Messages - dionhoustonsr

#1
Hello everyone,

After some effort, I am trying to get SoftEther working on OPNsense (please hear me out though!).  SoftEther itself is communicating very furiously between my Pi and the OPNsense server.  The only piece remaining is to get the traffic out tap0.

At this point, I believe the issue is that the firewall is blocking TCP traffic from tap0 to bridge0 (LAN).  Where this behavior has happened before is when there were no firewall rules on the interface to allow passing traffic.

So, like a good OPNsense citizen, I went to Interfaces->Assignments to add it, but tap0 is not on the devices pull down.  It is in Interfaces->Overview. I can't really blame OPNsense since tap0 was created outside the UI, but I'd really like to manage everything inside the web interface.

Can someone shed light on how OPNsense determines the pull-down?  I see a couple of other interfaces (enc0 and pflog0) that also don't appear there.  Thanks in advance.

I searched the forums for keywords but I didn't find anything specific enough.  I also searched for softether, but this wasn't specifically addressed.
#2
25.7 Series / Re: EAP670 strangeness with OPNsense
September 11, 2025, 12:48:22 AM
Yeah, I hear you.  I've done the shuffling things in and out of bridges, switching to my old router to make changes, and other fun things. Today I worked on IPv6, and I found out it wasn't broadcasting because - I didn't set link local on my bridge. Anyway, I got everything stable now, so I'm happy.

OPNsense is in every way a massive step up from ASUSWRT but some things about it are not terribly intuitive. I imagine everyone new goes through this cycle, though.  Enjoy!
#3
25.7 Series / Re: EAP670 strangeness with OPNsense
September 10, 2025, 09:13:08 AM
Well... Short answer - everything works. :). All my devices are now on 192.168.150.0/24 bridging igc1-igc3. 

In case anyone else comes up on this problem, in my case, the issue was that I needed to explicitly allow traffic on each interface in the bridge.  I just created an "in" rule for ipv4 and ipv6 that allowed traffic from anywhere.

Thanks @psharkauburn for getting me to re-look things!
#4
25.7 Series / Re: EAP670 strangeness with OPNsense
September 10, 2025, 03:38:45 AM
Thank you very much for your reply!  You are clearly more knowledgeable on these things than I am.  For the VLAN stuff in particular, I depended on AI for the setup, so perhaps no surprise it didn't work.

I added some extraneous details, so I apologize for that.  My goal is simply to have one subnet, 192.168.150.0/24, where my wireless clients are able to access wired, and VPN (WireGuard) services.  The only way -I- know to make igc1-igc3 act as one subnet is to bridge them.  Bridging the EAP670, however, isolates the wireless clients.  They can be routed out to the internet, but cannot access internal resources.

I'm pretty sure it's not a firewall issue.  Internal LAN rules are quite permissive. To be honest, I'm not even sure how you could separate the wireless clients specifically - they are on the same subnet, after all.  However, I am willing to try anything :)

For information only - not terribly relevant to the problem - my old router, which I currently have connected simply to ensure a smooth transition to the new one.  I am considering essentially turning it into a switch.
#5
25.7 Series / EAP670 strangeness with OPNsense
September 08, 2025, 09:05:53 PM
Good morning everyone,

Current Environment

Glovary N150 Firewall with 32 GB of RAM, 4x 2.5GbE ports (igc0-igc3) running OPNsense 25.7.2-amd64
TP-Link EAP670

Current network configuration

WAN on igc0 (XFinity - DHCP)
EAP670 on igc3 (192.168.150.1/24)
ASUS RT-AX88U and a TrueNAS server on igc1 and igc2 respectively (bridged - 192.168.140.2/24 and .10)

I am in the process of future-proofing my home networking by retiring a consumer grade RT-AX88U in favor of a Glovary N150 firewall appliance to handle the networking piece, and an EAP670 to handle the wireless component.  The idea is to keep in place the Glovary, but to update the AP as wireless standards evolve.  The bulk of my devices are wireless, to include a Tablo TV device and smart home devices, but some services are provided from a TrueNAS box as well (besides file services, JellyFin, NextCloud, etc.)

Ideally, I would like everything on the same subnet (192.168.150.0/24), but I'm running into challenges, and I'm not sure whether they are user issues (I'm a hobbyist), configuration issues, or hardware, although I'm leaning toward hardware.

Originally, I set up the router (Glovary) as near as I could tell like the RT-AX88U.  The three LAN ethernet ports (igc1-igc3) I put into a bridge and assigned it to 192.168.150.1/24. That "worked" in a sense, that every device had access to the internet - it was LAN services that were a problem.  In particular, with the EAP670 inside the bridge, it seemed like the access point itself was in the bridge, but the wireless clients were not. That is, devices on the AP could not see the TrueNAS (ethernet connected), and devices outside the AP could not see e.g. the Tablo device.

Naturally, I checked firewall settings, bridge settings, etc.  I tried a VLAN as well.  That exhibited similar behavior.  I assigned an IP to igc2 (the TrueNAS), no IP but same VLAN for the igc3 (the EAP670), and DHCP did not go through to the access point or clients, as if igc2 and igc3 were isolated from each other, even though they're in the same VLAN. 

I ended up getting everything talking to each other by putting the TrueNAS (and my old router) into a subnet themselves (by bridging igc1 and igc2) and routing between the wireless clients and the TrueNAS.  This works, but ideally, I'd like everything on one subnet, and to understand better what is going on. Is some kind of isolation happening? Can it be undone? User issue?

I did search the forums here, and noted a thread on this device, where it was not recommended primarily for IPv6 (which isn't a big concern for me). I was going to respond there, but since the thread is older, the recommendation was to make a new one.

Thanks in advance for your help!