[NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3

[MarieSophieSG]

As suggested here, the static address are outside the DHCP range: and the NAS gets the  .111 and .112
The NAS themselves have no DHCP (since there is no devices connected to it)
The NAS network setting, since getting a static address from teh router, is set to automatic (auto IP, auto DNS, etc ..) same as all other devices.

OK - finally something that does look fishy  Why two addresses for the NAS? You cannot connect two interfaces to the same network. Won't work as you now experience.

If it's one port for the NAS and one dedicated IPMI port, fine, of course. But if it's two NAS ports - never connect both to a single network.

The NASes have two network interfaces,
NAS1 has 2x 2,5 GbE and NAS2 has 2x 1GbE, with a failover (if one is down, or one is overloaded, traffic goes to the other)

Each independant from the other, so I can, if I want, connect 1 laptop to 192.168.101.111 as root, and 1 laptop to 192.168.101.112 as user

[MarieSophieSG]

Code: [Select]

Firewall: Rules: IGC0_SWITCH1_ETH1_CAT7green
(No Category)Block WAN at night
 
Protocol Source Port Destination Port Gateway Schedule Description    
Automatically generated rules
  IPv4+6 * IGC1_MoDem_ETH2_CAT8black net * _QNAP * * QNAP_Update  Allow QNAP To/From WAN    
  IPv4 * IGC0_SWITCH1_ETH1_CAT7green net * * * * * Default allow LAN to any rule    
  IPv6 * IGC0_SWITCH1_ETH1_CAT7green net * * * * * Default allow LAN IPv6 to any rule    
pass block reject log in first match
pass (disabled) block (disabled) reject (disabled) log (disabled) out last match
  Active/Inactive Schedule (click to view/edit)


Code: [Select]

Enable Enable DHCP server on the IGC0_SWITCH1_ETH1_CAT7green interface
 Deny unknown clients
If this is checked, only the clients defined below will get DHCP leases from this server.
 Ignore Client UIDs
By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.
 Subnet 192.168.0.0
 Subnet mask 255.255.0.0
 Available range 192.168.0.1 - 192.168.255.254
 Range
from to
192.168.101.116
192.168.101.122
 Additional Pools
Pool Start Pool End Description
If you need additional pools of addresses inside of this subnet outside the above Range, they may be specified here.
That's ugly ! is there a better way to present it ?
There is nt much to be seen here besides what I wrote earlier about static/dhcp,
or is it the lease you wanna see ?

[MarieSophieSG]

Code: [Select]

Firewall: Rules: IGC3_SWITCH2_ETH4_CAT7white
(No Category)Block WAN at night
 
Protocol Source Port Destination Port Gateway Schedule Description    
Automatically generated rules
  IPv4+6 TCP/UDP * * sshlockout _Anti_Lockout_Ports * * Anti Lockout Rules
  IPv6 * IGC3_SWITCH2_ETH4_CAT7white net * * * * * Default allow LAN IPv6 to any rule    
  IPv4 * IGC3_SWITCH2_ETH4_CAT7white net * * * * * Default allow LAN to any rule    
Delete


[Patrick M. Hausen]

The NASes have two network interfaces,
NAS1 has 2x 2,5 GbE and NAS2 has 2x 1GbE, with a failover (if one is down, or one is overloaded, traffic goes to the other)

Each independant from the other, so I can, if I want, connect 1 laptop to 192.168.101.111 as root, and 1 laptop to 192.168.101.112 as user

This is fundamentally impossible in networking. A system cannot have two interfaces in a single network. Period.
One possible cause of your problems.

[Patrick M. Hausen]

That's ugly ! is there a better way to present it ?
There is nt much to be seen here besides what I wrote earlier about static/dhcp,
or is it the lease you wanna see ?

I do not get what you mean. What I want from you is something like this:



Why is it so difficult for you to show screen shots of your configuration when asked?

