OPNsense Forum

English Forums => General Discussion => Topic started by: eptesicus on January 28, 2019, 03:57:00 pm

Title: Subnets and Messy Rules
Post by: eptesicus on January 28, 2019, 03:57:00 pm
I'm trying to go from a flat /20 network to subnets. I'm working on dividing my network up as below:

LAN - Currently contains most of the network at this time. Trying to move everything to VLANs/subnets
VLAN10_MGMT - Management network for DCs, DNS, ESXi hosts/vCenter, OoB management/console access, backups (may move to own subnet), monitoring servers/applications, etc. (Should be isolated, but also have access to everything?)
VLAN20_Storage - Network for NAS' with media and the SAN for VM storage. (Permit SAN for ESXi storage)
VLAN50_Users - My desktop, phone, laptop, etc. (Want access somehow to the management network, or everything... Not sure yet.)
VLAN70_DL - Download/torrent servers and DL automation services. (Want to view the web UIs from my Users and MGMT networks. Need to allow to read/write to the NAS on my storage network)
VLAN80_Web - Nginx reverse proxy servers, and any web-facing servers. (Only open ports to necessary services)
VLAN90_RA - Remote access - Squid proxy, VPN access to home network, RDP jumpboxes w/ Duo, ssh jumpboxes w/ Duo.
VLAN100_Guest - Guest wifi (Should be isolated completely with the exception of Plex and my other web services)
VLAN110_Wife - Wife's desktop, phone, tablet, etc. (Should be isolated completely with the exception of Plex and my other web services)
VLAN120_IOT - Internet of things... TV, Nvidia Shield... (Should be isolated completely with the exception of Plex and pi-hole DNS)

Right now, I have a PIA VPN on the firewall routing traffic to Toronto. When this was on, the guest wifi, wife and IoT VLANs wouldn't get access to the internet. I had to set their gateways to the WAN to fix that.

The problem right now is that when I enable the VPN, the LAN doesn't have access to the internet. Traffic should NOT be routing over that VPN, but something's happening where it's trying to, but is failing. I want it to go over the WAN, but for the time being, I don't want to set the WAN as a gateway, because then I can't access any of the other subnets.

Aside from starting my lab/home network from scratch, how do I make this all possible?

(https://i.imgur.com/RLdy97P.png)

(https://i.imgur.com/6fViQzV.png)

(https://i.imgur.com/0ET0P54.png)

(https://i.imgur.com/K0dOzNC.png)
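The dilemma in the post (a rule pinned to the WAN gateway fixes internet access but breaks inter-VLAN traffic, because a firewall rule with a gateway set sends every packet it matches to that gateway instead of the routing table) comes down to rule order. The following is an added example, not code from the post or from OPNsense: it models first-match rules with an optional gateway over constructed addressing and gateway names, and shows that a "local networks, no gateway" rule placed above the gateway-pinned rule keeps the other subnets reachable.

```python
"""Model of first-match firewall rules that may pin traffic to a gateway.
Networks, rule names and gateway names are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the scheme in the post (assumption).
LAN = ipaddress.ip_network("192.168.0.0/20")
VLAN20_STORAGE = ipaddress.ip_network("10.0.20.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dsts: List[ipaddress.IPv4Network]  # destinations the rule matches
    gateway: Optional[str]             # None = normal routing table


def match(rule: Rule, src, dst) -> bool:
    return src in rule.src and any(dst in d for d in rule.dsts)


def route(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Return the gateway forced by the first matching rule,
    "routing-table" if that rule sets no gateway, or None when
    nothing matches (implicit default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if match(r, s, d):
            return r.gateway or "routing-table"
    return None


# The problematic set: a single catch-all rule pinned to the WAN gateway,
# so even traffic for another VLAN is pushed out the WAN.
BROKEN = [Rule("LAN to any via WAN", LAN, ANY, "WAN_GW")]

# The fix: pass local destinations with no gateway *above* the pinned rule,
# so inter-VLAN traffic follows the routing table and only the rest uses WAN.
FIXED = [Rule("LAN to local nets", LAN, RFC1918, None),
         Rule("LAN to any via WAN", LAN, ANY, "WAN_GW")]

# Where a VPN gateway is wanted for some source, the same ordering applies:
# local-network rule first, then the VPN-pinned catch-all.
```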