Help needed, LAN to LAN communication getting silently dropped? and more

Started by Beehive-guy, April 16, 2026, 09:00:42 PM

Hello, I am new to OPNsense and to configuring more advanced routers/firewalls. I recently decided to install OPNsense on a mini PC to use it as a router/firewall for my home network.

I have seen similar posts to this one on the forums, but the rule suggestions didn't fix my problem

I have my server on LAN2. I want my desktop to be able to ping the server from LAN, and ultimately to allow my desktop to get access to some services my server exposes on different ports.

I have attached the full firewall rules page of LAN and LAN2 as well as their interface configurations. Also, I have DHCP set up; I can provide screenshots or more information concerning that if needed.

See below current behavior:

Ping from Diagnostics under Interfaces in the OPNsense web GUI successfully pings 192.168.1.20 (Linux desktop) and 192.168.2.25 (Linux server) with 0% packet loss.
It also shows up in the live view as:
192.168.1.1 -> 192.168.1.20 pass

192.168.2.1 -> 192.168.2.25 pass

From my desktop:
192.168.1.20 -> 192.168.2.25 passed by the firewall but 100% packet loss

192.168.1.20 -> 192.168.1.1 and 192.168.2.1 doesn't show up in the live view of the firewall but 0% packet loss

From my server:
192.168.2.25 -> 192.168.1.20 doesn't show up in the live view + 100% packet loss

192.168.2.25 -> 192.168.2.1 doesn't show up in the live view but 0% packet loss

192.168.1.25 -> 192.168.1.1 doesn't show up in the live view + 100% packet loss

Some more info:
When my server and desktop are on the same LAN/VLAN they can ping each other, earlier I also tried to make LAN to VLAN communication work but that also failed, as well as VLAN to VLAN communication.

No floating or WAN rules are set; I believe that I left the rest of the firewall configuration at the defaults.
Running OPNsense 26.1.6.

Any help would be greatly appreciated!

I presume your clients and servers have internet access?

Consider that the devices might run their own firewalls, which usually block access from outside of their subnets. If so, you need to configure them properly to permit access from the respective other subnet.

Quote from: Beehive-guy on April 16, 2026, 09:00:42 PM
I have my server on LAN2. I want my desktop to be able to ping the server from LAN, and ultimately to allow my desktop to get access to some services my server exposes on different ports.

I have attached the full firewall rules page of LAN and LAN2 as well as their interface configurations.

When you install OPNsense the Default LAN has Firewall Rules that ALLOW traffic to ANY destination.

If you then create your LAN2 correctly as the next step, you could then copy that firewall rule from LAN to LAN2 and have two networks that can talk to each other.

There is no need for separate ICMP Firewall Rules at all :)


The above of course excludes things like the Windows built-in Firewall or IPtables/NFtables/UFW/etc. on Linux Servers/Clients !!
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

I assume you want to set up a bridge with LAN and LAN2. Follow the official docs, then it will work.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Quote from: viragomann on April 16, 2026, 09:28:49 PM
I presume your clients and servers have internet access?

Consider that the devices might run their own firewalls, which usually block access from outside of their subnets. If so, you need to configure them properly to permit access from the respective other subnet.

Yes, they both have internet access. I just tried completely disabling the firewall on my server (systemctl disable firewalld.service and rebooted), but my desktop still can't ping the server.


Quote from: nero355 on April 16, 2026, 10:13:34 PM
When you install OPNsense the Default LAN has Firewall Rules that ALLOW traffic to ANY destination.

If you then create your LAN2 correctly as the next step, you could then copy that firewall rule from LAN to LAN2 and have two networks that can talk to each other.

Thanks for the tip. I recreated the original LAN rules so that on IPv4 and IPv6 (although I don't use v6) any protocol is allowed from the LAN to any destination, and the same for LAN2, but I still can't ping or access any other ports on the server, and the server also still can't ping the 192.168.1.1 gateway. Maybe I didn't create LAN2 properly? To sum up what I did to create LAN2: in Interfaces I assigned igc2 to LAN2, enabled LAN2, set the IPv4 Configuration Type to static IPv4 and gave it the IPv4 address 192.168.2.1/24; in Services under DNSmasq DNS & DHCP I added LAN2 to the interfaces in General and added a DHCP range, and that's it. If there is any other configuration that I have missed to get different LANs and/or VLANs to be able to communicate with each other, please tell me.


Quote from: meyergru on April 16, 2026, 10:40:21 PM
I assume you want to set up a bridge with LAN and LAN2. Follow the official docs, then it will work.

I believe I don't want to use a bridge, since that would place all devices on the same subnet. Instead, I'd prefer to restrict communication so that only a few specific ports are open between my desktop and the server—and similarly for my phone.
I'm also considering creating a separate LAN or VLAN (since I have a managed switch) for IoT devices, with one-way access from a trusted LAN to those devices.
If anyone's wondering why I'm currently messing with separate LANs instead of VLANs: ideally, I want both my server and desktop to take advantage of the 2.5 Gbit ports on my mini PC. My switch is limited to a mere 1 Gbit :) so using VLANs there would bottleneck the connection.

Your rules allow any IPv4 traffic on both interfaces.
So if both the LAN and LAN2 devices have internet access, they should also be able to access each other.

To investigate the issue, sniff the traffic on both interfaces one by one.
OPNsense has pcap onboard: Interfaces: Diagnostics: Packet Capture

Select LAN2 as the interface and ICMP as the protocol, and start the capture.
Then try to ping a server from a LAN device and display the result after. Don't forget to stop the capture.
You should see the packets going to the server, and if it's all right, response packets from the server to the client.
If there are no responses, there is something wrong with the server's firewall or with its routing table.
If you see responses, run a capture on the LAN to see if they are routed back properly in OPNsense.
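The two-capture method described in the reply above (capture ICMP on LAN2 first, then on LAN only if the server is answering) can be turned into a small classifier over the captured lines. The script below is an added example, not code from any participant or from OPNsense; it assumes the tcpdump-style summary format that the Packet Capture viewer and `tcpdump -n` print for echo traffic, and all sample capture lines in it are constructed, using the desktop (192.168.1.20) and server (192.168.2.25) addresses from the thread. It generalizes slightly beyond the reply by also reporting the case where no requests reach LAN2 at all.

```python
import re

# One tcpdump-style ICMP echo summary line (assumed format, as printed by
# OPNsense's Interfaces: Diagnostics: Packet Capture viewer and `tcpdump -n`).
ICMP_ECHO_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id \d+, seq (?P<seq>\d+)"
)

# Addresses from the thread: LAN desktop and LAN2 server.
CLIENT, SERVER = "192.168.1.20", "192.168.2.25"

# Constructed sample capture lines (not a real capture).
ECHO_REQUESTS = [
    "21:05:01.123456 IP 192.168.1.20 > 192.168.2.25: ICMP echo request, id 7, seq 1, length 64",
    "21:05:02.124001 IP 192.168.1.20 > 192.168.2.25: ICMP echo request, id 7, seq 2, length 64",
]
ECHO_REPLIES = [
    "21:05:01.123789 IP 192.168.2.25 > 192.168.1.20: ICMP echo reply, id 7, seq 1, length 64",
    "21:05:02.124330 IP 192.168.2.25 > 192.168.1.20: ICMP echo reply, id 7, seq 2, length 64",
]
# Unrelated traffic on the same interface (server pinging its own gateway); must be ignored.
LOCAL_NOISE = [
    "21:05:02.500000 IP 192.168.2.25 > 192.168.2.1: ICMP echo request, id 9, seq 1, length 64",
    "21:05:02.500300 IP 192.168.2.1 > 192.168.2.25: ICMP echo reply, id 9, seq 1, length 64",
]
LAN2_REQUESTS_ONLY = ECHO_REQUESTS + LOCAL_NOISE            # server never answers
LAN2_WITH_REPLIES = ECHO_REQUESTS + ECHO_REPLIES + LOCAL_NOISE
LAN_ROUND_TRIP = ECHO_REQUESTS + ECHO_REPLIES               # replies made it back to LAN


def parse_icmp_echo(lines):
    """Yield (src, dst, kind, seq) for each ICMP echo line; other lines are skipped."""
    for line in lines:
        m = ICMP_ECHO_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["kind"], int(m["seq"])


def echo_summary(lines, client, server):
    """Count the client's echo requests to the server and the server's replies
    to the client, matched by ICMP sequence number, as seen on one interface."""
    sent, answered = set(), set()
    for src, dst, kind, seq in parse_icmp_echo(lines):
        if kind == "request" and (src, dst) == (client, server):
            sent.add(seq)
        elif kind == "reply" and (src, dst) == (server, client):
            answered.add(seq)
    return {
        "requests": len(sent),
        "replies": len(sent & answered),
        "unanswered": sorted(sent - answered),
    }


VERDICTS = {
    "not_forwarded": "no requests seen on LAN2: OPNsense is not forwarding them (recheck LAN rules and routing)",
    "server_silent": "requests reach LAN2 but the server never answers: check its host firewall or routing table",
    "reply_lost": "server answers on LAN2 but replies never appear on LAN: check the return path in OPNsense",
    "ok": "echo request and reply seen on both interfaces",
}


def diagnose(lan2_lines, lan_lines, client=CLIENT, server=SERVER):
    """Apply the two-step method: LAN2 (server side) first; only if replies
    exist there does the LAN (client side) capture decide the outcome."""
    server_side = echo_summary(lan2_lines, client, server)
    if server_side["requests"] == 0:
        return "not_forwarded"
    if server_side["replies"] == 0:
        return "server_silent"
    client_side = echo_summary(lan_lines, client, server)
    if client_side["replies"] == 0:
        return "reply_lost"
    return "ok"


if __name__ == "__main__":
    scenarios = [
        ("server host firewall drops", LAN2_REQUESTS_ONLY, []),
        ("replies not routed back", LAN2_WITH_REPLIES, []),
        ("healthy", LAN2_WITH_REPLIES, LAN_ROUND_TRIP),
    ]
    for name, lan2, lan in scenarios:
        code = diagnose(lan2, lan)
        print(f"{name}: {code} -> {VERDICTS[code]}")
```

Paste the lines from each capture into the two lists (or read them from the downloaded pcap after converting with `tcpdump -n -r`) and the verdict points at the segment to inspect next: the OPNsense rules, the server's own firewall or routing table, or the return path on the LAN interface. Matching replies to requests by sequence number also exposes partial loss, which a plain "100% packet loss" from ping hides.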