OPNsense Forum

English Forums => General Discussion => Topic started by: Aloist on December 04, 2018, 07:02:50 pm

Title: [SOLVED] secondary IP address for WAN interface - how? (routing issue)
Post by: Aloist on December 04, 2018, 07:02:50 pm
I need help to configure a new OPNsense firewall for my special situation, which I describe below.

We have owned a class C IP range a.a.a.0/24 for many years, and all devices in our company
network have public addresses from this range.
I have split it into two subnets:
  a.a.a.240/28  for the external network at colocation space
  a.a.a.0/25    for the internal company network
  (the range a.a.a.128 - 239 is currently unused)

In addition, we use a network 10.1.2.0/24 at the colocation space
for the remote-admin interfaces (RAC interfaces) on all Dell servers
and for VLAN access to the two switches.

We also use the network 10.1.1.0/24 inside the web server farm.

Problem: how to reach the RAC-network 10.1.2.0/24 from the internal company network?

Up to now we used an older Cisco 2621 router in the place where the OPNsense firewall
will now be placed. We used access-list filter rules as the firewall for the company network.
The outer interface of the Cisco router had two IPs assigned:
  a.a.a.254
  secondary 10.1.2.254

That way, it understood the routing automatically.

On OPNsense, apparently I cannot simply assign a secondary IP to the WAN.

Colocation rack at provider
===========================

       ^  to Provider router + Internet
       | gateway IP a.a.a.253
       |
       |
       |           vlan: 10.1.2.2
   +---------------------------------------+
   | 24 port outer switch                  |-------------------+
   +---------------------------------------+                   |
     |                                                         |
     |                                 Subnet a.a.a.240/28     |
     |                                                         |
     |IP a.a.a.241 ..                  Subnet 10.1.2.0/24      |
     |aliases: a.a.a.242-245           for RAC card on each    |
+--------------------------------+     server and for vlan     |
| load balancer                  |     on switches             |
| and firewall for web servers   |                             |
| with iptables / RHEL 7         |----- RAC IP 10.1.2.200      |
+--------------------------------+                             |
           |10.1.1.254                                         |
           |                                                   |
           |IP 10.1.1.x                                        |
Web server farm of 7 servers --- RAC IP 10.1.2.201-207         |
                                                               |
                                                                |
                                                                |
                                                                |fiber
                                                                |leased line
                                                                |100 mbit
                                                                |
                                                                | 10 km
                                                                |
Server room at company HQ                                       |
=========================                                       |
                                                                |
                                             ethernet          |
                                    +--------------------------
                                    |
                                    |
                       ip a.a.a.254 | port 2 'WAN', secondary IP 10.1.2.254 is desired
                        +-----------------------------+
                        |  Opensense Firewall  os1    |
                        +-----------------------------+
                           | port 1 'LAN'
                           | ip a.a.a.62 as company gateway
                           | keep IP which is defined as gateway in many devices
                           |
                           |
                           internal network
                           subnet a.a.a.0/25

Title: Re: secondary IP address for WAN interface - how? (routing issue)
Post by: Aloist on December 06, 2018, 08:22:42 am
Does nobody really know how to route 10.1.2.0/24 through an OPNsense box which has public WAN and LAN addresses?
traceroute shows me that the packets get reflected or loop at the LAN port.
I have tried many variants of route and gateway configurations, and also defined a static route from LAN to the WAN port
for 10.1.2.0/24.
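
The routing question in the two posts above, as an added illustration that is not part of the thread and not OPNsense or FreeBSD code: a small Python model of the firewall's forwarding table, with and without the wanted 10.1.2.254 address on the WAN interface (the "virtual IP" approach the thread's final post names). It reproduces the kernel's longest-prefix-match decision, shows why a static route for 10.1.2.0/24 cannot be installed while no address in that network exists on the box (the gateway of a static route must itself be on a directly connected prefix), and checks the reply path from a RAC card. Assumptions: 203.0.113.0/24 (RFC 5737 TEST-NET-3) stands in for the anonymised a.a.a.0/24, the WAN address sits in the a.a.a.240/28 colo subnet the first post names, and the RAC cards keep 10.1.2.254 as their default gateway, as they did when the Cisco held that address.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed stand-ins (assumption, not from the thread): 203.0.113.0/24 plays
# the role of the anonymised a.a.a.0/24. The 10.1.x addresses and the interface
# roles are the ones the first post describes.
LAN_IF = ip_interface("203.0.113.62/25")    # port 1 'LAN': a.a.a.62, company gateway
WAN_IF = ip_interface("203.0.113.254/28")   # port 2 'WAN': a.a.a.254 in the colo /28
WAN_GW = ip_address("203.0.113.253")        # provider router, the default gateway
RAC_ALIAS = ip_interface("10.1.2.254/24")   # the 'secondary IP' wanted on WAN


def build_table(wan_aliases=()):
    """Routing table the kernel derives from the interface addresses: one
    connected route per address (next hop None = deliver on-link via ARP) plus
    the default route via the provider. Entries are (prefix, next_hop, ifname)."""
    table = [(LAN_IF.network, None, "LAN"), (WAN_IF.network, None, "WAN")]
    table += [(alias.network, None, "WAN") for alias in wan_aliases]
    table.append((ip_network("0.0.0.0/0"), WAN_GW, "WAN"))
    return table


def lookup(table, dst):
    """Longest-prefix match, as the forwarding path does."""
    dst = ip_address(dst)
    return max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)


def add_static_route(table, prefix, gateway):
    """Mimic adding a static route: the gateway must itself sit on a connected
    prefix, otherwise there is no interface to hand the packet to and the route
    is refused. Before an address in 10.1.2.0/24 exists on the box, any
    10.1.2.x gateway fails this check."""
    gw = ip_address(gateway)
    _, next_hop, ifname = lookup(table, gw)
    if next_hop is not None:
        raise ValueError(f"gateway {gw} is not on a directly connected network")
    table.append((ip_network(prefix), gw, ifname))


def forward(table, dst):
    """(egress interface, next hop) for a destination; 'on-link' when the box
    ARPs for the destination itself."""
    _, next_hop, ifname = lookup(table, dst)
    return ifname, ("on-link" if next_hop is None else str(next_hop))


def rac_table(default_gw="10.1.2.254"):
    """Assumed configuration of a RAC card in the colo: on-link /24 plus a
    default route pointing at the .254 address the old Cisco used to hold."""
    return [(ip_network("10.1.2.0/24"), None, "RAC"),
            (ip_network("0.0.0.0/0"), ip_address(default_gw), "RAC")]


def reachable_both_ways(lan_host, rac_host, wan_aliases=()):
    """True when the firewall delivers LAN->RAC on-link out of WAN and the RAC's
    reply is handed to one of the firewall's own WAN addresses."""
    fw_ifname, fw_next_hop = forward(build_table(wan_aliases), rac_host)
    _, rac_next_hop = forward(rac_table(), lan_host)
    fw_wan_addrs = {str(WAN_IF.ip)} | {str(a.ip) for a in wan_aliases}
    return fw_ifname == "WAN" and fw_next_hop == "on-link" and rac_next_hop in fw_wan_addrs


if __name__ == "__main__":
    before = build_table()
    print("without alias:", forward(before, "10.1.2.200"))   # ('WAN', '203.0.113.253')
    try:
        add_static_route(before, "10.1.2.0/24", "10.1.2.254")
    except ValueError as err:
        print("static route refused:", err)
    after = build_table([RAC_ALIAS])
    print("with alias:   ", forward(after, "10.1.2.200"))    # ('WAN', 'on-link')
    print("round trip:   ", reachable_both_ways("203.0.113.10", "10.1.2.200", [RAC_ALIAS]))
```

Without the alias, a packet for a RAC card only matches the default route and is handed to the provider router, which has no reason to carry 10.1.2.0/24 back to the colo switch; with 10.1.2.254/24 on WAN the /24 becomes a connected route and the box ARPs for the RAC directly, so no static route is needed at all. On a real OPNsense box it is also worth checking Firewall > NAT > Outbound: in automatic mode LAN traffic leaving WAN is source-translated to a WAN address, so the RAC cards would see the firewall's WAN address rather than the LAN host, and a manual rule excluding 10.1.2.0/24 from NAT may be wanted.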
Title: Re: secondary IP address for WAN interface - how? (routing issue)
Post by: Aloist on December 12, 2018, 08:44:22 am
The solution was provided by the (paid) support of OPNsense/Deciso, and is simple:

For routing the subnet 10.1.2.0/24 and the desired extra WAN IP of 10.1.2.254 on the OPNsense firewall, you only need to add a virtual IP, like this: