VLAN can’t connect to Internet

Started by LtCol_Davenport, March 04, 2024, 10:19:49 AM

Hi,

I just set up my first VLAN.

I added it on the Firewall, Switch and AP (is for guest wireless).

I tried to connect to it with my phone: it is displayed, it connects, it gets an IP from DHCP, and looking at the firewall live logs it seems to reach outside, but it seems the traffic won't come back or gets dropped by the WAN interface cleanup rule.

What I did on the firewall was:

- Created the VLAN, the interface, and set the DHCP pool
- Added a rule in VLAN_Guest allowing Any-Any (for now, just for testing)
- Added a rule in WAN allowing source WAN, destination VLAN_Guest
- Disabled NAT from VLAN_Guest to WAN (as it seems it was NATting and I think it should not; NAT is done from WAN to the connected router)

But it won't work. Any idea what I am missing?

This VLAN is created on the LAN (real) interface. LAN works with no problem; this VLAN does not get to the internet.

Fun fact: I work every day with CheckPoint and Fortigate firewalls, and I cannot get a simple, free, open source program to work. It is frustrating.

Hi,

If you don't intend to run a server pool in your VLAN, please don't do this:
- Added a rule in WAN allowing source WAN, destination VLAN_Guest

For normal client internet access this is not needed and poses a security risk (esp. on IPv6).

Since you switched off NAT in an internal network, make sure your "connected router" has the appropriate routes to your VLAN's IP range. Otherwise, you will not see any traffic coming back.

Obviously fortigate and checkpoint do not prepare you for IP basics. :-)
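Saarbremer's point is that on a stateful firewall the state created by the outbound client connection is what lets the replies back in, so a "pass in on WAN to VLAN_Guest" rule adds nothing but exposure. As an added illustration that is not from the thread and not OPNsense's generated configuration (OPNsense builds its pf rules from the GUI), here is a hand-written pf.conf sketch of a guest VLAN with outbound NAT to the WAN address; the interface names, addresses and the choice of double NAT behind the ISP router are assumptions.

```pf
# Added example, not from the thread or from OPNsense. Interface names and
# addresses are assumed for illustration.
guest_if  = "vlan20"
wan_if    = "igb0"
guest_net = "192.168.20.0/24"
rfc1918   = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Outbound NAT of the guest VLAN to the WAN address. Behind an ISP router this
# is double NAT; without it the ISP router would need a route back to $guest_net.
nat on $wan_if inet from $guest_net to any -> ($wan_if)

# Default deny on every interface, including inbound on the WAN.
block all

# DHCP bootstrap: the client sends from 0.0.0.0:68 to broadcast:67.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67

# Guests may query the firewall's resolver (Unbound still needs an
# access-control entry for $guest_net, or it answers REFUSED / drops).
pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53

# Guest isolation: nothing else to the firewall itself or to other internal networks.
block in quick on $guest_if inet from $guest_net to ($guest_if)
block in quick on $guest_if inet from $guest_net to $rfc1918

# Everything else from the guest VLAN may leave. The state created here admits
# the replies on $wan_if; no "pass in on $wan_if ... to $guest_net" is required.
pass in on $guest_if inet from $guest_net to any keep state
pass out on $wan_if keep state
```

The order matters: the `quick` rules for DHCP and DNS sit above the isolation blocks, and the isolation blocks sit above the catch-all pass, so a guest can reach the resolver but not the firewall's GUI or the LAN. Adding the inbound WAN rule from the original post would, on a public IPv6 prefix, expose every guest device directly to the internet.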

Thanks for the WAN rules suggestion as I was not sure about it.

I disabled the NAT because it already occurs later down the chain and didn't want to double NAT.

Thanks also for the router suggestion. It is not a matter of basic IP knowledge, but a wrong assumption about a router that's not mine. That is my ISP router, and in the login page I found no section about routes, so I thought it would at least send all private networks inside, even if not directly connected.

But apparently not.

So I think now I have 3 options:

- Enable NAT for that VLAN. But that would be double NAT (I think)

- Put a better router between my ISP router and my firewall that supports routes.

- Replace my ISP router with a better one.


Am I missing something?

Actually, your three options boil down to 2 if you stick with another router.

- NAT within the RFC1918 range. Not very nice, but it works; as long as you just want to provide internet access, that's fine. In other cases it might get nasty. Depends on your scenario.

- Use a router at your network's edge (connection to the ISP) that is able to route the NAT'ed traffic accordingly.

If you could replace your ISP router with a simple modem that serves your OPNsense's WAN, that would be another option. In that case OPNsense uses the public WAN IP and everything is fine.

Quote from: Saarbremer on March 04, 2024, 04:02:15 PM

If you could replace your ISP router with a simple modem that serves your OPNsense's WAN, that would be another option. In that case OPNsense uses the public WAN IP and everything is fine.

I was looking at a DrayTek Vigor 167. It should be just a modem; would it be fine in your opinion?

I am sorry but my experience with xDSL modems is very limited. So I can't give you any evaluation on that. From the specs it sounds ok.

Quote from: Saarbremer on March 04, 2024, 08:16:43 PM
I am sorry but my experience with xDSL modems is very limited. So I can't give you any evaluation on that. From the specs it sounds ok.
Thank you very much for the help.

I'll try.

Do you have to have an ISP router in front of OPN? You might want to look for one that can be put in bridge mode; that way, all it does is terminate the xDSL connection. It would be good if you could find out the method it uses for the connection, i.e. PPPoE. It might be that you only need OPN.

Thanks for suggestions.

I solved the issue, and apparently it was a misconfiguration of Unbound DNS.

Some time ago I changed the default action to deny DNS, and I forgot to add this new network to the allow list for Unbound DNS queries.

So it was not a routing problem (not this time), since NAT on the WAN port was done correctly, it seems.

Anyway, I will probably look in any case at just a modem to pair with my firewall, so that I minimize the research area next time. Also, that ISP router I think is giving me some other troubles; moreover, it would be nice to have the public IP directly on the firewall. Is that possible with any modem, or should I look for something in particular?
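The root cause reported above, a resolver ACL with a deny default and a newly created VLAN that never made it onto the allow list, is easy to reproduce offline. The following is an added example, not code from the thread, from OPNsense or from Unbound: it evaluates `access-control:` entries the way the unbound.conf manual describes them (the most specific matching netblock wins; no match means refuse) and reports which client subnets would get no answers. The configuration text, subnets and client addresses are constructed for illustration.

```python
"""Added example (not from the thread): evaluate Unbound access-control entries
to find out why clients on a new VLAN get no DNS answers. The config text and
addresses below are constructed for illustration."""
import ipaddress

# Actions unbound.conf accepts for access-control
ACTIONS = {"allow", "allow_setrd", "allow_snoop", "deny", "refuse",
           "deny_non_local", "refuse_non_local"}

# Constructed config: default action "deny", explicit allow list, and the LAN
# present but the new guest VLAN (192.168.20.0/24) forgotten.
BROKEN_CONF = """
access-control: 0.0.0.0/0 deny
access-control: ::/0 deny
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: 192.168.1.0/24 allow     # LAN
"""
# The fix the thread describes: add the new network to the allow list.
FIXED_CONF = BROKEN_CONF + "access-control: 192.168.20.0/24 allow   # VLAN_Guest\n"


def parse_access_control(conf_text):
    """Return [(ip_network, action), ...] from the access-control: lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("access-control:"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[2].lower() not in ACTIONS:
            raise ValueError(f"malformed access-control line: {raw.strip()!r}")
        rules.append((ipaddress.ip_network(parts[1], strict=False), parts[2].lower()))
    return rules


def evaluate(rules, client_ip):
    """Unbound semantics: the most specific matching netblock decides; if no
    netblock matches, the query is refused."""
    addr = ipaddress.ip_address(client_ip)
    best_net, best_action = None, "refuse"
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_action = net, action
    return best_action


def subnets_without_dns(rules, client_subnets):
    """Probe the first host of each client subnet and list the subnets whose
    queries would not be answered (any non-allow action)."""
    missing = []
    for subnet in client_subnets:
        net = ipaddress.ip_network(subnet, strict=False)
        probe = next(net.hosts())
        if not evaluate(rules, str(probe)).startswith("allow"):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    broken = parse_access_control(BROKEN_CONF)
    fixed = parse_access_control(FIXED_CONF)
    interfaces = ["192.168.1.0/24", "192.168.20.0/24"]   # LAN and VLAN_Guest
    print("guest client before fix:", evaluate(broken, "192.168.20.50"))   # deny
    print("guest client after fix: ", evaluate(fixed, "192.168.20.50"))    # allow
    print("subnets without DNS:    ", subnets_without_dns(broken, interfaces))
    # A more specific entry overrides the /24 allow, so a single noisy guest
    # can be refused without touching the rest of the VLAN.
    one_host = fixed + [(ipaddress.ip_network("192.168.20.66/32"), "refuse")]
    print("single refused host:    ", evaluate(one_host, "192.168.20.66"))  # refuse
```

Running the script against the broken configuration shows the symptom exactly as the thread describes it: routing and NAT are fine, the firewall logs show outbound traffic, but every query from 192.168.20.0/24 hits the `0.0.0.0/0 deny` entry. Checking every interface subnet with `subnets_without_dns` after adding a VLAN catches the omission before a client does.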

If you tell us the answers to the questions I asked, it would be easier to help ;)

Quote from: cookiemonster on March 04, 2024, 10:23:00 PM
Do you have to have an ISP router in front of OPN? You might want to look for one that can be put in bridge mode; that way, all it does is terminate the xDSL connection. It would be good if you could find out the method it uses for the connection, i.e. PPPoE. It might be that you only need OPN.
Yes, I have my ISP router in front of my firewall. I am speaking about a private home network, not enterprise.

I tried looking inside, but it has an extremely simple GUI; I can barely see any options.

I may ask on some forums of the ISP and/or my provider directly for the ADSL parameters in order to configure a modem separately.

Quote from: cookiemonster on March 05, 2024, 10:26:17 AM
If you tell us the answers to the questions I asked, it would be easier to help ;)
I tried to answer as best as I can.

Ok for xDSL. It varies by what the ISP uses for authentication.
In the UK for instance, you can have PPPoE with username and password. Some ISPs use VLAN tags, some don't.
Some don't use PPPoE and don't use username/password, but instead what we used to call "full network authentication", which goes by the card/frame/port in the DSLAM or MSAN at the local exchange and could only be used by the physical cable reaching the customer's property.
Some examples of types. The router they provide will reflect this setup, and often you can just put those settings in OPN. OPN can do PPPoE with username/password, for instance, hence the question.
The ISP router usually shows if it is using username/password and the method it is using, even if the functionality will be very locked down, as you've already found. Look for an option to put it in bridge mode. It might or might not have it.
Essentially this would be the equivalent of having a modem only in front of OPN.

Quote from: cookiemonster on March 05, 2024, 03:53:25 PM
Ok for xDSL. It varies by what the ISP uses for authentication.
In the UK for instance, you can have PPPoE with username and password. Some ISPs use VLAN tags, some don't.
Some don't use PPPoE and don't use username/password, but instead what we used to call "full network authentication", which goes by the card/frame/port in the DSLAM or MSAN at the local exchange and could only be used by the physical cable reaching the customer's property.
Some examples of types. The router they provide will reflect this setup, and often you can just put those settings in OPN. OPN can do PPPoE with username/password, for instance, hence the question.
The ISP router usually shows if it is using username/password and the method it is using, even if the functionality will be very locked down, as you've already found. Look for an option to put it in bridge mode. It might or might not have it.
Essentially this would be the equivalent of having a modem only in front of OPN.
Just to be sure, I just contacted my ISP, asking if I can replace the router with just a modem that feeds a router/firewall behind it.

They said yes, that I will need to provide information about the new device (the modem), and that I will be contacted by a technician instructing me on how to do it and providing the needed information.

At this point, I have just purchased that Vigor 167; it should arrive in 2 days. We will see, I am really curious.

Just as a side question, can I just stay with that Modem and the Firewall? Why would I eventually want to put a router in the middle of the Modem and Firewall?

Thanks.

Quote from: LtCol_Davenport on March 05, 2024, 04:52:52 PM
Just as a side question, can I just stay with that Modem and the Firewall?
If the modem is matching your DSL link's technology, yes, of course.

Quote from: LtCol_Davenport on March 05, 2024, 04:52:52 PM
Why would I eventually want to put a router in the middle of the Modem and Firewall?
I can't think of a reason why you would. I definitely wouldn't.

What you need to consider if you replace an all-in-one consumer router that includes WiFi with a modem and OPNsense is that you might need a WiFi access point. Frequently one can configure the former router as such and then place it in the LAN behind OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)