What am I doing wrong? Interface is not getting Internet

Started by bcart167, Today at 01:35:28 PM

On port 0 is WAN. This port is set to DHCP because it's getting its IP from my NBN box - and that seems to be fine.

On port 1 is WLAN. It's a wireless router working in AP mode and that works flawlessly. I can get Internet to anything that has connected to the WiFi AP - both wirelessly and via Ethernet.

On port 2 is a switch that at the moment has no restrictions on it. The devices that connect to the switch get DHCP but no Internet, and I have no idea why. I am using DNSmasq + Unbound.

I assigned the 3rd port of the router (igc2) a static IP of 10.10.10.5. Back on my computer (which is connected to the switch), it says that the default gateway, DHCP and DNS are all 10.10.10.5. The router's IP is 10.10.10.1, which is what I have the WLAN interface (static IP) configured to. I don't know why I did it like that or how that works, but it does. Just to add confusion, according to the leases under DNSmasq, the switch is coming up as 10.10.10.93 and is attached to the WLAN interface for some reason - I have no idea why.

I know this is probably very simple but I have clearly overlooked something. I would appreciate any kind of help.
Thanks.

Did you create a firewall rule permitting devices connected to the switch to access the Internet? OPNsense comes with a default rule "allow all" on the LAN port (which your AP seems to be connected to) but for each port you add you must create a matching rule yourself.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think this is even more basic: If your AP works on one port, you would either have to set up a bridge to use the LAN also on a second port or attach the switch to the working LAN port and attach everything including the AP to that switch.

You cannot assign more than one port with the same network, see this, #1 and #2.


Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: Patrick M. Hausen on Today at 01:49:42 PM
Did you create a firewall rule permitting devices connected to the switch to access the Internet? OPNsense comes with a default rule "allow all" on the LAN port (which your AP seems to be connected to) but for each port you add you must create a matching rule yourself.
I just used the allow all on both the LAN interface and the WLAN interface just for testing to ensure everything would come through. But still alas, no Internet.

Then please show the configuration of all your internal interfaces ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on Today at 02:02:38 PM
I think this is even more basic: If your AP works on one port, you would either have to set up a LAGG to use the LAN also on a second port or attach the switch to the working LAN port and attach everything including the AP to that switch.

You cannot assign more than one port with the same network, see this, #1 and #2.

Quote from: Patrick M. Hausen on Today at 02:14:07 PM
Then please show the configuration of all your internal interfaces ...

Something like this?
[Five screenshots of the interface configuration were attached here: Screenshot1 to Screenshot5]

I get this sinking feeling that I'll be apologizing like poor dave79. I've done something stupid and I am in the process of getting berated for my incompetency.
I was hoping to treat each port on the router like one interconnected network, the way a typical store-bought router would work. But OPNsense doesn't work like that? I understand a store-bought router won't have nearly as many features and as much control, but I thought having a switch hang off a port wouldn't be a big stretch.

Who is berating you in here? It just does not work like that, that is about it. Many people come in here with hopes or beliefs that are technically infeasible or incorrect, such as that OPNsense is just a "more secure" consumer router - which it is not.

That set aside, you can use different subnets for different interfaces, yes, but: WLAN = 10.10.10.1/24 and LAN = 10.10.10.2/32. Those overlap, don't they?


Basically, you can set up your ports in one of two ways:

1. Bridged (like a switch), then you have to follow the docs for a bridged setup. That is how many consumer routers do it, when they combine the internal ports like in a switch.

2. Routed, where you have multiple networks on different ports (or VLANs).

You tried to go in-between, which is not possible.

If at all, you would have to separate your 10.10.10.0/24 subnet into two subnets like 10.10.10.0/25 and 10.10.10.128/25. In that case, the interfaces would have 10.10.10.1/25 and 10.10.10.129/25 assigned. I would not do that, because it will become very confusing.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
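The overlap meyergru points out, and the /25 split he describes, as an added worked check in Python. This is not code from the thread or from OPNsense; it uses only the standard ipaddress module on the addresses quoted above (10.10.10.1/24 and 10.10.10.2/32), and the split is carried out in general form for any number of interfaces. The interface names and the helper functions are my own.

```python
import ipaddress


def find_overlaps(interfaces):
    """Given {name: 'address/prefix'} as configured on each router interface,
    return the pairs of interfaces whose networks overlap, sorted by name."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    names = sorted(nets)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def split_plan(base_cidr, count):
    """Carve base_cidr into equal subnets so that each of `count` interfaces
    gets its own; return [(network, gateway/prefix)] with the gateway on the
    first usable address, as in the 10.10.10.1/25 and 10.10.10.129/25 example."""
    base = ipaddress.ip_network(base_cidr)
    # Smallest prefix-length increase that yields at least `count` subnets.
    diff = (count - 1).bit_length()
    plan = []
    for net in list(base.subnets(prefixlen_diff=diff))[:count]:
        gateway = f"{net.network_address + 1}/{net.prefixlen}"
        plan.append((str(net), gateway))
    return plan


if __name__ == "__main__":
    # Constructed from the thread: WLAN on a /24 and LAN on a /32 inside it.
    current = {"WLAN": "10.10.10.1/24", "LAN": "10.10.10.2/32"}
    print("overlapping:", find_overlaps(current))
    proposal = split_plan("10.10.10.0/24", 2)
    print("split plan:", proposal)
    # Assign the proposed gateways to the same two interfaces and re-check.
    fixed = dict(zip(current, (gw for _, gw in proposal)))
    print("overlapping after split:", find_overlaps(fixed))
```

Running it reports the LAN/WLAN pair as overlapping, proposes 10.10.10.0/25 with gateway 10.10.10.1/25 and 10.10.10.128/25 with gateway 10.10.10.129/25, and confirms the pair no longer overlaps afterwards. The same check works for a routed plan with entirely separate /24s per interface, which is the less confusing option the post recommends.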

Good information - thank you for the direction. You're right - no one is berating me but I was just anxiously anticipating someone to highlight the stupid thing I overlooked. And I didn't notice the /24 and /32 until you just highlighted it.

I was thinking about implementing VLANs down the track to separate and tighten security up once I had it all up and running, but it looks like it might be better to do that now. I have gone through a few of the posts you posted in the last few hours (namely READ THIS FIRST and planning my subnets first) and it has given me some things to think about. I was also going to do what you suggest as a trial: plug the switch into the WLAN port and stick the wireless AP into the switch and see if that works. I will investigate the bridged setup too and see if that works better.

Thanks!

One last question: is it through VLANs I get to have different networks connect to the same gateway/outside internet?

Edit: Also, I didn't shove a Polish sausage into a videocassette recorder! It was sand into a tape deck. I wanted to hear what sand sounded like. Spoiler: a lot of crunching before it stopped working.

With VLANs, you can use switches acting like multiple switches in one box - logically, it is the same as having multiple separate interfaces on your router (with different subnets) connected to one switch each. That way, you can keep separate subnets of varying trust. With VLANs, you can have those separate switches combined into one.

If you do not want one switch per subnet, your switch(es) need to be able to handle VLANs, though, so they need to be "managed". With VLANs, you can use just one physical interface to carry all of your VLANs (which are logical interfaces) over one physical port (aka "trunk") to the switch and then fan out each VLAN on specific "access" ports for each client.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
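To show what "multiple switches in one box" and "trunk" versus "access" ports mean on the wire, here is an added Python model of 802.1Q tagging and of a managed switch's forwarding decision. It is not code from the thread, from OPNsense or from any switch vendor; it goes a little beyond the post by building the actual tagged frame. The port names, VLAN IDs and MAC addresses are constructed for the example, and the switch is a toy that floods every frame within its VLAN (no MAC learning).

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def untagged_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4):
    """Plain Ethernet II frame (no FCS): dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Same frame with an 802.1Q tag inserted: TPID 0x8100, then TCI
    (3-bit priority, 1-bit DEI, 12-bit VLAN ID), then the original EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, dst, src, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, dst, src, inner, frame[18:]
    return None, dst, src, ethertype, frame[14:]


class VlanSwitch:
    """Toy managed switch: each access port carries exactly one VLAN untagged,
    the trunk port carries every VLAN tagged (no native VLAN configured)."""

    def __init__(self, access_ports, trunk_port):
        self.access_ports = dict(access_ports)   # port name -> VLAN ID
        self.trunk_port = trunk_port

    def forward(self, in_port, frame):
        """Flood a frame to the other ports of its VLAN; returns sorted
        [(out_port, frame)] with tagging adjusted per egress port."""
        vid, dst, src, ethertype, payload = parse_frame(frame)
        if in_port == self.trunk_port:
            if vid is None:
                return []   # untagged on the trunk: nowhere to place it, drop
        elif in_port in self.access_ports:
            if vid is not None:
                return []   # a client on an access port cannot pick its own VLAN
            vid = self.access_ports[in_port]
        else:
            raise KeyError(f"unknown port {in_port}")
        out = []
        for port, port_vid in self.access_ports.items():
            if port != in_port and port_vid == vid:
                out.append((port, untagged_frame(dst, src, payload, ethertype)))
        if in_port != self.trunk_port:
            # Towards the router: keep the VLAN identity by tagging the frame.
            out.append((self.trunk_port, tag_frame(dst, src, vid, payload, ethertype)))
        return sorted(out)


if __name__ == "__main__":
    # Constructed topology: p1/p2 in VLAN 10, p3 in VLAN 20, "trunk" to the router.
    sw = VlanSwitch({"p1": 10, "p2": 10, "p3": 20}, "trunk")
    broadcast = b"\xff" * 6
    host_a = b"\x02\x00\x00\x00\x00\x01"
    for port, frm in sw.forward("p1", untagged_frame(broadcast, host_a, b"hello")):
        print(port, "vid:", parse_frame(frm)[0])
```

Frames from p1 reach p2 untagged and the trunk tagged with VID 10, but never p3, which is the separation the post describes; a frame the router sends down the trunk tagged 20 is delivered only to p3, with the tag removed. On the OPNsense side each VLAN becomes its own logical interface on the physical trunk port, with its own subnet and firewall rules.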