[SOLVED] Help configuring additional NIC as LAN -> Just use a bridge

Started by nickbreen, March 30, 2024, 02:15:09 AM

I've added an additional NIC to use as another LAN interface. So now I have this structure:


WAN --- OPNSense +--- LAN1 (192.168.1.1/24) --- switch --- switch --- host1 (192.168.1.33/24)
                 +--- LAN2 (192.168.2.1/24) --- switch --- host2 (192.168.2.34/24)


Other than the default automatic FW rules I have configured an interface group called "LAN" that contains both LAN1 and LAN2. The only difference between the FW rules for LAN1 and LAN2 is the automatic anti-lockout rule on LAN1.

LAN has one in rule: IPv4+6 immediate allow any protocol from anywhere to anywhere.

Problem

I can IPv6 ping perfectly in all cases.
I can ping from all hosts to 8.8.8.8.
I can ping from all hosts to WAN IP.
I can ping between all hosts on 192.168.1.0/24.
I can ping between all hosts on 192.168.2.0/24.
I can ping from all hosts on 192.168.2.0/24 to all interfaces on OPNSense (i.e. WAN, LAN1, LAN2).
I can ping from all hosts on 192.168.1.0/24 to all hosts on 192.168.2.0/24.
I cannot ping from any hosts on 192.168.2.0/24 to any hosts on 192.168.1.0/24 (other than OPNSense).

I cannot see any ICMP packets blocked when enabling the default deny rule's logging.
I also cannot see any ICMP packets passed when enabling logging on my LAN group rule mentioned above.

TCP and UDP traffic also appears to be affected in the same way. I.e. I can SSH from 192.168.1.0/24 to 192.168.2.0/24 but not the other way.

Oddly, traceroutes to the WAN/LAN1/LAN2 IPs fail completely from any host on either .

Questions

Where should I be looking to diagnose this further?
What should I be looking for?

Hunches

Is there some default configuration somewhere that has been applied to LAN1 (as the original LAN interface when initially setting up the system, renamed to LAN1) that is not also applied to the (new) LAN2?

Is there some more complex NAT configuration needed given that IPv6 works perfectly?


Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
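A diagnostic check for the symptom above, added here as an example and not code from the original thread or from OPNsense: it parses the IPv4 lines of a `pfctl -ss` state-table dump and tells apart "no rule ever passed this traffic" from "pf forwarded it but nothing came back", which points at the target host's own firewall or return path instead of the OPNsense ruleset. The sample dump, interface names and states are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `pfctl -ss` output; interface names and
# states are assumptions, not captured from the poster's firewall.
SAMPLE_STATES = """\
igb1 tcp 192.168.1.33:40122 -> 192.168.2.34:22       ESTABLISHED:ESTABLISHED
igb2 tcp 192.168.2.34:51022 -> 192.168.1.33:22       SYN_SENT:CLOSED
igb2 udp 192.168.2.34:5353 -> 8.8.8.8:53       MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<state>\S+)$"
)

def parse_states(text):
    """Parse IPv4 state lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = ip_address(d["src"]), ip_address(d["dst"])
            out.append(d)
    return out

def diagnose(states, src_net, dst_net):
    """Classify src_net -> dst_net traffic from what the state table shows."""
    src_net, dst_net = ip_network(src_net), ip_network(dst_net)
    hits = [s for s in states if s["src"] in src_net and s["dst"] in dst_net]
    if not hits:
        # No pass rule created a state: check rule order and logging, and
        # confirm with tcpdump on the ingress NIC that packets arrive at all.
        return "no-state"
    if any(s["proto"] == "tcp" and s["state"].endswith(":CLOSED") for s in hits):
        # pf forwarded the SYN but never saw a reply: the drop is beyond the
        # firewall (host firewall on the target, return route, switch config).
        return "passed-no-reply"
    return "ok"

if __name__ == "__main__":
    st = parse_states(SAMPLE_STATES)
    print("LAN1->LAN2:", diagnose(st, "192.168.1.0/24", "192.168.2.0/24"))
    print("LAN2->LAN1:", diagnose(st, "192.168.2.0/24", "192.168.1.0/24"))
```

Run it against a real dump with `pfctl -ss` while attempting an SSH from LAN2 to LAN1; a half-open state in the LAN2 -> LAN1 direction means the OPNsense rules are not what is blocking it.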

Quote from: nickbreen on March 30, 2024, 02:15:09 AM
Hunches

Is there some default configuration somewhere that has been applied to LAN1 (as the original LAN interface when initially setting up the system, renamed to LAN1) that is not also applied to the (new) LAN2?

Is there some more complex NAT configuration needed given that IPv6 works perfectly?

There is a default rule on the first LAN that allows "LAN to any". You should replicate that for LAN2.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Patrick M. Hausen on March 30, 2024, 08:09:35 AM
You possibly want to implement this?

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Yeah, that was something I was considering.

All the docs scream about CPU usage and "it's probably not what you need" without really explaining why. So I thought I'd try for two networks.

Quote from: meyergru on March 30, 2024, 08:16:04 AM
Quote from: nickbreen on March 30, 2024, 02:15:09 AM
Hunches

Is there some default configuration somewhere that has been applied to LAN1 (as the original LAN interface when initially setting up the system, renamed to LAN1) that is not also applied to the (new) LAN2?

Is there some more complex NAT configuration needed given that IPv6 works perfectly?

There is a default rule on the first LAN that allows "LAN to any". You should replicate that for LAN2.

The only NAT rule I can see is the automatic anti-lockout rule, specifically for TCP ports 22, 80, 443, so it wouldn't apply to ICMP.

I'm sure that's already in place: as LAN2 can reach the public internet and also any interface on OPNSense. There's also an XBOX and TV on LAN2 that are operating happily (but just cannot see anything on LAN1).

Specifically, there is a rule for IPv4+6 any protocol any source any destination that applies to both LAN1 and LAN2. I replaced the wizard-generated rule with this group rule to be sure that the same rule is applied to both LAN1 and LAN2.

There is no problem with the FreeBSD bridge for speeds up to 1 Gbit/s and a decent CPU. People keep repeating "facts" that were true five years ago but were fixed in 2020:

https://freebsdfoundation.org/blog/500-if_bridge-performance-improvement/

I run 100 servers with 1000 customer jails all bridged because that is the best option for jails. No negative performance impact in any way.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on March 30, 2024, 10:59:17 PM
There is no problem with the FreeBSD bridge for speeds up to 1 Gbit/s and a decent CPU. People keep repeating "facts" that were true five years ago but were fixed in 2020:

That's what I was thinking was the case.

I am going to configure a bridge!

I have more PCIe slots available for a third card so I can always fight this fight again when I stick a WiFi card in there later.


For future reference, bridges have IPv6 Link-Local Addresses disabled by default.

I needed to enable the bridge's Link-local address so that WAN's IPV6 prefix would propagate to all hosts downstream of the bridge.