Unable to access WAN from VLAN, what am I doing wrong?

Started by WholesomeTRex, May 03, 2024, 08:52:10 PM

May 03, 2024, 08:52:10 PM Last Edit: May 10, 2024, 07:09:42 PM by WholesomeTRex
Update:
In reply 2 I posted my current state of affairs for getting VLANs to work properly on my network.

Setup as follows:
ESXi has a single Ethernet to virtual switch as "LAN", then a port group for LAN (no vlan id), then another port group with vlan id 99 named VLAN_Guest.
I assigned this port group to OPNsense VM just like I did with the LAN and WAN port groups.

In OPNsense:

  • Interface > Assignment > vmx0 ESXi_VLAN_Guest_Int - Static IPv4, IPv4 10.0.199.1/24, upstream Gateway: ESXi_VLAN_Guest_Gateway
  • System > Gateways > Config > New > Interface ESXi_VLAN_Guest_Int, IP Addr 10.0.199.1
  • Interface > Other > VLAN > vlan01, tag 99, parent vmx0 ESXi_VLAN_guest
  • Firewall > NAT > Outbound > Interface ESXi_VLAN_Guest_Int, source Any, dest Any, NAT Address Interface Address
  • Firewall > Rules > ESXi_VLAN_Guest_Int > Rule Protocol IPv4 Any, Source Any, Dest Any, Gateway default

Hello,
I've searched the forums and I haven't found anything that quite describes the issue I'm having. I'm also not sure whether this is an issue with the ISC DHCPv4 or if this is an issue with my TP-Link Omada SG2428P switch.

ESXi has a network port as LAN. I created a Port Group [VLAN_Guest] with VLAN ID 99. I have assigned a new network interface to OPNsense as VLAN_Guest.

In OPNsense, I have assigned this new interface (vmx0) as [ESXi_VLAN_Guest].
I have ISC DHCPv4 [ESXi_VLAN_Guest] network with DHCP setup with the subnet 10.0.199.1/24, with the range 10.0.199.40-10.0.199.254.

In TP-Link Omada controller software, I have a LAN Interface "Guest" that is enabled on the switch. I have updated a desired port with the port profile "Guest".

I plug in my laptop to this port with the guest profile. When I check out ipconfig /all I see that the interface has shown me the DNS servers, but the gateway is blank, and the IP address is in the 169.254 range indicating it's not receiving an IP.

When I check the DHCP logs, I see that the laptop does a DHCPDISCOVER, DHCP does a DHCPOFFER, then a few seconds later this repeats 2 more times...
DHCP does not "Abandon" this IP address offer, and the laptop does not obtain a network connection.

In addition, I see that my Omada switch keeps sending DHCP requests to the DHCP server on only this guest VLAN, through this loop: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, Abandons the IP address: declined, and then DHCPDECLINE. It does this through the entire IP range that is assigned and once an IP address is finally released, it attempts again to request it.

I think one of the things that makes me wonder what I did wrong is that the interface used in the DHCP lease list is LAN instead of ESXi_VLAN_Guest...

I am unsure whether this is an issue with the Switch or if I have misconfigured my DHCP server on OPNsense.
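The two exchange patterns described in this post (DISCOVER/OFFER repeating with no REQUEST, and a full DISCOVER/OFFER/REQUEST/ACK followed by a DECLINE that makes the server abandon the address) can be picked out of the ISC dhcpd log mechanically. The following Python script is an added example, not code from the original post or from OPNsense; the log lines embedded in it are constructed in ISC dhcpd's message format, with made-up MAC addresses and hostnames, and the interface names `vmx0`/`vmx1` are assumptions. It groups messages per client MAC and interface, so a lease that shows up on the wrong interface (the "LAN instead of ESXi_VLAN_Guest" observation) is visible in the grouping key as well.

```python
import re
from collections import defaultdict

# Constructed sample log in ISC dhcpd style (not the poster's real logs).
# Client 1: discover/offer repeats three times, never a REQUEST.
# Client 2: completes the handshake, then declines the lease (address abandoned).
# Client 3: normal completed lease on another interface.
SAMPLE_LOG = """\
May  3 20:40:01 fw dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vmx0
May  3 20:40:01 fw dhcpd[1234]: DHCPOFFER on 10.0.199.40 to aa:bb:cc:dd:ee:01 via vmx0
May  3 20:40:05 fw dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vmx0
May  3 20:40:05 fw dhcpd[1234]: DHCPOFFER on 10.0.199.40 to aa:bb:cc:dd:ee:01 via vmx0
May  3 20:40:09 fw dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vmx0
May  3 20:40:09 fw dhcpd[1234]: DHCPOFFER on 10.0.199.40 to aa:bb:cc:dd:ee:01 via vmx0
May  3 20:41:00 fw dhcpd[1234]: DHCPDISCOVER from 00:11:22:33:44:55 via vmx0
May  3 20:41:00 fw dhcpd[1234]: DHCPOFFER on 10.0.199.41 to 00:11:22:33:44:55 via vmx0
May  3 20:41:00 fw dhcpd[1234]: DHCPREQUEST for 10.0.199.41 (10.0.199.1) from 00:11:22:33:44:55 via vmx0
May  3 20:41:00 fw dhcpd[1234]: DHCPACK on 10.0.199.41 to 00:11:22:33:44:55 via vmx0
May  3 20:41:01 fw dhcpd[1234]: Abandoning IP address 10.0.199.41: declined.
May  3 20:41:01 fw dhcpd[1234]: DHCPDECLINE of 10.0.199.41 from 00:11:22:33:44:55 via vmx0: abandoned
May  3 20:42:00 fw dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:01 via vmx1
May  3 20:42:00 fw dhcpd[1234]: DHCPOFFER on 10.0.1.50 to de:ad:be:ef:00:01 via vmx1
May  3 20:42:00 fw dhcpd[1234]: DHCPREQUEST for 10.0.1.50 (10.0.1.1) from de:ad:be:ef:00:01 via vmx1
May  3 20:42:00 fw dhcpd[1234]: DHCPACK on 10.0.1.50 to de:ad:be:ef:00:01 via vmx1
"""

# Message type, optional address ("on"/"for"/"of" X), client MAC, and the
# interface (or relay address) after "via".  The trailing ":" on DECLINE
# lines is excluded from the interface name on purpose.
MSG_RE = re.compile(
    r"(DHCP(?:DISCOVER|OFFER|REQUEST|ACK|NAK|DECLINE))"
    r"(?:\s+(?:on|for|of)\s+(\d+\.\d+\.\d+\.\d+))?"
    r".*?\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b"
    r".*?\bvia\s+([A-Za-z0-9_.-]+)",
    re.IGNORECASE,
)


def parse(log_text):
    """Yield (msg_type, ip_or_None, mac, iface) for every DHCP message line."""
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            msg, ip, mac, iface = m.groups()
            yield msg.upper(), ip, mac.lower(), iface


def analyze(log_text):
    """Group messages per (client MAC, interface) and classify each exchange."""
    clients = defaultdict(lambda: {"msgs": [], "ips": set()})
    for msg, ip, mac, iface in parse(log_text):
        entry = clients[(mac, iface)]
        entry["msgs"].append(msg)
        if ip:
            entry["ips"].add(ip)

    result = {}
    for key, entry in clients.items():
        msgs = entry["msgs"]
        if "DHCPDECLINE" in msgs:
            # Client accepted a lease, then declined it; dhcpd abandons the address
            # (typically the client believes the address is already in use).
            state = "declining"
        elif "DHCPACK" in msgs:
            state = "completed"
        elif "DHCPOFFER" in msgs and "DHCPREQUEST" not in msgs:
            # Server keeps offering, client keeps re-discovering: offers are not
            # reaching the client or the client is not accepting them.
            state = "stalled-after-offer"
        else:
            state = "incomplete"
        result[key] = {
            "state": state,
            "discovers": msgs.count("DHCPDISCOVER"),
            "offers": msgs.count("DHCPOFFER"),
            "declines": msgs.count("DHCPDECLINE"),
            "ips": sorted(entry["ips"]),
        }
    return result


def report(log_text):
    """Human-readable one-line-per-client summary of analyze()."""
    lines = []
    for (mac, iface), info in sorted(analyze(log_text).items()):
        lines.append(
            "%s via %-5s %-20s discover=%d offer=%d decline=%d ips=%s"
            % (mac, iface, info["state"], info["discovers"],
               info["offers"], info["declines"], ",".join(info["ips"]) or "-")
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

To run it against a real OPNsense box, replace `SAMPLE_LOG` with the contents of the DHCP log (the regex tolerates the syslog prefix) and look for `stalled-after-offer` entries, which point at the path between server and client (tagging, port profile, port group), and `declining` entries, which point at the client rejecting addresses it was given.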

Hi,

I don't know all the devices involved and their behaviour and that's why it is hard to come up with a solution. But from the OPNsense logs we see that your switch wants to have an IP address via vmx0 and abandons it for some reason. It is always the switch (according to the MAC address).

As there seems to be no entry (really?) from your laptop you may want to recheck the switch's configuration and your VM environment for correct assignment. Maybe the switch has a useful logging system and can help you find the cause, too.

But in general that's not an OPNsense issue.

I wanted to follow up on this; the screenshot I had uploaded didn't have my laptop attempting to gain an IP address, but another screenshot did. I selected the wrong one.
I have made further progress on being able to get an IP address.

The issue I have run into now is that while I can get an IP on that subnet, I cannot get out of the subnet to the Internet.

I can ping other devices on my LAN but cannot access their web interfaces or anything, which is exactly what I wanted for internal security for this Guest VLAN.

However, the Guest VLAN should still be able to connect to the network. Clearly I have done something wrong.

Setup as follows:
ESXi has a single Ethernet to virtual switch as "LAN", then a port group for LAN (no vlan id), then another port group with vlan id 99 named VLAN_Guest.
I assigned this port group to OPNsense VM just like I did with the LAN and WAN port groups.

In OPNsense:

  • Interface > Assignment > vmx0 ESXi_VLAN_Guest_Int - Static IPv4, IPv4 10.0.199.1/24, upstream Gateway: ESXi_VLAN_Guest_Gateway
  • System > Gateways > Config > New > Interface ESXi_VLAN_Guest_Int, IP Addr 10.0.199.1
  • Interface > Other > VLAN > vlan01, tag 99, parent vmx0 ESXi_VLAN_guest
  • Firewall > NAT > Outbound > Interface ESXi_VLAN_Guest_Int, source Any, dest Any, NAT Address Interface Address
  • Firewall > Rules > ESXi_VLAN_Guest_Int > Rule Protocol IPv4 Any, Source Any, Dest Any, Gateway default
Any ideas on what I'm doing wrong that would prevent devices on the VLAN getting to WAN/Internet?

So, what's the exact error msg when
A) ping public site
B) opening a website

Quote from: Saarbremer on May 10, 2024, 11:21:25 PM
So, what's the exact error msg when
A) ping public site  - ping - "request timed out" when pinging google.com
B) opening a website - Internal websites: the connection has timed out. External websites: "Hmm. we're having trouble finding that site"

For external websites, sounds like it can't query DNS, but nslookup google.com returns valid results from my AdGuard Home (and by extension my Active Directory DNS) servers.

What does that mean "it looks"?

You may want to check the DNS configuration on the host. Is that what you expected? And: Did you allow UDP+TCP port 53 for that VLAN to your DNS?
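The check suggested in the reply above, whether the VLAN can actually reach the resolver on both UDP and TCP port 53, can be done from a client on the guest VLAN without relying on the OS resolver (which may be answering from cache, or from a different server than the one configured). The following Python script is an added example, not code from the thread or from OPNsense or AdGuard Home; it builds a minimal DNS query by hand, sends it once over UDP and once over TCP to the server address given on the command line, and reports which transport answered. The server address and the query name are placeholders to be supplied by whoever runs it.

```python
import random
import socket
import struct
import sys


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default) with the RD flag set."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    # id, flags (RD), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data):
    """Return (txid, rcode, answer_count) from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, an


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by peer")
        buf += chunk
    return buf


def query_udp(server, name, timeout=3.0):
    """Send one query over UDP/53 and return the parsed response header."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_tcp(server, name, timeout=3.0):
    """Send one query over TCP/53 (2-byte length prefix) and return the header."""
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        data = recv_exact(s, length)
    return parse_response(data)


def check_resolver(server, name="example.com"):
    """Try both transports; a reply with any rcode proves the port is reachable."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            _txid, rcode, answers = fn(server, name)
            results[proto] = "ok (rcode=%d, answers=%d)" % (rcode, answers)
        except (OSError, ConnectionError) as exc:
            # A timeout on one transport but not the other usually means a
            # firewall rule passes only UDP (or only TCP) to the resolver.
            results[proto] = "failed: %s" % exc
    return results


if __name__ == "__main__":
    # Usage: python dnscheck.py <RESOLVER_IP_PLACEHOLDER> [name]
    server = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    for proto, outcome in check_resolver(server, name).items():
        print("%s/53 to %s: %s" % (proto, server, outcome))
```

Run it from the laptop on the guest VLAN against the resolver address that `ipconfig /all` shows; if UDP answers and TCP times out (or the other way round), the firewall rule for port 53 on that VLAN is only passing one of the two, which is exactly what the question "UDP+TCP port 53" is getting at.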