VLAN blocked from LAN and no rule

Started by wgseaton, March 29, 2021, 04:20:40 PM

I am new. I created a Guest VLAN and configured DHCP and the interface to LAN.
Set the VLAN firewall rule to allow Guest Net to any.
I have a Unifi AP configured with the Guest VLAN, and connecting to the Guest network I get a Guest Network IP.
I can go out to the Internet from the host on the Guest Network.
I can ping from the LAN the host on the Guest Network.
I cannot ping the host on the LAN I use to ping the host on the Guest Network.
I cannot find any rule to block access.
I cannot find any rule that lets the LAN reach the VLAN other than the VLAN rules.

Any ideas what I am doing wrong, or is that automatically blocked?

What is in the WAN field of your Allow All Rule?

@wgseaton

Did you create a rule (incoming) on LAN to allow ICMP pings to LAN net? To keep things easy, please put this rule at the very top of the LAN rules for this testing.

Quote from: pankaj on March 29, 2021, 07:36:54 PM
Did you create a rule (incoming) on LAN to allow ICMP pings to LAN net? To keep things easy, please put this rule at the very top of the LAN rules for this testing.
Such a rule will make no difference.

@wgseaton, are you sure pings to the LAN host are allowed by that host? Can you ping the LAN host from another host on LAN net?

I can ping the host from another host on the LAN.
I am not sure what WAN setting is being asked for; the rule is any source, any destination, any protocol on both the VLAN and the LAN.
I added an ICMP rule but it still fails.

The WAN setting is closer to the bottom when you edit the rule. If you have selected anything but "default" then the router may not route to internal networks.

Sorry, "Gateway" (not WAN) is what I was asking about.

@wgseaton, show us your VLAN FW rule. Also, as a sanity check, confirm you are not blocking private networks on the LAN interface.

Otherwise it could very well be an AP issue. E.g. check that you don't have some sort of guest isolation in your UniFi controller for the VLAN.

It was a routing issue. I had a learning setup and the primary gateway was on the same interface as the LAN, so it appears the two VLANs could route to the Internet and to each other but not to the LAN. I changed it so both Internet gateways are on separate ports and all could talk to all. I added rules to block the VLANs from each other and the LAN and all is working. Thanks for the point in the right direction.

I'm glad you fixed it. Using the Gateway field enforces policy-based routing and ignores default routing rules. I'm new to this as well, and this is the most confusing part of OPNsense thus far. The Firewall section of the documentation was worth reading multiple times.

For other readers, a note in the documentation ("When using policy based routing, don't forget to exclude local traffic which shouldn't be forwarded. You can do so by creating a rule with a higher priority, using a default gateway.") is essential to know.
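As an added check for that documentation note (example code written for this thread, not from OPNsense or any poster), the script below scans `pfctl -sr`-style output and flags any policy-routed (`route-to`) pass rule on an interface that has no earlier gateway-less pass rule covering the RFC1918 ranges, which is exactly the setup that silently sends LAN-bound traffic out the WAN gateway. The sample ruleset is constructed, and the line format the regex expects (`pass in quick on <if> route-to (<if> <gw>) ... from <src> to <dst>`) is an assumption about pfctl's output.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -sr` output (not captured from a real box).
# em1 (LAN) has local-network exclusions ahead of its route-to rule; vlan0.20 (guest) does not.
SAMPLE_RULES = """\
pass in quick on em1 inet from 192.168.1.0/24 to 10.0.0.0/8 flags S/SA keep state
pass in quick on em1 inet from 192.168.1.0/24 to 172.16.0.0/12 flags S/SA keep state
pass in quick on em1 inet from 192.168.1.0/24 to 192.168.0.0/16 flags S/SA keep state
pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.0/24 to any flags S/SA keep state
pass in quick on vlan0.20 route-to (em0 203.0.113.1) inet from 192.168.20.0/24 to any flags S/SA keep state
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed pfctl line shape; only inbound pass rules matter for policy routing of local traffic.
RULE_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)"
    r"(?:\s+route-to\s+\((?P<gw>[^)]+)\))?"
    r".*?\sto\s+(?P<dst>\S+)"
)


def parse_rules(text):
    """Return (iface, destination network, gateway or None) for each inbound pass rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0") if dst == "any" else ipaddress.ip_network(dst, strict=False)
        rules.append((m.group("iface"), net, m.group("gw")))
    return rules


def unexcluded_policy_routes(text):
    """Flag route-to rules whose interface has no earlier gateway-less pass rule
    for each RFC1918 range the policy-routed rule would otherwise capture."""
    findings = []
    covered = {}  # iface -> private ranges already passed with default routing
    for iface, net, gw in parse_rules(text):
        if gw is None:
            covered.setdefault(iface, set()).update(p for p in RFC1918 if p.subnet_of(net))
            continue
        missing = [str(p) for p in RFC1918 if p.overlaps(net) and p not in covered.get(iface, set())]
        if missing:
            findings.append((iface, gw, missing))
    return findings


if __name__ == "__main__":
    for iface, gw, missing in unexcluded_policy_routes(SAMPLE_RULES):
        print(f"{iface}: route-to ({gw}) precedes any local exclusion for {', '.join(missing)}")
```

Run it against `pfctl -sr` output from the firewall; a reported interface needs a pass rule for the local networks, with the gateway left at default, placed above the policy-routed rule.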