Topic: Gateway not accessible from particular VLAN, but some devices can access WAN (Read 224 times)
waldorf (Newbie, Posts: 15, Karma: 0)
Gateway not accessible from particular VLAN, but some devices can access WAN
on: November 24, 2024, 12:24:23 pm
Using v24.7.1
I have one VLAN (also has the mDNS repeater configured for this interface) from which I am unable to ping the gateway (192.168.3.1).
When connected to this VLAN through a WiFi AP (seems the same when using wired):
- I get a DHCP IP address with the correct gateway IP
- When doing a network scan, I see connected devices on the same VLAN
- Able to ping those devices (e.g. Nvidia Shield 192.168.3.60)
- Unable to ping the gateway IP
- Unable to ping an IP on the internet (which makes sense if the gateway is not reachable)
- And now the most weird: the Shield on 192.168.3.60 is able to access the internet (Netflix playback works)
- I just created an access port on the (L2) switch which is directly connected to the OPNsense box (this to exclude other switches which might be misbehaving); behavior is the same. I am able to ping devices in the 3.x network, but unable to ping the 3.1 gateway. (I can ping the 3.1 gateway from another VLAN.)
There are some firewall rules, but currently the first (enabled) rule on this interface is an IPv4* allow any to all.
At the moment I have no clue what this can be, any suggestions?
Last Edit: November 24, 2024, 02:18:16 pm by waldorf
viragomann (Full Member, Posts: 213, Karma: 7)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #1 on: November 24, 2024, 02:21:35 pm
Is there an outbound NAT rule in place for this VLAN?
waldorf (Newbie, Posts: 15, Karma: 0)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #2 on: November 24, 2024, 02:33:29 pm
The only outbound NAT rules are the default ones. I never added/changed any NAT rules.
I see 2 auto-generated rules listed, which both contain all network names for the source network.
I just noted I have a 2nd VLAN which also cannot ping its own gateway (but has DHCP-connected clients).
viragomann (Full Member, Posts: 213, Karma: 7)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #3 on: November 24, 2024, 02:49:15 pm
So OPNsense has automatically added an outbound NAT rule for this VLAN.
On OPNsense, apart from this, only a firewall pass rule to any is needed for internet access, and you said you've created one.
So possibly the issue is outside of it, on the switch?
On OPNsense you can run a packet capture on the internal VLAN interface and on WAN to investigate the traffic flow.
waldorf (Newbie, Posts: 15, Karma: 0)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #4 on: November 24, 2024, 03:13:01 pm
One of the switches was something I suspected as well. That was the reason I created an access port for this VLAN on the switch directly connected to OPNsense.
I have to say, this is a switch which I bought recently, so there might be something I overlooked.
(HP Aruba 1830)
I have a simple VLAN-capable switch as a spare and will connect it to the OPNsense trunk port to see what this does (when only using the particular VLAN).
waldorf (Newbie, Posts: 15, Karma: 0)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #5 on: November 24, 2024, 04:39:16 pm
Just tried the following using a very simple switch with tagged VLAN support.
OPNsense trunk port (only tagged) -> switch port 1 tagged VID 13 -> port 2 untagged VID 13 -> laptop
Laptop receives DHCP IP address 192.168.3.x but ping 192.168.3.1 does not work.
Neither does ping 8.8.8.8 or 1.1.1.1 work.
So it really seems something with the OPNsense config. In the past the setup worked, so something must have been changed, although I do not know what.
It seems I must dig into the config files.
Patrick M. Hausen (Hero Member, Posts: 6854, Karma: 575)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #6 on: November 24, 2024, 05:08:00 pm
If you just added that tagged VLAN on OPNsense you also need to create a firewall rule to actually allow any traffic from clients in that interface.
DHCP is passed by automatic rules, that's why address acquisition works.
waldorf (Newbie, Posts: 15, Karma: 0)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #7 on: November 24, 2024, 05:57:41 pm
I didn't change the OPNsense config, just pulled the trunk wire out of the main switch and put it in another switch (different brand/type), just to exclude switch issues. This temporary switch was configured to have a single tagged VLAN 13 port and an access port with the same VLAN untagged. Behavior the same: client receives IP address but gateway not accessible.
I have 2 other VLANs which just work as expected, only VLAN 13 does not. (The first firewall rule it currently has is an "allow all IPv4* to any" for this interface.)
One thing I just noticed: the 'Interfaces' menu has a 'Neighbors' submenu. This Neighbors menu shows several entries (which I never added) and all of those entries are from the non-working VLAN network. Can this be related somehow? And when are entries automatically added to the Neighbors list?
I enabled logging for the "allow any" rule for the particular VLAN and did a ping to the gateway from a client. All the ICMP requests were green, but ping did not get a response.
Same client on another VLAN: no problem.
It somehow seems the allow-all in-rule is not working. But I have no idea why. I do not use any floating rules.
And strangely the Shield on the same VLAN is able to play Netflix.
Last Edit: November 24, 2024, 09:20:47 pm by waldorf
waldorf (Newbie, Posts: 15, Karma: 0)
Re: Gateway not accessible from particular VLAN, but some devices can access WAN
Reply #8 on: Today at 08:00:09 pm
To answer my own question: it turned out it was caused by the "enable static ARP" option, which was enabled and which does a little bit more than only mapping IP addresses to MAC addresses.
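The symptom in Reply #7 (ICMP requests logged as passed by the firewall, but no reply) and the resolution in Reply #8 fit together once you know what the static ARP option does on the underlying FreeBSD interface: with the staticarp flag set, ifconfig(8) documents that the host only replies to ARP requests for its own addresses and never sends ARP requests of its own, so the firewall cannot resolve the MAC of any client that does not have a permanent ARP entry, and its replies have nowhere to go. The script below is an added diagnostic example written for this thread, not code from the poster or from OPNsense: it parses FreeBSD-style `ifconfig` and `arp -an` text, checks which interfaces carry the STATICARP flag, and lists DHCP clients on those interfaces that lack a permanent entry and will therefore get no replies from the gateway. The interface names (vlan0.13, vlan0.12), MAC addresses, lease list and all command output are constructed sample data, not from the poster's box.

```python
"""Spot DHCP clients stranded behind a STATICARP interface on FreeBSD/OPNsense.

Added example for this thread; every address, interface name and command
output below is constructed sample data, not captured from a real firewall.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed `ifconfig` output: vlan0.13 has STATICARP set, vlan0.12 does not.
IFCONFIG_OUTPUT = """\
vlan0.13: flags=1088843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP,LOWER_UP> metric 0 mtu 1500
\tether 00:aa:bb:cc:dd:13
\tinet 192.168.3.1 netmask 0xffffff00 broadcast 192.168.3.255
\tgroups: vlan
\tvlan: 13 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
vlan0.12: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
\tether 00:aa:bb:cc:dd:12
\tinet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
\tgroups: vlan
\tvlan: 12 vlanproto: 802.1q vlanpcp: 0 parent interface: igb1
"""

# Constructed `arp -an` output: "permanent" marks static entries, dynamic
# entries carry an expiry. Only one client on vlan0.13 has a static mapping.
ARP_OUTPUT = """\
? (192.168.3.1) at 00:aa:bb:cc:dd:13 on vlan0.13 permanent [vlan]
? (192.168.3.60) at 00:04:4b:12:34:56 on vlan0.13 permanent [vlan]
? (192.168.2.1) at 00:aa:bb:cc:dd:12 on vlan0.12 permanent [vlan]
? (192.168.2.25) at 3c:22:fb:11:22:33 on vlan0.12 expires in 1180 seconds [vlan]
"""

# Constructed DHCP leases per interface as (ip, mac); a real run would read
# these from the DHCP server's lease file instead.
LEASES: Dict[str, List[Tuple[str, str]]] = {
    "vlan0.13": [("192.168.3.60", "00:04:4b:12:34:56"),
                 ("192.168.3.77", "a4:83:e7:aa:bb:cc")],
    "vlan0.12": [("192.168.2.25", "3c:22:fb:11:22:33")],
}

IFACE_RE = re.compile(r"^(\S+): flags=[0-9a-f]+<([^>]*)>")
ARP_RE = re.compile(
    r"^\S+ \((\S+)\) at (\S+) on (\S+) (permanent|expires in \d+ seconds|expired)"
)


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    iface: str
    permanent: bool


def parse_ifconfig(text: str) -> Dict[str, Set[str]]:
    """Map interface name -> set of flag names from `ifconfig` output."""
    flags: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            flags[m.group(1)] = set(m.group(2).split(","))
    return flags


def parse_arp(text: str) -> List[ArpEntry]:
    """Parse `arp -an` lines; incomplete or unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, iface, state = m.groups()
            entries.append(ArpEntry(ip, mac.lower(), iface, state == "permanent"))
    return entries


def diagnose(ifconfig_text: str, arp_text: str,
             leases: Dict[str, List[Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Return, per interface with leases, the client IPs the gateway cannot answer.

    On a STATICARP interface the firewall never sends ARP requests, so a
    client whose MAC has no permanent entry is unreachable even though the
    firewall rules pass its packets. Without STATICARP, dynamic ARP resolves
    every client, so the stranded list is empty.
    """
    flags = parse_ifconfig(ifconfig_text)
    permanent: Dict[str, Set[str]] = {}
    for e in parse_arp(arp_text):
        if e.permanent:
            permanent.setdefault(e.iface, set()).add(e.mac)
    report: Dict[str, List[str]] = {}
    for iface, clients in leases.items():
        if "STATICARP" not in flags.get(iface, set()):
            report[iface] = []
            continue
        known = permanent.get(iface, set())
        report[iface] = sorted(ip for ip, mac in clients if mac.lower() not in known)
    return report


if __name__ == "__main__":
    for iface, stranded in diagnose(IFCONFIG_OUTPUT, ARP_OUTPUT, LEASES).items():
        status = "no replies possible for " + ", ".join(stranded) if stranded else "ok"
        print(f"{iface}: {status}")
```

In the constructed data the client with a permanent entry (the one on 192.168.3.60) keeps working while the other lease on the same VLAN gets no answer, which is the shape of the behaviour reported in this thread; on a live box the same check is done by looking for STATICARP in the interface flags and comparing `arp -an` permanent entries against the DHCP lease list.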