Firewall Rules for Multiple LAN - Need to talk to each other

Started by DrQuinn24, March 03, 2023, 09:57:21 PM

Good day. Newbie home user needing basic help with firewall rules. Searched the forum, Google and Reddit for the topic and found many suggestions, but none that are working after spending days at it.
Here is what I am trying to accomplish:

Have LAN, LAN2 and LAN3. I would like all 3 LANs to be able to talk to each other. Example: LAN3 is dedicated 2.5 Gb for a wireless AP which will need to talk to a wired network printer on LAN. Currently, LAN3 can assign IP addresses and reach the internet, but it cannot reach the wired printer (static IP) on the LAN.

The attached screenshots show the interfaces and the LAN2 firewall rules (exact same setup for LAN3): one for internet access and the other for what I thought would allow access to LAN and LAN3, but it does not. Once I have a working firewall rule for LAN2 I can hopefully modify it for LAN3.

Thank you in advance for your help and apologies for my ignorance. OPNsense is a godsend for me; it allows me to access my network via WireGuard when I travel.

First, the DNS rule is not needed since you then have a "Any/Any" rule in place beneath it.
The Any rule will include DNS.

How are you testing between networks?
The usual "block" is someone trying to ping a pc on one of the other subnets and that pc has a software firewall turned on.
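An added example (not code from the thread or from OPNsense) of why the DNS rule is redundant: rules with the default "quick" setting are evaluated top to bottom and the first match decides, so a narrow pass rule that a later, broader pass rule already covers never changes the verdict. The rule set below is constructed to mirror the post, with LAN2 assumed to be 192.168.2.0/24 and LAN 192.168.1.0/24, plus a hypothetical block rule placed under the any/any rule to show the flip side: a rule that can never fire.

```python
# First-match rule evaluation and a small redundancy/shadowing audit (added example).
import ipaddress


def rule(action, src, dst, proto="any", dport=None, label=""):
    """A simplified OPNsense-style rule: action, source net, destination net,
    protocol ('any' or a name) and destination port (None = any)."""
    return {"action": action, "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dport": dport, "label": label}


def matches(r, pkt):
    """Does rule r match pkt = (src_ip, dst_ip, proto, dport)?"""
    src, dst, proto, dport = pkt
    return (ipaddress.ip_address(src) in r["src"] and ipaddress.ip_address(dst) in r["dst"]
            and r["proto"] in ("any", proto) and r["dport"] in (None, dport))


def first_match(rules, pkt, default="block"):
    """'quick' semantics: the first matching rule decides; no match hits the default deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["label"]
    return default, "implicit default deny"


def covers(a, b):
    """True if every packet rule b would match is also matched by rule a."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"]) and a["dport"] in (None, b["dport"]))


def audit(rules):
    """Report rules an earlier superset rule shadows (they never fire) and rules a
    later same-action superset makes redundant (no different-action rule in between)."""
    findings = []
    for i, r in enumerate(rules):
        earlier = [e for e in rules[:i] if covers(e, r)]
        if earlier:
            findings.append((r["label"], "shadowed by", earlier[0]["label"]))
            continue
        for later in rules[i + 1:]:
            if later["action"] != r["action"]:
                break            # a different verdict in between: stop, be conservative
            if covers(later, r):
                findings.append((r["label"], "redundant with", later["label"]))
                break
    return findings


# Constructed rule set mirroring the post (subnets are assumptions, not from the thread).
LAN2_RULES = [
    rule("pass", "192.168.2.0/24", "0.0.0.0/0", "udp", 53, "LAN2 DNS"),
    rule("pass", "192.168.2.0/24", "0.0.0.0/0", label="LAN2 any/any"),
    rule("block", "192.168.2.0/24", "192.168.1.0/24", label="block LAN2 -> LAN"),  # hypothetical
]

if __name__ == "__main__":
    print(first_match(LAN2_RULES, ("192.168.2.10", "192.168.1.50", "tcp", 631)))
    for finding in audit(LAN2_RULES):
        print(*finding)
```

The audit is deliberately conservative: it only calls a rule redundant when every rule between it and the covering rule has the same action, so removing it cannot change any packet's verdict. The shadowed finding is the one to watch for in practice: a block rule added below an any/any pass rule is silently dead.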

Demusman,

Thank you for your reply.

For testing I am using a phone which is connected to the AP (wifi, LAN3) and opening a picture which I can typically print to a wired network printer (LAN). I am unable to print from the phone to the printer when the AP is plugged into LAN3.

If I disconnect the AP from LAN3 and plug it into LAN I can print from my phone just fine.

Demusman,

I see why you are asking how I am testing now. I also have IP cameras that are on the LAN and I can access them from my phone on LAN3, so the firewall rule is working. For some reason I am unable to print from my phone, using the Canon app for Android. I'll try to uninstall the app and see what the issue could be.

I should have tested multiple scenarios first, my bad but a good lesson learned.

Thanks again for your help.  Have a good weekend!

For printing, you probably need more than just working firewall rules, routing and opening specific ports for printing across LANs or VLANs. Some printing protocols actually use network detection via network broadcasts to find printers, which are usually contained in a single broadcast domain.

This is different from setting up printing on a PC, where you specify the printer via an IP address or DNS name, which you probably cannot do on a phone.

Thus, what you most likely need is to enable broadcast traffic across your LANs or VLANs. There is a package called os-mdns-repeater to do this. You have to install it and then configure the interfaces it should bridge across.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
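An added example of the discovery mechanism meyergru describes (this is not code from the thread or from the os-mdns-repeater plugin). It builds the DNS-SD query a client sends to find printers, parses the multicast DNS answer, and shows why that answer never leaves the subnet: the destination group 224.0.0.251 is link-local scope, which routers do not forward. Assumptions: the printer advertises `_ipp._tcp.local`, and `build_sample_response()` is a constructed reply from a hypothetical printer at 192.168.1.50, not a real capture.

```python
# mDNS/DNS-SD printer discovery (added example; names, addresses and the sample reply are assumptions)
import ipaddress
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # link-local scope multicast group, UDP 5353
IPP_SERVICE = "_ipp._tcp.local"              # assumed service type advertised by the printer
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def is_link_local_multicast(addr):
    """224.0.0.0/24 is never forwarded by routers, so mDNS traffic stays inside
    the broadcast domain it was sent on; that is the gap a repeater bridges."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network("224.0.0.0/24")


def encode_name(name):
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_ptr_query(service=IPP_SERVICE):
    """Standard mDNS query 'who offers this service type?' (QTYPE PTR, QCLASS IN)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)  # id 0, flags 0, QDCOUNT 1
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def decode_name(buf, off):
    """Decode a DNS name at buf[off], following compression pointers; returns
    (name, offset just past the name in the original byte stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                        # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                                # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(buf):
    """Pull instance name, host, port and IPv4 address out of an mDNS response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, found = 12, {}
    for _ in range(qd):                                  # skip any echoed questions
        _, off = decode_name(buf, off)
        off += 4
    for _ in range(an + ns + ar):
        _, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])  # type, class, TTL, RDLENGTH
        off, rdata = off + 10, buf[off + 10:off + 10 + rdlen]
        if rtype == TYPE_PTR:
            found["instance"], _ = decode_name(buf, off)
        elif rtype == TYPE_SRV:                          # priority, weight, port, target
            found["port"] = struct.unpack("!HHH", rdata[:6])[2]
            found["host"], _ = decode_name(buf, off + 6)
        elif rtype == TYPE_A:
            found["ip"] = socket.inet_ntoa(rdata)
        off += rdlen
    return found


def build_sample_response():
    """Constructed answer from a hypothetical 'Office Printer' (not a real capture)."""
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0))  # response flag, 3 answers
    svc_off = len(msg)
    msg += encode_name(IPP_SERVICE)
    inst = b"Office Printer"
    rdata = bytes([len(inst)]) + inst + struct.pack("!H", 0xC000 | svc_off)  # compressed suffix
    inst_off = len(msg) + 10
    msg += struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata)) + rdata
    inst_ptr = struct.pack("!H", 0xC000 | inst_off)
    rdata = struct.pack("!HHH", 0, 0, 631) + encode_name("printer.local")
    host_off = len(msg) + 2 + 10 + 6
    msg += inst_ptr + struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(rdata)) + rdata
    msg += struct.pack("!H", 0xC000 | host_off) + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4)
    return bytes(msg + socket.inet_aton("192.168.1.50"))


def discover(timeout=2.0):
    """Query the local link and collect answers; only printers in this host's subnet can reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    results = []
    try:
        while True:
            data, _ = sock.recvfrom(9000)
            results.append(parse_response(data))
    except (socket.timeout, ValueError):
        pass
    sock.close()
    return results
```

Run `discover()` from a host on the printer's subnet and from one on another VLAN: the first gets the PTR/SRV/A set parsed above, the second gets nothing, no matter how permissive the firewall rules are, because the query never reaches the printer's broadcast domain. A repeater re-emits the query and the answer on the other interface; once the app has the IP and port from the SRV and A records, the actual print job is ordinary unicast IPP (TCP 631) that routed firewall rules do govern.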

meyergru,

Thank you for your help. I uninstalled the Canon app from my phone and reinstalled it. That did the trick and now I can print.

I made a mistake by assuming that because the printer worked before and was using a static IP, it should work on the new LAN. Great lessons for me to learn from: never assume when troubleshooting, and test multiple methods.

Thanks for everyone's help. The people at OPNsense are the reason I changed from another firewall/routing software. I'm way in over my head in understanding any of this, and people jump in and share their knowledge, which is awesome.