[NOOB] Connecting NAS dble ETH to LAN1 not accessible from LAN3

[MarieSophieSG]

Still not clear about lambda but let's see. Can you please post screenshot of your LAN1 firewall rules. No link to external sites please. No need to expand the automatic ones yet.
We would also enable OPN additional logging if is on defaults:
Firewall: Settings: Advanced | Logging section. We enable to diagnose and then disable as it eats storage.

Sure ! You will see nothing but the lambda (as in "default", the two pre-set rules for LAN1, right after the automatic ones)

What we would like to do is (ideally) have a laptop on each interface, through a switch on each if that is the current setup, to then do the pings.

That's exactly what I did and reported in the previous

We would also enable OPN additional logging if is on defaults:
Firewall: Settings: Advanced | Logging section. We enable to diagnose and then disable as it eats storage.

Logging are on by default

[MarieSophieSG]

And the network setup,
Except NAS1 is out and there is no "static" (for now)

[cookiemonster]

So, focusing on "Laptop1 (LAN1) can't ping any LAN2 LAN3 interfaces, yet along any devices on these".
- Your LAN1 on the above statement, trying to find it on your diagram, is igc0 with ip 192.168.101.101/24, right?
- Your firewall rules on it says all in allowed on IPV4 and IPv6. Good.

1) Now, plug your laptop on the switch and should, according to your diagram, get an ip in range 116-122 so why does it have instead 192.168.101.102 ? Static set by you? if so, have you checked you have also entered the correct gateway and netmask ?
2) When you ping for this laptop, do you see the traffic hitting the OPN firewall ? Blocked or allowed, doesn't matter. You need to be able to see the traffic. To do that, you need to enable logging that is disabled by default, and you've done that (it is not on by default). And on your firewall rule screenshot it appears disabled for the rule in particular, and that would override the general setting. Please double check and report.

[MarieSophieSG]

So, focusing on "Laptop1 (LAN1) can't ping any LAN2 LAN3 interfaces, yet along any devices on these".
- Your LAN1 on the above statement, trying to find it on your diagram, is igc0 with ip 192.168.101.101/24, right?
- Your firewall rules on it says all in allowed on IPV4 and IPv6. Good.

Yes sir, that's exactly it

1) Now, plug your laptop on the switch and should, according to your diagram, get an ip in range 116-122 so why does it have instead 192.168.101.102 ? Static set by you? if so, have you checked you have also entered the correct gateway and netmask ?

That's why I mentioned "no static" (for now) as this IP was (and will be) its static one, therefore out of the DHCP range
For now, it gets a DHCP address .101.116

2) When you ping for this laptop, do you see the traffic hitting the OPN firewall ? Blocked or allowed, doesn't matter. You need to be able to see the traffic. To do that, you need to enable logging that is disabled by default, and you've done that (it is not on by default). And on your firewall rule screenshot it appears disabled for the rule in particular, and that would override the general setting. Please double check and report.

Logging *is* "on" by default, as I haven't touched anything there since re-install
Or maybe what you mean is I need *the only one* that is not "on" by default, the:

Code: [Select]

  Outbound NAT Log packets matched by automatic outbound NAT rulesOK, it is ON now,
Where do I check its results ? in rules statistics ?

[cookiemonster]

Live traffic logging view:
Firewall: Log Files: Live View
Chose the INCOMING interface from the dropdown for first filter. i.e. Interface IS LAN1 or whatever you have called it.

p.s. Strange you have that on after reinstall. Never seen that happen. You ought to remember to disable it later when all is good. It'll chew your storage if the firewall is a busy one.

[MarieSophieSG]

Live traffic logging view:
Firewall: Log Files: Live View
Chose the INCOMING interface from the dropdown for first filter. i.e. Interface IS LAN1 or whatever you have called it.

p.s. Strange you have that on after reinstall. Never seen that happen. You ought to remember to disable it later when all is good. It'll chew your storage if the firewall is a busy one.

