Port forwarding

[cranky]

I think you need to share a bit more about your network setup. You’ve obviously got another router in the mix?

how is that obviously? there is nothing pointing to that info?

i have no other routing in the network. Opnsense(10.0.0.1) <vlan15(10.0.1.x)> - switch - <vlan15> - client. (10.0.1.200)

@cranky
looks like port forward works. something with reply (routes, reply-to or some)
I join @Greelan's question about routes and another question: where is the connection checked from?

No, no other routing in the network. only opnsense and switch to client.

ISP -> MODEM(Bridge) ->  Opnsense -> Switch -> Client.

Switch Setup :
Port 1 - Cable to Opnsense
Port 3/5 Cables to Clients.
VLAN1 Untagged (all ports)
VLAN 15 Tagged 1,3,5.



If i remove opnsense, and replace it with dd-wrt, problem is gone. (same setup, without vlan)
So im thinking its in the vlan setup?

[Fright]

ISP -> MODEM(Bridge) ->  Opnsense -> Switch -> Client

ok. from what point you testing this connections? between Opnsense and ISP or from internet?

[cranky]

From internet. (VPS in datacenter) also Bnet just shows all ports are closed too (from outside).

As im reading it now, my switch is setup wrong.
Im rusty in vlan configuring. and confused cause all ports are standard vlan1 untagged? (so all are access port on vlan1?) (can i remove the untagged vlan1? i mean im not using vlan1, or is the switch depending on vlan1 for the switching?)
Im also getting confused by the PVID setup, they are all set to PVID 1.
So the switch is standard ootb untagged VLAN1 all ports, and PVID 1 on all ports.
From opnsense i just use LAN, and one VLAN(15) (to begin with).



So setup now :

PORT 1 = PVID 1 / UNTAGGED 1 / TAGGED 15
PORT 2 = PVID 1 / UNTAGGED 1
PORT 3 = PVID 15 / UNTAGGED 15
PORT 4 = PVID 1 / UNTAGGED 1
PORT 5 = PVID 15 / UNTAGGED 15
PORT 6 = PVID 1 / UNTAGGED 1
PORT 7 = PVID 1 / UNTAGGED 1
PORT 8 = PVID 1 / UNTAGGED 1
PORT 9 = PVID 1 / UNTAGGED 1
PORT 10 = PVID 1 / UNTAGGED 1
PORT 11 = PVID 1 / UNTAGGED 1
PORT 12 = PVID 1 / UNTAGGED 1
PORT 13 = PVID 1 / UNTAGGED 1
PORT 14 = PVID 1 / UNTAGGED 1
PORT 15 = PVID 1 / UNTAGGED 1
PORT 16 = PVID 1 / UNTAGGED 1


Port 3/5 = cable to clients (this should be untagged 15 with PVID 15 right?)
Port 1 = cable to opnsense (this should be tagged 15 right?) (what to do with the standard VLAN1?)
I did not setup VLAN PVID 1 , its native in the switch.

[Fright]

1 = cable to opnsense (this should be tagged 15 right?)

trunk native vlan 1
trunk allowed vlan add 1,15

[cranky]

1 = cable to opnsense (this should be tagged 15 right?)

trunk native vlan 1
trunk allowed vlan add 1,15

haha sadly i dont have console (its a netgear web gui).
So on port1 i get tagged 1+15? if i change the untagged 1 to tagged it drops the LAN traffic :/

[Patrick M. Hausen]

@cranky "native VLAN" means untagged. So you get untagged frames for VLAN 1 and tagged ones for VLAN 15 on that port. For OPNsense/FreeBSD that means VLAN 1 is in the parent interface and VLAN 15 on the VLAN interface.

Unfortunately from what I read on the forum some things don't quite work as intended when you mix untagged and tagged frames on the same interface and try to use different firewall rules or DHCP server settings on both.

