[NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3

MarieSophieSG · October 04, 2024, 12:33:31 PM

Hello,
Today, I'm going to (try) connect my NAS (QNAP with double RJ45) to LAN1

LAN1: 192.168.101.101/24 DHCP 192.168.101.102-122
Unmanned switch with 2x NAS; 1x Laptop1; 1x Laptop2
Turn-on NAS: LEASE 192.168.101.104 and 192.168.101.105 (Which are already attributed in Static to other devices, OPNsense should not re-attribute these !)
Change these two dynamic IPs to Statics:
Static DHCPv4 for NAS 1st RJ45 = 192.168.101.111
Static DHCPv4 for NAS 1st RJ45 = 192.168.101.112

Can't connect to NAS GUI, can't even ping these IPs
And I have something weird on the dashboard:

Code Select

2024-10-04T06:26:24-04:00
<6>arp: 192.168.101.112 moved from 24:5e:be:5c:86:6c to 24:5e:be:5c:87:6d on igc0
2024-10-04T06:26:22-04:00
<6>arp: 192.168.101.112 moved from 24:5e:be:5c:86:6d to 24:5e:be:5c:86:6c on igc0

Why is it swapping MAC every 2-3 seconds on this IP to an unknown MAC and back to known MAC ?
I've created a third STATIC Lease to the "new" MAC with 192.168.101.113 and now it stopped swapping, but I still can't access the GUI

What am I doing wrong ? it should be straightforward, plug, wait for IP, and connect, no ?

Patrick M. Hausen · October 04, 2024, 12:57:31 PM

Static leases must lie outside of your dynamic range.

MarieSophieSG · October 04, 2024, 02:18:09 PM

Quote from: Patrick M. Hausen on October 04, 2024, 12:57:31 PM
Static leases must lie outside of your dynamic range.

TY for your answer, but ...
I have a DHCP for about 20 addresses per LAN, out of which I freeze (static) some, therefore inside the same lease span

Every other devices have been frozen to static the same way, including those in LAN2 (through the WiFi router AP and limited to known devices only) why would it be different for the NAS ?

I'm not sure about your statement ?

Patrick M. Hausen · October 04, 2024, 02:49:30 PM

Nothing fundamentally different. What you did for the other devices can lead to the same problem. It's a question of timing. You were lucky until now.

Just don't do it, it's not a supported configuration. When I wrote "must" I meant MUST like in RFCs ;)

MarieSophieSG · October 04, 2024, 03:22:31 PM

Quote from: Patrick M. Hausen on October 04, 2024, 02:49:30 PM
Nothing fundamentally different. What you did for the other devices can lead to the same problem. It's a question of timing. You were lucky until now.

Just don't do it, it's not a supported configuration. When I wrote "must" I meant MUST like in RFCs ;)

TY, but there again it's misleading (or confusing) if we are not supposed to use the dynamic-to-static why does the GUI offers a very simple "+" button to actually do just that ?

And for each interface, the simple option to add a frozen IP/MAC in the "DHCP Static Mappings for this interface."

Then, what should I have used to freeze all of these addresses to static if not the dhcp static one ? (neighbour ?)

MarieSophieSG · October 04, 2024, 03:24:31 PM

I've hard reset the NAS, now I can PING it (from OPNsense and from Laptop1) on its static address 192.168.101.112 but still can't access its GUI

Do I need to open something in the FW rules (I'm scared to change anything in there)

Patrick M. Hausen · October 04, 2024, 03:34:07 PM

Quote from: MarieSophieSG on October 04, 2024, 03:22:31 PM
TY, but there again it's misleading (or confusing) if we are not supposed to use the dynamic-to-static why does the GUI offers a very simple "+" button to actually do just that?

To conveniently copy the MAC address to the static reservation form? Then you are supposed to enter an IP address that is of course from the same network but outside the dynamic range you configured in the DHCP settings for that interface.

Think of each static reservation as another "range" covering one host. Ranges must not overlap.

Patrick M. Hausen · October 04, 2024, 03:37:24 PM

Quote from: MarieSophieSG on October 04, 2024, 03:24:31 PM
I've hard reset the NAS, now I can PING it (from OPNsense and from Laptop1) on its static address 192.168.101.112 but still can't access its GUI

Do I need to open something in the FW rules (I'm scared to change anything in there)

If you have the "allow all" rules still in place, there's nothing you could change.

