Routing issue between interfaces on opnsense firewall

Started by firewall_newbie, March 12, 2025, 01:37:05 PM

OK, I thought you might be saying that "if1" and "if2" were on the same network.

Screenshots of [Interfaces > Overview] and [System > Routes > Status] might be helpful, along with the source and destination IP addresses.

March 13, 2025, 11:06:27 AM #16 Last Edit: March 13, 2025, 12:23:40 PM by firewall_newbie
Attached are screenshots that may help.

March 13, 2025, 11:07:10 AM #17 Last Edit: March 13, 2025, 12:24:02 PM by firewall_newbie
Last of the screenshots

Most of the screenshots are too blurry to read... and they're not the ones I asked for anyway.

Do you have [Firewall > Settings > Advanced > Logging > Log packets matched from the default pass rules] enabled? If not, you won't see anything logged outbound (unless you have a specific outbound rule with logging enabled).

March 13, 2025, 11:59:15 AM #19 Last Edit: March 13, 2025, 12:04:41 PM by firewall_newbie
Would I still not see them in packet captures? I can see them on if2 captures when traffic is coming back from the other interface. So I don't really think it is related to whether logging is enabled or not. If I can see packets in captures on the same interface if2 when traffic is returned from the internet, I should be able to see them if they are actually forwarded from if1 to if2. Isn't it?

And yes, the option to log packets matched from the default pass rules is checked/enabled, but I still don't see them in live view OR packet captures. I am not sure what I am missing when this should be simple L3 forwarding.

It generally is that simple.

Earlier you said "client traffic enters firewall on if1(with gateway attached to it)" - what's the gateway for?

Assuming there's no NAT or policy-based routing involved, the traffic should get forwarded according to the routing table, which is why I suggested a screenshot of that, as well as the interfaces overview.

You could also get a shell on the firewall and run `route get 10.10.30.13` to see what interface would be used...

The gateway is to route all default traffic via this interface (if1) and the attached gateway, as I would like to retire the old gateway.

Check the interface config - do you have "Block private networks" and "Block bogon networks" unchecked?
Back to the routing table, then.

Also, can you ping the destination host from the firewall?

Yes, if I ping the host 10.10.30.13 from the firewall with a source interface of if1, I get the ping working. This is really strange.

I'm totally confused with regard to the overall topology here.
GW to internet on one interface, GW on IFL1 for default traffic

Why can't we get a screenshot of Interfaces > Overview?
Whatever was there seems to have been removed...
You can blur parts of the public IPs if you want but the rest is safe.

We're at reply #25 and we don't even know what kind of traffic we're talking about.

Attached is the overview. I am trying to ping from a host on VLAN 777 to a host on VLAN 30. As you can see, both VLANs/networks are directly connected to the firewall and no explicit routing is required. The firewall rule is a permit, for which I can see incoming traffic on VLAN 777, but I see no OUT traffic on VLAN 30, neither in live view nor in packet captures. I am trying a simple inter-VLAN routing here.

I had to resize the image because of the upload size limit, which makes the screenshot blurry, but it can still show meaningful information.

It's barely readable.
I'm unclear why there are that many gateways.
And you also seem to have manual routes defined on top of the default one for each VLAN.

In particular, there appears to be a 10.10.0.0/16 route on LAN_DEFAULT that encompasses the subnets of many 10.10.X.0/24 VLANs, including the one you target.

What's the output of the `route get 10.10.30.13` command suggested by dseven earlier (#20)?

```
root@a:~ # route get 10.10.30.13
   route to: testhost
destination: 10.10.30.0
       mask: 255.255.255.0
        fib: 0
  interface: igb1_vlan30
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
root@a:~ #
```
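The `route get` output above is the kernel's longest-prefix match at work: the directly connected 10.10.30.0/24 on igb1_vlan30 wins over the broader 10.10.0.0/16 route on LAN_DEFAULT that was pointed out earlier, so forwarded packets should leave on igb1_vlan30 and a capture on that interface is where they would have to show up. The Python below, added here as an illustration and not part of this thread or of OPNsense, performs that same longest-prefix lookup over a constructed routing table, derives the ingress and egress interfaces for a source/destination pair, and flags broad routes that overlap more specific ones. The interface names, gateway addresses and the 10.10.77.0/24 prefix used for VLAN 777 are assumptions for the example.

```python
"""Longest-prefix route lookup over a constructed FreeBSD-style routing table.

Added example, not code from the forum thread or from OPNsense. The table
mirrors the situation in the thread: two directly connected VLAN /24s plus a
broader 10.10.0.0/16 route on LAN_DEFAULT that overlaps them. All interface
names, gateways and the VLAN 777 prefix are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None means directly connected


# Constructed routing table (hypothetical names and addresses).
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "igb0", "203.0.113.1"),      # default route via WAN
    Route(ipaddress.ip_network("10.10.0.0/16"), "igb1", "10.10.1.1"),     # broad LAN_DEFAULT route
    Route(ipaddress.ip_network("10.10.30.0/24"), "igb1_vlan30"),          # VLAN 30, directly connected
    Route(ipaddress.ip_network("10.10.77.0/24"), "igb1_vlan777"),         # VLAN 777, assumed prefix
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, like `route get dst`."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    # Longest prefix length wins; the default route only matches as a last resort.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward_path(table: List[Route], src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Return (ingress_interface, egress_interface) for a forwarded packet.

    The ingress interface is where the source subnet is connected; the egress
    interface is where a packet capture for the forwarded traffic must be taken.
    """
    ingress = lookup(table, src)
    egress = lookup(table, dst)
    if ingress is None or egress is None:
        return None
    return ingress.interface, egress.interface


def shadowed_routes(table: List[Route]) -> List[Tuple[Route, Route]]:
    """Return (broad, specific) pairs where a broad route contains a more specific one.

    Such overlaps are legitimate, but they are worth knowing about when a
    directly connected subnet unexpectedly sits inside a manually added route.
    The default route is skipped because it contains everything by definition.
    """
    pairs = []
    for broad in table:
        if broad.prefix.prefixlen == 0:
            continue
        for specific in table:
            if specific.prefix != broad.prefix and specific.prefix.subnet_of(broad.prefix):
                pairs.append((broad, specific))
    return pairs


if __name__ == "__main__":
    best = lookup(ROUTES, "10.10.30.13")
    print(f"10.10.30.13 -> interface {best.interface} via {best.prefix}")
    print("VLAN 777 host to VLAN 30 host:", forward_path(ROUTES, "10.10.77.20", "10.10.30.13"))
    for broad, specific in shadowed_routes(ROUTES):
        print(f"{broad.prefix} on {broad.interface} overlaps {specific.prefix} on {specific.interface}")
```

Running it shows the same decision the firewall made: 10.10.30.13 resolves to igb1_vlan30 through the /24, an address such as 10.10.5.9 that is covered only by the /16 goes out igb1 toward the LAN_DEFAULT gateway, and the overlap report lists both VLAN /24s as sitting inside the 10.10.0.0/16 route.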