[NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3

[MarieSophieSG]

aaarrrggg  found it !
Can't access in HTTP, it must be HTTPS !
And can't access with simple IP, I need to add the port
And I've disabled IDS/IPS

NO = HTTP://192.168.101.116
NO = HTTPS://192.168.101.116
YES = HTTPS://192.168.101.116:321

OK, no I have access to the GUI from Laptop1 (LAN1), login+TFA, fine !
Even tough "Services: ISC DHCPv4: Leases" shows status: "offline"
And I've lost connection to GUI again ...

[MarieSophieSG]

Reset (3sec) again, I can now ping both IPs from the NAS, but still can't access the GUI :(

Https://192.168.101.111 => Ping ok, no GUI
Https://192.168.101.112 => Ping ok, no GUI

Bingo ! of course I need the port ...
Https://192.168.101.112:321 => Ping ok, GUI ok
Https://192.168.101.112:321 => Ping ok, GUI ok

[MarieSophieSG]

Now that the two interface are no longer Port-Trunking, I have full access in/out
Since the NAS has 2x 2,5GbE and so does the swicth and so does the RS39 OPNsense box, I guess that won't change much.
ok, that's a very good achievement

Now trying:
Map local folder
Access NAS from LAptop2 (LAN2) and Laptop3&4 (LAN3) as for now they don't
Isolate NAS (through VLAN, probably ?) to limit access to only Alias _Laptops

Anyone wants to journey along ?

[MarieSophieSG]

Still not ...
I have full access to the NAS (on LAN1) from Laptop1 (on LAN1)
But none of the others have access to it (neitehr ping nor GUI)

I've added a floating rule "Pass" source Alias "_Laptops" (All laptops IPs) to alias "_NAS" any proto any ports, but still can't access

I don't understand ...

[erica.vh]

Did you recheck all your FW rules, including those automatics ?

[MarieSophieSG]

Did you recheck all your FW rules, including those automatics ?

Not much to be seen there, only the 22 automatic rules which can't be modified nor deleted, and the two clones of the LAN1 autogenerated "Allow all" "IN"

everywhere I search on the internet it says that by default all LAN can communicate between themselves with these standards rules, so there must be something else, but I don't know where to start searching

And when I inspeact the rules by filtering the IP, it only says allow all

[cookiemonster]

I've lost track on this thread. What is the problem and what is the current setup where it manifests itself?
For instance out of the blue comes what seems a VLANs setup. Please describe it, including the setup in OPN and your managed switch for it.

[MarieSophieSG]

I've lost track on this thread. What is the problem and what is the current setup where it manifests itself?
For instance out of the blue comes what seems a VLANs setup. Please describe it, including the setup in OPN and your managed switch for it.

Good morning,
Replying from the office, I should be ashamed :-p

- LAN1 192.168.101.101/24 => Swicth1
-- Laptop1 192.168.101.102
-- NAS1 192.168.101.111, 19.168.101.112
- LAN2 192.168.102.101/24 => WiFi AP
- LAN3 192.168.103.101/24 => Swicth2
-- Laptop4 192.168.103.102
-- NAS2 192.168.103.111, 192.168.103.112

Alias _Laptop (all laptops IPs) existing but not used/set in any rules (for later)
Alias _NAS (all NAS IPs) existing but not used/set in any rules (for later, as I will restrict WAN access to just 1hr/week for updates)

FW rules all default
I dropped the idea (Although I would have loved it) of VLAN, for I only have unmanaged switches and it seems way too complicated to get my NAS on a VLAN without it.

NAS FW disabled, NAS AV disabled, NAS AMware disabled

Laptop1 can access NAS1 but can't access NAS2
Laptop4 can access NAS2 but can't access NAS1

Need: All LAN to access all LAN, or all laptops to access all NAS

[Patrick M. Hausen]

All devices involved have a /24 netmask (255.255.255.0) and the .101 address in the respective network as their default gateway?

Check on the devices themselves, like e.g. `ipconfig /all` on Windows.

[MarieSophieSG]

All devices involved have a /24 netmask (255.255.255.0) and the .101 address in the respective network as their default gateway?

Check on the devices themselves, like e.g. `ipconfig /all` on Windows.

