OPNsense Forum

English Forums => General Discussion => Topic started by: pandaBolide on November 15, 2023, 04:45:58 PM

Title: Internet for my VLANs
Post by: pandaBolide on November 15, 2023, 04:45:58 PM
I'm currently grappling with an issue related to my firewall.

Here's a nice diagram of my setup:
(https://i.postimg.cc/k991VdF7/draw.png)


My goal is to route my VLANs to my Firewall (10.0.1.2) to gain access to the Internet.

I have 2 interfaces with 2 gateways:
WAN: 192.168.3.100/24, gateway: 192.168.3.1
LAN: 10.0.1.2/24, gateway: 10.0.1.1

For my tests, I've opened the firewall for both LAN and WAN with the following settings:
Protocol: IPV4
Source: *
Destination: *
Port: 9
Gateway: *
Schedule: *

By setting my default route to 10.0.1.2 and having only one gateway on my FW (192.168.3.1), I can access the internet from all the devices in the same network as my LAN interface (10.0.1.0/24). So the Firewall rules are working to communicate with the web. ;D

However, when I add the second gateway in my FW (10.0.1.1), I can communicate within my VLANs, but I lose the connection to the internet, even if I am in the same network as my LAN interface. :(

I need this second gateway so I can have a connection between the FW and my VLANs.

Routes of my router:
#   FLAGS  DST-ADDRESS   PREF-SRC   GATEWAY    DISTANCE
0   A S    0.0.0.0/0     -          10.0.1.2   1
1   ADC    10.0.1.0/24   10.0.1.1   LOCAL      0
2     S    10.0.1.0/24   10.0.1.1   LAN        1
3   ADC    10.0.2.0/24   10.0.2.1   SERVICES   0
4     S    10.0.2.0/24   10.0.2.1   LAN        1
5   ADC    10.0.3.0/24   10.0.3.1   TESTS      0
6     S    10.0.3.0/24   10.0.3.1   LAN        1
7   ADC    10.0.4.0/24   10.0.4.1   HQ         0
8     S    10.0.4.0/24   10.0.4.1   LAN        1

Addresses of my router:
#   ADDRESS        NETWORK    INTERFACE
0   10.0.1.1/24    10.0.1.0   LOCAL
1   10.0.2.1/24    10.0.2.0   SERVICES
2   10.0.3.1/24    10.0.3.0   TESTS
3   10.0.4.1/24    10.0.4.0   HQ


For your information,
I'm using a Mikrotik Router/Switch to manage my VLANs and perform routing. Each VLAN has an IP for the interface, which serves as the gateway for the devices in each VLAN.

The NAT rules are managed by the router of my ISP.

Thanks a lot for reading, I'll be waiting for your ideas :)
Don't hesitate if you need more information.

Best regards,
pandaBolide
Title: Re: Internet for my VLANs
Post by: netnut on November 15, 2023, 06:06:58 PM
Quote
gateway: 10.0.1.1

Did you fill in this gateway address at the LAN interface ? If yes:

Delete the gateway definition from the LAN interface, leave blank.

Create a single gateway: "System : Gateways : Single": just fill in ip address (10.0.1.1) and interface (LAN), leave the rest default.

Create a route to your local network: "System : Routes : Configuration": With network address (10.0.0.0/8) and gateway the gateway entry (10.0.1.1) you just created.


You now told OPNsense to route all traffic to the subnets in the 10.0.0.0/8 range (VLAN1, VLAN2 & VLAN3) via your Mikrotik, which should take care of your intra-VLAN routing.


Title: Re: Internet for my VLANs
Post by: pandaBolide on November 16, 2023, 09:08:00 AM
Hello netnut,

Thanks for your answer. ;D Manipulating the mask to allow only one route for the 10.X.X.X subnet is a great idea, and the OPNsense LAN side is now reachable from my LAN network.

But I still have a little problem—I can't reach the internet from my LAN. Is there a way to make that possible? Or is my network address map a mess, and should I switch to 192.X.X.X on my LAN side so I can use only one route for both sides?


Best regards,
pandaBolide
Title: Re: Internet for my VLANs
Post by: pandaBolide on November 17, 2023, 10:55:24 AM
Update :

Now I can access the web IF I am on the same subnet as my LAN address (10.0.1.2), but when I try from another network like 10.0.3.0/24 I cannot reach the Internet, and my traceroute is:
10.0.3.1 --> 10.0.1.2 --> *Nothing*

My route table is the same as before for my Mikrotik, and for my OPNsense I added 2 routes (the rest is factory default):

Dest             Gateway
192.168.0.0/16   192.168.3.1 (WAN)
10.0.0.0/8       10.0.1.1 (LAN)

Is my problem by any chance on the OPNsense side, or do I need to edit some things in my Mikrotik?

Best regards,
pandaBolide
Title: Re: Internet for my VLANs
Post by: Patrick M. Hausen on November 17, 2023, 11:03:41 AM
What do your rules on the LAN interface look like?
Title: Re: Internet for my VLANs
Post by: pandaBolide on November 17, 2023, 11:18:57 AM
For the tests I keep it simple and opened it all:

Protocol   Source   Port   Destination   Port   Gateway   Schedule
IPv4 *     *        *      *             *      *         *
IPv6 *     *        *      *             *      *         *

(I don't use IPV6, but I added it just to be "sure")
Title: Re: Internet for my VLANs
Post by: Patrick M. Hausen on November 17, 2023, 11:29:18 AM
OK, the outbound NAT for the networks routed by the Mikrotik is probably missing. Automatic NAT only cares for the networks directly connected to OPNsense.
Title: Re: Internet for my VLANs
Post by: pandaBolide on November 17, 2023, 11:41:24 AM
I am a big noob with the NAT but I *think* I understand the basics.

My NAT rules are managed by the router of my ISP (FritzBox!, 192.168.3.1 not 192.168.1.1, my bad), and I didn't edit/add any NAT rules.

Just to be clear, do I need to add rules in my Mikrotik, which is not my ISP router but the one that I am using as an L3 switch to manage my VLANs and my static routes in my 10.0.0.0 network?

It could sound kinda stupid but I am kinda lost with how the NAT is supposed to work in my Mikrotik.
(Sorry if my diagram is a little bit confusing)

Thank you !
pandaBolide
Title: Re: Internet for my VLANs
Post by: Patrick M. Hausen on November 17, 2023, 11:52:34 AM
Did you disable NAT on OPNsense and add a static route to your ISP router? If you did not, then your OPNsense also does NAT but only for the directly attached network. Your decision if you want to double NAT or not.
Title: Re: Internet for my VLANs
Post by: pandaBolide on November 17, 2023, 12:11:00 PM
No, the selected mode is "Automatic outbound NAT rule generation," but I can opt for a manual or hybrid mode if double NAT allows me to define all my rules from the OPNsense machine.

Yes, it seems you're correct. The default OPNsense NAT is only for my LAN network (10.0.1.0/24) and not the other VLAN networks (10.0.0.0/16).

I'll try the double NAT. The default rules have "WAN" as the "NAT Address." When I attempt to add a new rule for my 10.0.0.0/16 network, in the "Translation/Target" category, I only have four choices:
But none of them is "WAN." I suppose "WAN address" is the right one, but it seems it's not working.

As usual I'll try to keep everything open for the tests and then I'll try to add new rules.

Any ideas ?
Title: Re: Internet for my VLANs
Post by: pandaBolide on November 17, 2023, 12:17:26 PM
BIG UPDATE :

After adding new NAT rules the connection is working !

THANKS A LOT for your guidance Patrick M. Hausen, I learned a lot today!
And thank you too netnut for your help!

Best regards,
pandaBolide
Title: Re: Internet for my VLANs
Post by: netnut on November 17, 2023, 08:38:15 PM
Quote from: pandaBolide on November 17, 2023, 12:17:26 PM
BIG UPDATE :
After adding new NAT rules the connection is working !

Nice!

As "Patrick M. Hausen" already explained, automatic NAT rules (whether on OPNsense, a Fritzbox, or whatever device) are normally only configured for what's known to the device, i.e. the directly connected network. You fixed it on OPNsense as I understand, but I would advise you to work towards a design where the only NAT is happening where it needs to be: the Fritzbox.

It's been a while since I had a Fritzbox, but I remember they're very flexible from a configuration point of view. I'm sure you can configure a static route in your Fritzbox (just like you did from OPNsense to Mikrotik). So start with something like network: "10.0.0.0/8", gateway: "192.168.3.100"; your Fritzbox now knows where to send traffic for your local LAN (via OPNsense).
The last thing to do in your Fritzbox is to NAT ALL traffic from its directly connected 192.168.3.0/24 network (which is your current setting) AND 10.0.0.0/8 (your local LAN). I don't know where to configure that in the Fritzbox, but I'm 99% sure it can be done.

The end result is that you ONLY NAT when traffic is going out of your Fritzbox to the Internet; all other routes are just standard, non-NATted routes, which makes your LAN network design simple and transparent.



           Only NAT here!
                 |
Internet — Fritzbox — OPNsense — Mikrotik — VLAN1 / VLAN2 / VLAN3

Quote
THANKS A LOT for your guidance Patrick M. Hausen, I learned a lot today!
And thank you too netnut for your help!

You're welcome!  ;)
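The two fixes discussed in this thread, the manual outbound NAT rule on OPNsense for the VLANs routed by the Mikrotik (Patrick's point that automatic NAT only covers directly connected networks) and netnut's alternative of a static route plus NAT on the Fritzbox only, as an added worked example. This is a small Python model written for this page, not code from OPNsense, Mikrotik or AVM: it walks a packet out through Mikrotik, OPNsense and Fritzbox and then walks the reply back, translating sources only where a router's NAT policy covers them. The topology and private addresses come from the thread; the Fritzbox public address (203.0.113.5), the ISP next hop (203.0.113.1) and the Internet host (198.51.100.10) are constructed from documentation ranges, and NAT state is modelled per flow without ports.

```python
# Added example (not OPNsense, Mikrotik or FritzBox code): model of the thread's
# VLANs -> Mikrotik -> OPNsense -> FritzBox -> Internet path. "Automatic" outbound
# NAT translates only sources in a router's directly connected networks, which is
# why 10.0.3.0/24 traffic left OPNsense untranslated and its replies never came back.
# Public addresses are constructed (documentation ranges), NAT state is port-less.
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    def __init__(self, name, interfaces, routes=(), nat_iface=None, nat_sources=None):
        self.name = name
        self.ifaces = {n: ip_interface(a) for n, a in interfaces.items()}
        # static routes: (destination, next hop, egress interface)
        self.routes = [(ip_network(d), ip_address(g), i) for d, g, i in routes]
        self.nat_iface = nat_iface          # None: this router does no outbound NAT
        # None = automatic outbound NAT (directly connected networks only)
        self.nat_sources = None if nat_sources is None else [ip_network(n) for n in nat_sources]
        self.state = {}                     # (external ip, remote ip) -> inside ip

    def connected(self):
        return [(i.network, n) for n, i in self.ifaces.items()]

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes -> (next_hop, iface) or None."""
        best = None
        for net, gw, name in [(n, None, i) for n, i in self.connected()] + self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, name)
        return None if best is None else best[1:]

    def nat_applies(self, src):
        nets = [n for n, _ in self.connected()] if self.nat_sources is None else self.nat_sources
        return any(src in n for n in nets)


def walk(routers, start, src, dst):
    """Forward one packet hop by hop; returns (src, dst, path) as delivered, src=None if dropped."""
    owner = {i.ip: r for r in routers for i in r.ifaces.values()}
    cur, path = start, [start.name]
    while True:
        ext = cur.ifaces[cur.nat_iface].ip if cur.nat_iface else None
        if ext is not None and dst == ext and (ext, src) in cur.state:
            dst = cur.state[(ext, src)]     # returning reply: undo our translation
        hop = cur.lookup(dst)
        if hop is None:
            return None, None, path         # no route: dropped here
        nh, iface = hop
        if iface == cur.nat_iface and cur.nat_applies(src):
            cur.state[(ext, dst)] = src     # outbound: translate and remember the flow
            src = ext
        if nh is None:                      # destination is on a connected network
            nxt = owner.get(dst)
            if nxt is None or nxt is cur:
                return src, dst, path
        else:
            nxt = owner.get(nh)
            if nxt is None:
                return None, None, path     # next hop is not a device we know
        cur = nxt
        path.append(cur.name)


def round_trip(routers, first_hop, internet, src, dst):
    """True only if the packet reaches dst AND the reply finds its way back to src."""
    src, dst = ip_address(src), ip_address(dst)
    fsrc, fdst, fpath = walk(routers, first_hop, src, dst)
    if fsrc is None:
        return False, f"outbound dropped at {fpath[-1]}"
    rsrc, rdst, rpath = walk(routers, internet, fdst, fsrc)   # reply swaps the addresses
    if rsrc is None:
        return False, f"reply to {fsrc} dropped at {rpath[-1]}"
    return rdst == src, " > ".join(fpath) + " | reply " + " > ".join(rpath)


def build(opn_nat=True, opn_nat_sources=None, fritz_route=False, fritz_nat_sources=None):
    """Thread topology; the keyword arguments select which of the two fixes is applied."""
    mikrotik = Router("mikrotik", {"LOCAL": "10.0.1.1/24", "SERVICES": "10.0.2.1/24",
                                   "TESTS": "10.0.3.1/24", "HQ": "10.0.4.1/24"},
                      [("0.0.0.0/0", "10.0.1.2", "LOCAL")])
    opnsense = Router("opnsense", {"LAN": "10.0.1.2/24", "WAN": "192.168.3.100/24"},
                      [("10.0.0.0/8", "10.0.1.1", "LAN"), ("0.0.0.0/0", "192.168.3.1", "WAN")],
                      nat_iface="WAN" if opn_nat else None, nat_sources=opn_nat_sources)
    fritz_routes = [("0.0.0.0/0", "203.0.113.1", "WAN")]
    if fritz_route:                         # netnut's suggestion: 10.0.0.0/8 via OPNsense
        fritz_routes.append(("10.0.0.0/8", "192.168.3.100", "LAN"))
    fritzbox = Router("fritzbox", {"LAN": "192.168.3.1/24", "WAN": "203.0.113.5/24"},
                      fritz_routes, nat_iface="WAN", nat_sources=fritz_nat_sources)
    internet = Router("internet", {"isp": "203.0.113.1/24", "srv": "198.51.100.1/24"})
    return [mikrotik, opnsense, fritzbox, internet], mikrotik, internet


if __name__ == "__main__":
    cases = {
        "automatic outbound NAT on OPNsense (the thread's starting point)": build(),
        "manual outbound NAT for 10.0.0.0/8 on OPNsense (double NAT)":
            build(opn_nat_sources=["10.0.0.0/8"]),
        "NAT only on the Fritzbox, with a static route for 10.0.0.0/8":
            build(opn_nat=False, fritz_route=True, fritz_nat_sources=["192.168.3.0/24", "10.0.0.0/8"]),
    }
    for label, (routers, edge, inet) in cases.items():
        print(label)
        for host in ("10.0.1.50", "10.0.3.50"):
            ok, detail = round_trip(routers, edge, inet, host, "198.51.100.10")
            print(f"  {host:<10} {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it shows the thread's symptom in the first case (10.0.1.50 works, 10.0.3.50 gets no reply because nothing upstream has a route or a translation for it) and both fixes working. Leaving the Fritzbox NAT extended to 10.0.0.0/8 but omitting its static route still fails, since the un-translated reply to 10.0.3.50 follows the default route back out, which is the reason netnut lists the route first.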