to access the switch's interface. I can't even ping it when I am connected to the VLAN network; however, I can ping the gateway 192.168.1.1. The only way I can access the switch's interface is by removing the Wi-Fi from the VLAN port and plugging it into a non-VLAN port; that way, both devices are on the same network. Is there a way that I can access my device's interface from a different network, such as from a VLAN network? What can be the solution? Attaching screenshots. Thanks,

https://ibb.co/Q3J4YDWk
https://ibb.co/WrYDhCz
https://ibb.co/CpH20CYL
#9
Firewalls and Networking are new to me; I am still learning. Bridge and VLAN are the next level. I am starting with a simple method by separating both networks from two of the ports that the PC has. Once I am more familiar with it, then I can start working on bridge and VLAN stuff. Thank you for your suggestion.
Quote from: meyergru on May 08, 2024, 09:23:43 AM
The first thing you have to decide is if you really want the second port to be on a separate network. That is not clear by itself just because you want to attach your WiFi access point to it.

That is a question of network design. Know your options:

1. Go on like you started and have two separate networks for your LAN and your WiFi. In this case, both networks can have WAN access but are otherwise completely separated (e.g. your WiFi clients cannot access machines on LAN) until you create rules to allow for certain services.

2. Use the second ethernet port as a bridge (like a lightweight switch) to just connect your WiFi AP to your LAN. In that case, you have to create a LAN bridge and set some tunables (consult the documentation on how to do this).

3. Do the perfect job and create multiple VLANs to be able to create respective WiFi SSIDs for different classes of WiFi clients (i.e. some IoT clients could be in a separated network whilst your smartphones are in/on another network/SSID bridged to the LAN). This will only be possible if your WiFi APs can handle that, like e.g. Unifi equipment does.
#10
It turned out to be a DNS issue. I added DNS to LAN2, and it worked. I didn't manually add a DNS to LAN1, since I followed the initial wizard. I compared its settings with LAN1. I was under the impression it would automatically use 10.18.0.1 as DNS since LAN1 did. However, after adding DNS to the DHCPv4 settings of LAN2, it started working. Thanks
Quote from: meyergru on May 08, 2024, 09:23:43 AM
The first thing you have to decide is if you really want the second port to be on a separate network. That is not clear by itself just because you want to attach your WiFi access point to it.

That is a question of network design. Know your options:

1. Go on like you started and have two separate networks for your LAN and your WiFi. In this case, both networks can have WAN access but are otherwise completely separated (e.g. your WiFi clients cannot access machines on LAN) until you create rules to allow for certain services.

2. Use the second ethernet port as a bridge (like a lightweight switch) to just connect your WiFi AP to your LAN. In that case, you have to create a LAN bridge and set some tunables (consult the documentation on how to do this).

3. Do the perfect job and create multiple VLANs to be able to create respective WiFi SSIDs for different classes of WiFi clients (i.e. some IoT clients could be in a separated network whilst your smartphones are in/on another network/SSID bridged to the LAN). This will only be possible if your WiFi APs can handle that, like e.g. Unifi equipment does.
#11
Hi Community,
This is my first post, and OPNsense is new to me. I installed the OPNsense firewall on a Dell mini desktop computer. I added a dual-port ethernet card. The WAN cable is connected to a built-in (re0) port, and the LAN (ig0) is connected to a TP-Link managed switch where I connect all the devices, including the Wi-Fi access point. Everything is working fine. Now, I am trying to create a separate network for the Wi-Fi access point and connect it to a third available port. I went to the assignment tab, added the available interface, and named it LAN2. Then I went to the LAN2 settings, enabled it, and chose static IPv4 from the configuration type and IP address field. I added IP 10.18.0.1 (though the LAN1 IP is 192.168.1.1; I am not sure that makes any difference) and saved it. Then, I enabled DHCP and set the range. I also added a firewall rule to allow all traffic. Then, I connected the access point cable to the second port and restarted the access point. All devices connected to the access point won't have an internet connection. Wi-Fi is connected, and DHCP has assigned an IP, but there is no internet. I don't know what else needs to be done to make it work. Attaching screenshots. Can someone help me with this? I appreciate your help.