Segregated Networking Not Working

Started by spetrillo, November 08, 2019, 11:14:54 PM

Ok, I got a weird one. I use a Protectli 4-port device as my OPNsense firewall. I have set up the LAN port for 192.168.1.0/24 and the OPT port for 192.168.2.0/24. When I connect a device to the OPT network, via DHCP it still pulls a 192.168.1.x address. I have set up DHCP for the OPT network. Do I need to enable DHCP Relay?


Cool! 8-D

Do you have firewall rules for LAN and OPT1 blocking traffic between the nets? IPv4 only? Or IPv6 involved?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: chemlud on November 09, 2019, 11:43:31 AM
Cool! 8-D

Do you have firewall rules for LAN and OPT1 blocking traffic between the nets? IPv4 only? Or IPv6 involved?

Ding ding ding...it seems the two default rules for LAN1 do not get populated when you create a new segment on another port. Hey OPNsense folks, can that be done, so that when you use another port for a separate segment and enable the segment, the two rules are auto-created and activated?

No, I don't think this will ever change, it has been so forever. And some people want the two interfaces to be separate nets, some want some kind of traffic, some want to make things go back and forth rather freely.

So you had no rule on OPT1 at all, but your clients on OPT1 got an IP from the DHCP on LAN?
kind regards
chemlud

Default for all new interfaces is always empty rules; LAN is only allowed since otherwise nobody would reach the internet to search for a solution why the internet is not working ;)

Quote from: mimugmail on November 09, 2019, 06:13:58 PM
Default for all new interfaces is always empty rules; LAN is only allowed since otherwise nobody would reach the internet to search for a solution why the internet is not working ;)

Yup, I was missing the rules for the second network. One thing I am noticing is there is an anti-lockout rule for the LAN interface. Do I need an anti-lockout rule for the OPT network? If yes, how does that get created, as it looks like it is auto-generated on the LAN network?

Just add it manually if you think you need it there too :)

Good practice: have a dedicated service network to reach your router's GUI. Alternative: allow access from the network with the highest trust, e.g. not from guest wifi...
kind regards
chemlud
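The two points made above (a new OPT interface ships with an empty rule set, so everything entering it is dropped until you add pass rules, and GUI access should be deliberately limited to a trusted network) can be checked against an exported config.xml. The script below is an added example written for this thread, not code from OPNsense or from anyone in the discussion. It assumes the element layout that OPNsense writes (`<interfaces>`, `<filter>/<rule>`, `<system>/<webgui>`, the `<iface>ip` destination alias and the `noantilockout` flag); the embedded config is a constructed sample with a LAN, an unconfigured OPT1 and a management network on OPT2, not a real export.

```python
"""Audit an OPNsense config.xml export for interfaces with no firewall rules
and for the interfaces from which the web GUI is reachable by a pass rule.
Assumption: element names follow the layout OPNsense writes to config.xml."""
import xml.etree.ElementTree as ET

# Constructed sample (not a real export). LAN has the two default allow rules,
# OPT1 has none (fresh interface), OPT2 is a management net with a GUI-only rule.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
    </webgui>
  </system>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr><enable>1</enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><descr>LAN</descr><enable>1</enable><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igb2</if><descr>OPT1</descr><enable>1</enable><ipaddr>192.168.2.1</ipaddr><subnet>24</subnet></opt1>
    <opt2><if>igb3</if><descr>MGMT</descr><enable>1</enable><ipaddr>192.168.3.1</ipaddr><subnet>24</subnet></opt2>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet</ipprotocol><protocol>any</protocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN to any rule</descr></rule>
    <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol><protocol>any</protocol>
      <source><network>lan</network></source><destination><any/></destination>
      <descr>Default allow LAN IPv6 to any rule</descr></rule>
    <rule><type>pass</type><interface>opt2</interface><ipprotocol>inet</ipprotocol><protocol>tcp</protocol>
      <source><network>opt2</network></source><destination><network>opt2ip</network><port>443</port></destination>
      <descr>Management network to firewall GUI</descr></rule>
  </filter>
</opnsense>
"""


def enabled_interfaces(root):
    """Map interface name -> description for every enabled interface."""
    return {iface.tag: iface.findtext("descr", iface.tag.upper())
            for iface in root.find("interfaces") if iface.find("enable") is not None}


def rules_by_interface(root):
    """Group <filter>/<rule> elements by the interface they are bound to."""
    grouped = {}
    for rule in root.find("filter").findall("rule"):
        grouped.setdefault(rule.findtext("interface"), []).append(rule)
    return grouped


def interfaces_without_rules(root):
    """Non-WAN interfaces with no rules at all: the implicit default deny
    drops everything that enters them (the OPT1 situation in the thread)."""
    rules = rules_by_interface(root)
    return sorted(name for name in enabled_interfaces(root)
                  if name != "wan" and name not in rules)


def gui_reachable_from(root):
    """Interfaces with an explicit pass rule that can reach the firewall's own
    GUI port: destination <any/> or the '<iface>ip' alias (assumed alias name),
    with no port filter or the GUI port. LAN's anti-lockout rule is implicit,
    so it is added unless system/webgui/noantilockout is set."""
    webgui = root.find("system/webgui")
    gui_port = webgui.findtext("port") or ("443" if webgui.findtext("protocol") == "https" else "80")
    reachable = set()
    for rule in root.find("filter").findall("rule"):
        if rule.findtext("type") != "pass":
            continue
        iface = rule.findtext("interface")
        dest = rule.find("destination")
        if dest is None:
            continue
        hits_self = dest.find("any") is not None or dest.findtext("network") == f"{iface}ip"
        port_ok = dest.findtext("port") in (None, gui_port)
        if hits_self and port_ok:
            reachable.add(iface)
    if webgui.find("noantilockout") is None:
        reachable.add("lan")  # implicit anti-lockout rule keeps LAN -> GUI open
    return sorted(reachable)


def audit(xml_text):
    """Run both checks on a config.xml document and return the findings."""
    root = ET.fromstring(xml_text)
    return {"no_rules": interfaces_without_rules(root),
            "gui_reachable_from": gui_reachable_from(root)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("interfaces with empty rule sets (default deny):", report["no_rules"])
    print("GUI reachable by pass rule from:", report["gui_reachable_from"])
```

Run it against `/conf/config.xml` copied off the box (or a System > Configuration > Backups export) instead of the sample. An interface listed under "no_rules" is the state the original poster hit on OPT1; a GUI-reachable list that includes a guest or IoT interface is the case chemlud warns against. The script only reads the file, so it is safe to run before touching any rule.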

Quote from: chemlud on November 15, 2019, 07:47:59 AM
Good practice: Have a dedicated service network to reach your routers GUI. Alternative: allow access from network with highest trustability, e.g. not from guest wifi...

Hmmm...interesting thought. I have an extra NIC on my router that is not being used. I am going to make that my trusted network. So now the question...how do I remove the anti-lockout rule on the LAN port, since it was automatically added. There is no delete button.