OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: guest40533 on October 12, 2023, 04:21:16 PM

Title: help preserving source ip of my subnets to front firewall
Post by: guest40533 on October 12, 2023, 04:21:16 PM
ok
Title: Re: help preserving source ip of my subnets to front firewall
Post by: Monviech (Cedrik) on October 12, 2023, 04:56:20 PM
You have to disable outbound NAT on the OPNsense (set it to manual).

Then you have to create static routes on the WatchGuard for each of your internal nets, with the next hop being the CARP VIP of the OPNsense in your interconnect net.

And of course you have to make sure the firewalling allows these nets on the OPNsense and the WatchGuard. The firewalling has to be really tight so the individual nets won't be routed to the WatchGuard and back to the OPNsense (interconnected VLAN traffic). Only traffic with destination WAN should be allowed to route to the WatchGuard.

And the WatchGuard has to outbound NAT all those internal nets now (SNAT / IP masquerading).
Title: Re: help preserving source ip of my subnets to front firewall
Post by: guest40533 on November 03, 2023, 01:34:00 PM
It's been a while, but thank you for your response. I was able to make significant progress.

However, now I have a problem: my packets are sent out fine, but they never receive any responses, even though the return traffic is not blocked... so I don't think it's a problem with the rules.

It works if I ping from the WatchGuard to one of my subnets, but not the other way around.


Thx
Title: Re: help preserving source ip of my subnets to front firewall
Post by: Monviech (Cedrik) on November 03, 2023, 02:42:23 PM
No problem.

That's not really a lot of information to go on, though.

Please provide a proper trace of an ICMP echo request and ICMP echo reply, captured with tools like tcpdump.
Describe your test scenario in a little more detail, maybe in a small ASCII diagram.
Title: Re: help preserving source ip of my subnets to front firewall
Post by: guest40533 on November 03, 2023, 05:33:07 PM
Yes, here are my tests and the associated pings. I can see the request packets leaving on all the routers (OPNsense + WatchGuard), but I never see the reply packets coming back; they are not even refused. Doesn't OPNsense log non-legitimate packets entering the WAN by default? I've also created temporary "pass all" rules everywhere for debugging.

Test A: PC to WatchGuard VLAN 1

A1: PC to R1 LAN VIP = OK

  192.168.20.22        vip 192.168.0.254
      +------+          +------+
      |  PC  |----------|  R1  |
      +------+          +------+

155 18.974908 192.168.20.22 192.168.20.254 ICMP 74 Echo (ping) request  id=0x0001, seq=11066/14891, ttl=128 (reply in 156)
156 18.976640 192.168.20.254 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11066/14891, ttl=64 (request in 155)

A2: PC to R1 WAN VIP = OK

  192.168.20.22  192.168.0.254  10.46.0.3
      +------+      vip +----+  vip
      |  PC  |----------| R1 |
      +------+          +----+

236 31.456656 192.168.20.22 10.46.0.3 ICMP 74 Echo (ping) request  id=0x0001, seq=11067/15147, ttl=128 (reply in 237)
237 31.457524 10.46.0.3 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11067/15147, ttl=64 (request in 236)

A3: PC to WatchGuard INTERCO = NOT OK

  192.168.20.22  192.168.0.254  10.46.0.3
      +------+      vip +----+ vip            +----------+
      |  PC  |----------| R1 |--------------- |WatchGuard|
      +------+          +----+      10.46.0.4 +----------+

282 37.579659 192.168.20.22 10.46.0.4 ICMP 74 Echo (ping) request  id=0x0001, seq=11068/15403, ttl=128 (no response found!)

A4: PC to WatchGuard LAN = NOT OK

  192.168.20.22  192.168.0.254  10.46.0.3                   192.168.0.200  LAN  192.168.0.0/22
      +------+      vip +----+ vip            +----------+
      |  PC  |----------| R1 |--------------- |WatchGuard|--------
      +------+          +----+       10.46.0.4+----------+

391 49.838626 192.168.20.22 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=11069/15659, ttl=128 (no response found!)

Test B: PC LAN to PC VLAN 20 = working

1296 3.693011 192.168.0.102 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=154/39424, ttl=128 (reply in 1297)
1297 3.693324 192.168.0.200 192.168.0.102 ICMP 74 Echo (ping) reply    id=0x0001, seq=154/39424, ttl=64 (request in 1296)

164522 425.912504 192.168.0.102 192.168.20.22 ICMP 74 Echo (ping) request  id=0x0001, seq=168/43008, ttl=128 (reply in 164525)
164525 425.915145 192.168.20.22 192.168.0.102 ICMP 74 Echo (ping) reply    id=0x0001, seq=168/43008, ttl=126 (request in 164522)

I'm sorry if this isn't very clear, but it's quite hard for me to illustrate and describe in writing. Thanks for your help. :)
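An added example, not code from the thread or from OPNsense: a small Python helper that pairs ICMP echo requests with their replies by id/seq (with source and destination swapped) in a packet list of the format shown above, and reports the requests that never got a reply. Running it over captures taken on the OPNsense interconnect interface and on the WatchGuard side shows which hop the reply is lost at (missing return route, NAT on the wrong box, or a drop). The sample lines are constructed from the values in this post, with the analyser's "(reply in …)" annotations stripped so the pairing is done by the code, not read from the text.

```python
import re

# Constructed sample in the packet-list format shown above:
# frame, time, src, dst, proto, length, info. Not the original poster's capture.
SAMPLE = """\
236 31.456656 192.168.20.22 10.46.0.3 ICMP 74 Echo (ping) request  id=0x0001, seq=11067/15147, ttl=128
237 31.457524 10.46.0.3 192.168.20.22 ICMP 74 Echo (ping) reply    id=0x0001, seq=11067/15147, ttl=64
282 37.579659 192.168.20.22 10.46.0.4 ICMP 74 Echo (ping) request  id=0x0001, seq=11068/15403, ttl=128
391 49.838626 192.168.20.22 192.168.0.200 ICMP 74 Echo (ping) request  id=0x0001, seq=11069/15659, ttl=128
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+ICMP\s+\d+\s+"
    r"Echo \(ping\) (?P<kind>request|reply)\s+id=(?P<id>0x[0-9a-fA-F]+), seq=(?P<seq>\d+)/\d+, ttl=(?P<ttl>\d+)"
)


def parse(text):
    """Yield one dict per echo request/reply line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["frame"], p["seq"], p["ttl"] = int(p["frame"]), int(p["seq"]), int(p["ttl"])
            p["time"] = float(p["time"])
            yield p


def unanswered_echoes(text):
    """Return the echo requests whose reply (same id/seq, addresses reversed) never
    appears in the capture, in the order the requests were seen."""
    requests, replies = {}, set()
    for p in parse(text):
        key = (p["id"], p["seq"])
        if p["kind"] == "request":
            requests[key + (p["src"], p["dst"])] = p
        else:
            # A reply travels dst -> src of the request, so swap to build the same key.
            replies.add(key + (p["dst"], p["src"]))
    return [p for k, p in requests.items() if k not in replies]


def missing_by_destination(text):
    """Count unanswered requests per destination: if every target beyond one hop
    fails, the problem sits at or after that hop (the WatchGuard side here)."""
    counts = {}
    for p in unanswered_echoes(text):
        counts[p["dst"]] = counts.get(p["dst"], 0) + 1
    return counts


if __name__ == "__main__":
    for p in unanswered_echoes(SAMPLE):
        print(f"frame {p['frame']}: {p['src']} -> {p['dst']} seq={p['seq']} got no reply")
```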

Title: Re: help preserving source ip of my subnets to front firewall
Post by: Monviech (Cedrik) on November 03, 2023, 05:43:53 PM
Just to make sure, did you set up static routes on the Watchguard back to the OPNsense?
Title: Re: help preserving source ip of my subnets to front firewall
Post by: guest40533 on November 04, 2023, 06:46:50 PM
Yes, I put this on the WatchGuard:

route             gtw
192.168.20.0/24   10.46.0.3 (VIP cluster)

But it works fine when the WatchGuard pings my PC on VLAN 20 (see test B).