OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: elfrom on September 07, 2021, 12:58:08 pm
-
Hi OpnSense-brains, sorry for the long post.
I am in the process of exchanging an old Cisco ASA for an OpnSense firewall. The most straight forward configuration and features are done and tested.
I do have at one obstacle that I need to address before I can make the switch, let me try and explain:
On our WAN-interface we have a /24 ip-address range, we have subnet’ed the wan range into 4 /26 networks.
Let’s assume that our wan range is 193.234.129.0/24 - it’s not. Our current network looks like this:
193.234.129.1 ISP’s router
193.234.129.2 (OUTSIDE-interface) our firewall
The first /26-address range is used for NAT’ing different services to some RFC1918 VLANs.
193.234.129.64/26 (VLAN-DMZ1), 193.234.129.128/26 (VLAN-DMZ2), 193.234.129.192/26 (VLAN-DMZ3)
Servers on the DMZ-networks have public IP-addresses. Access rules to internet is managed on the VLAN-DMZx interfaces, access to servers/services on the VLAN-DMZx networks from the internet is managed on the OUTSIDE-interface.
Some servers on the VLAN-DMZx networks must have access to servers on our RFC1918-networks, it may be an SQL-database, LDAP, Remote Desktop Host servers and what not.
Some servers on the VLAN-DMZx may for different reasons not be NAT’ed.
Is it possible to replicate the setup, with regards to the VLAN-DMZx-setup mentioned above, on OpnSense? If not, which way would you go about to solve the challenge?
Please advice
Best regards
Elfrom
-
Sure it's possible. I have not yet found a scenario that could be built on a different firewall that could not also be done by opnsense.
How that is done is mostly up to personal style. In my ruleset, I don't use interface rules as far as that is possible instead floating, and I don't use deny rules, but as stated, that's up to you.
-
Thanks bimbar
Maybe I have been overthinking it.
I guess it may actually be as simple as doing Virtual IP’s (type Other) for the VLAN-DMZx networks and disable NAT for the networks as well?
-
In my opinion you would use NAT only for traffic from private IP spaces to the WAN, I don't seeing the DMZs being involved in any kind of NAT. I also don't see where you would use virtual IPs.
You can just route the DMZs like any other LAN that's connected to your firewall, except you don't need NAT for WAN traffic since they already have public IPs. But maybe I haven't fully understood your network, that's always difficult without some sort of picture.
-
Yes, you are absolutely right.
I must have suffered from some kind of brain fart.
I was imagining of all kinds complicated solutions when the real solution was ever so simple.
Thanks