OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: guest24447 on May 08, 2020, 10:27:45 PM

Title: Multi-WAN/Multi-LAN Isolated Networks
Post by: guest24447 on May 08, 2020, 10:27:45 PM
Hello everyone. I have scoured the internet and cannot seem to find what it is I'm looking for. I'm hoping someone can help because I really like OPNsense and building IPTable rule sets is plain boring.

Here's my situation. I have two WAN links, one with a dynamic address and one with a static address. I have two LANs: one for personal use and one for hosting servers to the internet. In order to keep my traffic nice and separate, I want to isolate WAN A to LAN A traffic only and WAN B to LAN B traffic only. Everything I've seen talks about failover and load balancing, but nothing on isolated networks.

I've tried creating firewall rules to block all incoming traffic to WAN/LAN A from WAN/LAN B and vice versa, as well as outgoing traffic to the same. Doing this has either killed all traffic or still allows LAN A traffic to exit from WAN B.

For the record, I have accomplished this with the use of a custom iptables rule set, so I want to believe this is possible with OPNsense.

Any advice will be greatly appreciated.
Title: Re: Multi-WAN/Multi-LAN Isolated Networks
Post by: Maurice on May 09, 2020, 04:49:44 PM
You need policy based routing, just like when doing failover or load balancing. Specify the WAN A gateway in the LAN A pass rule(s) and the WAN B gateway in the LAN B pass rule(s). You might need exceptions for DNS; see multi WAN in the docs.

(Some services are always shared between LANs, e. g. Unbound DNS. If you want to completely isolate the networks in any aspect, two OPNsense instances might be a better choice.)

Cheers

Maurice
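The policy-based routing Maurice describes, written out as a plain pf ruleset so the pieces are visible in one place (an added illustration, not OPNsense's generated configuration; interface names, subnets and gateway addresses are made up, and the FreeBSD pf rule order of translation before filtering is assumed):

```pf
# Assumed interfaces, subnets and gateways (constructed for this example)
wan_a = "igb0"
wan_b = "igb1"
lan_a = "igb2"
lan_b = "igb3"
wan_a_gw  = "203.0.113.1"
wan_b_gw  = "198.51.100.1"
lan_a_net = "192.168.10.0/24"
lan_b_net = "192.168.20.0/24"

# Outbound NAT: each LAN is only ever translated to its own WAN address
nat on $wan_a from $lan_a_net to any -> ($wan_a)
nat on $wan_b from $lan_b_net to any -> ($wan_b)

# Default deny; everything below is an explicit exception
block log all

# Let the firewall itself (e.g. Unbound talking to upstream resolvers) leave on either WAN
pass out quick on { $wan_a $wan_b } keep state

# DNS exception: each LAN may reach the resolver on the firewall's own interface.
# This must come before the route-to rules, otherwise DNS queries to the firewall
# would be pushed out the WAN gateway instead of being answered locally.
pass in quick on $lan_a proto { tcp udp } from $lan_a_net to ($lan_a) port 53 keep state
pass in quick on $lan_b proto { tcp udp } from $lan_b_net to ($lan_b) port 53 keep state

# No traffic between the two LANs in either direction
block in quick on $lan_a from $lan_a_net to $lan_b_net
block in quick on $lan_b from $lan_b_net to $lan_a_net

# Policy-based routing: LAN A traffic is forced out via WAN A's gateway,
# LAN B traffic via WAN B's gateway, regardless of the system default route.
pass in quick on $lan_a route-to ($wan_a $wan_a_gw) from $lan_a_net to any keep state
pass in quick on $lan_b route-to ($wan_b $wan_b_gw) from $lan_b_net to any keep state
```

In the OPNsense GUI the `route-to` part corresponds to setting the Gateway field on the LAN pass rule, and the port 53 rules are the "allow DNS" exception placed above it.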
Title: Re: Multi-WAN/Multi-LAN Isolated Networks
Post by: alexroz on August 24, 2020, 09:39:51 PM
Quote from: Maurice on May 09, 2020, 04:49:44 PM
(Some services are always shared between LANs, e. g. Unbound DNS. If you want to completely isolate the networks in any aspect, two OPNsense instances might be a better choice.)
Can you elaborate some more about DNS service sharing between WAN and LAN interfaces?
I can't figure out how to do it...
When I apply this https://www.reddit.com/r/OPNsenseFirewall/comments/bm4b6w/outgoing_firewallrules/emweuyc?utm_source=share&utm_medium=web2x&context=3 solution my isolated LANs have no access to system DNS...
Title: Re: Multi-WAN/Multi-LAN Isolated Networks
Post by: alexroz on August 24, 2020, 10:09:07 PM
;) As they say, RTFM.
Just found it in the official documentation https://docs.opnsense.org/manual/how-tos/guestnet.html#allow-dns