OPNsense Forum

English Forums => General Discussion => Topic started by: Stitch10925 on November 20, 2018, 10:43:51 AM

Title: VLAN Routing - How to get it to work?
Post by: Stitch10925 on November 20, 2018, 10:43:51 AM
Hey everyone,

I am running OpnSense as a VM under Proxmox. I am trying to segregate my network between WAN, DMZ and LAN using VLANs; however, I am having some trouble getting the routing configured correctly.

This is the setup:

I have a modem running to a router, then from the router I connect to a switch on (at the moment) the LAN VLAN. The switch is set up to host 3 VLANs:
WAN -> 192.168.33.0
DMZ -> 192.168.23.0
LAN -> 192.168.13.0

On Proxmox I have 3 NICs:
NIC 1 -> LAN -> Bridged -> Bridged IP = 192.168.13.20 (Proxmox UI)
NIC 2 -> DMZ -> Bridged -> No IP
NIC 3 -> WAN -> Bridged -> No IP

Then, in OpnSense I also have 3 virtual NICs configured, one for each VLAN:
NIC 1 -> LAN -> 192.168.13.15
NIC 2 -> DMZ -> 192.168.23.20
NIC 3 -> WAN -> 192.168.33.20

These are also configured as single gateways (with the same IP address), and I have created a static route from the DMZ Gateway to the LAN network. Also I have set an allow rule in the firewall for everything in the DMZ zone.

However, currently pinging google.com from the DMZ works, but I cannot load any internet pages.

Maybe a more visual representation:

(https://drive.google.com/file/d/1q7fub043lXDO-V25HIVskYFBOFcbQ5z-/view)

---

The goal:

What I am trying to accomplish at this point is to have internet connection on the DMZ VLAN. Once that is working I would like to add limitations so that I can access the DMZ machines from the LAN (RDP), but the DMZ machines cannot do the reverse.

Eventually I would like to get rid of the router and connect the modem directly to the WAN side of the switch and from there to the WAN side of OpnSense. OpnSense will then establish the PPPoE connection to the modem. All my internet-facing machines will then be put on the DMZ and all my own devices on the LAN. Also, HAProxy will need to be reconfigured to the new network setup. And of course, allow my LAN devices to cross over into the DMZ using RDP, but not in the opposite direction.

Any advice on how I can, in this step, at least get the internet working on the DMZ side? That would already be a big step forward for me.

Thanks in advance,

Stitch

Title: Re: VLAN Routing - How to get it to work?
Post by: Stitch10925 on November 23, 2018, 10:03:34 AM
No one knows how to work with VLANs in OpnSense?

Title: Re: VLAN Routing - How to get it to work?
Post by: bartjsmit on November 23, 2018, 10:47:43 AM
If you can ping but not browse, your problem is either DNS or firewall rules.

Bart...
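The thread describes three directly attached /24 networks plus a static route "from the DMZ gateway to the LAN network", and the reply narrows a ping-works-but-browsing-fails symptom down to DNS or firewall rules. Before touching rules it helps to confirm the routing table itself is sane. The following is an added example, not code from the thread or from the OPNsense project: it models the interfaces the original poster listed, builds the table a FreeBSD-based router would end up with (connected routes are installed automatically, the default route points at the upstream router, static routes are layered on top), resolves a destination by longest prefix, and flags two mistakes that the described setup can produce: a static route whose destination is already a directly connected subnet, and a "gateway" that is one of OPNsense's own interface addresses rather than another device. Assumptions: every interface is a /24 (the post gives only network addresses), and the router's WAN-side address `192.168.33.1` is a constructed placeholder, since the post never states it.

```python
"""Routing-table model for the three-VLAN OPNsense setup described in the thread.
Added example; not code from the thread or the OPNsense project.
Assumed: /24 masks on every interface, placeholder upstream router address."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface, ip_network
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Iface:
    name: str
    addr: str  # CIDR notation, e.g. "192.168.23.20/24"


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    iface: Optional[str]
    gateway: Optional[IPv4Address]  # None means directly connected
    origin: str                     # "connected", "default" or "static"


# Interfaces exactly as listed in the original post (the /24 mask is assumed).
IFACES = [
    Iface("LAN", "192.168.13.15/24"),
    Iface("DMZ", "192.168.23.20/24"),
    Iface("WAN", "192.168.33.20/24"),
]
# Constructed placeholder: the post never gives the router's WAN-VLAN address.
UPSTREAM_ROUTER = "192.168.33.1"
# The static route the poster describes: LAN network, next hop = OPNsense's own DMZ address.
POSTERS_STATIC_ROUTE = ("192.168.13.0/24", "192.168.23.20")


def connected_routes(ifaces: List[Iface]) -> List[Route]:
    """Routes the kernel installs by itself for every configured interface."""
    return [Route(ip_interface(i.addr).network, i.name, None, "connected") for i in ifaces]


def egress_for(ifaces: List[Iface], gw: IPv4Address) -> Optional[str]:
    """Interface whose subnet contains the next hop (None if the next hop is not on-link)."""
    return next((i.name for i in ifaces if gw in ip_interface(i.addr).network), None)


def build_table(ifaces: List[Iface], default_gw: str,
                static_routes: Tuple[Tuple[str, str], ...] = ()) -> List[Route]:
    table = connected_routes(ifaces)
    gw = ip_address(default_gw)
    table.append(Route(ip_network("0.0.0.0/0"), egress_for(ifaces, gw), gw, "default"))
    for dest, next_hop in static_routes:
        nh = ip_address(next_hop)
        table.append(Route(ip_network(dest), egress_for(ifaces, nh), nh, "static"))
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match; on a tie the connected route wins, as the kernel prefers it."""
    d = ip_address(dst)
    matches = [r for r in table if d in r.dest]
    return max(matches, key=lambda r: (r.dest.prefixlen, r.origin == "connected"))


def lint(ifaces: List[Iface], table: List[Route]) -> List[str]:
    """Flag static routes that are redundant or that name a local address as next hop."""
    findings = []
    local = {ip_interface(i.addr).ip: i.name for i in ifaces}
    for r in table:
        if r.origin != "static":
            continue
        if r.gateway in local:
            findings.append(f"static route to {r.dest}: next hop {r.gateway} is OPNsense's own "
                            f"{local[r.gateway]} address; a gateway must be another device")
        for c in connected_routes(ifaces):
            if r.dest.subnet_of(c.dest):
                findings.append(f"static route to {r.dest} is redundant: "
                                f"that network is directly connected on {c.iface}")
    return findings


if __name__ == "__main__":
    table = build_table(IFACES, UPSTREAM_ROUTER, (POSTERS_STATIC_ROUTE,))
    for dst in ("192.168.13.50", "8.8.8.8"):
        r = lookup(table, dst)
        print(f"{dst:15} -> {r.iface} via {r.gateway or 'on-link'} ({r.origin})")
    for f in lint(IFACES, table):
        print("WARNING:", f)
```

Run as-is it shows that a DMZ-to-LAN packet already leaves via the connected LAN interface without any static route, that Internet traffic leaves via the WAN placeholder gateway, and it prints two warnings for the poster's static route. Once the table is clean, Bart's diagnosis applies: test name resolution from a DMZ host separately from a TCP connection to a known IP, so a DNS failure and a blocked rule are not confused.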