[MarieSophieSG]

That's ugly ! is there a better way to present it ?
There is nt much to be seen here besides what I wrote earlier about static/dhcp,
or is it the lease you wanna see ?

Why is it so difficult for you to show screen shots of your configuration when asked?

Because in a previous post/thread you said: - "no screenshot, I want the code"

[MarieSophieSG]

https://ibb.co/bdKRXLT

https://ibb.co/PG3VFPy

[Patrick M. Hausen]

Because in a previous post/thread you said: - "no screenshot, I want the code"

For command output, of course. Not for UI things  Sorry about the confusion.

But please attach them to your post. The links don't open for me.

[MarieSophieSG]

Because in a previous post/thread you said: - "no screenshot, I want the code"

For command output, of course. Not for UI things  Sorry about the confusion.

But please attach them to your post. The links don't open for me.

TY, and no, don'T be, I am the one sorry for my autism makes this situation/confusion quite usual to me :/

Attached to the post ? I'm using an external link on purpose because I didn't find an "attach picture" (as in: hosted on this opnsense.org server)
I will look again

[MarieSophieSG]

Found it !
it's not in the button menu above, it's a link sub-menu below !

[Patrick M. Hausen]

OK, the first of the IGC0 rules is useless. On IGC0 there will never be a packet coming IN with a source of IGC1 network. That rule needs to be on the IGC1 interface. Rules always go where the initial packet of the connection first hits the firewall on the way in to some firewall interface. "In" and "out" are viewed from the firewall interface, not a human definition of e.g. "Internet is outside" and "home is inside" or some such.

But the rule does not hurt. It just never matches.

The following two rules allow any system with a source address in the IGC0 network to contact anything else - all systems on all other interfaces, everything on the Internet, etc.

So there is a PC on IGC0 and some other system (NAS?) on a different interface and the PC cannot ping the NAS? Correct?

We need to find out why that is the case because the rules clearly allow that.

The only thing I can think of at the moment: edit the rule on IGC0 for IPv4 - is there an explicit "Gateway" setting? If yes, what is it and why? 

[MarieSophieSG]

OK, the first of the IGC0 rules is useless. On IGC0 there will never be a packet coming IN with a source of IGC1 network. That rule needs to be on the IGC1 interface. Rules always go where the initial packet of the connection first hits the firewall on the way in to some firewall interface. "In" and "out" are viewed from the firewall interface, not a human definition of e.g. "Internet is outside" and "home is inside" or some such.

But the rule does not hurt. It just never matches.

Good morning,
OK, so as soon as I get my GUI access back, I will move this one to IGC1_WAN (still with "IN", right ?)

The following two rules allow any system with a source address in the IGC0 network to contact anything else - all systems on all other interfaces, everything on the Internet, etc.

So there is a PC on IGC0 and some other system (NAS?) on a different interface and the PC cannot ping the NAS? Correct?

We need to find out why that is the case because the rules clearly allow that.

Yes, exactly.
Devices on LAN1 can't reach devices on LAN2, LAN3
Device on LAN3 can't reach devices on LAN1

The only thing I can think of at the moment: edit the rule on IGC0 for IPv4 - is there an explicit "Gateway" setting? If yes, what is it and why? 

Nope, all gateway are "default"

[MarieSophieSG]

Some progress ...
I now can access the NAS GUI (192.168.101.111 & 112) from 192.168.103.102
I've added rules to the FW (screenshot)
It's definitely not ideal, and I still can't map network drives, but at least I can access/download/upload files to NAS1 from LAptop4

Edit: no longer ... the dumb-noob me did some other tweak and I lost access to the GUI of the NAS ... working on reverting one by one ...

[Patrick M. Hausen]

Why the same rule (it seems) twice?

[MarieSophieSG]

Why the same rule (it seems) twice?

One is on INT IGC0, the other is on INT IGC3, each with an IN/OUT

Device on IGC0 => IN -> FW (INT IGC0) -> OUT => IGC3
Device on IGC3 => IN -> FW (INT IGC0) -> OUT => IGC0