IMHO (30 years of practice as a network engineer) the concept of a "native VLAN" and untagged frames on a trunk port at all is a huge design mistake and I always avoid them. In my data centre as well as at home. If I implement VLANs then on the trunks everything is tagged and the "native VLAN" - if the switch in question insists on using that concept like e.g. Cisco does - is set to some dummy value that is not used anywhere else.

HTH,
Patrick

[cranky]

@cranky "native VLAN" means untagged. So you get untagged frames for VLAN 1 and tagged ones for VLAN 15 on that port. For OPNsense/FreeBSD that means VLAN 1 is in the parent interface and VLAN 15 on the VLAN interface.

Unfortunately from what I read on the forum some things don't quite work as intended when you mix untagged and tagged frames on the same interface and try to use different firewall rules or DHCP server settings on both.

IMHO (30 years of practice as a network engineer) the concept of a "native VLAN" and untagged frames on a trunk port at all is a huge design mistake and I always avoid them. In my data centre as well as at home. If I implement VLANs then on the trunks everything is tagged and the "native VLAN" - if the switch in question insists on using that concept like e.g. Cisco does - is set to some dummy value that is not used anywhere else.

HTH,
Patrick

So if i read this correctly, i should ignore VLAN1 at all? remove all the untagged on all ports?
Then make a vlan for normal LAN? lets say 16? and then tag 16 and 15 on port 1? (trunk to opnsense)

[Patrick M. Hausen]

On the trunk I would run everything as tagged and not use VLAN 1 at all - correct. That's exactly what I do in my setup here.

But "remove untagged on all ports" as you put it won't work for end systems that do not participate in trunking. A port based VLAN 15 port will still be untagged so you can connect a system you want in that particular VLAN and nowhere else.

"Remove untagged for all trunk ports" is what I recommend.

[cranky]

On the trunk I would run everything as tagged and not use VLAN 1 at all - correct. That's exactly what I do in my setup here.

But "remove untagged on all ports" as you put it won't work for end systems that do not participate in trunking. A port based VLAN 15 port will still be untagged so you can connect a system you want in that particular VLAN and nowhere else.

"Remove untagged for all trunk ports" is what I recommend.

i meant remove all untagged vlan1 on all ports...?
So then i only have vlan15 tagged on port 1 , untagged on port 3+5

What i did now is remove all untagged 1 on all ports.
Made a new vlan (16) and tagged port 1, and untagged all other ports (except 3+5 (untagged vlan15).
This seems to work.
However my native lan (10.0.0.1) is now not in use.

Im going to test if forwards are working now.

[Patrick M. Hausen]

Exactly. Native VLAN not in use. It's an inconsistent and dangerous feature. My opinion, of course.

[marjohn56]

Agree, if its not tagged it should not be on the trunk.

[cranky]

So i just tested forwarding, im not getting anything opened, i'm going to capture local traffic on the client tomorow, see if the ports get to the client or not.

[cranky]

So i just tested forwarding, im not getting anything opened, i'm going to capture local traffic on the client tomorow, see if the ports get to the client or not.

So i tried to do a capture on my client pc, sadly the program crashes if i have wireshark running :/
if i cose wireshark, program runs fine.

What can i do to figure this forwarding out once and for all? I'm pulling my hair out over this.

Also im seeing traffic running into a default rule block, but i have rules allowing the traffic?
(see screenshot)

[cranky]

So i just removed all the forwards, installed upnp, and let that take care of it, sadly this doesnt open require ports either?
Im really lost here, maybe im running into hardware issues? maybe my nic isnt tagging vlan properly? i have no idea what to do here.

Port forwards did work when i wasnt using vlan's

[cranky]

So i just removed all the forwards, installed upnp, and let that take care of it, sadly this doesnt open require ports either?
Im really lost here, maybe im running into hardware issues? maybe my nic isnt tagging vlan properly? i have no idea what to do here.

Port forwards did work when i wasnt using vlan's

I just reinstalled the machine, and switched re0 for WAN en em0 for LAN.
This doesnt help sadly, still im getting no port forwards to work.
i reset everything back to no VLAN at all.
Still battlenet is moaining about strict nat.