Messages - Dzoker

#1
All of your help was great so thank you!

One thing that EricPerl pointed at the beginning "In case it's Windows, ICMP echo requests are not allowed by default." was giving me much trouble. I found out that the solution is buried in the Windows Defender firewall advanced settings where you will need to (in the inbound rules) enable "File and Printer Sharing (Echo Request - ICMPv4-In)" for Private, Public and Domain. Without doing this, you will not be able to ping (in my case).
#2
Ok, I think I'm getting a little more confused. Is it safe to say that my OPNsense configuration should look like this?

LAN Devices = VLAN5 (igb1 parent) – 192.168.10.1 /24 (192.168.10.2 – 192.168.10.254) – GW 192.168.10.1
IoT Devices = VLAN10 (igb1 parent) – 10.10.10.1 /24 (10.10.10.2 – 10.10.10.60) – GW 10.10.10.1
MGMT = VLAN20 (igb1 parent) – 10.10.20.1 /24 (10.10.20.2 – 10.10.20.3) – GW 10.10.20.1

If yes, is the switch setup supposed to look like this (assuming that port 1 is the trunk one, port 2 is VLAN5, port 8 is VLAN10 and port 3 is MGMT)?

Switch – 192.168.10.10

VLAN   VLAN Name   Member Ports   Tagged Ports   Untagged Ports
5      LAN_VLAN    1-2            1-2            none
10     IoT_VLAN    1,8            1,8            none
20     MGMT        1,3            1,3            none

Thank you @pfry & @EricPerl so much for your patience
#3
Hi,

I read through the documentation and I think I understand what you mean with what you said below. Basically both my LAN and VLAN10 should be "tagged" in my switch. So for example:

LAN = VLAN5
IoT = VLAN10

What I'm still not sure about is what you mean by "then just re-associate LAN to it"? Doesn't the association happen when the VLAN (with the LAN as parent) is created?

Another question I have is will both VLANs (5 & 10) in OPNsense have LAN as their parent?

Again sorry for the possible "stupid" questions but as said, very new here and trying to read all the documentation (and understand it :)) at the same time is a task.

TYVM


Quote from: pfry on January 12, 2025, 01:10:57 AM
Gotta address the big red flag: It looks as though you're trying to operate igb1 with both tagged and untagged VLANs. If you look around here, read the OPNsense docs, you'll find that this is verboten. I tried it initially, too - it failed badly. Link

Just tag your "LAN" VLAN in your switch (on the OPNsense-facing port) and move your OPNsense LAN config to an appropriate VLAN interface (you can create the VLAN interface, then just re-associate LAN to it). Once you have that set up, post your results.
#4
Both are Windows. So am I understanding this correctly that I have to add rules specifically for ICMP?
TP-Link TL-SG108E does not have ACL to my knowledge.

thx

Quote from: EricPerl on January 12, 2025, 12:57:58 AM
You don't specify an OS for laptop and PC.
In case it's Windows, ICMP echo requests are not allowed by default. Also by default, I believe the source is expected to be in the local subnet.
IOW, you'd need to enable and alter the rule in the correct profile (domain, private or public).

For laptop to switch, I don't know. Have you enabled some "switch ACLs" (in TP-link terminology)? These can be tricky...

#5
Hi,

Very newbie here... The idea is to set up the following (I don't even know if this is possible):

ISP - OPNsense - LAN + VLAN - managed switch - 2 x AP - my devices

- on the managed switch VLAN10 I want to attach an ASUS router#1 as AP (for my IoT devices)
- on the managed switch LAN/VLAN1 I want to attach an ASUS router#2 as AP and a few other devices via Ethernet cable to the switch LAN/VLAN1 ports


This is where I am so far:

HW:
1. OPNsense
2. TP-Link Managed switch
3. Laptop
4. PC

OPNsense setup:

ISP-WAN
LAN (igb1 interface) – 192.168.10.1 /24 (192.168.10.2 – 192.168.10.254) – GW 192.168.10.1
VLAN10 (igb1 parent) – 10.10.10.1 /24 (10.10.10.2 – 10.10.10.60) – GW 10.10.10.1

SWITCH setup:
Switch – 192.168.10.10
VLAN1 (default) – all untagged
VLAN10 – port 1 tagged, port 8 untagged
PVID on port 8 set to 10

LAN (igb1) - connected to port 1
PC - connected to port 2 (192.168.10.3)
Laptop - connected to port 8 (10.10.10.2)


Now, I can ping

- 192.168.10.3 to 192.168.10.1, 10.10.10.1, 192.168.10.10, 8.8.8.8 and google.com
- 10.10.10.2 to 10.10.10.1, 192.168.10.1, 8.8.8.8 and google.com

I cannot ping

- 192.168.10.3 to 10.10.10.2
- 10.10.10.2 to 192.168.10.3 or 192.168.10.10

I have the following firewall rules:

LAN
Action – pass
Interface – LAN
Direction – IN
TCP/IP – IPv4
Protocol – ANY
Source – ANY
Destination – ANY


VLAN10
Action – pass
Interface – VLAN
Direction – IN
TCP/IP – IPv4
Protocol – ANY
Source – ANY
Destination – ANY


Thank you
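An added example, not code from this thread or from any poster: a small consistency check for a switch VLAN layout against the OPNsense-facing port, modelled on the rule pfry quotes in post #3 (no tagged and untagged VLANs together on the igb1-facing port) and the PVID setting from post #5. Port names and the "all tagged on the trunk" layout are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    tagged: set = field(default_factory=set)    # VLAN ids carried with an 802.1Q tag
    untagged: set = field(default_factory=set)  # VLAN ids carried without a tag
    pvid: int = 1                               # VLAN assigned to untagged frames arriving on the port

def check_layout(ports, trunk, opnsense_vlans):
    """Return a list of problems in a switch VLAN layout (empty list means consistent).

    ports: {port name: Port}; trunk: the port cabled to the OPNsense NIC;
    opnsense_vlans: VLAN ids that exist as VLAN interfaces (tagged) in OPNsense.
    """
    problems = []
    t = ports[trunk]
    # The rule quoted in the thread: the OPNsense-facing port must not mix tagged and untagged VLANs.
    if t.tagged and t.untagged:
        problems.append(f"{trunk}: tagged {sorted(t.tagged)} mixed with untagged {sorted(t.untagged)} toward OPNsense")
    missing = set(opnsense_vlans) - t.tagged
    if missing:
        problems.append(f"{trunk}: OPNsense VLAN(s) {sorted(missing)} not tagged on the trunk")
    for name, p in ports.items():
        if name == trunk:
            continue
        # Device ports: a VLAN-unaware PC or AP needs exactly one untagged VLAN, and PVID must match it.
        if not p.untagged:
            problems.append(f"{name}: no untagged VLAN, so a VLAN-unaware host or AP cannot use it")
        elif len(p.untagged) > 1:
            problems.append(f"{name}: several untagged VLANs {sorted(p.untagged)} on one port")
        elif p.pvid not in p.untagged:
            problems.append(f"{name}: PVID {p.pvid} does not match its untagged VLAN {sorted(p.untagged)}")
    return problems

def original_layout():
    """Constructed from post #5: LAN untagged on igb1, VLAN10 tagged, PVID 10 on port 8."""
    ports = {"port1": Port(tagged={10}, untagged={1}, pvid=1),
             "port2": Port(untagged={1}, pvid=1),
             "port8": Port(untagged={10}, pvid=10)}
    return check_layout(ports, "port1", {10})

def all_tagged_layout():
    """Constructed per pfry's advice: every VLAN tagged on the trunk, one untagged VLAN per device port."""
    ports = {"port1": Port(tagged={5, 10, 20}),
             "port2": Port(untagged={5}, pvid=5),
             "port8": Port(untagged={10}, pvid=10),
             "port3": Port(untagged={20}, pvid=20)}
    return check_layout(ports, "port1", {5, 10, 20})
```

Running `original_layout()` reports the mixed tagged/untagged trunk port, while `all_tagged_layout()` returns no problems.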
#6
@bartjsmit

Thank you for your answer... I only have "Media Bridge" in my ASUS under operation mode... Is that what you are referring to?

I currently have it set up as "Access Point(AP) mode / AiMesh Router in AP mode"

Choices in ASUS:
- Wireless router mode / AiMesh Router mode (Default)
- Access Point(AP) mode / AiMesh Router in AP mode
- Repeater mode
- Media Bridge
- AiMesh Node
#7
Hi All,

New here and newbie with OPNsense. What I'm trying to do is have OPNS handle my routing and FW and 2 x ASUS routers handling my wireless devices (I already have the 2 x ASUS routers).
One ASUS is currently connected to OPNS on one of the two NIC card ports (LAN_2 interface 192.168.2.1). The idea is for this network to be for my IoT devices (unsecured).

I have another ASUS that I want to connect in a similar manner to the 2nd port of my NIC card (LAN_1 interface 192.168.1.1) and use that for my trusted devices (secured). I already have FW rules that allow traffic from LAN_1 to all and restrict LAN_2 towards LAN_1 and allow internet.

The question is should I set up the ASUS routers as AP or wireless router? For testing purposes I already have ASUS 2 router (LAN_2) connected as AP but I'm not sure if that is ok or not. I tried using it as a wireless router but was unable to connect it in the process.

Hope this makes sense.

Thank you