OPNsense Forum » Archive » 19.1 Legacy Series
Topic: Internet not working on Subnets (Read 2221 times)
ala.tech (Newbie, Posts: 4, Karma: 0)
Internet not working on Subnets
« on: June 04, 2019, 09:01:15 pm »
OPNsense 19.1.8
Virtual Machine
2 vCPU
8 GB RAM
3 vNIC
100 GB vDisk
Currently have OPNsense running in a dev environment with the following setup:
vNIC = LAN (172.16.1.10)
vNIC = ISP 1 (DHCP)
vNIC = ISP 2 (DHCP)
                          ISP 1 (Primary)
                         /
Switch - LAN - OPNsense
                         \
                          ISP 2 (Fail over)
LAN consists of 3 subnets, with 2 of them routing to the first subnet for internet
          Subnet 1 (Layer 3 Switch, 172.16.1.1)
                   172.16.1.0/24
                   /           \
          Subnet 2              Subnet 3
       172.16.2.0/24         172.16.3.0/24
ISP 1 and 2 are set up in a failover group with ISP 1 as the primary. I have a static route set for 172.16.0.0/16 to go to 172.16.1.1.
Issue = Subnets 2 and 3 can't get internet. Subnet 1 (directly attached to the LAN interface on the firewall) gets internet.
Everything works fine for any host on the 172.16.1.x subnet. ISP failover is great, internet speeds are awesome, and NAT translations work. If the host is on either 172.16.2.x or 3.x, it will not get internet. It can ping the LAN interface of the FW and can even access the Web GUI. Routing appears to be fine. When I look at the logs, it shows traffic going out via the "Allow LAN to Any" rule, and I can see the traffic going out the ISP and coming back to Firewall, but stops there. Example:
Ping 4.2.2.1 from 172.16.2.104
See it cross Switch 2 (172.16.2.1, default route for network)
See it cross Switch 1 (172.16.1.1, default route for network)
See it go through Firewall via Allow LAN to Any (In LAN, out ISP 1)
See it hit a switch I put in between cable modem and firewall going out
See it come back through same switch
Don't see it come through the firewall.
If I do the same thing from 172.16.1.123, I can see it go all the way through and get successful replies on the Ping command.
It seems to me like it is a firewall rule. I looked things up though, and it looks like I am doing things right. I have a rule that looks like:
LAN
Proto   Source          Port   Destination   Port   Gateway        Type
IPv4*   172.16.0.0/16   *      *             *      ISP_Failover   Allow
ISP 1 and 2 just have the default rules in them, though in testing I did add a NAT translation on both, which did work, but it was to a host on Subnet 1. And again, anything on Subnet 1 can get to the internet, so my rationale is that it has to do with the fact that the traffic does not originate on a subnet that the firewall is directly connected to. I figured that by specifically specifying 172.16.x.x in the rule it should allow it regardless of being directly connected. Is there somewhere else I need to add those networks to allow them through the firewall? Or do I need to do something on the ISP 1 and 2 zones to allow it to NAT those?
Thanks for any input!
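The last question in the post, whether the routed subnets need their own outbound NAT coverage, can be reasoned about with a small packet-flow model. The following script is an added example, not the poster's configuration and not a statement of how OPNsense generates its automatic outbound NAT rules: it takes the routing table described in the post (directly connected 172.16.1.0/24, static route 172.16.0.0/16 via 172.16.1.1, default route out ISP 1) and contrasts two assumed outbound NAT source sets, one that covers only the LAN interface network and one that covers the whole 172.16.0.0/16. The ISP 1 address and gateway (203.0.113.10 and 203.0.113.1) are placeholders from the documentation range. For each hypothesis it traces the request from a host on subnet 1 and from a host on subnet 2 to 4.2.2.1 and reports whether the source is translated, whether the reply can come back, and which next hop the reply is routed to on the LAN side.

```python
"""Constructed packet-flow model of the topology in the post (added example).

It answers one question per (source host, NAT rule set) pair: does the
request get source-translated on the way out, and can the reply be routed
back to the original host?  The NAT rule sets are hypotheses, not a
description of what OPNsense actually installs.
"""
import ipaddress as ip

# Routing table as described in the post.  None as next hop = directly connected.
ROUTES = [
    (ip.ip_network("172.16.1.0/24"), None),                          # LAN interface network
    (ip.ip_network("172.16.0.0/16"), ip.ip_address("172.16.1.1")),   # static route to the L3 switch
    (ip.ip_network("0.0.0.0/0"), ip.ip_address("203.0.113.1")),      # assumed ISP 1 gateway (placeholder)
]
WAN_ADDR = ip.ip_address("203.0.113.10")  # assumed ISP 1 interface address (placeholder)

# Two hypotheses for the outbound NAT source networks on the ISP interface.
NAT_LAN_ONLY = ["172.16.1.0/24"]   # only the directly connected LAN network is translated
NAT_ALL_LAN = ["172.16.0.0/16"]    # a rule that also covers the routed subnets 2 and 3


def lookup(dst):
    """Longest-prefix match over ROUTES; returns (network, next_hop) or None."""
    dst = ip.ip_address(dst)
    best = None
    for net, next_hop in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(src, dst, nat_sources):
    """Trace request and reply for one flow under a given outbound NAT source set."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    nat_sources = [ip.ip_network(n) for n in nat_sources]
    steps = []

    # 1. Request: the firewall routes the packet (the post's "Allow LAN to Any" pass).
    net, gw = lookup(dst)
    steps.append(f"request {src} -> {dst}: matched {net} via {gw}")

    # 2. Outbound NAT: only sources covered by a rule leave with the WAN address.
    translated = any(src in n for n in nat_sources)
    wire_src = WAN_ADDR if translated else src
    state = "translated" if translated else "NOT translated"
    steps.append(f"on the wire: {wire_src} -> {dst} ({state})")

    # 3. Reply: it is addressed to whatever source the ISP saw.  A private source
    #    that was never translated cannot be reached from the ISP side, which is
    #    the "goes out, never comes back through the firewall" symptom.
    if not translated and wire_src.is_private:
        steps.append(f"reply to {wire_src}: private destination, does not return from the ISP")
        return {"translated": False, "reply_delivered": False,
                "return_next_hop": None, "steps": steps}

    # 4. The reply hits the NAT state, is un-translated to the original source,
    #    and is then routed on the LAN side (directly or via the static route).
    rnet, rgw = lookup(src)
    steps.append(f"reply {dst} -> {wire_src}: state matched, un-NAT to {src}, route {rnet} via {rgw}")
    return {"translated": translated, "reply_delivered": True,
            "return_next_hop": None if rgw is None else str(rgw), "steps": steps}


if __name__ == "__main__":
    for host in ("172.16.1.123", "172.16.2.104"):
        for label, rules in (("LAN only", NAT_LAN_ONLY), ("whole /16", NAT_ALL_LAN)):
            result = trace(host, "4.2.2.1", rules)
            print(f"[{label}] {host}: reply_delivered={result['reply_delivered']}")
            for step in result["steps"]:
                print("    " + step)
```

Under the "LAN only" hypothesis the subnet 1 host succeeds and the subnet 2 host fails at step 3, which matches the pattern in the post; under the "whole /16" hypothesis both succeed and the reply for the subnet 2 host is routed back via 172.16.1.1 through the static route. Whether the real firewall is in the first situation is exactly what a look at the outbound NAT rules, and a packet capture on the ISP interface showing the source address of the outgoing ping, would confirm.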