Hello,
I have the following configuration running in a virtual machine on a Proxmox node:
WAN - PPPoE, LAN - 172.16.1.1, OPT1 - 172.16.2.1, OPT2 - 172.16.3.1. What I want to do (if possible) is to be able to access from OPT1 (x.x.2.1) or OPT2 (x.x.3.1) which is connected to the LAN (x.x.1.1) and vice versa, because I run several virtual machines on the main Proxmox node and I can only access them if I am connected to the local IP 172.16.1.1 DHCP (in the future I will add a node on x.x.2.1 and x.x.3.1). What settings do I need to make to be able to do these things mentioned above?
It is not a problem to change the IPs if needed or something from the current configuration.
Thanks!
I'm not 100% sure what you are asking but in a networking infrastructure if you want multiple subnets to be served by a single DHCP server you need to do DHCP relay.
This is usually done by setting up VLANs on a managed switch and setting the VLAN to forward DHCP packets to the address of the DHCP server in another subnet.
DHCP packets do not route, so without something like this it won't work.
In OPNsense, like other "modern" networking devices/software, you can set up VLANs assigned to interfaces.
Once your VLANs are set up and assigned to an interface you can configure DHCP for these VLANs.
Your interface will have an IP address, i.e. 192.168.100.1, and your DHCP will have the subnet 192.168.100.0/24. Then you can assign a scope to hand out addresses.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense#5-dhcp-configuration-for-automatic-ip-address-assignment
If Proxmox allows you to assign a VLAN ID to your virtual networks then this will work. I am not sure how you would do that if it doesn't.
Quote from: cliffwilliams44 on December 07, 2023, 07:45:25 PM
I'm not 100% sure what you are asking but in a networking infrastructure if you want multiple subnets to be served by a single DHCP server you need to do DHCP relay.
This is usually done by setting up VLANs on a managed switch and setting the VLAN to forward DHCP packets to the address of the DHCP server in another subnet.
DHCP packets do not route, so without something like this it won't work.
In OPNsense, like other "modern" networking devices/software, you can set up VLANs assigned to interfaces.
Once your VLANs are set up and assigned to an interface you can configure DHCP for these VLANs.
Your interface will have an IP address, i.e. 192.168.100.1, and your DHCP will have the subnet 192.168.100.0/24. Then you can assign a scope to hand out addresses.
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense#5-dhcp-configuration-for-automatic-ip-address-assignment
If Proxmox allows you to assign a VLAN ID to your virtual networks then this will work. I am not sure how you would do that if it doesn't.
I want all LANs (LAN, OPT1, OPT2) to have the same gateway and to be able to be accessed locally from any LAN.
I don't necessarily want them to have different subnets (if it works without them).
For example, the management of the Proxmox node is linked to OPT2 and has the associated IP 172.16.3.2 at the moment, and it cannot be accessed from LAN or OPT1.
Are these physical NICs or virtual NICs?
Either way if they are on the same subnet they can talk.
If you want all 3 of those subnets to talk to each other then you need a /22 subnet.
Again, unsure what the point is though.
VLANs can talk to each other; in OPNsense you have to configure firewall rules to allow traffic to flow between VLANs.
I'm just speaking from reading the documentation, I've never set this up and I'm new to OPNsense (I've used pfSense before).
VLANs might be overkill.
You probably want to configure your LAN side of OPNsense with 172.16.0.0/22.
That gives you a network that supports 172.16.0.0 - 172.16.3.255.
Your inside address for the OPNsense device can still be 172.16.1.1.
Then 172.16.2.1 and 172.16.3.1 can talk to each other and to OPNsense.
Make sure you set up your DHCP on the LAN interface with subnet 172.16.0.0/22 and make sure your range starts above 172.16.1.1. You could completely exclude 172.16.0.0-172.16.1.255 and just use 172.16.2.1 - 172.16.3.255.
Quote from: cliffwilliams44 on December 08, 2023, 03:45:16 AM
Are these physical NICs or virtual NICs?
Either way if they are on the same subnet they can talk.
If you want all 3 of those subnets to talk to each other then you need a /22 subnet.
Again, unsure what the point is though.
VLANs can talk to each other; in OPNsense you have to configure firewall rules to allow traffic to flow between VLANs.
I'm just speaking from reading the documentation, I've never set this up and I'm new to OPNsense (I've used pfSense before).
VLANs might be overkill.
You probably want to configure your LAN side of OPNsense with 172.16.0.0/22.
That gives you a network that supports 172.16.0.0 - 172.16.3.255.
Your inside address for the OPNsense device can still be 172.16.1.1.
Then 172.16.2.1 and 172.16.3.1 can talk to each other and to OPNsense.
Make sure you set up your DHCP on the LAN interface with subnet 172.16.0.0/22 and make sure your range starts above 172.16.1.1. You could completely exclude 172.16.0.0-172.16.1.255 and just use 172.16.2.1 - 172.16.3.255.
Hello,
The NIC is physical (PCIe) + the standard port of the motherboard, I tried until I saw your answer to try through the bridge, but it doesn't work the way I want.
What you are saying is to set the LAN on the IP 172.16.1.1/22 (DHCP Range 172.16.1.20 - 172.16.3.200 on LAN), and further I don't know how to set OPT1 and OPT2 to get IPs from the DHCP range of LAN and DNS as well.
That is, I want them to be somehow linked together and answer to a single gateway, not individually.
Edit: I'm not interested in VLANs
You need to activate a DHCP server on each of these interfaces and assign a different network and DHCP range to each. Communication of devices connected to different interfaces is enabled by creating matching firewall rules.
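Added example, not part of any poster's reply: a Python check of the two addressing plans discussed in this thread. It shows that widening LAN to /22 overlaps the OPT1/OPT2 networks, that one /24 per interface does not, and which inter-interface pass rules the routed plan needs. The OPT1/OPT2 DHCP ranges and the function names are assumptions made for the example.

```python
import ipaddress
from itertools import permutations

# Constructed plans based on the addresses in this thread; the OPT1/OPT2
# DHCP ranges are assumptions (the thread gives no ranges for them).
FLAT_22 = {   # LAN widened to /22 while OPT1/OPT2 keep their own addresses
    "LAN":  {"addr": "172.16.1.1/22", "dhcp": ("172.16.1.20", "172.16.3.200")},
    "OPT1": {"addr": "172.16.2.1/24", "dhcp": ("172.16.2.20", "172.16.2.200")},
    "OPT2": {"addr": "172.16.3.1/24", "dhcp": ("172.16.3.20", "172.16.3.200")},
}
ROUTED = {    # one /24 and one DHCP scope per interface
    "LAN":  {"addr": "172.16.1.1/24", "dhcp": ("172.16.1.20", "172.16.1.200")},
    "OPT1": {"addr": "172.16.2.1/24", "dhcp": ("172.16.2.20", "172.16.2.200")},
    "OPT2": {"addr": "172.16.3.1/24", "dhcp": ("172.16.3.20", "172.16.3.200")},
}

def check_plan(plan):
    """Return a list of problems: bad DHCP scopes and overlapping interface networks."""
    problems = []
    ifaces = {n: ipaddress.ip_interface(c["addr"]) for n, c in plan.items()}
    for name, cfg in plan.items():
        net, gw = ifaces[name].network, ifaces[name].ip
        lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp"])
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{name}: DHCP range is not inside {net}")
        elif lo <= gw <= hi:
            problems.append(f"{name}: DHCP range includes the interface address {gw}")
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} {ifaces[a].network} overlaps {b} {ifaces[b].network}")
    return problems

def required_rules(plan):
    """Pass rules needed for traffic between interfaces. Rules are evaluated on
    the interface where traffic enters; replies are covered by state tracking."""
    nets = {n: ipaddress.ip_interface(c["addr"]).network for n, c in plan.items()}
    return [(src, str(nets[src]), str(nets[dst])) for src, dst in permutations(nets, 2)]

if __name__ == "__main__":
    for label, plan in (("flat /22", FLAT_22), ("routed /24s", ROUTED)):
        print(label, check_plan(plan) or "OK")
    for iface, src, dst in required_rules(ROUTED):
        print(f"pass on {iface}: source {src} -> destination {dst}")
```

Each listed rule can be narrowed to specific hosts or ports instead of the whole destination network when only some services need to be reachable across interfaces.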
Quote from: Patrick M. Hausen on December 08, 2023, 10:11:32 AM
You need to activate a DHCP server on each of these interfaces and assign a different network and DHCP range to each. Communication of devices connected to different interfaces is enabled by creating matching firewall rules.
I don't know how to set the rules in the firewall, can you guide me at least for an interface with what settings should be made?
Copy the rule from your LAN interface but change the interface to e.g. OPT1. There's a convenient "copy" button to the right of each firewall rule.
If you have "LAN net" for source in that LAN rule, change it to "OPT1 net". If it's "any" just leave it as is.
Quote from: Patrick M. Hausen on December 08, 2023, 10:52:04 AM
Copy the rule from your LAN interface but change the interface to e.g. OPT1. There's a convenient "copy" button to the right of each firewall rule.
If you have "LAN net" for source in that LAN rule, change it to "OPT1 net". If it's "any" just leave it as is.
Does everything seem ok?
Quote from: Patrick M. Hausen on December 08, 2023, 10:52:04 AM
Copy the rule from your LAN interface but change the interface to e.g. OPT1. There's a convenient "copy" button to the right of each firewall rule.
If you have "LAN net" for source in that LAN rule, change it to "OPT1 net". If it's "any" just leave it as is.
At the moment the configuration is as follows: LAN (172.16.1.1/24) -> Switch -> TP-Link Routers in Mesh;
OPT1 (x.x.2.1/24) -> Workstation;
OPT2 (x.x.3.1/24) -> LAN port of the motherboard (connection for Proxmox and the rest of the VMs);
But I don't know how everything can have DNS 172.16.1.1 and the OPN gui can be accessed only on 172.16.1.1, not on the rest 2.1/3.1.
Is everything set up correctly?
Place DNS server 172.16.1.1 in the DHCP configuration for OPT1 in Services > DHCPv4 > OPT1. Same for OPT2.
Change UI listen address to 172.16.1.1 in System > Settings > Administration.
Quote from: Patrick M. Hausen on December 08, 2023, 12:11:42 PM
Place DNS server 172.16.1.1 in the DHCP configuration for OPT1 in Services > DHCPv4 > OPT1. Same for OPT2.
Change UI listen address to 172.16.1.1 in System > Settings > Administration.
Yes, I finally succeeded, thanks for the information!