Watch what happens when you try to access the UI:

Firewall > Log Files > Live View
Interfaces > Diagnostics > Packet Capture

MarieSophieSG · October 04, 2024, 04:35:22 PM

Quote from: Patrick M. Hausen on October 04, 2024, 03:34:07 PM
Quote from: MarieSophieSG on October 04, 2024, 03:22:31 PM
TY, but there again it's misleading (or confusing) if we are not supposed to use the dynamic-to-static why does the GUI offers a very simple "+" button to actually do just that?
To conveniently copy the MAC address to the static reservation form? Then you are supposed to enter an IP address that is of course from the same network but outside the dynamic range you configured in the DHCP settings for that interface.

Think of each static reservation as another "range" covering one host. Ranges must not overlap.

Hum ... I see ..
So I should have (same for the other 2) :
LAN1 192.168.101.101/24 (existing)
DHCPv4 192.168.101.102-122 (existing) moved to 192.168.101.115-122 (to be)
And keep my current static 192.168.101.102; 192.168.101.103, ... 192.168.101.111, 192.168.101.112
Does that looks better ?

MarieSophieSG · October 04, 2024, 04:43:26 PM

Quote from: Patrick M. Hausen on October 04, 2024, 03:37:24 PM
If you have the "allow all" rules still in place, there's nothing you could change.

Watch what happens when you try to access the UI:
Firewall > Log Files > Live View

Code Select


Interface                               Time                 Source             Destination   Proto  	Label	
IGC0_SWITCH1_ETH1_CAT7green 2024-10-04T10:35:51-04:00  RS39:67	            192.168.101.112:68	udp	allow access to DHCP server	
IGC0_SWITCH1_ETH1_CAT7green 2024-10-04T10:35:51-04:00  192.168.101.112:68  255.255.255.255:67	udp	allow access to DHCP server

Quote from: Patrick M. Hausen on October 04, 2024, 03:37:24 PM
Interfaces > Diagnostics > Packet Capture

Set capture to interface LAN1 and IP 192.168.101.112

Code Select

View capture
Interface	Timestamp	output
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:08.012951	IPv4, length 98: 192.168.101.101 > 192.168.101.112: ICMP echo request, id 64245, seq 6775, length 64
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:08.013069	IPv4, length 98: 192.168.101.112 > 192.168.101.101: ICMP echo reply, id 64245, seq 6775, length 64
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:09.023283	IPv4, length 98: 192.168.101.101 > 192.168.101.112: ICMP echo request, id 64245, seq 6776, length 64
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:09.023412    IPv4, length 98: 192.168.101.112 > 192.168.101.101: ICMP echo reply, id 64245, seq 6776, length 64
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:09.574796	IPv4, length 146: 192.168.101.112.6881 > 31.10.77.218.14994: UDP, length 104
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:09.718070	IPv4, length 359: 31.10.77.218.14994 > 192.168.101.112.6881: UDP, length 317
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:10.031770	IPv4, length 98: 192.168.101.101 > 192.168.101.112: ICMP echo request, id 64245, seq 6777, length 64
IGC0_SWITCH1_ETH1_CAT7green
igc0	2024-10-04
10:51:10.031897	IPv4, length 98: 192.168.101.112 > 192.168.101.101: ICMP echo reply, id 64245, seq 6777, length 64

From my innexistent knowledge, this looks good, I should be able to access it no problem, right ?

MarieSophieSG · October 04, 2024, 10:22:19 PM

Done,
New network setup:
- ETH1 LAN1 192.168.101.101/24
-- Statics 192.168.101-115;
-- DHSC 192.168.101.116-122
- ETH3 LAN2 192.168.102.101/24
-- Statics 192.168.102-115;
-- DHSC 192.168.102.116-122
- ETH4 LAN3 192.168.103.101/24
-- Statics 192.168.103-115;
-- DHSC 192.168.103.116-122

Ping 192.168.101.111
From Laptop1 (LAN1) = 100% loss
From OPNsense = 100% loss Host is down
Ping 192.168.101.112
From Laptop1 (LAN1) = 0% loss
From OPNsense = 0% loss

But still no access to GUI :(
FW log same as earlier:

Code Select

	Interface		Time					Source		Destination	Proto	Label	
IGC0_SWITCH1_ETH1_CAT7green	2024-10-04T16:19:08-04:00	192.168.101.101		192.168.101.112	icmp	let out anything from firewall host itself	
IGC0_SWITCH1_ETH1_CAT7green	2024-10-04T16:17:50-04:00	192.168.101.101		192.168.101.112	icmp	let out anything from firewall host itself

