[SOLVED] 2 LAN …. No communication

Started by stanthewizzard, May 27, 2021, 10:11:47 PM

Ok
The LAN 2 LAN was not correctly built by our hoster.

I can ping now 2.111 from 2.112 and vice versa

I tried to build a gateway and route, but no success: I can't ping 1.0 from 0.0 and vice versa

Thank you very much again


[OPNsense 1 Port 1]-----[Switch 1]-----LAN 1 clients
[OPNsense 1 Port 2]
                 |
                 |
             [Switch 0]
                 |
                 |
[OPNsense 2 Port 2]
[OPNsense 2 Port 1]-----[Switch 2]-----LAN 2 clients

[OPNsense 1 Port 1] - 192.168.0.201
[OPNsense 1 Port 2] - 192.168.2.111

[OPNsense 2 Port 2] - 192.168.2.112
[OPNsense 2 Port 1] - 192.168.1.201

Quote
I can ping now 2.111 from 2.112 and vice versa

Good. Now let's try to access a LAN 1 service from the LAN 2 OPNsense.

Step 1: Provide such a service in LAN 1, that is available on a specific TCP port.

HTTP, FTP, XMPP, doesn't matter, as long as it's TCP. Technically it could be UDP, but I don't want that for testing. Can you do that, running a TCP-based service on a LAN 1 client?

Step 2: Create a firewall rule on OPNsense 1.

interface: [OPNsense 1 Port 1]
action: accept (or pass, I currently don't know what it's called)
logging: yes
protocol: TCP
direction: outgoing
destination address: your LAN 1 client
destination port: your LAN 1 client's service port
source address: any

Side note: At this point I don't care about security, I just want this to work. If security matters for you, you will have to find your own way.

Step 3: Ensure that the service is available to the OPNsense 1.

I assume that you have telnet or netcat available on your OPNsenses, or anything similar that can be used for testing simple TCP connections. Otherwise I can't help you.

Open a shell on OPNsense 1, use telnet/netcat/whatever, connect to the LAN 1 service (the one from step 1). If that doesn't work, I would guess the firewall rule from step 2 is not correct. In that case, take a look into the firewall log of OPNsense 1 and adjust the rule accordingly.

Step 4: Allow to connect to the LAN 1 client's service from the OPNsense 2.

I assume you need one additional firewall rule for [OPNsense 2 Port 2] (outgoing) and one additional firewall rule for [OPNsense 1 Port 2] (incoming). Please enable logging for both rules.

Step 5: Tell OPNsense 2 where to find LAN 1.

I haven't done this on OPNsense, so I can only guess how to do that. Based on https://docs.opnsense.org/manual/gateways.html I think that a static route is what you need.

I feel this is enough for one posting.
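Added here as a worked example, not code from the original posts or from OPNsense itself: a small Python script that does what steps 3 and 5 of the procedure above describe. `tcp_reachable` is the telnet/netcat-style probe from step 3 (a refused connection and a silently dropped one both come back as unreachable; the firewall log from step 2 tells them apart). `next_hop` does the longest-prefix-match route lookup that a static route from step 5 relies on, and `round_trip_routable` makes the "vice versa" requirement explicit by checking that the reply has a route too. The interface addressing is taken from the diagram earlier in this thread; the two static routes (192.168.0.0/24 via 192.168.2.111 on OPNsense 2, and the mirror 192.168.1.0/24 via 192.168.2.112 on OPNsense 1), the loopback listener that stands in for the LAN 1 service, and all function names are assumptions.

```python
import ipaddress
import socket
import threading
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Step 3: probe a TCP service the way telnet/netcat would ---------------

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout.
    A refused connection (RST) and a silent drop (timeout) both give False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_test_listener() -> socket.socket:
    """Constructed stand-in for the LAN 1 service from step 1: a listener on a
    free loopback port that accepts one connection and closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass  # listener was closed before anyone connected

    threading.Thread(target=serve, daemon=True).start()
    return srv


def unused_port() -> int:
    """A loopback port with nothing listening on it (a connect must be refused)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


# --- Step 5: longest-prefix-match route lookup ------------------------------

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None                  # set for connected networks
    gateway: Optional[ipaddress.IPv4Address] = None  # set for static routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific route covering dst, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def next_hop(table: List[Route], dst: str) -> Optional[Tuple[str, ipaddress.IPv4Address]]:
    """(egress interface, address the frame goes to) for dst, or None if unroutable."""
    route = lookup(table, dst)
    if route is None:
        return None
    if route.gateway is None:
        return route.interface, ipaddress.ip_address(dst)  # directly connected
    via = lookup(table, str(route.gateway))
    if via is None or via.gateway is not None:
        return None  # the gateway itself is not on a connected network
    return via.interface, route.gateway


def round_trip_routable(fwd: List[Route], back: List[Route], src: str, dst: str) -> bool:
    """True only if fwd routes src->dst AND back routes dst->src (replies need the mirror route)."""
    return next_hop(fwd, dst) is not None and next_hop(back, src) is not None


# Addressing from the diagram in this thread; every route below is an assumption.
OPNSENSE1_CONNECTED = [
    Route(ipaddress.ip_network("192.168.0.0/24"), interface="Port 1"),  # LAN 1
    Route(ipaddress.ip_network("192.168.2.0/24"), interface="Port 2"),  # link via Switch 0
]
OPNSENSE2_CONNECTED = [
    Route(ipaddress.ip_network("192.168.1.0/24"), interface="Port 1"),  # LAN 2
    Route(ipaddress.ip_network("192.168.2.0/24"), interface="Port 2"),  # link via Switch 0
]
# Step 5 static routes (assumed): each OPNsense reaches the other LAN through the peer's Port 2.
STATIC_TO_LAN2 = Route(ipaddress.ip_network("192.168.1.0/24"), gateway=ipaddress.ip_address("192.168.2.112"))
STATIC_TO_LAN1 = Route(ipaddress.ip_network("192.168.0.0/24"), gateway=ipaddress.ip_address("192.168.2.111"))


if __name__ == "__main__":
    srv = start_test_listener()
    print("step 3 probe:", tcp_reachable("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("step 5 without static route:", next_hop(OPNSENSE2_CONNECTED, "192.168.0.50"))
    print("step 5 with static route:", next_hop(OPNSENSE2_CONNECTED + [STATIC_TO_LAN1], "192.168.0.50"))
    print("both directions:", round_trip_routable(OPNSENSE1_CONNECTED + [STATIC_TO_LAN2],
                                                  OPNSENSE2_CONNECTED + [STATIC_TO_LAN1],
                                                  "192.168.0.50", "192.168.1.50"))
```

Run it directly on any host with Python 3; the routing part needs no network at all. If `next_hop` returns None on the OPNsense 2 table, that is the "no route" situation the static route fixes; if it returns a next hop but the probe still fails, the logged rules from steps 2 and 4 are the place to look. A static route on only one side gets packets out, but the replies have nowhere to go, which is what `round_trip_routable` catches.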

Not sure that I can use a firewall rule or NAT. Between the 2 LANs
I need to have all the traffic go through LAN 2 LAN

In one of my earlier posts I asked
Quote
Now you want your LAN 1 clients to be able to communicate with the LAN 2 clients, right?

and your response was
Quote
Lan 1 client with lan 2 client and vice versa

At that point I thought that I understood what your goal is. But this
Quote
Between the 2 lan I need to have all the traffic to go through lan 2 lan
made me shake my head. I need more input on this, otherwise I don't understand what your goal is.

The communication between the 2 networks needs to be transparent (as with a site 2 site VPN ... the one I want to discard).
At my knowledge level there is no NAT in a private network

Is this clearer? ;D

Hmm, you didn't mention before that there is a VPN involved? That's a factor that would have been good to know from the beginning (not on page 2).

I have a feeling that I can't help you any further. I know that moving targets are a thing, but this one is moving too fast for me.

Today we have a working VPN
We want to discard it to go through the LAN and what we are discussing.

So VPN is out of the scope

Please confirm that you tried to ping between 192.168.2.111 and 192.168.2.112
YES

Which rules did you create on which OPNsense, to allow the ICMP packets?
allow all from any on LAN and lan2lan

When you enable logging for the default drop policy in OPNsense, do you see the ICMP packets being dropped?
nope

There should be a checkbox somewhere in system settings / logging.
yes

SOLVED

[OPNsense 1 Port 1]-----[Switch 1]-----LAN 1 clients
[OPNsense 1 Port 2]
                 |
                 |
             [Switch 0]
                 |
                 |
[OPNsense 2 Port 2]
[OPNsense 2 Port 1]-----[Switch 2]-----LAN 2 clients

[OPNsense 1 Port 1] - 192.168.0.1
[OPNsense 1 Port 2] - 192.168.1.10

[OPNsense 2 Port 2] - 192.168.1.1
[OPNsense 2 Port 1] - 192.168.0.10

[OPNsense 1 gateway1] - 192.168.0.1
[OPNsense 1 gateway2] - 192.168.1.1

[OPNsense  gateway1] - 192.168.1.1
[OPNsense  gateway2] - 192.168.0.1

[OPNsense 1 route1] - 192.168.1.0/24 -> GW 192.168.1.1
[OPNsense 2 route1] - 192.168.0.0/24 -> GW 192.168.0.1

It works :)

I didn't receive a notification mail about your recent post, but I saw it just now. I'm glad that you finally found a solution and posted it here :-)