Messages - waldorf

#1
I am setting up a second OPNsense install (other hardware) and edited the config file from the original setup (renamed the interfaces to match the hardware).
The system starts and I can ping the gateway from my management VLAN, which means the interface is assigned correctly. Unfortunately the web interface is not accessible.

I am quite new to OPNsense, any suggestions where to look? I would like to avoid setting up the whole configuration from scratch.
#2
To answer my own question. It turned out it was caused by the "enable static ARP" which was enabled and which does a little bit more than only mapping IP addresses to MAC addresses.
#4
I unintentionally switched it on for this interface. It took me quite some time to find out why I had this behavior. So I didn't read the info text beforehand.

Since I only know static ARP as a mechanism for just bypassing the ARP request and statically mapping an IP address to a MAC address, I never looked in this direction. This is more like a MAC whitelist :-)

Anyway, I am glad it's clear to me and the issue is solved now. 
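The posts above describe static ARP being switched on for an interface without any static entries defined. On FreeBSD (the OS underneath OPNsense) the `staticarp` interface flag means the host will never send ARP requests of its own, so the firewall can only reach neighbours it has a permanent entry for. The following Python check is an added example, not code from this thread or from the OPNsense project: it parses text in the format of FreeBSD `ifconfig` and `arp -an` and reports interfaces that carry the STATICARP flag but have no permanent entry. The interface names, addresses and MAC addresses in the sample output are constructed.

```python
"""Spot interfaces where static ARP is enabled but no static entries exist.

Constructed example, not part of the forum thread or of OPNsense itself. It parses
text in the format of FreeBSD `ifconfig` and `arp -an`; the interface names,
addresses and MACs below are made up.
"""
import re

# Constructed `ifconfig` output: vlan0.13 and vlan0.14 carry the STATICARP flag.
IFCONFIG_SAMPLE = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.5.1 netmask 0xffffff00 broadcast 192.168.5.255
vlan0.13: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
\tinet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
vlan0.14: flags=88843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
\tinet 192.168.4.1 netmask 0xffffff00 broadcast 192.168.4.255
"""

# Constructed `arp -an` output: only vlan0.14 has a permanent (static) entry.
ARP_SAMPLE = """\
? (192.168.5.20) at 00:11:22:33:44:55 on igb1 expires in 1180 seconds [ethernet]
? (192.168.4.10) at 66:77:88:99:aa:bb on vlan0.14 permanent [vlan]
"""

# "name: flags=<hex><FLAG,FLAG,...>" header line of each interface block
IFACE_RE = re.compile(r"^(?P<name>[^\s:]+): flags=[0-9a-f]+<(?P<flags>[^>]*)>")
# one neighbour line: "(ip) at mac on iface permanent|expires in N seconds"
ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-f:]+) on (?P<iface>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds)"
)


def staticarp_interfaces(ifconfig_text):
    """Return the set of interface names whose flag list contains STATICARP."""
    found = set()
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m and "STATICARP" in m.group("flags").split(","):
            found.add(m.group("name"))
    return found


def permanent_entries(arp_text):
    """Map interface name -> list of (ip, mac) for entries marked permanent."""
    entries = {}
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if m and m.group("state") == "permanent":
            entries.setdefault(m.group("iface"), []).append((m.group("ip"), m.group("mac")))
    return entries


def find_misconfigured(ifconfig_text, arp_text):
    """Interfaces with STATICARP set and no permanent entry at all.

    Hosts behind such an interface cannot be resolved by the firewall, which
    matches the 'gateway not reachable' symptom described in the thread.
    """
    static = staticarp_interfaces(ifconfig_text)
    perm = permanent_entries(arp_text)
    return sorted(name for name in static if not perm.get(name))


if __name__ == "__main__":
    for name in find_misconfigured(IFCONFIG_SAMPLE, ARP_SAMPLE):
        print(f"{name}: static ARP enabled but no static entries; clients cannot be resolved")
```

On a real box the two sample strings would be replaced by the output of `ifconfig` and `arp -an`; the check deliberately treats "static ARP on, zero entries" as the finding, since an interface with entries may be intentionally locked down.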
#5
This is related to my 2 previous topics and turned out to be the cause of the problems.

It seems that when "static ARP" is enabled (and no static ARP entries are created) the corresponding VLAN is not working as expected. (See the 2 posts mentioned below.)

According to my understanding a static ARP entry is nothing more than binding a specific IP address to a MAC address.  So when enabling static ARP, without any definitions, nothing should change. 

But when I enable static ARP entries, I am unable to ping the gateway, WAN access does not work as expected and some other strange things happen. Is there some misunderstanding on my side about the static ARP feature, or is this a bug?

See as well:
https://forum.opnsense.org/index.php?topic=44215.0
https://forum.opnsense.org/index.php?topic=44237.0
#6
It is related to a long post from yesterday https://forum.opnsense.org/index.php?topic=44215.msg220486#msg220486 :o
I am trying to narrow down what's happening but have no explanation yet for this behavior.

Related to the issue in the previous post, I took a second Shield and put it on my desk (easier testing). Connected it with a cable to an access port on the 192.168.3.x network. The Shield gets the following network config through DHCP:

IP 192.168.3.61
GW  192.168.3.1
DNS 192.168.3.1
subnet mask 255.255.255.0

It can play Netflix. I could install a browser through the playstore and search using Google.

Then I disconnected the network cable and put the same cable into a (Windows 11) laptop. It gets the same network configuration via DHCP (except the IP address).
I can ping network devices in the same network (this does not go via the firewall)
- Gateway ping does not work
- Browser does not work
- Ping on WAN IP addresses such as 8.8.8.8 does not work

Manually configured using another IP address, which was 1 higher than the Shield: no difference.

Somehow it seems related to the VLAN config in OPNsense, another VLAN just works.

I am trying to think of an explanation for why quite a lot of functionality on the Shield does work, but not on a computer.

Anyone have an idea?

#7
I didn't change the OPNsense config, just pulled the trunk wire out of the main switch and put it in another switch (different brand/type), just to exclude switch issues. This temporary switch was configured to have a single tagged VLAN 13 port and an access port with the same VLAN untagged. Behavior is the same: the client receives an IP address but the gateway is not accessible.

I have 2 other VLANs which just work as expected, only VLAN 13 does not. (The first firewall rule it currently has is an "allow all IPv4* to any" for this interface.)

One thing I just noticed: the 'Interfaces' menu has a 'Neighbors' submenu. This neighbors menu shows several entries (which I never added) and all of those entries are from the non-working VLAN network. Can this be related somehow? And when are entries automatically added to the neighbors list?

I enabled logging for the "allow any" rule for the particular VLAN and did a ping to the gateway from a client. All the ICMP requests were green, but the ping did not get a response.

Same client on another VLAN no problem.

It somehow seems the allow-all in-rule is not working. But I have no idea why. I do not use any floating rules.

And strangely the Shield on the same VLAN is able to play Netflix.
#8
Just tried the following using a very simple switch with tagged VLAN support.

OPNsense trunk port (only tagged) -> switch port 1 tagged VID 13 -> port 2 untagged VID 13 -> laptop

The laptop receives DHCP IP address 192.168.3.x but ping 192.168.3.1 does not work.
Neither does ping 8.8.8.8 or 1.1.1.1 work.

So it really seems to be something with the OPNsense config. In the past the setup worked, so something must have been changed, although I do not know what.

It seems I must dig into the config files.

#9
One of the switches was something I suspected as well. That was the reason I created an access port for this VLAN on the switch directly connected to OPNsense.

I have to say, this is a switch which I bought recently, so there might be something I overlooked.
(HP Aruba 1830)

I have a simple VLAN-capable switch as a spare and will connect it to the OPNsense trunk port to see what this does (when only using the particular VLAN).

#10
The only outbound NAT rules are the default ones. I never added/changed any NAT rules.
I have seen 2 auto-generated rules listed, which both contain all network names as the source network.
I just noted I have a 2nd VLAN which also cannot ping its own gateway (but has DHCP-connected clients).
#11
Using v24.7.1

I have one VLAN (also has MDNS repeater configured for this interface) from which I am unable to ping the gateway. (192.168.3.1)

When connected to this VLAN through a WiFi AP (seems the same when using wired):

- I get a DHCP IP address with the correct gateway IP
- When doing a network scan, I see connected devices on the same VLAN
- Able to ping those devices (e.g. Nvidia shield 192.168.3.60)
- Unable to ping the gateway IP
- Unable to ping an IP on the internet (which makes sense if the gateway is not reachable)
- And now the most weird: the Shield on 192.168.3.60 is able to access the internet (Netflix playback works)
- I just created an access port on the (L2) switch which is directly connected to the OPNsense box (this to exclude other switches which might be misbehaving); behavior is the same. I am able to ping devices in the 3.x network, but unable to ping the 3.1 gateway. (I can ping the 3.1 gateway from another VLAN.)
 
There are some firewall rules, but currently the first (enabled) rule on this interface is an IPv4* allow any to all.

At the moment I have no clue what this can be, any suggestions?

#12
Virtual private networks / vlan routing to openvpn
October 29, 2024, 06:57:42 AM
I have configured a VPN client using OpenVPN. The client works: there is a virtual interface and I get an IP address.

But now there are basically 2 things I would like to have.

1 - Create a VLAN which uses this VPN tunnel for all internet access.
2 - On another (existing VLAN) direct certain IP addresses from an ASN to this VPN tunnel.

Are both possible? In case of the second option, which would be the approach?
e.g. The VPN has an IP address in the 10.x range. Would I block 'regular' internet for those IP addresses, so it uses the VPN as an alternative, or should I do something with DNS?

#13
It was indeed my dumb OPNsense beginner mistake. I interpreted the rule in the opposite direction. Now it's working as expected. @doktornotor the ping was from a different VLAN (192.168.5.x), which was maybe not mentioned clearly enough. Thanks to both of you for your support :)
#14
I am quite new to OPNsense, probably overlooking something.

I have a VLAN for which I defined an interface with DHCP server 192.168.3.x.
For this interface I defined a "block all" rule, direction IN (there are no other rules).

I am still able to ping a device on the 3.x network from another VLAN, what can be wrong?
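The question above (and the follow-up in #13) comes down to rule direction: an OPNsense interface rule with direction "in" is evaluated against packets entering the firewall on that interface, so a block-all on the VLAN 3 interface stops traffic coming from VLAN 3 clients, not traffic that enters on another VLAN and is forwarded to 3.x. The Python below is an added example, not code from this thread or from OPNsense, that models exactly that first-match-per-ingress-interface evaluation with a default deny. The interface names, networks and rule sets are constructed; `INTENDED` shows one way to get the effect the question is after, namely blocking on the interface where the cross-VLAN traffic actually enters.

```python
"""Model of OPNsense 'in' rule direction: rules attach to the ingress interface.

Constructed example, not from the forum thread or OPNsense. Topology, rule sets
and addresses are made up. Semantics modelled: a rule with direction 'in' is
checked only against packets entering the firewall on that interface, the first
matching rule wins, and anything unmatched is denied (default deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: two VLAN interfaces on the firewall.
INTERFACES = {
    "vlan3": ip_network("192.168.3.0/24"),
    "vlan5": ip_network("192.168.5.0/24"),
}


@dataclass(frozen=True)
class Rule:
    iface: str                 # interface the rule is attached to (direction "in")
    action: str                # "pass" or "block"
    dst: Optional[str] = None  # destination network; None means any


def ingress_interface(src_ip):
    """Interface a packet from src_ip enters the firewall on (by its source network)."""
    ip = ip_address(src_ip)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    raise ValueError(f"no interface carries {src_ip}")


def evaluate(rules, src_ip, dst_ip):
    """Return (verdict, reason) for a packet src_ip -> dst_ip entering the firewall."""
    iface = ingress_interface(src_ip)
    for rule in rules:
        if rule.iface != iface:
            continue  # rule belongs to another interface's 'in' direction
        if rule.dst is not None and ip_address(dst_ip) not in ip_network(rule.dst):
            continue
        scope = f"to {rule.dst}" if rule.dst else "to any"
        return rule.action, f"matched '{rule.action}' in on {iface} {scope}"
    return "block", f"default deny on {iface}"


# As described in the question: block-all on VLAN 3, allow-all on VLAN 5.
AS_CONFIGURED = [Rule("vlan3", "block"), Rule("vlan5", "pass")]

# One way to get the intended effect: other VLANs must not reach 192.168.3.0/24,
# so the block sits on the interface where that traffic enters (VLAN 5).
INTENDED = [
    Rule("vlan3", "block"),
    Rule("vlan5", "block", dst="192.168.3.0/24"),
    Rule("vlan5", "pass"),
]


if __name__ == "__main__":
    for label, rules in (("as configured", AS_CONFIGURED), ("intended", INTENDED)):
        for src, dst in (("192.168.5.10", "192.168.3.60"), ("192.168.3.60", "192.168.5.10")):
            verdict, reason = evaluate(rules, src, dst)
            print(f"[{label}] {src} -> {dst}: {verdict} ({reason})")
```

Run as configured, the ping from 192.168.5.10 to 192.168.3.60 passes because it enters on vlan5 and only vlan5's rules apply, while the reverse direction is blocked; with the `INTENDED` rule set the VLAN 5 client can no longer reach 3.x but keeps its internet access.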
#15
Thanks for your quick response. I did quite some reading and searching, but nothing pointed me
in this direction. I just tried it and it works like a charm :)

The "switch emulation" is only for occasional testing purpose. The tagged VLAN goes to the actual switch/devices.