[SOLVED] Problem with intra VLAN communication and RFC1918 rule

[unserpablopajero]

Hello everyone,

I recently switched to OPNsense after using pfsense for a few years, - lets go real open source again :)

Now I have a (few) problems, one of which I am asking you for help. I have different VLANs with devices that access my NAS, - inter VLAN communication is fine with a specific rule for the devices and restricted to port 445.

My main computer (iMac 27") and the NAS are on the same VLAN (referred to as Internal VMs).

I however cannot get the iMac to connect to the NAS (172.28.2.60) correctly over SMB (or AFP), no file transfer is possible. GUI access and ping are fine. Mind you, without the restrictive RFC1918 (as I had with my previous setup and pfsense), it did work without a problem.

As I understand it, rules are followed top to bottom, - the very non restrictive rule from my iMac to the NAS should not be limiting anything. I did delete one duplicate rule that is still on the picture, - did not change anything however..

What am I missing here?

Best

Alex

[dseven]

One thing you have wrong is the netmask on your rules for 172.28.2.90 - assuming those rules are supposed to apply to a single host at that IP address, the netmask should be /32, not /24.

That's not going to prevent your NAS access from working, though.

If the iMac and NAS are on the same VLAN/subnet, the firewall wouldn't be involved in communication between them (unless you have bridged ports and enabled bridge filtering?).

[unserpablopajero]

Thank you, I changed this.

Does the RFC1918 rule not apply then on the same VLAN?

The alias contains 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16..

I don't know the concept of bridge ports, - I don't think I have it set up unless its enabled by default..

[unserpablopajero]

When trying to access the NAS via SMB I get block; can't get my head around this! Why would it block? States have been cleared, even rebooted the instance (and my mac of course...)

[Patrick M. Hausen]

Are the network masks on the NAS and on the PC that tries to connect correct?

[unserpablopajero]

I hope I understood the question correctly, - subnet mask on the NAS is 255.255.255.0, on the Mac (oddly) 255.255.255.255.

If I change the subnet mask to 255.255.255.0 manually, SMB works PERFECTLY, however I don't have www -.- :)

I had problems setting up Kea DHCP, - the subnet however is defined as 172.28.2.0/24..

I think this is the cause of the problem, - I am not sure how to fix it though. Do you think it lies within Kea DHCP?

[Patrick M. Hausen]

If the subnet is a /24 all devices need a subnet mask of 255.255.255.0.

No idea about Kea, but the wrong mask on the Mac must come from *somewhere*, so best check your DHCP settings.  :)

[dseven]

Does the RFC1918 rule not apply then on the same VLAN?

The alias contains 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16..

I don't know the concept of bridge ports, - I don't think I have it set up unless its enabled by default..

I assume you have an ethernet switch to which the LAN ports of the firewall, NAS and iMac are all connected. When the iMac talks to the NAS on the same VLAN/subnet, it does not go through the firewall - the firewall doesn't even see it, much less have any chance to block it. It just goes through the switch.

It sounds like you have a DHCP issue, but the above is important to understand....

[unserpablopajero]

If the subnet is a /24 all devices need a subnet mask of 255.255.255.0.

No idea about Kea, but the wrong mask on the Mac must come from *somewhere*, so best check your DHCP settings.  :)

Thank you, - I will check the Kea DHCP. I just realised that the other devices also get the weird submask, don't know why yet.

[unserpablopajero]

Does the RFC1918 rule not apply then on the same VLAN?

The alias contains 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16..

I don't know the concept of bridge ports, - I don't think I have it set up unless its enabled by default..

I assume you have an ethernet switch to which the LAN ports of the firewall, NAS and iMac are all connected. When the iMac talks to the NAS on the same VLAN/subnet, it does not go through the firewall - the firewall doesn't even see it, much less have any chance to block it. It just goes through the switch.

It sounds like you have a DHCP issue, but the above is important to understand....

That makes a lot of sense, thank you!

[unserpablopajero]

It is a Kea DHCP issue that's already been reported here:

https://gitlab.isc.org/isc-projects/kea/-/issues/3377

I think I'll change to the older DHCP server and call it a night.

Thank you all VERY MUCH!

[Patrick M. Hausen]

Why are you using "DHCP with manual address"?

[unserpablopajero]

Did not distribute fixed leases, - just changed this while setting up the new (old) DHCP...

[Patrick M. Hausen]

Fixed reservations must lie outside of your dynamic range.

[unserpablopajero]

Yes! I usually start distribution at .101, - below is reserved for fixed leases.. (keeping in mind this is a home network :) )