connectivity between subnets?

Started by vortex1111, December 12, 2024, 08:39:44 AM

Hi,

Working my way through configuring a new opnsense device, and I've run into an issue I can't figure out how to debug.

I have 6 ports on my device - 1 is for wan, 4 of them are bridged, and the 6th is a "normal" interface.

The 4 bridged ports are my internal network 192.168.10.0/24.
The other port that isn't a wan is a guest network 192.168.20.0/24

As far as I can tell, I've managed to set up the firewall properly, so that guest has access to the dns/dhcp on the router, and it gets routed to wan.  But it does NOT have access to my internal network.  Which is what I want.

However, I would like to be able to access a device on the guest network (an access point) from the internal network - and I simply get a timeout trying to make that connection.

When I view the firewall live view - I can specifically see traffic being allowed.  Yet, I simply get a timeout.  And I cannot see any deny rule.

For example, when I try to make a curl request, from internal (LAN Bridge) to guest (LAN6), I see the request, and the response, both being approved. 

LAN6          <- 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp let out anything from firewall host itself
LANBridge -> 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp allow lan to any


It's like the traffic is approved coming off the guest LAN, but then is just lost, rather than routed back to the internal LAN.

What could I be doing wrong?  How can I debug this?  It doesn't seem to be the firewall blocking it, it seems to be a routing problem.

Thanks for any advice.




Quote from: vortex1111 on December 12, 2024, 08:39:44 AM
How can I debug this?  It doesn't seem to be the firewall blocking it, it seems to be a routing problem.
Run traceroute on both the devices you expect to be able to communicate and run packet capture on the firewall interfaces in question. Interfaces: Diagnostics: Packet Capture

Read the capture files in Wireshark https://www.wireshark.org/

@vortex111: Since this is your first post and you have set up a bridge: Did you set the bridge tunables?

See #2 here.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Quote from: vortex1111 on December 12, 2024, 08:39:44 AM
For example, when I try to make a curl request, from internal (LAN Bridge) to guest (LAN6), I see the request, and the response, both being approved. 

LAN6          <- 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp let out anything from firewall host itself
LANBridge -> 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp allow lan to any


What you're seeing there is the connection being allowed inbound to the firewall on the "LANBridge" interface, and outbound (from the firewall) on the "LAN6" interface (presumably where your guest network is?). You wouldn't normally see response packets in the firewall log. It's not a packet capture - rather it just shows when rules are applied to new connections.

I would probably do a packet capture on the LAN6 interface to see if a response is actually coming back from the server at 192.168.20.3.
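The two live-view lines quoted above are the same new connection (identical source port 38070, identical destination 192.168.20.3:80) matched by a rule on each interface, not a request and its reply. The following parser is an added example, not code from the thread or from OPNsense: it reads live-view lines in the layout shown in the thread (interface, direction arrow, timestamp, src:port, dst:port, protocol, rule label), groups them by 5-tuple and reports whether the reverse flow (a reply from 192.168.20.3:80 back to the client) ever appears. The arrow mapping (`->` inbound on that interface, `<-` outbound) follows the reading given in the reply above; the sample log is the thread's two lines embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the two OPNsense live-view lines quoted in the thread.
SAMPLE_LOG = """\
LAN6          <- 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp let out anything from firewall host itself
LANBridge -> 2024-12-12T01:31:51-06:00 192.168.10.20:38070 192.168.20.3:80 tcp allow lan to any
"""

# Layout assumed from the thread: IFACE ARROW TIMESTAMP SRC:PORT DST:PORT PROTO LABEL
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<arrow><-|->)\s+(?P<ts>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<label>.*)$"
)


def parse_line(line):
    """Parse one live-view line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # "->" = packet entering the firewall on this interface, "<-" = leaving it.
    d["direction"] = "in" if d["arrow"] == "->" else "out"
    d["flow"] = (d["proto"], d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
    return d


def group_flows(text):
    """Map each 5-tuple to the list of (interface, direction, rule label) entries that matched it."""
    flows = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            flows[entry["flow"]].append((entry["iface"], entry["direction"], entry["label"]))
    return dict(flows)


def reverse_flow(flow):
    """The 5-tuple a reply to this flow would carry (src and dst swapped)."""
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


def summarize(text):
    """One line per connection: where it was seen, and whether the reverse flow was ever logged."""
    flows = group_flows(text)
    report = []
    for flow, hits in flows.items():
        proto, src, sport, dst, dport = flow
        where = ", ".join(f"{iface} ({direction})" for iface, direction, _ in hits)
        reply = "reply flow logged" if reverse_flow(flow) in flows else "no reply flow logged"
        report.append(f"{proto} {src}:{sport} -> {dst}:{dport}: seen on {where}; {reply}")
    return report


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Because the live view only logs rule matches on new state creation, the absence of a reverse flow here proves nothing by itself; that is why a packet capture on LAN6 is the right next step. The grouping does become useful when you feed it a longer export and want to spot flows that were allowed out but never produced any return state.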

Quote from: meyergru on December 12, 2024, 09:49:55 AM
@vortex111: Since this is your first post and you have set up a bridge: Did you set the bridge tunables?

See #2 here.

Yeah, I should have mentioned that - I did set net.link.bridge.pfil_bridge to 1, and net.link.bridge.pfil_member to 0... but I was starting to ponder whether this issue has something to do with the fact that one of the interfaces is a bridge and the other is not.

Or maybe I need something with net.link.bridge.pfil_local_phys ?  I've left that the default of 0.


Made progress after looking at some packet captures... they were also mirroring what I was seeing on the firewall log - that there simply wasn't a response. 

Went back and looked at the AP I was trying to reach on the guest network again, and it only had a routing table entry to send traffic for its own subnet 192.168.20.0 to a port on the AP - but it had no entry for the internal subnet of 192.168.10.0.

I added a manual route for the internal subnet on the AP in the guest network to point traffic for 192.168.10.0 back to the AP's LAN, and now I can reach it.

Is there anything I could do on the opnsense router to make that route be automatic on the client device?  Probably just over my head on networking stuff here. 

That static route seems to get me what I need.

Thanks.

Use DHCP?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on December 12, 2024, 05:53:58 PM
Use DHCP?

You know, of course it's something obvious like that... for my APs, I usually set them static, so I can still hit them when I have them unhooked from the main network... accidentally locked myself out of them too many times in the past with one misconfiguration or another. Makes sense. Thanks.
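The root cause found above (the AP only had a connected route for 192.168.20.0/24, so its replies to 192.168.10.20 had nowhere to go) and the DHCP suggestion are both a matter of what the AP's routing table contains. The following longest-prefix-match lookup is an added example, not code from the thread or from OPNsense; it models three AP routing tables: the static-IP-without-gateway state that caused the timeout, the manual 192.168.10.0/24 route that fixed it, and the default route a DHCP lease's router option would supply instead. The guest gateway address 192.168.20.1 is an assumption, as the thread never states it.

```python
import ipaddress

# Assumed guest-side gateway (the OPNsense LAN6 address); not given in the thread.
GUEST_GW = "192.168.20.1"

# Constructed routing tables for the AP at 192.168.20.3. A gateway of None means on-link.
AP_CONNECTED_ONLY = [("192.168.20.0/24", None)]                        # static IP, no gateway set
AP_STATIC_ROUTE = AP_CONNECTED_ONLY + [("192.168.10.0/24", GUEST_GW)]  # the manual route added in the thread
AP_DEFAULT_ROUTE = AP_CONNECTED_ONLY + [("0.0.0.0/0", GUEST_GW)]       # what a DHCP lease's router option gives


def make_table(routes):
    """Turn (prefix string, gateway) pairs into (ip_network, gateway) pairs."""
    return [(ipaddress.ip_network(net), gw) for net, gw in routes]


def lookup(table, dst):
    """Longest-prefix match. Returns (network, gateway), or None when no route covers dst,
    in which case the host drops the packet locally and the sender just sees a timeout."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def reply_path(routes, client_ip):
    """Describe how the AP would forward its reply to client_ip under the given routing table."""
    match = lookup(make_table(routes), client_ip)
    if match is None:
        return "dropped: no route"
    net, gw = match
    if gw is None:
        return f"direct: {net} is on-link"
    return f"via {gw} ({net})"


if __name__ == "__main__":
    client = "192.168.10.20"  # the curl client on the internal LAN, from the thread
    for name, routes in (("connected only", AP_CONNECTED_ONLY),
                         ("manual static route", AP_STATIC_ROUTE),
                         ("default route from DHCP", AP_DEFAULT_ROUTE)):
        print(f"{name:<24} reply to {client}: {reply_path(routes, client)}")
```

The firewall log could never reveal this: OPNsense allowed the SYN out on LAN6 and the state was created, but the AP's kernel discarded the SYN-ACK before it ever reached the wire, which is exactly what the LAN6 packet capture showed as "no response". A default route from DHCP and a specific static route both work; if both are present, the more specific /24 wins the longest-prefix match, as the last assertion in the test checks.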