Hi together. I have the following problem:
I currently have a Mikrotik router (coreswitch) that is supposed to route/firewall all internal traffic between VLANs, which is working fine. If a client wants to access the internet it should be routed/firewalled by the OPNSense.
I am struggling with the setup of the firewall. My firewall has the IP 192.168.1.1 On the physical LAN interface. The switch is directly connected with IP 192.168.1.3 (I'm not sure if that is already an issue).
I have created a VLAN interface on the physical LAN interface analogous to the ones at the switch. Eg. VLAN ID 40:
Switch IP 192.168.40.1, Network 192.168.40.0/24
Firewall: VLAN interface IP 192.168.40.2/24
But they do not reach each other. Where am I thinking wrong? Do I need to recreate every VLAN on the firewall when routing internally is done by the switch?
Help would be appreciated. Thanks!
Does OPNsense need a static route for 192.168.40.0 via 192.168.1.3 perhaps?
System: Routes: Configuration +
I'm not sure you need VLAN's, unless there are more subnets behind the Microtik, in which case you'll need static routes for their subnets too.
Bart...
You can either have the Microtik manage the VLANs and do the routing, in which case you need only one interface plus static routes. OPNsense will not see inter-VLAN traffic, because as intended the Microtik does the routing. Or you have the Microtik as a layer 2 switch, connect OPNsense with a trunk port carrying all the tagged VLANs and have OPNsense do the routing. This way you can filter traffic between VLANs should that be desired.
Quote from: pmhausen on April 29, 2023, 10:13:57 AM
You can either have the Microtik manage the VLANs and do the routing, in which case you need only one interface plus static routes. OPNsense will not see inter-VLAN traffic, because as intended the Microtik does the routing. Or you have the Microtik as a layer 2 switch, connect OPNsense with a trunk port carrying all the tagged VLANs and have OPNsense do the routing. This way you can filter traffic between VLANs should that be desired.
I want to do the former. "one interface" can you elaborate?
Thanks!
Quote from: bartjsmit on April 29, 2023, 09:55:27 AM
Does OPNsense need a static route for 192.168.40.0 via 192.168.1.3 perhaps?
System: Routes: Configuration +
I'm not sure you need VLAN's, unless there are more subnets behind the Microtik, in which case you'll need static routes for their subnets too.
Bart...
For that I would need to create 192.168.1.3 as a Gateway... Can I create the gateway on LAN without locking myself out?
Quote from: Needle on April 29, 2023, 10:49:08 AM
Quote from: bartjsmit on April 29, 2023, 09:55:27 AM
Does OPNsense need a static route for 192.168.40.0 via 192.168.1.3 perhaps?
System: Routes: Configuration +
I'm not sure you need VLAN's, unless there are more subnets behind the Microtik, in which case you'll need static routes for their subnets too.
Bart...
For that I would need to create 192.168.1.3 as a Gateway... Can I create the gateway on LAN without locking myself out?
That did the trick. However, I get no ping response when I ping out to 8.8.8.8
I see the created FW rule for that apply, but that's it.
I can ping 192.168.40.100 (Client) -> 192.168.1.1 (FW)
I can ping FW -> VLAN Gateway (192.168.40.1)
I don't know where my ping gets lost.
Quote from: Needle on April 29, 2023, 12:39:14 PM
I don't know where my ping gets lost.
Do a packet capture on OPNsense and give it the Wireshark treatment