In the live view with filter on .101.116 and .103.101 with PING running (inside OPNs)
Ping results = 100% loss

[MarieSophieSG]

And live view on LAN1

[cookiemonster]

I don't see the ping from 192.168.101.116 to 192.168.103.101 indeed.
Just to be sure the logging is correct. What I meant before, here in your screenshot, modified to show:

The greyed out

Code: [Select]

i suggest the logging of those rules is disabled. Can you try to enable it?

EDIT:
Why isn't your interface IGC0 on your picture?
In other words, your interface LAN1 maps to IGC0 according to your diagrams. So why is it showing as "LAN1_SWITCH1_Green_ETH1_IGC1". Just a labelling error?

[MarieSophieSG]

I don't see the ping from 192.168.101.116 to 192.168.103.101 indeed.
Just to be sure the logging is correct. What I meant before, here in your screenshot, modified to show:
The greyed out

Code: [Select]

i suggest the logging of those rules is disabled. Can you try to enable it?

In FW, Settings, Avenced all logging are enabled

EDIT:
Why isn't your interface IGC0 on your picture?
In other words, your interface LAN1 maps to IGC0 according to your diagrams. So why is it showing as "LAN1_SWITCH1_Green_ETH1_IGC1". Just a labelling error?

You are absolutely right, I meant to correct it yesterday but forgot
LAN1 is IGC0, not IGC1 (WAN) corected now

[cookiemonster]

Thanks for the confirmation of the interface names.

I don't see the ping from 192.168.101.116 to 192.168.103.101 indeed.
Just to be sure the logging is correct. What I meant before, here in your screenshot, modified to show:
The greyed out

Code: [Select]

i suggest the logging of those rules is disabled. Can you try to enable it?

In FW, Settings, Avenced all logging are enabled

That is not what I asked though. Have you enabled the logging for these rulese on the screenshot? Ah wait, it might be something new. The i is clickable to toggle enable/disable. It's a shortcut to editing the rule and doing it there.
Chances are if you click on edit instead of the shortcut, you'll find the rule has no logging enabled. Check please.

[MarieSophieSG]

Thanks for the confirmation of the interface names.

I don't see the ping from 192.168.101.116 to 192.168.103.101 indeed.
Just to be sure the logging is correct. What I meant before, here in your screenshot, modified to show:
The greyed out

Code: [Select]

i suggest the logging of those rules is disabled. Can you try to enable it?

In FW, Settings, Avenced all logging are enabled

That is not what I asked though. Have you enabled the logging for these rulese on the screenshot? Ah wait, it might be something new. The i is clickable to toggle enable/disable. It's a shortcut to editing the rule and doing it there.
Chances are if you click on edit instead of the shortcut, you'll find the rule has no logging enabled. Check please.

By "i" you mean the "information" icon at the very right of each lines on "live view" ? right ?
If the line appears on live view, doesn't that means the logging is on ?
Keep in mind I'M using 24.7, I didn't do any update (To leave *everything* stock, until I'm told to do so)

There is no logging per rule, only the general settings (for all rules) or maybe I didn't look in the right place ?

[cookiemonster]

please look at the attached screenshot of yours that I modified to point it out.

[MarieSophieSG]

please look at the attached screenshot of yours that I modified to point it out.

Oh ! yes, right, thank you, I missed it

[cookiemonster]

Once you've changed or at least checked this, you can probably see where this is going.
If there is no record on the firewall of your ping hitting it (hence is so important that the logging is right), then you need to check why is that. So it won't be a setting on OPN prevent it it, it will be something more "basic" and we will need to go to the very basics of the interface setup.
The only other thought and if it goes that way, is that I see signs of IPv6 which I do not use. I am not familiar with it, so if there is an IPv6 diagnostic required I'll need to step back.

[MarieSophieSG]

Once you've changed or at least checked this, you can probably see where this is going.
If there is no record on the firewall of your ping hitting it (hence is so important that the logging is right), then you need to check why is that. So it won't be a setting on OPN prevent it it, it will be something more "basic" and we will need to go to the very basics of the interface setup.
The only other thought and if it goes that way, is that I see signs of IPv6 which I do not use. I am not familiar with it, so if there is an IPv6 diagnostic required I'll need to step back.

I clicked the I-information for both lines on both LAN1 and LAN3 FW  rules (color slightly changed to blue"
And went back to live view to get this: