can't route between subnets

Started by shadow_fury, November 02, 2025, 07:28:17 PM

I am running OPNsense 25.1.12-amd64.

I have the following setup:

Interface | Subnet/CIDR
LAN       | 192.168.1.0/26
WLAN      | 192.168.2.0/26

There is an AP on 192.168.2.10 (static) that I would like to be able to reach from the LAN subnet. Additionally, there is going to be a DNS server on LAN that I want devices on the WLAN subnet to reach. The two subnets are on separate physical interfaces.

The issue that I am having is that OPNsense isn't advertising the cross-subnet routes. If I manually add a route on a computer on the LAN subnet and try to ping the AP, I can see the packet being passed in the firewall logs, but by default the route isn't there.

Help is appreciated.

If the AP and DNS server have static IP configurations, you'll also need to configure static routes - either by setting their default gateway to the OPNsense LAN / WLAN interface address or by configuring specific static routes.

If you want OPNsense to advertise routes, you need to use DHCP.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

What do you mean by advertising? This term is frequently used in dynamic routing, i.e. routing protocols between routers, not clients.

Your clients should all have a default gateway route pointing to the OPNsense IP address in the respective network.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 02, 2025, 07:59:57 PM #3 Last Edit: November 02, 2025, 08:05:48 PM by shadow_fury
Quote from: Patrick M. Hausen on November 02, 2025, 07:56:47 PM
What do you mean by advertising? This term is frequently used in dynamic routing, i.e. routing protocols between routers, not clients.

Your clients should all have a default gateway route pointing to the OPNsense IP address in the respective network.

The route isn't being sent to the PCs on the LAN network. It only sends the LAN route (192.168.1.0/26), and thus the PC doesn't send packets destined to the AP up to the gateway.

It should send a default route.

November 02, 2025, 08:04:34 PM #5 Last Edit: November 02, 2025, 08:09:19 PM by shadow_fury
Quote from: Patrick M. Hausen on November 02, 2025, 08:01:02 PM
It should send a default route.

Because of a VPN configuration on the computer, a default route doesn't work. I need an explicit route, i.e. "192.168.2.0/24 via 192.168.1.1".
Also, even if I add this route manually, I still don't get a ping reply from the AP.

Also, removing the VPN routes and just leaving the default OPNsense route, I also don't get a reply from the AP.

By default, OPNsense doesn't advertise specific routes via DHCP, but you can configure it to do this (e.g. in the Kea subnet settings). Of course this requires that your clients actually use DHCP and honor DHCP route options.

You also need to set a route on the AP itself (either as the default gateway or as a specific route). The AP needs to know where to send the ping replies.

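The "DHCP route options" mentioned above are RFC 3442, DHCP option 121 (Classless Static Route). Whatever a Kea subnet configuration pushes ends up on the wire in the byte layout below. The encoder/decoder here is an added illustration written for this page, not OPNsense, Kea or ISC code; the addresses are the ones from the thread, and the malformed-option handling is the part a practitioner should care about, because a rogue DHCP server on the WLAN can hand out routes just as easily as a legitimate one.

```python
"""Encoder/decoder for the DHCP Classless Static Route option (RFC 3442, option 121).

Each route is encoded as
  <prefix length><significant destination octets><router (4 bytes)>
where only ceil(prefixlen / 8) destination octets are sent.  This is a
stand-alone example, not code from OPNsense or Kea.
"""
import ipaddress
from typing import List, Tuple

OPTION_CLASSLESS_STATIC_ROUTE = 121  # Microsoft's option 249 uses the identical encoding

Route = Tuple[str, str]  # ("192.168.2.0/26", "192.168.1.1")


def encode_option_121(routes: List[Route]) -> bytes:
    """Return the full TLV (code, length, data) for the given routes.

    RFC 3442 requires a client that understands option 121 to ignore option 3
    (Router), so the default route has to be carried in here as well.
    """
    data = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects 192.168.2.10/26 (host bits set)
        gw = ipaddress.IPv4Address(router)
        n_octets = (net.prefixlen + 7) // 8
        data.append(net.prefixlen)
        data += net.network_address.packed[:n_octets]
        data += gw.packed
    if len(data) > 255:
        raise ValueError("option 121 payload exceeds one DHCP option (255 bytes)")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(data)]) + bytes(data)


def decode_option_121(option: bytes) -> List[Route]:
    """Parse a TLV (from encode_option_121 or from a capture) back into routes.

    Every length check is explicit: a malformed option from an untrusted DHCP
    server must raise, not silently yield a bogus route.
    """
    if len(option) < 2 or option[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not an option 121 TLV")
    body = option[2:]
    if len(body) != option[1]:
        raise ValueError("length byte does not match payload")
    routes: List[Route] = []
    i = 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n_octets = (plen + 7) // 8
        if i + n_octets + 4 > len(body):
            raise ValueError("truncated route entry")
        dest = bytes(body[i:i + n_octets]) + bytes(4 - n_octets)  # pad to 4 octets
        i += n_octets
        gw = bytes(body[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{plen}", strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


# The two routes a LAN client in the thread would need: the specific WLAN route
# and (because option 3 is ignored once 121 is honoured) the default route.
LAN_CLIENT_ROUTES: List[Route] = [
    ("192.168.2.0/26", "192.168.1.1"),
    ("0.0.0.0/0", "192.168.1.1"),
]

if __name__ == "__main__":
    tlv = encode_option_121(LAN_CLIENT_ROUTES)
    print(tlv.hex(" "))
    print(decode_option_121(tlv))
```

Running it prints the 16-byte TLV `79 0e 1a c0 a8 02 00 c0 a8 01 01 00 c0 a8 01 01`: code 121, length 14, then `/26 192.168.2.0 via 192.168.1.1` and `/0 via 192.168.1.1`. A client that does not implement option 121 (or 249) simply ignores it and keeps using option 3, which is why the thread's advice to make OPNsense the default gateway is the robust fix.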

You did not write anything about a VPN configuration. Please provide all details, all involved networks, all routes. It's difficult to help you if you don't.

November 02, 2025, 09:14:31 PM #8 Last Edit: November 02, 2025, 09:22:24 PM by shadow_fury
Quote from: Patrick M. Hausen on November 02, 2025, 08:50:17 PM
You did not write anything about a VPN configuration. Please provide all details, all involved networks, all routes. It's difficult to help you if you don't.

I disabled the VPN, so it isn't a factor.

Adding the manual routes to two devices allowed them to ping each other. Unfortunately, the AP doesn't seem to let me configure its gateway, so I can't make it reachable. Now I guess I need to switch the DHCP server to Kea and configure routes there so DHCP devices route correctly. Thanks for the help, and I guess I need a better AP.

Doesn't OPNsense do all the routing in your network?

November 02, 2025, 09:21:08 PM #10 Last Edit: November 02, 2025, 09:22:53 PM by shadow_fury
Quote from: Patrick M. Hausen on November 02, 2025, 09:17:27 PM
Doesn't OPNsense do all the routing in your network?

It does, but it's currently using the ISC DHCP service, and not Kea, and I don't see a way to add an explicit route (i.e. 192.168.2.0/26 via 192.168.1.1) to ISC.

* I noticed that I called the AP a router. I've fixed that (it is a re-purposed combo device, with the DHCP server disabled to turn it into an AP).

You do not need an explicit route. OPNsense ought to be the default gateway for all connected networks. Problem solved.

What is this "VPN situation"?

Quote from: Patrick M. Hausen on November 02, 2025, 09:23:08 PM
You do not need an explicit route. OPNsense ought to be the default gateway for all connected networks. Problem solved.

What is this "VPN situation"?
The VPN sets a default route to its TUN network to route outbound traffic via the tunnel. If there isn't an explicit route, the packets hit the TUN network. This isn't a behavior I can change, so not much to be done to fix this.
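The effect described in that post is plain longest-prefix matching on the client's routing table. The following toy lookup is an added example for this page (not code from the thread, OPNsense or any VPN client) built from the thread's addresses. The two VPN entries are an assumption: the common "redirect-gateway def1" pattern of two /1 routes that outrank the original default without deleting it; a plain 0.0.0.0/0 with a lower metric would give the same answers. It also shows why the prefix length of the explicit route matters (the OP wrote both /24 and /26 for the WLAN network).

```python
"""Why a specific route is needed while a VPN client owns the default route.

Toy longest-prefix-match lookup over a host routing table.  Added example,
not code from OPNsense or a VPN client; the VPN entries are an assumption.
"""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, next hop or None for directly connected, interface, metric)
RouteEntry = Tuple[str, Optional[str], str, int]

LAN_HOST_TABLE: List[RouteEntry] = [
    ("192.168.1.0/26", None, "eth0", 100),        # connected LAN
    ("0.0.0.0/0", "192.168.1.1", "eth0", 100),     # default via OPNsense (DHCP option 3)
]

VPN_ROUTES: List[RouteEntry] = [                    # assumed VPN client behaviour
    ("0.0.0.0/1", "10.8.0.1", "tun0", 0),
    ("128.0.0.0/1", "10.8.0.1", "tun0", 0),
]

# The explicit route the OP adds by hand (or would push via DHCP option 121).
WLAN_ROUTE: RouteEntry = ("192.168.2.0/26", "192.168.1.1", "eth0", 100)


def lookup(table: List[RouteEntry], dst: str) -> Optional[RouteEntry]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Tuple[Tuple[int, int], RouteEntry]] = None
    for entry in table:
        net = ipaddress.IPv4Network(entry[0])
        if addr in net:
            key = (net.prefixlen, -entry[3])
            if best is None or key > best[0]:
                best = (key, entry)
    return best[1] if best else None


def egress(table: List[RouteEntry], dst: str) -> str:
    """Readable result: 'dev eth0', 'via 192.168.1.1 dev eth0', or 'unreachable'."""
    entry = lookup(table, dst)
    if entry is None:
        return "unreachable"
    _, via, dev, _ = entry
    return f"dev {dev}" if via is None else f"via {via} dev {dev}"


if __name__ == "__main__":
    ap = "192.168.2.10"
    vpn_table = LAN_HOST_TABLE + VPN_ROUTES
    print("no VPN:                 ", egress(LAN_HOST_TABLE, ap))
    print("VPN up:                 ", egress(vpn_table, ap))
    print("VPN up + /26 route:     ", egress(vpn_table + [WLAN_ROUTE], ap))
    print("same, host outside /26: ", egress(vpn_table + [WLAN_ROUTE], "192.168.2.100"))
```

Without the VPN the AP is reached via 192.168.1.1; with the VPN up the /1 routes win over the /0 default and the packet goes down tun0; once the /26 route exists it is the most specific match and the packet goes to OPNsense again. 192.168.2.100 is outside 192.168.2.0/26, so it still goes to the tunnel, which is the failure mode a /24 route written into a /26 network would mask.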

So while the VPN is active you are not able to communicate with any other network but your local one. Looks like it's designed that way. Disable the VPN if you need to access things in your other private LAN. Problem solved.

Instead of "OPNsense is not advertising local routes" your initial post should probably read "I am trying to circumvent my company's VPN policies".

Place all devices you need for work while the VPN is active into the same LAN. Place everything else into a different one.

Quote from: Patrick M. Hausen on November 02, 2025, 09:32:37 PM
So while the VPN is active you are not able to communicate with any other network but your local one. Looks like it's designed that way. Disable the VPN if you need to access things in your other private LAN. Problem solved.

Instead of "OPNsense is not advertising local routes" your initial post should probably read "I am trying to circumvent my company's VPN policies".

Place all devices you need for work while the VPN is active into the same LAN. Place everything else into a different one.

This is a home network, so no company VPN policy circumvention. It's a VPN provider I use to tunnel out for when I need a non-UK IP.

Anyway, thanks for all the help on this.