Messages - Klabautermann

#1
Then I was confused by the GUI in Network Manager. I thought since the interface has gotten its gateway (192.168.20.1) from the DHCP server and I added the route 192.168.50.1/24 to the interface, it would route traffic destined for the 192.168.50.1/24 subnet over the 192.168.20.1 gateway as well.

Thank you for helping me with this, I was pulling my hair out the entire afternoon yesterday.
#2
Thank you, I figured it out with your hint about the gateway.

Previously this setup would not work because I had not set the second tunable rule to allow filtering on the bridge interface.

However, while testing I set a manual route on the client for 192.168.50.1/24 to go through the VLAN interface on the client, which apparently is wrong.

With the manual route it looked like this and did NOT work (route -n on 192.168.20.100) ...

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    400    0        0 VLAN020
0.0.0.0         192.168.20.1    0.0.0.0         UG    400    0        0 VLAN020
192.168.20.0    0.0.0.0         255.255.255.0   U     400    0        0 VLAN020
192.168.50.0    0.0.0.0         255.255.255.0   U     400    0        0 VLAN020
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

Without the manual route on 192.168.20.100 it looks like this and works ...

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    400    0        0 VLAN020
0.0.0.0         192.168.20.1    0.0.0.0         UG    400    0        0 VLAN020
192.168.20.0    0.0.0.0         255.255.255.0   U     400    0        0 VLAN020
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

For my understanding, Patrick, can you explain to me why setting this route on the client failed while not setting a route at all works?
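
As an added example (not part of the thread), the route selection the kernel performs over the two tables above, implemented as a longest-prefix-match lookup in Python. With the manually added connected route, 192.168.50.102 is treated as on-link on VLAN020, so the client ARPs for it on VLAN 20 instead of handing the packet to 192.168.20.1; without that route the default route sends it to the gateway, which then forwards it to VLAN 50.

```python
import ipaddress
from dataclasses import dataclass

# Routing tables copied from the post above (route -n on 192.168.20.100).
WITH_MANUAL_ROUTE = """
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.255 UH    400    0        0 VLAN020
0.0.0.0         192.168.20.1    0.0.0.0         UG    400    0        0 VLAN020
192.168.20.0    0.0.0.0         255.255.255.0   U     400    0        0 VLAN020
192.168.50.0    0.0.0.0         255.255.255.0   U     400    0        0 VLAN020
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
"""
# Same table minus the manually added 192.168.50.0/24 line.
WITHOUT_MANUAL_ROUTE = "\n".join(
    l for l in WITH_MANUAL_ROUTE.splitlines() if not l.startswith("192.168.50.0"))

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    metric: int
    iface: str

def parse_route_n(text):
    """Parse `route -n` output into Route objects; the header line is skipped."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        # Genmask gives the prefix length; strict=False tolerates host bits in dest.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, ipaddress.IPv4Address(gw), flags, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if dst in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric), default=None)

def next_hop(text, dst):
    """('via', gateway, iface) for gateway (G) routes, ('onlink', iface) otherwise."""
    r = lookup(parse_route_n(text), dst)
    if r is None:
        return ("unreachable",)
    if "G" in r.flags:
        return ("via", str(r.gateway), r.iface)
    return ("onlink", r.iface)  # no gateway: the client ARPs for dst on this link
```

Calling `next_hop(WITH_MANUAL_ROUTE, "192.168.50.102")` yields `('onlink', 'VLAN020')`, while the table without the manual route yields `('via', '192.168.20.1', 'VLAN020')`.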
#3
I thought I needed an incoming rule on VLAN50 as well. I only want VLAN20 to be able to open connections to VLAN50, not the other way around.

Though still no luck. Could this be a hardware issue with the Intel I350 I am using? Maybe another idea: I have set NAT to manual, but from what I understand I do not need NAT rules for one VLAN to talk to another VLAN, right?
#4
[VLAN20_MAIN] vlan020.1 (Parent: igb3, Tag: 20)
[VLAN20_ALT]  vlan020.2 (Parent: igb2, Tag: 20)
[VLAN20]      bridge1()

[VLAN50_MAIN] vlan050.1 (Parent: igb3, Tag: 50)
[VLAN50_ALT]  vlan050.2 (Parent: igb2, Tag: 50)
[VLAN50]      bridge4()

This is the interface setup. When I created the firewall rules I used 'VLAN20 net' and 'VLAN50 net'.


Thank you for the hint with the Tunables. I had set 'net.link.bridge.pfil_member' but I did not have set 'net.link.bridge.pfil_bridge'.

Unfortunately the issue still persists. I did also do the reboot of course.
I did attach two pictures of the firewall rules I created, maybe I am doing something wrong there?
#5
Hi there,

I am experiencing an issue where my VLANs can't communicate.

I have vlan020.1, vlan020.2, vlan050.1 and vlan050.2 on two interfaces igb2 and igb3.
I have bridged vlan020.1 and vlan020.2 and assigned the bridge 192.168.20.1/24
I did the same for vlan050.1 and vlan050.2 and assigned the bridge 192.168.50.1/24.

The hosts in the VLAN20 net and VLAN50 net can talk within their VLAN and communicate over the gateway to the internet.

However, I am not able to create rules to let them communicate from, say, 192.168.20.100 to 192.168.50.102.

I have created two firewall rules:
PASS in VLAN20 IPv4 * VLAN20 net * VLAN50 net * *
PASS in VLAN50 IPv4 * VLAN20 net * VLAN50 net * *

Am I doing something wrong here, is this an issue because of the bridged interfaces?

Thank you in advance.

#6
Can someone please explain in more detail how the rules need to look when you create them manually. I am experiencing the same issue: upgraded OPNsense, migrated the rules, and now I am unable to create a destination NAT. I followed the instructions in the official documentation to set them to pass but it does not work. I also tried to set them to registered and the rules appear in the WAN section, but it still does not work.

This is super unintuitive and I can't figure it out on my own.