New interface question

[Mattps]

Hi Forum - hopefully and easy one!

I have got my home lab setup working using multiple vlans and an inline ISP Broadband router. I can happily ping all the SVIs from each required location. Previous I had just a LAN and WAN interface on OPNSense, but I wanted another network to access the internet. My OPNSense instance is virtualised so I have added a new VLAN on my hypervisor host, assigned to the OPNSense virtual appliance and then created a new interface in OPNSense by selecting the available MAC. The new interface is of type "opt1".

Client(192.168.2.100) <---> Switch1 (VLAN SVI:192.168.2.254) <---> Switch2 (VLAN SVI:192.168.1.253) <---> OPNSense opt1 (Int IP: 192.168.2.1)

The problem is that I can't ping out from OPNSense to the SVI of this network. If I try and ping from my switches I can ping any address (client and VLAN SVIs), but can't ping the new OPNSense interface. Is there something I have missed during the interface setup?

Hope you can help!
Matt

[Mattps]

So, still having troubles. Even if I add the follow allow all rules in the second LAN (LAN2) interface I am still not able to ping out or in:

Protocol | Direction | Source | Port | Dest | Port | Gateway | Schedule
IPv4 -> * * * * * *
IPv4 <- * * * * * *

[Patrick M. Hausen]

What is SVI? Why are the two switches in two dufferent networks? Please show for all connections if they are trunk (tagged) or access (untagged) ports.

[Mattps]

Hi Patrick,

Apologies, there was a typo in my first post (fat fingered phone input). The Switch2 SVI should have read 192.168.2.253.

SVI - Switch Virtual Interface, or VLAN interface.

The image shows that I am able to access the internet from the "LAN" (VLAN10) network, and I can PING both switch SVIs and the client IP from the OPNSense interface diagnostics.
I am not able to access the internet from the second LAN interface "opt1" (VLAN2), PING either switch SVI or the client. I have added a *.* firewall rule to opt1 but still don't see anything if I try a packet capture.

https://ibb.co/SXMfM04x

I thought maybe it could be a routing issue but I read that OPNSense added routing for the interfaces automatically.

[pfry]

[...]Switch2 (VLAN SVI:192.168.1.253)[...]

[...]Why are the two switches in two dufferent networks?[...]

Heh. The routing looked off, but the image has the expected 192.168.2.253.

I'd tend to suspect rules, then. Any blocks reported by the firewall?

[Mattps]

Hi pfry,

I think I do see blocks but can't work out why as I have add full in/out all traffic rules on opt1.

Matt

[Mattps]

Actually no, I don't see any blocked traffic relating to the PING diagnostic:

https://ibb.co/BMyD2bf


https://ibb.co/jk06c4KY


I have the standard WAN rule set:

https://ibb.co/99BM1Jzb

And copied the the rule that was automatically set on the LAN interface to the opt1 interface (adjusting for interface):

https://ibb.co/VWHHMJL7

*Sorry, image tags aren't working, so had to add as links.

[Maurice]

still don't see anything if I try a packet capture

Packet capture on OPNsense itself? That would indicate a VLAN / switch issue. A packet capture would show packets even if they are blocked by firewall rules.
Do you at least see ARP requests / responses?

Cheers
Maurice

[Mattps]

A packet capture does show any packets. It got me thinking. I went through the interfaces overview and saw that the interface mask had defaulted to a /32 mask, not /24.
I corrected and it started working straight away!

I do have other questions around rules - I can't seem to get these right to block opt1 from the LAN, but I'll have a look on YouTube and try and educate myself first before coming back here.

Thanks for all your help and patience - I'm only just just getting started with OPNSense, but love it so far!

Matt