No Internet for Only Windows Client on VLAN

[yutzin_sea]

Hi all, I have an odd situation I was hoping to get some help with.

I recently set up a new network using OPNSense on my router. I added a VPN client and had been routing all traffic from the LAN net through it. Everything had been working great.

A bit ago, I added a VLAN, hoping to let any clients that do not need to take advantage of the VPN to use that to access the internet through the WAN gateway. These changes worked fine, and I was able to connect to the internet both through the VPN and through the WAN gateway on multiple clients (Linux and iOS) with one exception: a Windows client.

The Windows client for whatever reason is not able to access the internet from the VLAN (either over wire or wifi). It can connect, is assigned an IP by DHCP, and can ping the VLAN gateway, but it cannot access the internet or ping 1.1.1.1/8.8.8.8, for example.

I've tried updating the network drivers, and releasing and resetting the IP lease with no change. More oddly, if I live boot the device using Linux, I can access the internet just fine.

Interestingly, when I connect the Windows client to the LAN net, it is able to access the internet through the VPN.

My firewall rules are as follows:

LAN Interface:

Allow access to DNS

• Action: Pass
• TCP/IP: IPv4 Protocol: TCP/UDP
• Source: LAN net
• Dest/invert: Unchecked
• Destination: LAN address
• Destination Port: 53 (DNS)
• Gateway: Default

Allow access to internet but not private networks

• Action: Pass
• TCP/IP: IPv4
• Protocol: Any
• Source: LAN net
• Dest/invert: Checked
• Destination: PrivateNetworks (alias)
• Destination Any
• Gateway: WAN_DHCP

The firewall rules for the VLAN are the same with the source and destination fields being changed to reflect the correct net/address and the gateway for the second rule being changed to the WAN gateway.

Outgoing NAT rules (set to manual):

LAN:

• Interface: VPN Interface
• TCP/IP: IPv4
• Protocol: Any Source invert: Unchecked
• Source address: LAN net
• Destination invert: Unchecked
• Destination address: Any
• Destination port: Any
• Translation/target: Interface address

VLAN:

• Interface: WAN
• TCP/IP: IPv4
• Protocol: Any
• Source invert: Unchecked
• Source address: VLAN net
• Destination invert: Unchecked
• Destination address: Any
• Destination port: Any
• Translation/target: Interface address

Both the LAN and the VLAN have static IPv4 configurations.

LAN:

• IPv4 Address: xxx.xxx.1.1/24
• Subnet: xxx.xxx.1.0
• Subnet Mask: 255.255.255.0
• DHCPv4 Range: xxx.xxx.1.100 – xxx.xxx.1.200

VLAN:

• IPv4 Address: xxx.xxx.20.1/24
• Subnet: xxx.xxx.20.0
• Subnet Mask: 255.255.255.0
• DHCPv4 Range: xxx.xxx.20.100 – xxx.xxx.20.200

I want to also mention that when I was configuring the VLAN, initially I was running into issues where either I could not access the internet or the connection was routed through the VPN. I fixed this issue by checking the Don’t add/remove routes option within the VPN client options. Once I did this, everything worked fine.

If anyone might have any insight into the above issue of why the Windows client doesn’t seem to want to connect to the internet, I would greatly appreciate it.  Thanks very much for your help.

[JamesFrisch]

A bit ago, I added a VLAN, hoping to let any clients that do not need to take advantage of the VPN to use that to access the internet through the WAN gateway.

You can do that, but you could probably also just use rules instead to achieve this.
Could you describe what you try to achieve with the VPN? Is it a site to site connection?
Seems like you try to force all traffic through a VPN, wich makes no sense in most cases.

Allow access to DNS

You could change that to "This firewall" or your actual DNS.

Allow access to internet but not private networks

I find it easier to use a block rule with an RFC 1918 alias instead of an invert rule. But this should also work.

Outgoing NAT rules (set to manual):

I would not do that unless you have a very specific need. For most setups, at most you need hybrid.

I want to also mention that when I was configuring the VLAN, initially I was running into issues where either I could not access the internet or the connection was routed through the VPN. I fixed this issue by checking the Don’t add/remove routes option within the VPN client options. Once I did this, everything worked fine.

There could be an error here or in the , or it could also be a VLAN setting on the Windows client. Anyway before we try to track down the issue, we first have to make sure you are not a NordVPN Youtube influencer victim that thinks you can make your internet more secure or private by using such a service   

[yutzin_sea]

Thanks for taking the time to reply.

Regarding the VPN, the only thing I’m hoping to achieve is to route the traffic on the LAN network through the VPN tunnel (which currently is working).  I’m hoping to have the traffic on the VLAN then be routed through the WAN gateway, which works on all clients except ones that are running Windows.  To assuage your concerns, no, I am not employing NordVPN as the service.

The guides I had been following recommended setting NAT rules to manual.  I did experiment with setting them to hybrid to see if that would solve the issue but it persisted even with the change so I reverted back to manual.

There could be an error here or in the , or it could also be a VLAN setting on the Windows client.

Would you mind elaborating on this when you can?  I’ve toggled that setting I don’t believe it improved the situation.  I’m also not sure what you mean by “VLAN setting on the Windows client.”  As far as I know, my setup is platform agnostic, and I don’t think I have any settings tailored specifically for machines running Windows.

