OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: BS_ on January 21, 2016, 12:46:48 pm

Title: Access GUI from an External network (not the internet!)
Post by: BS_ on January 21, 2016, 12:46:48 pm
Hi,

I'll start by trying to clear up how my network is set up in relation to my OPNsense firewall...

First to define the networks:
1. 172.20.0.0 (255.255.0.0) - Main LAN, acting as the WAN to the OPNSense
2. 172.26.0.0 (255.255.240.0) - External LAN via site-site VPN to network 1.
3. 192.168.1.1 (255.255.255.0) - 'Private' LAN - has limited access to network 1.

Gateway IPs:
- Network 1: 172.20.1.254 (The OPNsense card has an IP of 172.20.1.253, so is the WAN IP in the OPNsense case)
- Network 2: 172.26.1.254
- Network 3: 192.168.1.254

- Networks 1 & 2 can see each other fine.
- Network 3 can get an external connection via the gateway on Network 1
- Network 1 can access the admin GUI on the OPNsense firewall (as can Network 3)
- I've disabled the rule disallowing private IP ranges
- Network 1 sits behind a router (with fw) so allowing connections into the OPNsense GUI isn't too much of an issue as it is protected from Internet traffic by the firewall on Network 1 (172.20.1.254)

I'm trying to access the admin GUI from network 2, which is failing. I can ping 172.20.1.254 from network 1, but not from network 2. I can ping every other device on network 1 (172.20.x.x) from network 2 without issue...

I think the issue is that the IP I am coming from is a 172.26.x.x address, which is unknown to OPNsense, though its card is connected the same as every other device on network 1...

Does anyone have any ideas on how I can achieve this? I have tried playing about with different NAT and Firewall rules, but to no avail so I'm going to clear those out and start fresh.

Thanks in advance, sorry for rambling slightly!
Title: Re: Access GUI from an External network (not the internet!)
Post by: 8191 on January 22, 2016, 05:52:16 pm
Hi,
If I understand your scenario correctly, you don't need to configure any NAT for this setup (or do you use outbound NAT for any of the interfaces?). I guess that just some filter rules are blocking the connection. Could you post your active rules (e.g. Firewall: Diagnostics: pfInfo, Rules)?

I don't understand:
Quote
I think the issue is that the IP I am coming from is a 172.26.x.x address, which is unknown to OPNsense, though its card is connected the same as every other device on network 1...
Is the IP 172.16.x.x actually part of the same subnet as network 2 (172.26.0.0/20)? What do you mean "connected the same as every other device"?
Title: Re: Access GUI from an External network (not the internet!)
Post by: newbug on January 22, 2016, 11:24:48 pm
Hi BS_,
You didn't mention what device is on both network 1 and network 3 (the router).
You will need to add a static route to the default gateway for network one (and allow redirection as necessary).

This will allow the traffic to return out the correct firewall interface (and not out the WAN interface).

This is what I understood from your description:
{ Internet } - [ OPNsense] - [ switch network 1] - [ router ] - [ switch network 3 ] - [ PC ]
                              |
                      [ VPN network 2 ]

https to OPNsense LAN interface does not work because OPNsense does not have a route back to network 3.

Did this solve your issue?
<bug~
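The two things the replies point at (whether the firewall has a route back to the client's subnet, and whether a WAN filter rule actually matches a 172.26.x.x source) can be checked with a small longest-prefix-match model built from the subnets in the original post. This is an added illustration, not OPNsense code or the poster's configuration; the interface names, the routing table and the sample "WAN net -> WAN address" rule are assumptions.

```python
import ipaddress

# Subnets from the thread (constructed table, not exported from OPNsense).
NET1 = ipaddress.ip_network("172.20.0.0/16")     # main LAN, OPNsense WAN side
NET2 = ipaddress.ip_network("172.26.0.0/20")     # remote site behind the site-to-site VPN
NET3 = ipaddress.ip_network("192.168.1.0/24")    # private LAN behind OPNsense
WAN_ADDR = ipaddress.ip_address("172.20.1.253")  # OPNsense WAN address (GUI target)

# Assumed routing table: (prefix, next hop or None if directly connected, interface).
ROUTES = [
    (NET1, None, "wan"),
    (NET3, None, "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "172.20.1.254", "wan"),
]

# Assumed first-match pass rules, OPNsense style:
# (interface, source network, destination address, destination port).
# A rule built from the "WAN net" alias only covers 172.20.0.0/16.
RULES = [
    ("wan", NET1, WAN_ADDR, 443),
]

def lookup(dst, table=ROUTES):
    """Longest-prefix match; returns (interface, next_hop) or None if no route."""
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return None if best is None else (best[2], best[1])

def rule_allows(iface, src, dst, port, ruleset=RULES):
    """True if any pass rule on iface matches this source/destination/port."""
    return any(iface == i and src in s and dst == d and port == p
               for i, s, d, p in ruleset)

def gui_reachable(client_ip, table=ROUTES, ruleset=RULES):
    """(allowed_by_filter, reply_route) for an HTTPS request from client_ip to the WAN address."""
    src = ipaddress.ip_address(client_ip)
    return rule_allows("wan", src, WAN_ADDR, 443, ruleset), lookup(src, table)

if __name__ == "__main__":
    for ip in ("172.20.5.10", "172.26.3.7"):
        print(ip, gui_reachable(ip))
    # Extending the WAN rule's source to the remote subnet is the corrective step the
    # replies suggest; a static route only matters when the reply would otherwise
    # leave a different interface than the request arrived on.
    print("172.26.3.7", gui_reachable("172.26.3.7", ruleset=RULES + [("wan", NET2, WAN_ADDR, 443)]))
```

With the assumed table, a client on network 1 passes the filter and is directly connected, while a client on network 2 has a return route (the default route) but fails the filter, which matches the diagnosis in 8191's reply.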