OPNsense Forum

English Forums => General Discussion => Topic started by: netsrfr1776 on December 06, 2021, 10:15:48 PM

Title: Outbound NAT Trouble
Post by: netsrfr1776 on December 06, 2021, 10:15:48 PM
Hi all!

New to forums and OPNSense, not new to *nix, firewalls, and networking.  I am using VirtualBox and Vagrant to model a network with an OPNSense device at the border, a DMZ which has a host and an OpenWRT's WAN port connected.  In the virtual network model, this DMZ is 192.168.0.0/24 subnet and has 3 devices:

Behind the OpenWRT's WAN port we have a few more subnets - 192.168.1.0/24, 192.168.2.0/24, and so on.  For the purposes of discussion just suppose the OpenWRT is setup and working correctly as a router only, no NAT/masquerading.  In fact, the OPNSense device has a static route for each of these subnets and a gateway setup pointing them to 192.168.0.254.  The 192.168.0.2 test host can ping any device on the subnets behind the OpenWRT router, and they can likewise ping devices in the DMZ.

What is not working is that hosts behind the WRT device cannot reach the Internet routing/NAT'ing through the OPN device.  The WRT device and DMZ test host can reach the Internet through the OPN device with ping or http/https.  Running TCPDump on the WRT device shows ICMP coming in on the LAN interface and going out on the WAN interface, while TCPDump on the OPN device shows ICMP (or any other protocol) packets coming in on the LAN interface but not going out on the WAN interface.

I am wondering if this is an issue with the OPN device not doing a NAT translation for the 192.168.[1,2].0/24 subnets which aren't local to it.  And if that's the case, then is it possible to change this so that all 192.168.0.0/16 addresses behind the LAN interface get NAT'd going out?  What other configuration details might I have missed in setting up this model that could cause these symptoms?

Thanks!
:)
Title: Re: Outbound NAT Trouble
Post by: bartjsmit on December 07, 2021, 08:47:55 AM
Generally, check your routing both ways and ensure that you allow RFC 1918 on your OPNsense WAN side.

You may want to draw a picture to get more help here

Bart...
Title: Re: Outbound NAT Trouble
Post by: netsrfr1776 on December 07, 2021, 04:35:43 PM
Quote from: bartjsmit on December 07, 2021, 08:47:55 AM
Generally, check your routing both ways and ensure that you allow RFC 1918 on your OPNsense WAN side.

You may want to draw a picture to get more help here

Bart...

Thanks for the reply, I can make a diagram.  The interface setting for RFC1918 might be on point; my local real network is in a 10. space.  That said, I also noticed that the default firewall rules on the OPNsense LAN interface allow only the local subnet.  I think this may be the issue.  When looking through the GUI, I didn't really understand the meaning of the LAN net source alias, but after editing that rule I think it resolves the problem.
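To make the point of the thread concrete, here is an added illustration (not code from the thread, and not OPNsense's own code) of why the stock LAN rule lets the 192.168.0.2 test host out but drops the subnets routed behind the OpenWRT. It uses the addresses the poster described and models OPNsense GUI rule evaluation in a simplified way (first match wins, implicit deny at the end); the alias and function names are illustrative, and the routed-subnet alias it builds is an assumption about how one would widen the rule rather than something the thread specifies.

```python
"""Why OPNsense's default LAN rule drops traffic from subnets routed behind LAN.

Added illustration, not code from the thread or from OPNsense. The addresses are
the ones the original poster described; the rule evaluation is a simplified model
of OPNsense GUI rules (first match wins, implicit deny), and every name below is
illustrative.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network

# Constructed topology from the thread.
LAN_IF_NET = ipaddress.ip_network("192.168.0.0/24")       # OPNsense LAN interface subnet
OPENWRT_WAN_IP = ipaddress.ip_address("192.168.0.254")     # next hop for the routed subnets
STATIC_ROUTES = {                                         # destination -> gateway, as on the OPNsense
    ipaddress.ip_network("192.168.1.0/24"): OPENWRT_WAN_IP,
    ipaddress.ip_network("192.168.2.0/24"): OPENWRT_WAN_IP,
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    sources: List[IPNet]           # source address must fall inside one of these
    dest: Optional[IPNet] = None   # None means "any"


def lan_net() -> List[IPNet]:
    """'LAN net' in the GUI expands to the interface's own subnet and nothing else."""
    return [LAN_IF_NET]


def routed_behind_lan() -> List[IPNet]:
    """Assumed alias for everything reachable via LAN: its own subnet plus every
    static-route destination whose gateway sits on that subnet."""
    return [LAN_IF_NET] + [d for d, gw in STATIC_ROUTES.items() if gw in LAN_IF_NET]


def summary_prefix() -> IPNet:
    """Smallest single prefix covering routed_behind_lan(); tighter than the
    192.168.0.0/16 the poster suggested, so the safer choice for a rule source."""
    nets = routed_behind_lan()
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()
    return net


def next_hop(dst: str) -> Optional[str]:
    """Longest-prefix lookup over the static routes: the return route for a
    routed subnet is fine, which is why pinging across the OpenWRT works."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in LAN_IF_NET:
        return "directly connected"
    matches = [n for n in STATIC_ROUTES if dst_ip in n]
    if not matches:
        return None
    return str(STATIC_ROUTES[max(matches, key=lambda n: n.prefixlen)])


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if any(src_ip in n for n in rule.sources) and (rule.dest is None or dst_ip in rule.dest):
            return rule.action
    return "block"


# The stock "allow LAN to any" rule, source = LAN net.
DEFAULT_LAN_RULES = [Rule("pass", lan_net())]
# The same rule with its source widened to the subnets routed behind the OpenWRT.
FIXED_LAN_RULES = [Rule("pass", routed_behind_lan())]


if __name__ == "__main__":
    for src in ("192.168.0.2", "192.168.1.10"):
        print(src, "-> 8.8.8.8:",
              "default", evaluate(DEFAULT_LAN_RULES, src, "8.8.8.8"),
              "| fixed", evaluate(FIXED_LAN_RULES, src, "8.8.8.8"))
    print("return route to 192.168.2.7 via", next_hop("192.168.2.7"))
    print("covering prefix:", summary_prefix())
```

The routing lookup succeeds for 192.168.2.7 while the filter verdict for a 192.168.1.10 source flips from block to pass only when the rule source is widened beyond "LAN net", which matches the symptom in the thread (packets arrive on LAN but never leave WAN). The model deliberately leaves out outbound NAT and WAN-side settings such as the private-network blocking Bart mentioned; those are separate checks.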