[Vilhonator]

Reason for your issue might be because Windows doesn't support IEEE 802.1Q or VLAN tagging (linux, Android, iOS and Mac OS does), so you have to enable it from your machines network adapter properties and enable 802.1Q tags or change the VLAN ID to correct VLAN ID if network adapter doesn't support IEEE 802.1Q tagging.

If that's too much of an hassle, way you can fix this is buying Switch that supports VLAN tagging (so IEEE 802.1Q protocol, Cisco is best and easiest choice for a switch, but any brand will do), that way you don't have to change other than Firewall rules and add static routes on your firewall and configure VLAN on your switch

[yutzin_sea]

Thanks so much for the reply.

My switch is an HP ProCurve J9298A and I believe, if I'm looking at the documentation right, the ports support IEEE 802.3/802.3u/803.2ab.  It seems like it's a few versions ahead of 802.1Q, but perhaps they are different standards?  This is my first major foray into networking so I apologize for not knowing.

Given the above, would you still suggest enabling IEEE 802.1Q/VLAN tagging on the Windows network adapter?  I'm happy to try anything at this point.

[JamesFrisch]

To assuage your concerns, no, I am not employing NordVPN as the service.

I don't dislike NordVPN, it is just that for normal browsing VPN only adds costs, latency and worse peering.

Would you mind elaborating on this when you can?

It could be so many things. An error in your VPN config (OpenVPN?), or a VLAN error or the VLAN settings on Windows.

That is why I think we should know first, what you try to achieve with that VPN.

Given the above, would you still suggest enabling IEEE 802.1Q/VLAN tagging on the Windows network adapter?

No, almost never. Reason is that I trust my switch more than a Windows machine. I rather wan't the switch to decide what VLAN the host has, than the NIC of Windows. Also not all NICs even support using VLAN.

But then again, I would not use VLAN to begin with to route VPN traffic.

[yutzin_sea]

It could be so many things. An error in your VPN config (OpenVPN?), or a VLAN error or the VLAN settings on Windows.

Thanks again for your reply.  Correct, I am using OpenVPN.  I'd be surprised if it was a VLAN error, since the Windows machine is able to access the internet through the default VLAN and VPN, but certainly open to exploring it.

That is why I think we should know first, what you try to achieve with that VPN.

My desire to route some traffic through the VPN VLAN is to increase the security and privacy of that traffic.  I understand that additional protection is not total by any means, but even a minimal improvement is good enough for my purposes.

[Vilhonator]

Thanks so much for the reply.

My switch is an HP ProCurve J9298A and I believe, if I'm looking at the documentation right, the ports support IEEE 802.3/802.3u/803.2ab.  It seems like it's a few versions ahead of 802.1Q, but perhaps they are different standards?  This is my first major foray into networking so I apologize for not knowing.

Given the above, would you still suggest enabling IEEE 802.1Q/VLAN tagging on the Windows network adapter?  I'm happy to try anything at this point.

You can try enabling it. Assigning VLAN ID on the network adapter should solve the issue, only downside is, that you have to do so, with each windows client on your network.

[yutzin_sea]

VLAN's were enabled on the prior driver (but I could not manually assign an ID).  I updated the driver and assigned a VLAN ID to match desired VLAN but no luck - still no internet.

It would surprise me if that did fix it since I am able to access the internet through the default VLAN (LAN), which runs through the VPN.  But I appreciate the suggestion nonetheless.

[JamesFrisch]

I understand that additional protection is not total by any means, but even a minimal improvement is good enough for my purposes.

The problem is, it is not. On the contrary, it most definitely even is a downgrade when it comes to privacy.


It is a complicated topic, but here is a pretty good summary: https://www.youtube.com/watch?v=239w7x2TdWE

[Patrick M. Hausen]

It is a complicated topic, but here is a pretty good summary: https://www.youtube.com/watch?v=239w7x2TdWE

The answer is "yes".

I have been arguing that point for years. Same for using central DOT or DOH services.

[yutzin_sea]

In case it might prove useful for anyone who stumbles upon this thread with a similar issue, I did end up solving it and wanted to share what I did.

The switch I'm running is a slightly older HP ProCurve and the documentation for it is not always glaringly straightforward. When adding VLAN's, there are options related to setting the IP. They can be manually set but also set to use a DCHP server.

When I was creating the network originally, I wasn't able to get the DHCP option to work, though I thought it was the best option because each of the VLAN interfaces has DCHP enabled. Using the "manual" option did work and allowed Linux and iOS options to have internet access. I left it at that as it was working.

In trying to troubleshoot my issue, I reinstalled OPNSense and even without recreating the tunnel I had been using for the VPN connection the issue persisted. At this point I felt it had to be a switch-related cause, as none of the Windows clients could even reach the gateway. I changed the IP configuration of the VLAN's to DHCP within the configuration of the switch and lo-and-behold suddenly the Windows clients had internet.

I also ended up toggling off the "Don't add/remove routes" (which I had previously needed on for internet to be available on the non-VPN VLAN's) in order to fix a resulting DNS leak.

Still not entirely sure how the Linux and iOS clients were able to have internet access prior to this change, but everything is working now.

Thank you to those that offered suggestions aimed at trying to resolve the technical issue!