OPNsense Forum

English Forums => Virtual private networks => Topic started by: V3G4NC4MP3R on April 10, 2026, 05:53:09 PM

Title: OPNsense, Proxmox & OpenVPN
Post by: V3G4NC4MP3R on April 10, 2026, 05:53:09 PM
Good Day!

I am attempting to set up OPNsense on a Proxmox server that will be used for all internet access. I would like a number of LXC/VMs to go via OpenVPN and the rest via my fibre router (will replace that later with a 2.5GbE OPNsense bridged port). So far I have the Proxmox instances working by performing the following:


That all works fine, and from one of the instances if I curl an IP info check I get back the VPN address. The problem comes when I update my local machine to use OPNsense as its gateway. I cannot reach anything outside of the local network :(

Do I need another NAT rule for the local LAN?

Am just a little confused on what configuration I am missing.

Title: Re: OPNsense, Proxmox & OpenVPN
Post by: viragomann on April 10, 2026, 06:11:42 PM
Quote from: V3G4NC4MP3R on Today at 05:53:09 PM
Firewall -> Rules -> LAN -> top level rule to direct _vpn_group to the OpenVPN gateway

Note that this redirects any traffic to the VPN gateway.

If the VM is configured to use OPNsense for DNS resolution, this leads to failing DNS.

Best practice for VPN gateway rules is to limit its destination to public address ranges only.
You can achieve this by creating a network alias and adding all RFC 1918 networks to it. Then specify this alias in the policy routing rule as destination and check "Invert Destination".

To allow internal access, e.g. DNS, you need additional rules of course.
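
Added example, not part of the thread and not OPNsense code: a small first-match model of the LAN rules, comparing the catch-all policy routing rule with the "Invert Destination" variant described in the reply above. The addresses, the `OPENVPN_GW` and `default` labels, and the second LAN rule are constructed assumptions.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

# Contents of the RFC 1918 network alias suggested in the reply.
RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")
# Constructed sample values (assumptions, not from the thread).
VPN_GROUP = nets("192.168.1.50/32", "192.168.1.51/32")  # stands in for _vpn_group
LAN_NET = nets("192.168.1.0/24")
OPNSENSE_LAN_IP = "192.168.1.1"  # DNS resolver the VMs point at

def in_alias(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)

def evaluate(rules, src, dst):
    """Return the gateway of the first matching rule, or 'block' if none match."""
    for rule in rules:
        if not in_alias(src, rule["source"]):
            continue
        dst_hit = in_alias(dst, rule["destination"])
        if rule.get("invert_destination"):
            dst_hit = not dst_hit  # "Invert Destination" checkbox
        if dst_hit:
            return rule["gateway"]
    return "block"

# Hypothetical additional rule: LAN to anything, normal routing table.
ALLOW_LAN = {"source": LAN_NET, "destination": ANY, "gateway": "default"}

# Top-level rule as quoted: any destination from _vpn_group goes to the VPN gateway.
CATCH_ALL = [{"source": VPN_GROUP, "destination": ANY, "gateway": "OPENVPN_GW"}, ALLOW_LAN]

# Same rule limited to public destinations via the inverted RFC 1918 alias.
PUBLIC_ONLY = [{"source": VPN_GROUP, "destination": RFC1918,
                "invert_destination": True, "gateway": "OPENVPN_GW"}, ALLOW_LAN]

if __name__ == "__main__":
    for name, rules in (("catch-all", CATCH_ALL), ("public-only", PUBLIC_ONLY)):
        for dst in (OPNSENSE_LAN_IP, "1.1.1.1"):
            print(f"{name:12} 192.168.1.50 -> {dst:12} via {evaluate(rules, '192.168.1.50', dst)}")
```
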