Topic: opnSense VLANs (Read 2803 times)

chenks · « **on:** October 23, 2023, 04:49:59 PM »

anyone good with opnSense?
i'm trying to create a VLAN and from what i've read it should be set up correctly, but when i connect a device to that VLAN, whilst i do get a correct IP for that VLAN, i don't have an internet connection, so assuming i've missed a step somewhere.

the IP range for the main LAN is 192.168.50.x and for the VLAN it's 192.168.51.x

Alex Atkin UK · « **Reply #1 on:** October 23, 2023, 06:36:40 PM »

It probably didn't automatically create a NAT rule for the VLAN subnet? Not familiar with how opnSense does it.

Chrysalis · « **Reply #2 on:** October 26, 2023, 08:22:09 PM »

In your DHCP server, remove 192.168.51.1 from the range, and make sure its set as the gateway (and probably DNS also, if you want opnsense to be your dns server on the vlan).

Its unclear if you already ste it as gateway as dhcp looks like its not a full settings grab.

chenks · « **Reply #3 on:** October 26, 2023, 08:27:19 PM »

Quote from: Chrysalis on October 26, 2023, 08:22:09 PM

In your DHCP server, remove 192.168.51.1 from the range, and make sure its set as the gateway (and probably DNS also, if you want opnsense to be your dns server on the vlan).

Interface assignments is shown in the second image in the original post

Chrysalis · « **Reply #4 on:** October 26, 2023, 08:27:46 PM »

Quote from: chenks on October 26, 2023, 08:27:19 PM

Interface assignments is shown in the second image in the original post

I noticed now, edited it out, is the gateway set in your DHCP settings?

chenks · « **Reply #5 on:** October 26, 2023, 08:30:27 PM »

Quote from: Chrysalis on October 26, 2023, 08:27:46 PM

I noticed now, edited it out, is the gateway set in your DHCP settings?

Which dhcp? The LAN or the VLAN?

Chrysalis · « **Reply #6 on:** October 26, 2023, 08:31:38 PM »

In the VLAN, it has a box I just checked on my opnsense.

DHCP server for VLAN, in gateway box 192.168.51.1.

If it missing then force a DHCP cycle on the clients to get them to pick up the gateway.

chenks · « **Reply #7 on:** October 26, 2023, 08:33:47 PM »

Quote from: Chrysalis on October 26, 2023, 08:31:38 PM

In the VLAN, it has a box I just checked on my opnsense.

DHCP server for VLAN, in gateway box 192.168.51.1.

If it missing then force a DHCP cycle on the clients to get them to pick up the gateway.

The default gateway field is blank on both the lan and vlan dhcp settings

Chrysalis · « **Reply #8 on:** October 26, 2023, 08:35:28 PM »

I suggest you populate it on the VLAN, its easy enough to change it back if you feel you dont want it there, but thats the obvious thing that stands out to me as to why your VLAN clients have no internet access.

Also Alex point on the NAT, I just checked, you probably need an outbound NAT rule as well, configured on the WAN interface with the VLAN subnet 192.168.51.0, and set to translate the address, but I think by default this should be automatic. So it should be just a check to see if its there. If its not there, duplicate the existing one for the LAN, and substitute in the VLAN subnet.

chenks · « **Reply #9 on:** October 26, 2023, 08:41:12 PM »

Quote from: Chrysalis on October 26, 2023, 08:35:28 PM

I suggest you populate it on the VLAN, its easy enough to change it back if you feel you dont want it there, but thats the obvious thing that stands out to me as to why your VLAN clients have no internet access.

Just tried, made no difference.
Reddit is suggesting that there are no firewall rules to allow dns and http/https traffic (which aren’t created automatically apparently). Default state is to block traffic unless otherwise stated

Chrysalis · « **Reply #10 on:** October 26, 2023, 08:42:52 PM »

Quote from: chenks on October 26, 2023, 08:41:12 PM

Just tried, made no difference.
Reddit is suggesting that there are no firewall rules to allow dns and http/https traffic (which aren’t created automatically apparently). Default state is to block traffic unless otherwise stated

If by default its blocking outbound traffic, then yeah add some rules to allow. I would also check the outbound NAT as well, I edited it in, and Alex mentioned it on his reply.

Chrysalis · « **Reply #11 on:** October 26, 2023, 08:46:18 PM »

So if you dont see something like this.

"Default allow VLAN51 to any rule"

If just emptyness, add something for the relevant protocols and ports.

chenks · « **Reply #12 on:** October 26, 2023, 08:47:59 PM »

Checked firewall > Nat > outbound

It’s set to automatic mode where no manual rules can be used

Vlan51 is included in the both the wan rules that are there

Chrysalis · « **Reply #13 on:** October 26, 2023, 08:53:48 PM »

You have outbound allow rules in the vlan51 interface?

Not in WAN but VLAN51, the firewall has its own rules for each interface.

Chrysalis · « **Reply #14 on:** October 26, 2023, 08:57:33 PM »

Firewall -> Rules -> VLAN51

If nothing there, the easiest way is Firewall -> Rules -> LAN, click the copy icon on "Default allow LAN to any rule " then change interface to VLAN51 on the edit box and save it, the rule will appear under VLAN51.

If you want the VLAN isolated. of course would add a rule above it to prevent access to your main LAN, subnet but this is just to get the internet working for now.

News:

Author Topic: opnSense VLANs (Read 2803 times)

chenks

opnSense VLANs

Alex Atkin UK

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

chenks

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs

Chrysalis

Re: opnSense VLANs