Traffic from LAN -> OPT

[s3c]

Hello.  I have a Protectli 4 port and configured interfaces at initial opnsense CLI install.  I've tried searching around for similar questions but nothing that I've found seems to be working.  I'd like to communicate between interfaces and I'm having a tough time getting it working.  For starters, I want to be able to connect to machines on an OPT interface (LAB) from computers on my LAN interface.  I've tried various any anys in and out on both interfaces to no avail... Thanks for any assistance. 

[Sorjal]

First place to start would be setting up rules for the OPT interface's firewall.

To start, what I did was close the IPv4 rule that OPNsense creates by default. When you are configuring that clone, you can then change the interface to be OPT and the source to be OPT network. Then you can check if devices for the OPT port can say go to google the same as anything plugged into LAN.

For cross port communication, I'm not overly experienced and learning myself, so I'd guess you would need to ensure that the local addresses would be resolved by any dns requests sent (the register addresses check box)

I added additional rules that might be unnecessary given the allow to any, but a allow IPv4 from the opt network dhcp range out of firewall to lan dhcp range in the lan firewall rules and the reverse in the opt rules (lan range out to opt range) mostly so I can ping across in case of some configuration issue and connect a system directly to the opt port. Normally, what resides on that port is our solar panel system reporting out it's information to a monitoring service and all our other devices are on the lan port. I did have these rules to have logging enabled just to see if there was any weird traffic, but there hasn't been any that wasn't created by me (pinging the solar panel controller).

Routing should be created by OPNsense, so I don't think there's anything else you need to do there. With this setup I can ping the sole device that is connect to my opt port from my desktop using it's wifi connection to the lan port without issue. I haven't tried any other types of cross-communication as it's info is simply sent out to the monitoring service and I have no direct interactions with it.  I set it up on the OPT port so it didn't create any additional slow downs (it's only 100m ethernet) by connecting it through say a port on my wifi access point and through the lan.

If you need multicast and similar, that I'm unsure of as I know there's a plug in for it but there's no need to relay multicast and similar message with my current setup and haven't messed with it.

Someone with more experience and know-how can likely provide a better answer with additional suggestions, but this might get you started for now.

[CJ]

Hello.  I have a Protectli 4 port and configured interfaces at initial opnsense CLI install.  I've tried searching around for similar questions but nothing that I've found seems to be working.  I'd like to communicate between interfaces and I'm having a tough time getting it working.  For starters, I want to be able to connect to machines on an OPT interface (LAB) from computers on my LAN interface.  I've tried various any anys in and out on both interfaces to no avail... Thanks for any assistance.

The default rules should allow you to do this with no changes.  LAN has access to everything.  If it's not working then something you've changed broke it.

Keep in mind that the OPT interface will default to no communication allowed.  This means that if you wish to use DHCP, DNS, etc, you'll have to add rules to allow the OPT subnet to have access to the appropriate OPNSense ports.

I would recommend doing a reinstall and starting from the defaults as that will give you a good known state to start from.  Once there you can post what isn't working and it will provide easier troubleshooting.  More details of what you're attempting to do would be helpful as well.

[cookiemonster]

> The default rules should allow you to do this with no changes.  LAN has access to everything.
I believe a rule is needed on every new network created by the addition of a new interface. LAN doesn't get access to them by default and this is what the OP needs.
On OPT interface you need a rule:
Action: pass
Interface : OPT
Direction : in
TCP and Protocol : to your needs
Source: LAN net
Destination: OPT net

[passeri]

Cookiemonster, should that not be IN to the LAN interface, creating the rule on the LAN interface?

For example, I have a rule (which works)
Action: pass
Quick; [√]
Interface: LAN
Direction: in
TCP/IP: (as required)
Protocol: any
Source: LAN net
Destination: (any in my case, 'OPT net' in s3c's case)
Dest port range: any to any

[cookiemonster]

yes, apologies both.

[passeri]

That's a relief. I am pretty new to this so this was no time to have my rules world up-ended!

[meyergru]

Keep in mind that the OPT interface will default to no communication allowed.  This means that if you wish to use DHCP, DNS, etc, you'll have to add rules to allow the OPT subnet to have access to the appropriate OPNSense ports.

That is incorrect: The default automatic rules will allow DNS, DHCP, IPv6 RFC4890 requirements, CARP defaults, and even allow outgoing traffic to WAN. Some other rules for Crowdsec and virusprot are there as well if the services are enabled (likewise with DHCP). For me, there were 20 automatic rules. Also, applicable floating rules will match. You can check this in the automatic and floating rules section for the interface.

But, there are no NAT rules and nothing else, like inter-VLAN traffic. This is enabled by a default initial rule on the LAN interface, which is missing from all other newly created interfaces.

[CJ]

> The default rules should allow you to do this with no changes.  LAN has access to everything.
I believe a rule is needed on every new network created by the addition of a new interface. LAN doesn't get access to them by default and this is what the OP needs.
On OPT interface you need a rule:
Action: pass
Interface : OPT
Direction : in
TCP and Protocol : to your needs
Source: LAN net
Destination: OPT net

The default LAN rule allows access to any/any from LAN.  Why would that not work to connect to a different interface?

[CJ]

Keep in mind that the OPT interface will default to no communication allowed.  This means that if you wish to use DHCP, DNS, etc, you'll have to add rules to allow the OPT subnet to have access to the appropriate OPNSense ports.

That is incorrect: The default automatic rules will allow DNS, DHCP, IPv6 RFC4890 requirements, CARP defaults, and even allow outgoing traffic to WAN. Some other rules for Crowdsec and virusprot are there as well if the services are enabled (likewise with DHCP). For me, there were 20 automatic rules. Also, applicable floating rules will match. You can check this in the automatic and floating rules section for the interface.

But, there are no NAT rules and nothing else, like inter-VLAN traffic. This is enabled by a default initial rule on the LAN interface, which is missing from all other newly created interfaces.

I was mistaken about DHCP and ICMP, but there are not automatic default rules to DNS and the Internet on a new interface.  It's been a while since I stood up a new interface but I just checked the automatic rules on mine.

Floating rules aren't part of the default install so that's why I didn't mention them.

EDIT: Looking through my rules, I think automatic DHCP rules were added at some point as it previously didn't provide access and a rule was required.

[cookiemonster]

> The default rules should allow you to do this with no changes.  LAN has access to everything.
I believe a rule is needed on every new network created by the addition of a new interface. LAN doesn't get access to them by default and this is what the OP needs.
On OPT interface you need a rule:
Action: pass
Interface : OPT
Direction : in
TCP and Protocol : to your needs
Source: LAN net
Destination: OPT net

The default LAN rule allows access to any/any from LAN.  Why would that not work to connect to a different interface?

Yes, it was my mistake.