VLAN Issue

Started by ImpossibleEnd, July 14, 2025, 03:53:50 PM

Hey ppl,

I seem to be having an odd issue that I am banging my head against the wall trying to resolve.
I have 3 VLANs set up on OPNsense (20, 40, 60). When I try to ssh/https/ftp from VLAN 20 to VLAN 40, my ssh/https/ftp sessions drop out.
There are no issues with ping or traceroute.
If I talk to something on the same VLAN (aka don't hit the fw), everything is fine.
I'm guessing there is a setting or something I'm missing on OPNsense.
Any ideas or suggestions on things to try would be great.

thanks in advance.

This could be an asymmetric routing issue. Maybe your VLANs are not fully isolated outside OPNsense.

Do you see any related blocks in the firewall log?
Ensure "Default block" is checked in Firewall: Settings: Advanced.

Quote from: viragomann on July 14, 2025, 05:00:47 PM
This could be an asymmetric routing issue. Maybe your VLANs are not fully isolated outside OPNsense.

Do you see any related blocks in the firewall log?
Ensure "Default block" is checked in Firewall: Settings: Advanced.



Turns out I do.
The green line is when I ssh to the server.
Then I get dropped packets when ssh drops out.
I tried changing the firewall optimisation to conservative, but it still drops out; it just takes longer to drop out.
I also tried changing "bypass firewall rules for traffic on the same interface", seeing as all the VLANs are coming off one physical network port, but it still drops out.




I'm wondering why there are packets with exactly the same source address and port and the same destination address and port on different interfaces.

Maybe some information about your network setup can shed some light.

July 16, 2025, 01:59:27 PM #4 Last Edit: July 16, 2025, 02:01:38 PM by ImpossibleEnd
I use two interfaces:

Port 1 = WAN
Port 2 = MGMT (native vlan 40)
Port 2 = DATA (tagged vlan 20)
Port 2 = IOT (tagged vlan 60)

here is a rough network map of my network



Let me know what other info you are looking for and I can provide it.

It doesn't matter if I am on wifi or ethernet; the same thing happens.
It also doesn't matter which switch/AP I am connected to.

Don't use a native VLAN with OPNsense/FreeBSD if possible. Run all interfaces tagged.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Your filter log shows the same connection on different VLANs. So I suspect that something outside is leaking the VLANs.
I don't think that you can solve this on OPNsense.
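The observation viragomann makes twice in this thread (the same source address/port and destination address/port logged on different interfaces, with the blocks landing on the interface that did not see the start of the connection) can be checked mechanically rather than by eyeballing the log view. The script below is an added example, not code from the thread or from OPNsense. It works on constructed sample lines in an assumed, simplified comma-separated layout (interface, action, direction, protocol, source, destination, source port, destination port), not OPNsense's actual filterlog field order, so the parser would need adjusting before use on a real export. It groups entries by 5-tuple and reports every flow that appears on more than one interface, together with the actions logged per interface. A flow passing on the VLAN 20 interface while being blocked on the untagged MGMT interface matches what the thread describes: packets for an existing connection arriving on an interface that holds no state for them and falling to the default block, which points at a leak outside the firewall rather than at a rule.

```python
"""Flag logged connections whose packets were seen on more than one interface."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample lines (not real OPNsense output). The comma-separated
# layout is an assumption for this example, loosely modelled on pf's filterlog
# style: interface,action,direction,proto,src,dst,sport,dport
# Interface names are likewise made up for the topology in the thread.
SAMPLE_LOG = """\
igb1_vlan20,pass,in,tcp,192.168.20.10,192.168.40.5,51234,22
igb1_vlan20,pass,in,tcp,192.168.20.10,192.168.40.5,51234,22
igb1,block,in,tcp,192.168.20.10,192.168.40.5,51234,22
igb1,block,in,tcp,192.168.20.10,192.168.40.5,51234,22
igb1_vlan20,pass,in,icmp,192.168.20.10,192.168.40.5,,
igb1_vlan60,pass,in,tcp,192.168.60.7,192.168.40.5,44000,443
"""

# proto, src, dst, sport, dport
Flow = Tuple[str, str, str, str, str]


def parse_line(line: str) -> dict:
    """Split one log line into named fields (assumed layout, see above)."""
    fields = line.strip().split(",")
    if len(fields) != 8:
        raise ValueError(f"unexpected field count in line: {line!r}")
    keys = ("iface", "action", "direction", "proto", "src", "dst", "sport", "dport")
    return dict(zip(keys, fields))


def flow_key(rec: dict) -> Flow:
    """Identity of a connection regardless of which interface logged it."""
    return (rec["proto"], rec["src"], rec["dst"], rec["sport"], rec["dport"])


def find_cross_interface_flows(log_text: str) -> Dict[Flow, Dict[str, Set[str]]]:
    """Return flows logged on more than one interface, with actions per interface."""
    seen: Dict[Flow, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        seen[flow_key(rec)][rec["iface"]].add(rec["action"])
    # Keep only flows that showed up on two or more interfaces.
    return {
        flow: {iface: set(actions) for iface, actions in per_iface.items()}
        for flow, per_iface in seen.items()
        if len(per_iface) > 1
    }


def report(log_text: str) -> List[str]:
    """Human-readable summary, one line per suspicious flow."""
    out = []
    for flow, per_iface in sorted(find_cross_interface_flows(log_text).items()):
        proto, src, dst, sport, dport = flow
        ifaces = ", ".join(
            f"{iface} ({'/'.join(sorted(actions))})"
            for iface, actions in sorted(per_iface.items())
        )
        out.append(f"{proto} {src}:{sport} -> {dst}:{dport} seen on {ifaces}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample data the only flagged flow is the SSH session from VLAN 20 to the MGMT host, passed on the tagged VLAN 20 interface and blocked on the untagged parent interface. Running the same grouping over a real export (after adapting `parse_line` to the actual field order) separates a rule problem, where the block shows up on the same interface as the pass, from a leak, where the same connection turns up on two interfaces.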