(solved) Access Webgui from different subnet

[xman111]

Hey guys, new here, coming from PFsense.

I am trying to access the webgui (192.168.10.1) from my laptop (192.168.20.14).  Is there anything more i need than firewall rules from 192.168.20.0 to any?  i cannot connect.

any help would be appreciated.

[cookiemonster]

if system > settings > administration > Listen interfaces is set to All (recommended) then yes.

[xman111]

thanks for ther reply.. i do have that set and this is my rule for that subnet.. does this look right?

[doktornotor]

That rule
- matches way more than the webGUI access (destination: WLAN address, TCP port 443 or whatever you are using)
- will only work if you are connecting to the WLAN IP and the webserver is listening there, as already said above.
- will not work anyway if IPv6 is used on your network

Not really anything different here from pfS. "Cannot connect" is not useful description of the problem. Look at the firewall logs at least.

[xman111]

i was just trying to make a wide open rule to at least let me ping between subnets.   I also disabled all the ipv6 on my network as i thought that may be part of the problem.  In pfsense, i thought i just made a rule that allowed my laptop to any and it worked right away.  I literally worked on it for hours last night and couldn't get it working, lol.

[doktornotor]

Hmmm...

- firewall logs still missing
- rule on WLAN won't do any good if blocked by rules on another interface or floating
- disabling IPv6 on firewall does not disable it on any client. It only blocks all IPv6 traffic, if you mean the Firewall -> Settings -> Advanced -> Allow IPv6 checkbox. Certainly not a useful strategy at all. IPv6 has been preferred for ages by any reasonable OS out there.

[cookiemonster]

and you can connect successfully to it from a client on its LAN i.e. 192.168.10.0/24, right?
The rule looks very open but yes, that is all that should be needed in terms of rules.
But yes, I agree, turn on the logging of defaults temporarily to be sure.

[xman111]

yes I can connect to it directly.

something very weird.  I connected a laptop at 192.168.20.30 and setup a continuous ping to 192.168.10.1 and it was working. At the time I had my other laptop connected to the lan and it was getting an ip of 192.168.10.14. as soon as I disconnect my laptop from the Lan, the ping from the other laptop fails.  when I plug my laptop back to the lan, the ping works again. its acting like I am pinging the other laptop but I am actually pinging the 192.168.10.1 ip.

what setting is wrong here?

[doktornotor]

Good that you did not post any logs ever, even after they've been requested at least 3 times. Outta here. 

[xman111]

sorry man, have been out Christmas shopping for the kids and was on my phone, will try to post the log file.  thanks for trying anyways.

[xman111]

couldn't figure out how to download the logs so i just took a screenshot of it.  This is the laptop continuously trying to ping the firewall.  This is successful only when my other laptop is plugged into the lan.

[Patrick M. Hausen]

Of course! If nothing is plugged into LAN the interface is down and the IP address not reachable. Most people have a switch plugged in there so the interface stays up.

If you don't need a switch because you need only one wired port and your access point, why do you use two different networks and not a LAN bridge? That would solve your problem and behave like most consumer routers do.

[xman111]

Of course! If nothing is plugged into LAN the interface is down and the IP address not reachable

dude, that was it!!  i didn't realize that the interface goes down if nothing is plugged into it. 

I use all managed Cisco switches on my main network.  I am just trying to slowly move my config from Pfsense to Opnsense.  I have a mini pc running Opnsense with an old unifi AP connected to it.  I just wanted to be able to wirelessly login to Opnsense wifi and slowly work on setting up all my stuff without having a wire dangling across my room for my kids or dog to trip on.  I will just leave a switch plugged into it for the meantime.

thanks again, i am embarrased to say how much time i spent on this!!