Rule required for downstream networks

Started by tech101us, July 10, 2023, 04:32:46 AM

Running the latest OPNSense release. Basic network layout with only two interfaces on the firewall (LAN/WAN). LAN subnet is 172.16.8.0/24 with the firewall itself being .1

Have an L3 switch in place doing some inter-VLAN routing for the VLAN subnets. The VLAN SVIs are the default gateways for the relevant VLANs, with the switch itself pointing to the OPNSense firewall (172.16.8.1/24) as its default route.

Was running OpenWRT in the past prior to switching to OPNSense, and this setup worked fine. I have the routes in place (switch pointing to OPNSense for its default route, OPNSense pointed to the SVI on the switch on the 172.16.8.0/24 subnet for the IP subnets associated with the other VLANs on the switch).

I'm seeing firewall logs indicating it is blocking traffic from the subnets associated with the VLANs on the switch other than the local subnet (172.16.8.0/24). It's some sort of "default deny/invalid state" error.

Note that I did switch the NAT to Hybrid, and created an Outbound translation rule for the VLAN subnets on the switch other than the local 172.16.8.0/24 (one such subnet is 192.168.9.0/24).

Besides the routes and the Outbound NAT entry, do I need some other specific rules to allow traffic from IPs not on an interface local to the firewall to traverse the firewall? Is there something I need to do to define the other internal subnets as "LAN" traffic that should be permitted to and through the firewall?

Thanks so much. Appreciate any thoughts anyone has.

Do your allow rules on LAN use a source of "*" or a source of "LAN net"? The latter is strictly the single locally connected network on the LAN interface. So if you are using that you might want to change it to "*" or create an alias that contains all your VLANs and use that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
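To make the "LAN net" versus alias distinction concrete, here is an added example (not from this thread or from OPNsense itself) that models first-match rule evaluation on the LAN interface with the subnets from the question; the alias name "InternalNets" is a hypothetical one you would create yourself.

```python
"""Model of how an OPNsense LAN pass rule treats routed downstream subnets.

Added illustration, not OPNsense code: "LAN net" expands only to the
subnet configured on the LAN interface, so hosts behind the L3 switch
(e.g. 192.168.9.0/24) never match it and fall through to default deny.
An alias listing every internal subnet (or a source of "*") matches them.
"""
from ipaddress import ip_address, ip_network

# Constructed topology from the thread: LAN interface 172.16.8.1/24,
# VLAN subnets routed through the switch SVI, 192.168.9.0/24 among them.
LAN_NET = ip_network("172.16.8.0/24")
# Hypothetical alias "InternalNets" containing all internal subnets.
INTERNAL_NETS = [ip_network("172.16.8.0/24"), ip_network("192.168.9.0/24")]


def source_matches(src: str, spec) -> bool:
    """spec is "*", "LAN net", or a list of networks (an alias)."""
    addr = ip_address(src)
    if spec == "*":
        return True
    if spec == "LAN net":
        # Only the directly connected LAN subnet, nothing routed behind it.
        return addr in LAN_NET
    return any(addr in net for net in spec)


def evaluate(rules, src: str) -> str:
    """First-match evaluation; an unmatched packet hits the default deny."""
    for action, spec in rules:
        if source_matches(src, spec):
            return action
    return "block (default deny)"


RULES_LAN_NET = [("pass", "LAN net")]       # the original, failing ruleset
RULES_ALIAS = [("pass", INTERNAL_NETS)]     # the fix suggested above

if __name__ == "__main__":
    for src in ("172.16.8.50", "192.168.9.20"):
        print(src, "| LAN net rule:", evaluate(RULES_LAN_NET, src),
              "| alias rule:", evaluate(RULES_ALIAS, src))
```

Running it shows the 192.168.9.20 host blocked under the "LAN net" rule and passed under the alias rule, which is exactly the "default deny" log entry described in the question.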

Amazing...
That was it. Thanks so much @pmhausen. You saved me a lot of angst...
---
Quote from: pmhausen on July 10, 2023, 05:27:20 AM
Do your allow rules on LAN use a source of "*" or a source of "LAN net"? The latter is strictly the single locally connected network on the LAN interface. So if you are using that you might want to change it to "*" or create an alias that contains all your VLANs and use that.