OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • Rule required for downstream networks
« previous next »
  • Print
Pages: [1]

Author Topic: Rule required for downstream networks  (Read 887 times)

tech101us

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Rule required for downstream networks
« on: July 10, 2023, 04:32:46 am »
Running the latest OPNSense release. Basic network layout with only two interfaces on the firewall (LAN\WAN). LAN subnet is 172.16.8.0/24 with the firewall itself being .1

Have a L3 switch in place doing some interVLAN routing for the VLAN subnets. The VLAN SVI's are the default gateways for the relavent VLAN's, with the switch itself pointing to the OPNSense firewall (172.16.8.1/24) as it's default route.

Was running OpenWRT in the past prior to switching to OPNSense, and this setup worked fine. I have the routes in place (switch pointing to OPNSense for it's default route, OPNSense pointed to the SVI on the switch on the 172.16.8.0/24 subnet for the IP subnets associated with the other VLAN's on the switch).

I'm seeing firewall logs indicating it is blocking traffic from the subnets associated with the VLAN's on the switch other than the local subnet (172.16.8.0/24). It's some sort of "default deny/invalid state" error.

Note that I did switch the NAT to Hybrid, and created a Outbound translation rule for the VLAN subnets on the switch other than the local 172.16.8.0/24 (one such subnet is 192.168.9.0/24).

Besides the routes and the Outbound NAT entry, do I need some other specific rules to allow traffic from IP's not on an interface local to the firewall to traverse the firewall? Is there something I need to do to define the other internal subnets as "LAN" traffic that should be permitted to and through the firewall?

Thanks so much . Appreciate any thoughts anyone has.
Logged

Patrick M. Hausen

  • Hero Member
  • *****
  • Posts: 6812
  • Karma: 572
    • View Profile
Re: Rule required for downstream networks
« Reply #1 on: July 10, 2023, 05:27:20 am »
Do your allow rules on LAN use a source of "*" or a source of "LAN net"? The latter is strictly the single locally connected network on the LAN interface. So if you are using that you might want to change it to "*" or create an alias that contains all your VLANs and use that.
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

tech101us

  • Newbie
  • *
  • Posts: 5
  • Karma: 0
    • View Profile
Re: Rule required for downstream networks
« Reply #2 on: July 10, 2023, 05:48:46 am »
Amazing...
That was it. Thanks so much @pmhausen. You saved me a lot of angst...
---
Quote from: pmhausen on July 10, 2023, 05:27:20 am
Do your allow rules on LAN use a source of "*" or a source of "LAN net"? The latter is strictly the single locally connected network on the LAN interface. So if you are using that you might want to change it to "*" or create an alias that contains all your VLANs and use that.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 23.1 Legacy Series »
  • Rule required for downstream networks
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2