Unifi's VLAN can't access Internet

Started by daydien789, November 24, 2024, 07:34:22 AM

November 24, 2024, 07:34:22 AM Last Edit: November 24, 2024, 07:37:14 AM by daydien789
Hello everyone,

Today I am setting up OPNSense for my home network.
This is the network topology I am using.
https://i.imgur.com/5taWx3M.png

Currently, I have disabled NAT on the USG router and only configured VLAN, WiFi.
For firewall rules, I have set WAN IN, WAN OUT, and WAN LOCAL to source any -> destination any, protocol any.

On OPNSense, I have configured PPPoE.
Under System -> Gateways, I added the USG IP as 172.16.16.2.
The WAN port is currently connected to another device temporarily, so that's why it is showing as "defunct" in the notifications.
https://i.imgur.com/kn5J6lA.png

Under System -> Routes, I set up the static route as shown below.
https://i.imgur.com/ItY1eyN.png

Under Firewall -> NAT, I left the default settings.
https://i.imgur.com/aNA9Fd8.png

Under Firewall -> Rules, I only configured LAN to be "any."
https://i.imgur.com/J0rHRYd.png

However, when I try to access the internet, I can't reach Google.
I tried ping from:
LAN -> USG -> OPNSense (OK)
USG -> OPNSense (OK)
OPNSense -> USG -> LAN (OK)
OPNSense ping to Google (OK)
I tried setting the gateway on Firewall -> Rules -> LAN to the PPPoE interface, but it still can't connect to Google.
I tried using tracert on my PC, and it only reaches the OPNSense gateway (172.16.16.1), but when trying to reach the internet, it times out.
Has anyone encountered this issue before? Please help me. Thank you very much.

I think the automatically generated outbound NAT rule would only apply to the LAN interface's local network (172.16.16.0/29). Since you're routing other networks behind that, I think you'll have to use manual outbound NAT and create rules to cover them.

Quote from: dseven on November 24, 2024, 09:54:01 AM
I think the automatically generated outbound NAT rule would only apply to the LAN interface's local network (172.16.16.0/29). Since you're routing other networks behind that, I think you'll have to use manual outbound NAT and create rules to cover them.
Yesterday, I also tried configuring Hybrid NAT or Manual NAT, but it still didn't work. I don't think it's an issue with NAT because I had previously used pfSense and didn't need to configure NAT, only setting up PPPoE, Gateways, Rules, Static Routes, and I could still access the internet normally.
In OPNSense, I configured it the same way, but it still didn't work.

OPNsense does not automatically apply outbound NAT to networks that are not directly connected but reached via a gateway. So if you have internal routes, you absolutely must create manual NAT rules for these networks.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have recently done a POC where I put OPNsense in front of my routing switch and I can confirm what already was said. Outbound NAT rules need to be created manually for VLAN subnets to enable Internet access. I have also made a couple of other changes, because I did not like how OPNsense sets up the default route with its default settings. First I made sure only WAN is marked as upstream, and then I marked the LAN gateway as down. I think it is unfortunate that OPNsense uses the word "down" when the gateway is actually active, but it just cannot be selected as a default one.
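The point made in the last two replies (automatic outbound NAT covers only the directly connected LAN network, so routed VLAN subnets behind the USG need manual rules) can be checked against the loaded pf ruleset. The following is an added example, not code from the thread or from OPNsense: it parses constructed `pfctl -sn`-style output and reports which routed subnets no outbound NAT rule on the WAN interface covers. The VLAN subnets 192.168.10.0/24 and 192.168.20.0/24 are assumed values, since the thread does not list them.

```python
import ipaddress
import re

# Constructed sample approximating `pfctl -sn` output with automatic outbound
# NAT on OPNsense: only the LAN interface network (172.16.16.0/29) is covered.
AUTO_NAT_RULES = """\
nat on pppoe0 inet from 172.16.16.0/29 to any port = isakmp -> (pppoe0:0) static-port
nat on pppoe0 inet from 172.16.16.0/29 to any -> (pppoe0:0) port 1024:65535
"""

# Same ruleset after manual outbound NAT rules were added for the routed VLANs.
MANUAL_NAT_RULES = AUTO_NAT_RULES + """\
nat on pppoe0 inet from 192.168.10.0/24 to any -> (pppoe0:0) port 1024:65535
nat on pppoe0 inet from 192.168.20.0/24 to any -> (pppoe0:0) port 1024:65535
"""

# VLAN subnets behind the USG, i.e. the destinations of the static routes via
# 172.16.16.2. Assumed values; the thread does not name the VLAN subnets.
ROUTED_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]

NAT_RE = re.compile(r"^nat on (\S+) inet from (\S+) to ")


def nat_sources(pfctl_output, wan_if):
    """Return the source networks of all outbound NAT rules on wan_if."""
    nets = []
    for line in pfctl_output.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(1) == wan_if:
            src = "0.0.0.0/0" if m.group(2) == "any" else m.group(2)
            nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def unnatted_subnets(pfctl_output, wan_if, routed_subnets):
    """Return the routed subnets that no outbound NAT rule on wan_if covers.
    Packets from these leave the WAN with a private source address, so replies
    never come back: the tracert stops at OPNsense exactly as in the thread."""
    sources = nat_sources(pfctl_output, wan_if)
    missing = []
    for cidr in routed_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(s) for s in sources if s.version == net.version):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    print("Uncovered with automatic NAT:", unnatted_subnets(AUTO_NAT_RULES, "pppoe0", ROUTED_SUBNETS))
    print("Uncovered with manual NAT:   ", unnatted_subnets(MANUAL_NAT_RULES, "pppoe0", ROUTED_SUBNETS))
```

On a real box, feed the function the actual output of `pfctl -sn` and the destination networks of the static routes from System -> Routes.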