VLAN not isolated

Started by opnessense, July 06, 2025, 06:46:19 PM

July 06, 2025, 06:46:19 PM Last Edit: July 06, 2025, 08:25:50 PM by opnessense
Hello all,

My setup:
OPNsense acts as the gateway
Switch: USW Lite 8 PoE
Two UniFi U6 Pro wireless APs
From OPNsense I have set up a bunch of VLANs with my LAN network as the parent.
I have created the interfaces, DHCP server and firewall rules for every single VLAN.

In the firewall rules I have a rule which blocks connections to internal private IPs, so I should be isolated from the rest of my network.
That is strange, because I can ping any other VLAN and the firewall.


Is this something that I need to modify on the switch side? Or do I need to buy a UniFi switch that supports ACL capabilities?

I'm confused.

Has anybody encountered this scenario?

Please help.

Quote from: opnessense on July 06, 2025, 06:46:19 PM
In the firewall rules I have a rule which blocks connections to internal private IPs.
The screenshot just shows a rule which allows anything else, but no block rule.

Do you have a floating rule, or one on an interface group which this interface is a member of, allowing the access? Remember that these rules take precedence over interface rules.
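As an added example (my own, not code from this thread or from the OPNsense project), a small POSIX shell audit over a pf ruleset listing in `pfctl -sr` format. It shows the precedence point made above: OPNsense places floating rules before interface-group and interface rules, and pf honours the first matching `quick` rule, so a floating `pass ... from any to any` rule makes every later per-VLAN block rule unreachable. The ruleset, interface names (`igc0_vlan10`, `igc0_vlan20`), the `PrivateNetworks` table and the labels are constructed for this example, not taken from the poster's firewall.

```shell
#!/bin/sh
# Added example (not from the thread or from OPNsense): audit a pf ruleset
# listing for "pass ... quick" rules that match any source to any destination
# and report the block rules they shadow. pf applies the first matching "quick"
# rule, and OPNsense emits floating rules first, so a stray floating
# "allow anything" rule wins over every per-VLAN block rule after it.
#
# The ruleset below is constructed for this example; interface names, the
# PrivateNetworks table and the labels are made up for readability. On a real
# box feed the live ruleset instead:   pfctl -sr | shadowed_blocks
SAMPLE_RULES='block drop in log inet all label "Default deny / state violation rule"
pass in quick inet from any to any flags S/SA keep state label "floating: allow anything (the stray rule)"
pass in quick on igc0_vlan10 inet proto icmp from 192.168.10.0/24 to (igc0_vlan10) keep state label "vlan10: ICMP to firewall"
block drop in quick on igc0_vlan10 inet from 192.168.10.0/24 to <PrivateNetworks> label "vlan10: block RFC1918"
pass in quick on igc0_vlan10 inet from 192.168.10.0/24 to any flags S/SA keep state label "vlan10: allow anything else"
block drop in quick on igc0_vlan20 inet from 192.168.20.0/24 to <PrivateNetworks> label "vlan20: block RFC1918"
pass in quick on igc0_vlan20 inet from 192.168.20.0/24 to any flags S/SA keep state label "vlan20: allow anything else"'

# Print every "pass" rule that places no restriction on source or destination.
find_permissive_pass() {
    awk '/^pass / && / from any to any/'
}

# Print every "block" rule that follows a permissive "pass ... quick" rule
# applying to the same interface, or to all interfaces (no "on <if>" clause,
# which is what a floating rule without interface selection looks like).
# Those block rules can never match: the earlier quick pass already accepted
# the packet.
shadowed_blocks() {
    awk '
    function iface(line) {
        if (match(line, / on [^ ]+/)) return substr(line, RSTART + 4, RLENGTH - 4)
        return "any"
    }
    /^pass / && / quick / && / from any to any/ { permissive[iface($0)] = 1; next }
    /^block / { if (permissive["any"] || permissive[iface($0)]) print }'
}

# Wrappers over the constructed sample that return a count for checking.
count_permissive_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_permissive_pass | grep -c .
}
count_shadowed_sample() {
    printf '%s\n' "$SAMPLE_RULES" | shadowed_blocks | grep -c .
}

echo "Permissive pass rules:"
printf '%s\n' "$SAMPLE_RULES" | find_permissive_pass
echo
echo "Block rules shadowed by them:"
printf '%s\n' "$SAMPLE_RULES" | shadowed_blocks
```

Against the sample, the audit reports the single floating rule and both `block RFC1918` rules as shadowed by it. On the firewall itself the same functions can be fed the live ruleset with `pfctl -sr`. Note that removing the offending rule does not end sessions that already have a state entry, which is why flushing states (Firewall > Diagnostics > States in the GUI, or `pfctl -F states` on the console) belongs in the re-test.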

July 06, 2025, 07:46:52 PM #2 Last Edit: July 06, 2025, 07:52:19 PM by opnessense

The idea was that there is some other rule allowing the traffic.

If only the shown rules are applied to the interface, I don't expect OPNsense to reply to pings from it.

You can also try to flush the states.

Hi viragomann,

How do I flush the states in OPNsense?

I'm not sitting in front of a GUI, but it should be somewhere in Firewall > Diagnostic > States.

July 06, 2025, 08:16:30 PM #6 Last Edit: July 06, 2025, 08:21:24 PM by opnessense
Thanks, I found it.
I found a strange rule set in the floating rules allowing anything from anywhere.
I deleted this rule and now my VLANs are isolated.

Thanks for the support, guys.

Run a pcap to see if the ping to OPNsense enters on the expected interface:
Interfaces > Diagnostic > Packet Capture

Select "InternalVM" and ICMP for the protocol and start the capture. Then try to ping the OPNsense interface from a connected device and check the result afterwards.

If there is nothing, the leak might be outside of OPNsense.