OPNsense
Topics - sandman0815

Pages: [1]
1
24.7 Production Series / [SOLVED] Unable to prevent traffic from VLANs to untagged LAN
« on: November 18, 2024, 06:10:45 pm »
Hi all,
I'm using OPNsense now for about a year in my homelab and I'm totally happy with it. Up to now I have been able to solve any questions or problems that I had with the help of the documentation, tutorials and posts in these forums.
Unfortunately I'm a bit stuck right now...

I'm running OPNsense as a VM on Proxmox. I have passed through the NICs for the WAN and LAN connections, and there is a third connection which is attached to a bridge on the Proxmox host that bridges the connection to the LAN port of my modem (separate IP subnet; this is only for testing purposes). On OPNsense's LAN interface there are some VLANs as children, and the untagged traffic should be my Management LAN (the switch is configured accordingly).
The Proxmox host itself has a further bridge, which is more or less the Proxmox default bridge vmbr0, but with VLAN awareness. It is connected to the hardware switch without any further VLAN configuration so that it just resides in my Management LAN, and it is used to access the Proxmox WebUI.

I'm using VLAN 10 as my "internal" Network with my regular devices and VLAN 50 for the DMZ.

The problem:
With devices in any VLAN I'm able to reach (ping, cURL etc.) devices in the untagged (aka Management) network area. How can I find out why this is possible, and how can I prevent it? I can't find any firewall rule that makes this possible.
Btw, it is not possible, e.g., for devices in DMZ to reach devices in INTERNAL, so inter-VLAN routing seems to be blocked as expected.

Trying to understand what is going on, I made a packet capture on the LAN interface (in promiscuous mode) and made the following observation:
Running a ping from an iPhone in the INTERNAL (=VLAN 10) network to the Proxmox host on the Management LAN.
The first occurrence of the ICMP packet has the correct VLAN tag and is sent from the iPhone device's MAC to the OPNsense LAN interface MAC:
VLAN TAG: 10
SRC 28:34:ff:d7:3e:b6 (Client iPhone, ip=10.99.110.21)
DST a8:b8:e0:02:4d:5f (OPNsense igc1 = LAN Interface, ip=10.99.1.1)

Then, the VLAN tag seems to get stripped and the packet is forwarded to the Proxmox host:
VLAN Tag: none
SRC a8:b8:e0:02:4d:5f (OPNsense igc1 = LAN Interface, ip=10.99.1.1)
DST a8:b8:e0:02:4d:71 (pmxhost enp7s0 = vmbr0, ip=10.99.1.50)

The Proxmox host responds and the packet goes back to the OPNsense LAN interface:
VLAN Tag: none
SRC a8:b8:e0:02:4d:71 (pmxhost enp7s0 = vmbr0, ip=10.99.1.50)
DST a8:b8:e0:02:4d:5f (OPNsense igc1 = LAN Interface, ip=10.99.1.1)

The VLAN tag seems to be added and the answer is sent to the iPhone:
VLAN Tag: 10
SRC a8:b8:e0:02:4d:5f (OPNsense igc1 = LAN Interface, ip=10.99.1.1)
DST 28:34:ff:d7:3e:b6 (Client iPhone, ip=10.99.110.21)

Can anybody help me to understand what's going on there?

Warm regards,
sandman
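The four-frame sequence in the post, reconstructed as an added example (this is not code from the post, from the forum thread or from the OPNsense project). The script hand-parses Ethernet/802.1Q/IPv4/ICMP headers so it runs offline without a pcap library, and the sample capture is constructed from the MAC and IP addresses quoted above; the ICMP identifier and the zeroed checksums are placeholder values. Pairing each frame addressed to the router's MAC with the frame the router then emits for the same IP flow shows what the capture already contains: the MAC addresses change, the 802.1Q tag comes and goes with the sub-interface, and the IP addresses stay the same. That is ordinary layer-3 forwarding between the VLAN 10 sub-interface and its untagged parent, not a layer-2 leak of the tag.

```python
"""Pair ingress/egress frames from a capture on the router's parent interface.

Added example, not part of the original forum post. Parses 802.1Q/IPv4/ICMP by
hand so it runs offline; the SAMPLE_CAPTURE below is constructed from the
addresses quoted in the post (ICMP id and checksums are placeholders).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
IPPROTO_ICMP = 1


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: Optional[int]        # None for an untagged frame
    src_ip: str
    dst_ip: str
    icmp_type: Optional[int]   # 8 = echo request, 0 = echo reply
    icmp_id: Optional[int]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame, with or without an 802.1Q tag, carrying IPv4 (+ICMP)."""
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    (ethertype,) = struct.unpack("!H", raw[12:14])
    off, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF            # VLAN ID is the low 12 bits of the TCI
        off = 18
    if ethertype != ETH_P_IP:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ihl = (raw[off] & 0x0F) * 4
    proto = raw[off + 9]
    src_ip = ".".join(str(x) for x in raw[off + 12:off + 16])
    dst_ip = ".".join(str(x) for x in raw[off + 16:off + 20])
    icmp_type = icmp_id = None
    if proto == IPPROTO_ICMP:
        l4 = off + ihl
        icmp_type = raw[l4]
        (icmp_id,) = struct.unpack("!H", raw[l4 + 4:l4 + 6])
    return Frame(src, dst, vlan, src_ip, dst_ip, icmp_type, icmp_id)


def build_icmp_frame(src_mac, dst_mac, vlan, src_ip, dst_ip, icmp_type, icmp_id, seq=1) -> bytes:
    """Construct a minimal Ethernet/IPv4/ICMP echo frame (checksums zero: sample data only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, icmp_id, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     IPPROTO_ICMP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_IP)   # PCP/DEI = 0
    else:
        eth += struct.pack("!H", ETH_P_IP)
    return eth + ip + icmp


# Addresses quoted in the post.
IPHONE = "28:34:ff:d7:3e:b6"          # 10.99.110.21, VLAN 10 (INTERNAL)
OPNSENSE_LAN = "a8:b8:e0:02:4d:5f"    # igc1, 10.99.1.1
PMX_HOST = "a8:b8:e0:02:4d:71"        # enp7s0/vmbr0, 10.99.1.50 (untagged Management LAN)

# Constructed sample capture: the four frames the post describes, in order.
SAMPLE_CAPTURE = [
    build_icmp_frame(IPHONE, OPNSENSE_LAN, 10, "10.99.110.21", "10.99.1.50", 8, 0x1234),
    build_icmp_frame(OPNSENSE_LAN, PMX_HOST, None, "10.99.110.21", "10.99.1.50", 8, 0x1234),
    build_icmp_frame(PMX_HOST, OPNSENSE_LAN, None, "10.99.1.50", "10.99.110.21", 0, 0x1234),
    build_icmp_frame(OPNSENSE_LAN, IPHONE, 10, "10.99.1.50", "10.99.110.21", 0, 0x1234),
]


def routed_hops(frames: List[Frame], router_mac: str) -> List[Tuple]:
    """Pair each frame sent *to* the router with the frame the router emits for the
    same (src_ip, dst_ip, icmp_id). Returns (ingress_vlan, egress_vlan, src_ip, dst_ip);
    a pair with different VLANs but unchanged IPs is layer-3 forwarding without NAT."""
    hops = []
    for i, f in enumerate(frames):
        if f.dst_mac != router_mac:
            continue
        for g in frames[i + 1:]:
            if g.src_mac == router_mac and \
               (g.src_ip, g.dst_ip, g.icmp_id) == (f.src_ip, f.dst_ip, f.icmp_id):
                hops.append((f.vlan, g.vlan, f.src_ip, f.dst_ip))
                break
    return hops


if __name__ == "__main__":
    parsed = [parse_frame(b) for b in SAMPLE_CAPTURE]
    for ingress, egress, s, d in routed_hops(parsed, OPNSENSE_LAN):
        print(f"{s} -> {d}: in on VLAN {ingress}, out on VLAN {egress} (None = untagged)")
```

Because OPNsense evaluates firewall rules on the interface a packet enters and lets the reply through by state, the first hop above (ingress VLAN 10, egress untagged) is the one a rule had to permit: the rule to look for is on the VLAN 10 interface with a destination that covers 10.99.1.0/24 (a "destination any" pass rule matches), and that is also where a block for the management subnet belongs. Note that the default rule OPNsense creates on LAN (often copied when a VLAN interface is set up) is such a destination any rule; checking the VLAN interface's rule list for one is the same check the script's output points at.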

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved