I have a hub-and-spoke model in Azure (as shown below)
(https://waynestor.blob.core.windows.net/share/hub-spoke.png)
opnsense:
LAN interface:10.1.1.250
WAN interface:10.1.0.250
Spoke1 is peered to hub vnet where opnsense lives.
Spoke3 is peered to hub vnet where opnsense lives.
For spoke1 to talk to spoke3, the traffic is routed through opnsese LAN interface in the hub.
Also for spoke3 to talk to spoke1, the traffic is routed through opnsese LAN interface in the hub.
I have added specific firewall rules on opnsense to allow the traffic from spoke1 to spoke3 and vice versa. However when I try to reach from spoke1 to spoke3 but I can't. I don't see any traffic on spoke3 at all from spoke1. Looking at opnsense firewall logs. I see the traffic is hitting my rule, but then the traffic is let out from firewall through WAN interface as shown in the following snippet:
(https://waynestor.blob.core.windows.net/share/fwlogs.png)
Why this is happening? What do I need to do to get the traffic from spoke1 to reach to spoke3 and vice versa?
any help is appreciated.
Your LAN interface can't be both 10.11.1.0/24 and 10.13.1.0/24. You'll need two separate interfaces. You haven't shared any information at all about how OPNsense is configured, so we could only guess...........
Quote from: dseven on December 01, 2024, 12:42:09 PM
Your LAN interface can't be both 10.11.1.0/24 and 10.13.1.0/24. You'll need two separate interfaces. You haven't shared any information at all about how OPNsense is configured, so we could only guess...........
My bad... Here how opnsense configured
Lan interface 10.1.1.250
Wan interface 101.0.250
10.13.1.4 is not part of 10.1.1.0/24, so it will take the default route, which is the gateway associated with your WAN interface. You'll need an additional "LAN" interface for "spoke3"
Quote from: dseven on December 01, 2024, 01:20:02 PM
10.13.1.4 is not part of 10.1.1.0/24, so it will take the default route, which is the gateway associated with your WAN interface. You'll need an additional "LAN" interface for "spoke3"
How to add an additional LAN interface? Under Interfaces--Assignments, I can't seem to find any option to add a new interface.
I am totally new to opnsense, please excuse my ignorance.
It's not really clear what you're trying to accomplish - e.g. is there an actual WAN here, or are you using the WAN interface as an additional LAN? I'm not familiar with Azure, and don't know what a "VNet Peering" entails, but your network design doesn't look right. You have a host on subnet 10.13.1.0/24 and a route supposedly pointing to 10.1.1.250, but that's on a different subnet, so what's in between? You have the same next hop (10.1.1.250) on the other side, but that side of your hub is 10.1.0.250 ...
Quote from: dseven on December 01, 2024, 02:53:35 PM
It's not really clear what you're trying to accomplish - e.g. is there an actual WAN here, or are you using the WAN interface as an additional LAN? I'm not familiar with Azure, and don't know what a "VNet Peering" entails, but your network design doesn't look right. You have a host on subnet 10.13.1.0/24 and a route supposedly pointing to 10.1.1.250, but that's on a different subnet, so what's in between? You have the same next hop (10.1.1.250) on the other side, but that side of your hub is 10.1.0.250 ...
VNet peering is basically a way to connect two virtual network together, so spoke can talk to hub and vice versa as if they were in the same VNet.
Spoke2, spoke3 and hub are separate VNets.
In my diagram, spoke3 is connected to hub and spoke1 is connected hub. However this doesn't make spoke1 is accessible from spoke1 just because both are connected (via VNet peering) to hub. To make them talk to each other, you can route the traffic from spoke3 to spoke1 to a NVA (network virtual appliance) in our case opnsense is the NVA which in turn should be able to route/allow the traffic to the destined network. In my case, I am using a static route for this matter which points to the LAN interface of my NVA (10.1.1.250).
The WAN interface is going to be used for internet traffic from spoke VNets.
to close out this thread, I have just managed to get this to work.
(https://waynestor.blob.core.windows.net/share/traffic.png)
A NAT rule was needed to get things to work as expected:
(https://waynestor.blob.core.windows.net/share/nat.png)
Thank you for your help and support