MarieSophieSG · October 04, 2024, 11:30:08 PM

Weirdly enought (at least to me) I see traffic going in/out of 192.168.101.111 and 192.168.101.112 in "reporting / Traffic"

MarieSophieSG · October 05, 2024, 02:42:44 AM

I've nmap 192.168.1.1/16
Found out that the NAS kept (despite the reset) its previous IPs 192.168.211.211 and 192.168.211.212

I've set a VLAN up with 192.168.211.210/24 and DHCP 192.168.211.211 192.168.211.212

added the interface, set the NAT up, set the FW rule up (allow all)

Can't even ping 192.168.211 -212

MarieSophieSG · October 05, 2024, 11:42:37 AM

VLAN on LAN1 Not working so well wirh ummanaged switch

VLAN0.211 192.168.211.210/24
DHCP 192.168.211.211-222
FW rule "allow all"
No ping, no connection, so ...

disable LAN2, disable LAN3 (otherwise they would have their DHCP inside the LAN1 DHCP)
Changed LAN1 from 192.168.101.101/24 to 192.168.101.101/16
Added LAN1 DHCPv4 range 192.168.211.210-222
FW rules unchanged (LAN1 Laptop1 is still connected to Internet)
Ping 192.168.211.211 nothing 192.168.211.212 nothing

Disable IDS+IPS ... now I can ping 192.168.211.212, but still can't access the GUI
ERR_CONNECTION_REFUSED

Created Virtual IPs 192.168.211.210/24 but here again, no chance

Unless someone has an idea, next step is to hard-reset again (but fro 30sec) the NAS and re-do its entire config from scratch :/

MarieSophieSG · October 06, 2024, 11:29:07 AM

Even weirder ....
I gave up, but before doing the hard reset I tried one last thing:
Unplugged the NAS and renoved it from the rack, then back to the workbench (LAN3), HDMI screen + Keyboard and direct sell access
On that work bench is Laptop3, currently running Win10

Then NAS got an IP 192.168.103.116 (the first of the DHCP) and I could access its web GUI from that Laptop
NAS can't access internet, no matter how I configure it, with manual DNS, with Automatic DNS; with manual IP, with DHCP IP
It just won't connect outside of the internal network

But at least I accessed the GUI !

Then, once I made sure everything was autom/DHCP, I plug it back to on its shelf, on LAN1, and here, I again can't access it from Laptop1 ... I really don't understand, as both LAN1 and LAN3 have cloned FW rules and are set to not block private IP

Do I need to give it special access or rediect ports or something ?

[NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3

MarieSophieSG

October 04, 2024, 12:33:31 PM Last Edit: October 10, 2024, 01:49:13 AM by MarieSophieSG

Patrick M. Hausen

October 04, 2024, 12:57:31 PM #1

MarieSophieSG

October 04, 2024, 02:18:09 PM #2 Last Edit: October 04, 2024, 02:46:44 PM by MarieSophieSG

Patrick M. Hausen

October 04, 2024, 02:49:30 PM #3

MarieSophieSG

October 04, 2024, 03:22:31 PM #4

MarieSophieSG

October 04, 2024, 03:24:31 PM #5

Patrick M. Hausen

October 04, 2024, 03:34:07 PM #6

Patrick M. Hausen

October 04, 2024, 03:37:24 PM #7

MarieSophieSG

October 04, 2024, 04:35:22 PM #8

MarieSophieSG

October 04, 2024, 04:43:26 PM #9 Last Edit: October 04, 2024, 04:55:35 PM by MarieSophieSG

MarieSophieSG

October 04, 2024, 10:22:19 PM #10 Last Edit: October 04, 2024, 10:24:49 PM by MarieSophieSG

MarieSophieSG

October 04, 2024, 11:30:08 PM #11

MarieSophieSG

October 05, 2024, 02:42:44 AM #12 Last Edit: October 05, 2024, 10:09:21 AM by MarieSophieSG

MarieSophieSG

October 05, 2024, 11:42:37 AM #13 Last Edit: October 05, 2024, 12:12:53 PM by MarieSophieSG

MarieSophieSG

October 06, 2024, 11:29:07 AM #14 Last Edit: October 06, 2024, 11:32:24 AM by MarieSophieSG