Yes sir, thank to this forum (and to you for a great deal) I have a very robust and simple set up
All interfaces are 192.168.10x.101/24, with 192.168.10x.102-112 static, and 192.168.10x.116-122 DHCP
All devices are set to full auto
All devices have access to WAN and outside, IN/OUT
The only blockage I just can't find is why they can't access to each-other

Allias _Laptop is IPs only, and not used in any rules (yet)
Allias _NAS is IPs only, and not used in any rules (yet) (Although I see in some report that these IPs couldn't be resolved, I do have access to the main one's GUI on HTTPS 192.168.101.112
Allias _Printers is IPs only, and not used yet

Aliases are not restricted to same subnet only, right ? (i.e: _Laptops 192.168.101.102, 192.168.102.106)

[Patrick M. Hausen]

Then show the DHCP settings of LAN1, LAN2 and LAN3, and the firewall rules, too, please.

On more quick shot: what do you mean by "access"? Ping not working? If ping from a PC to a NAS is working but you say you cannot "access" it - do you mean ... like ... browse in "Network Neighborhood"? That does not work across different routed interfaces  :) You need to manually map a drive using the NAS' IP address or DNS name.

HTH,
Patrick

[cookiemonster]

Yes I was going to ask that, what is meant by can not access.
It seems each has two IPs on the same network. The device is probably only listening on one.

[MarieSophieSG]

Then show the DHCP settings of LAN1, LAN2 and LAN3, and the firewall rules, too, please.

On more quick shot: what do you mean by "access"? Ping not working? If ping from a PC to a NAS is working but you say you cannot "access" it - do you mean ... like ... browse in "Network Neighborhood"? That does not work across different routed interfaces  :) You need to manually map a drive using the NAS' IP address or DNS name.

HTH,
Patrick

Sure thing, I'll get a copy of all these automatic rules when I get back home.

No access as in no ping, and therfore of course no GUI
Laptop4 on LAN3 ping 192.168.101.111 or 112 = 100% loss
Laptop1 on LAN1 ping 192.168.103.111 or 112 = 100% loss

DHCP setting is:
LAN1 192.168.101.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)
LAN2 192.168.102.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)
LAN3 192.168.103.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)

As suggested here, the static address are outside the DHCP range: and the NAS gets the  .111 and .112
The NAS themselves have no DHCP (since there is no devices connected to it)
The NAS network setting, since getting a static address from teh router, is set to automatic (auto IP, auto DNS, etc ..) same as all other devices.

NB: At the very begining of this thread, I couldn't even access the GUI within the same subnt,
But thks to QNAP forum, someone suggested to un-trunk the two interace on the NAS side, and it worked right away

[Patrick M. Hausen]

Sure thing, I'll get a copy of all these automatic rules when I get back home.

Not the automatic ones - the three "allow" rules you placed on these interfaces by copying.

No access as in no ping, and therfore of course no GUI
Laptop4 on LAN3 ping 192.168.101.111 or 112 = 100% loss
Laptop1 on LAN1 ping 192.168.103.111 or 112 = 100% loss

I see.

DHCP setting is:
LAN1 192.168.101.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)
LAN2 192.168.102.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)
LAN3 192.168.103.101/24 DHCP 116 - 122 (whiles static addresses are in the .102-.115 range)

A bit unusual but nothing looks broken about it. I mean most people including myself would give the .1 to OPNsense and have dynamic pool of e.g. .100 to .254 or similar. Why so small?

As suggested here, the static address are outside the DHCP range: and the NAS gets the  .111 and .112
The NAS themselves have no DHCP (since there is no devices connected to it)
The NAS network setting, since getting a static address from teh router, is set to automatic (auto IP, auto DNS, etc ..) same as all other devices.

OK - finally something that does look fishy  ;) Why two addresses for the NAS? You cannot connect two interfaces to the same network. Won't work as you now experience.

If it's one port for the NAS and one dedicated IPMI port, fine, of course. But if it's two NAS ports - never connect both to a single network.

[MarieSophieSG]

Yes I was going to ask that, what is meant by can not access.
It seems each has two IPs on the same network. The device is probably only listening on one.

On my previous router with a very (very) basic FW, the router was connected with both RJ45, but trunked on device side, so ys, only 1 IP to access it,
But since on OPNsense the port-trunking didn't work (I couldn't access the NAS' GUI) they are now separated (not trunked) and I can access the NAS' GUI from either or both at the same time (i.e: in two different browser tab)
But only from within the sub-net