Topic: Clean install won't allow internal VLANs to connect to internet (Read 5463 times)
jjduru
« on: May 27, 2019, 07:19:27 am »
Howdy,
My internal network has 5 VLANs:
192.168.1.0/24 - management VLAN
192.168.10.0/24 - main VLAN - opnsense has its LAN IP in this one.
192.168.20.0/24 - storage VLAN
192.168.30.0/24 - wifi VLAN
192.168.40.0/24 - telephony VLAN
The opnsense firewall has its internal LAN IP set to 192.168.10.1, so it's in the .10.0/24 (aka main VLAN) and, as such, all the devices on that VLAN are able to connect to the internet with no problem - right after the clean install of opnsense, with no additional firewall rules.
Now the tricky part: for the rest of the VLANs (at least in pfsense) I used to create a GW pointing to the switch's main IP (192.168.10.254) and add static routes to instruct the pfsense to send the replies for those VLAN networks through the newly added GW IP (192.168.10.254 one). The last step would be to add firewall rules on the LAN interface and allow the traffic to and from the said VLANs. After these steps all the devices in the network are able to reach the interwebz.
In opnsense, the same reproducible set up does not work. I've twice tried a clean install and the above steps and verified my logic, to no avail. The steps that function flawlessly in pfsense produce no good result in opnsense.
What strikes me is that the firewall live view log says that the Wifi VLAN requests are showing as if they are originating from the firewall itself and not from the internal network.
What am I missing here? Is the firewall set up different in OPNSense vs what it was in pfsense?
I'd like very much to use opnsense so I could put to work the QoS prioritization wizard.
jjduru
« Reply #1 on: May 27, 2019, 07:21:12 am »
Just to get this out of the way: clean install means that my opnsense firewall is running on the latest stable version (as of 27-May-2018) and has the latest updates applied.
« Last Edit: May 27, 2019, 07:29:18 am by jjduru »
jjduru
« Reply #2 on: May 29, 2019, 04:03:52 am »
I think I know why this is happening.
In pfsense, after a complete set up, I noticed that under the "Firewall/Nat/Outbound" menu, the automatic NAT rules are being updated to reflect the newly added static routes, as follows:
- first entry:
interface: WAN
Source: 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24 192.168.10.0/24
Source Port: *
Destination: *
Destination Port: 500
NAT Address: WAN address
NAT Port: *
Static Port: v (check mark)
Description: Auto created rule for ISAKMP
- second entry
interface: WAN
Source: 127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 192.168.30.0/24 192.168.40.0/24 192.168.10.0/24
Source Port: *
Destination: *
Destination Port: *
NAT Address: WAN address
NAT Port: *
Static Port: some cross path sign
Description: Auto created rule
The important bit in all this info is the "Source" networks: they are being updated to reflect the newly added network rules in the LAN rules section. A NAT for each of the networks.
In opnsense, after I added the firewall rules for the LAN interface, the automatic NAT tab has not been updated. This would correlate with what I've seen in the live view firewall log, where the VLAN30/wifi network requests were showing up as originating on the firewall itself and not from the internal LAN/VLAN. In other words, the opnsense is not executing the NAT for any of the VLANs, except for the native VLAN10.
So the real question is: is this a bug or are there any more steps that I should've performed after implementing the firewall rules?
Thank you in advance.
« Last Edit: May 29, 2019, 04:40:50 pm by jjduru »
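The comparison made in the post above, as an added example that is not part of the original thread: for each VLAN it checks that a return route exists through a gateway on a directly connected network and that the subnet appears in the outbound NAT source list. The subnets, gateway and pfsense source list are the ones quoted in the thread; `LAN_ONLY_NAT` is a constructed list representing the poster's hypothesis (it was not captured from OPNsense), and the function names are hypothetical.

```python
import ipaddress as ip

# Addresses below are the ones given in the thread.
CONNECTED = [ip.ip_network("192.168.10.0/24")]   # firewall LAN, 192.168.10.1
VLANS = {"management": "192.168.1.0/24", "main": "192.168.10.0/24",
         "storage": "192.168.20.0/24", "wifi": "192.168.30.0/24",
         "telephony": "192.168.40.0/24"}
# Static routes for the non-LAN VLANs via the switch IP, as described in the first post.
STATIC_ROUTES = {cidr: "192.168.10.254" for name, cidr in VLANS.items() if name != "main"}
# "Source" column of the automatic outbound NAT rule quoted from pfsense.
PFSENSE_NAT = ("127.0.0.0/8 ::1/128 192.168.1.0/24 192.168.20.0/24 "
               "192.168.30.0/24 192.168.40.0/24 192.168.10.0/24")
# Constructed (assumption): the source list if only the LAN network were included.
LAN_ONLY_NAT = "127.0.0.0/8 ::1/128 192.168.10.0/24"

def covered(net, candidates):
    """True if net lies inside one of the candidate networks (same IP version)."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)

def audit(nat_sources, static_routes):
    """Return {vlan name: [problems]}; an empty list means the VLAN checks out."""
    sources = [ip.ip_network(tok) for tok in nat_sources.split()]
    routes = {ip.ip_network(n): ip.ip_address(g) for n, g in static_routes.items()}
    report = {}
    for name, cidr in VLANS.items():
        net, problems = ip.ip_network(cidr), []
        if not covered(net, CONNECTED):  # needs a return route via a reachable gateway
            gw = next((g for r, g in routes.items() if covered(net, [r])), None)
            if gw is None:
                problems.append("no return route")
            elif not any(gw in c for c in CONNECTED):
                problems.append("gateway not on a connected network")
        if not covered(net, sources):    # traffic would leave WAN untranslated
            problems.append("not in outbound NAT sources")
        report[name] = problems
    return report

if __name__ == "__main__":
    for label, nat in (("pfsense list", PFSENSE_NAT), ("LAN-only list", LAN_ONLY_NAT)):
        print(label)
        for name, problems in audit(nat, STATIC_ROUTES).items():
            print(f"  {name:<11} {', '.join(problems) or 'ok'}")
```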