OPNsense Forum

English Forums => General Discussion => Topic started by: ricksense on June 29, 2024, 11:12:21 PM

Title: L3 Switch behind Opnsense
Post by: ricksense on June 29, 2024, 11:12:21 PM
Hi,
I'd like to put an L3 switch behind OPNsense. The switch will manage a few VLANs and a DHCP server for each of them. Then, I would set a /30 subnet (say 192.168.10.0/30) between one interface of the switch (192.168.10.2/30) and one of the firewall (192.168.10.1/30). The L3 switch would have 192.168.10.1 as a default gateway in the routing setup.
I'm not sure how to set OPNsense up to make it work properly. What should I do first on the routing setup side?
Could you help me figure it out?
Thanks
Title: Re: L3 Switch behind Opnsense
Post by: netnut on June 30, 2024, 05:10:01 AM
Quote from: ricksense on June 29, 2024, 11:12:21 PM
...
The L3 switch would have 192.168.10.1 as a default gateway in the routing setup.

Now your switch knows where to find any network that's not local: via the OPNsense gateway. The only thing left is to tell OPNsense that the networks (like 192.168.0.0/16) you use on your switch are reachable via the switch gateway (192.168.10.2/30 in your example). So make a gateway & static route for that in OPNsense.

If your routing works, the next step is firewall and NAT rules; here too you need to make OPNsense aware of your local switch networks, whatever your config or requirements are.
Title: Re: L3 Switch behind Opnsense
Post by: ricksense on June 30, 2024, 08:50:10 AM
Quote from: netnut on June 30, 2024, 05:10:01 AM
Quote from: ricksense on June 29, 2024, 11:12:21 PM
...
The L3 switch would have 192.168.10.1 as a default gateway in the routing setup.

Now your switch knows where to find any network that's not local: via the OPNsense gateway. The only thing left is to tell OPNsense that the networks (like 192.168.0.0/16) you use on your switch are reachable via the switch gateway (192.168.10.2/30 in your example). So make a gateway & static route for that in OPNsense.

If your routing works, the next step is firewall and NAT rules; here too you need to make OPNsense aware of your local switch networks, whatever your config or requirements are.

OK, so far so good then.
Do I need to set Hybrid outbound NAT rule generation mode in Outbound to create new NAT rules?
Thanks
Title: Re: L3 Switch behind Opnsense
Post by: Patrick M. Hausen on June 30, 2024, 12:42:09 PM
Yes. Or manual.
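To make the two points above concrete (the gateway plus static route netnut describes, and why automatic outbound NAT is not enough for the VLANs behind the switch), here is an added example that models the topology from the thread in Python. It is not part of the forum posts and not OPNsense code: the interface names "wan" and "transit", the WAN addresses (from the 203.0.113.0/24 documentation range) and the 192.168.0.0/16 summary of the switch VLANs are constructed assumptions. It checks that the gateway address is a usable host inside the /30, walks a routing table with longest-prefix match (so the connected /30 still wins over the /16 that contains it), and lists the source networks that the automatic outbound NAT rules, which only cover interface-attached networks, would miss and therefore need hybrid or manual rules.

```python
"""Model of an L3 switch behind OPNsense: gateway sanity check, route lookup, NAT gaps.

Constructed example topology (assumptions, not taken from the thread or OPNsense):
  wan      203.0.113.2/24, default gateway 203.0.113.1
  transit  192.168.10.1/30 on OPNsense, 192.168.10.2/30 on the L3 switch
  behind the switch: VLANs summarised as 192.168.0.0/16
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
IPv4Iface = ipaddress.IPv4Interface


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: Optional[IPv4Addr]  # None means directly connected
    via: Optional[str]           # interface the next hop is reached on


# Constructed topology values (see module docstring).
INTERFACES: Dict[str, IPv4Iface] = {
    "wan": ipaddress.ip_interface("203.0.113.2/24"),
    "transit": ipaddress.ip_interface("192.168.10.1/30"),
}
DEFAULT_GATEWAY = IPv4Addr("203.0.113.1")
SWITCH_GATEWAY = IPv4Addr("192.168.10.2")
SWITCH_NETWORKS = [IPv4Net("192.168.0.0/16")]


def interface_for_gateway(interfaces: Dict[str, IPv4Iface], gw: IPv4Addr) -> Optional[str]:
    """Return the interface whose connected subnet contains gw, or None if unreachable."""
    for name, iface in interfaces.items():
        if gw in iface.network:
            return name
    return None


def validate_gateway(interfaces: Dict[str, IPv4Iface], gw: IPv4Addr) -> List[str]:
    """Problems a gateway entry would have: not on a connected subnet, our own address,
    or the network/broadcast address of the subnet (neither is a usable host on a /30)."""
    issues = []
    name = interface_for_gateway(interfaces, gw)
    if name is None:
        return [f"{gw} is not inside any connected subnet"]
    iface = interfaces[name]
    if gw == iface.ip:
        issues.append(f"{gw} is the firewall's own address on {name}")
    if gw in (iface.network.network_address, iface.network.broadcast_address):
        issues.append(f"{gw} is the network or broadcast address of {iface.network}")
    return issues


def build_table(interfaces: Dict[str, IPv4Iface], default_gw: IPv4Addr,
                static: List[Tuple[IPv4Net, IPv4Addr]]) -> List[Route]:
    """Connected routes from the interface addresses, then static routes, then default."""
    table = [Route(iface.network, None, name) for name, iface in interfaces.items()]
    for prefix, gw in static:
        table.append(Route(prefix, gw, interface_for_gateway(interfaces, gw)))
    table.append(Route(IPv4Net("0.0.0.0/0"), default_gw,
                       interface_for_gateway(interfaces, default_gw)))
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = IPv4Addr(dst)
    candidates = [r for r in table if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def outbound_nat_gaps(interfaces: Dict[str, IPv4Iface],
                      static: List[Tuple[IPv4Net, IPv4Addr]]) -> List[IPv4Net]:
    """Static-route destinations not inside any connected network. Automatic outbound NAT
    only generates rules for interface-attached networks, so these need manual rules."""
    connected = [iface.network for iface in interfaces.values()]
    return [p for p, _ in static if not any(p.subnet_of(c) for c in connected)]


if __name__ == "__main__":
    static = [(net, SWITCH_GATEWAY) for net in SWITCH_NETWORKS]
    print("gateway issues:", validate_gateway(INTERFACES, SWITCH_GATEWAY) or "none")
    table = build_table(INTERFACES, DEFAULT_GATEWAY, static)
    for dst in ("192.168.10.2", "192.168.20.5", "198.51.100.7"):
        r = lookup(table, dst)
        print(f"{dst:>14} -> {r.prefix} via {r.gateway or 'connected'} ({r.via})")
    print("needs manual outbound NAT:", outbound_nat_gaps(INTERFACES, static))
```

Running it shows 192.168.10.2 resolved as directly connected, 192.168.20.5 routed via 192.168.10.2 on the transit interface, an Internet address going to the default gateway, and 192.168.0.0/16 listed as the source range the automatic NAT rules would not translate. Swapping SWITCH_GATEWAY for 192.168.10.3 makes validate_gateway flag it as the broadcast address of the /30, which is the kind of typo that otherwise only shows up as silently dropped traffic.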
Title: Re: L3 Switch behind Opnsense
Post by: ricksense on June 30, 2024, 02:48:13 PM
Quote from: Patrick M. Hausen on June 30, 2024, 12:42:09 PM
Yes. Or manual.

I set OPNsense this way to make the routing side work:

https://imgbox.com/o42vsLYI

https://imgbox.com/ZyAdVh3r

https://imgbox.com/gvXoblJb

Everything now seems to be working as expected. Someone warned me that I might have some flooding issues because of the broadcast, but honestly I didn't know what he was talking about.
Anyway, any suggestions for any improvements?

Thanks

Title: Re: L3 Switch behind Opnsense
Post by: netnut on June 30, 2024, 09:54:03 PM
Quote from: ricksense on June 30, 2024, 02:48:13 PM
Someone warned me that I might have some flooding issues because of the broadcast, but honestly I didn't know what he was talking about.

Without any context it sounds like bollocks; the whole idea of VLANs is isolating / restricting broadcast traffic. That someone might also warn you about "static from nylon underwear".