OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: sc0ttjm on June 10, 2022, 11:20:51 am

Title: Forward Traffic for a Specific External IP to a second Virtual OPNsense Firewall
Post by: sc0ttjm on June 10, 2022, 11:20:51 am
I have some equipment setup in a colocation cabinet in a local datacentre as per the diagram attached.
We can access everything we need to currently, but we want to add a set of Virtual Machines that have their own network behind their own managed OPNsense Firewall, independent of everything else.
We want to use a spare external IP address just for this network, so that in the example in my diagram, Unused External IP address *.*.*.164 will go straight through our firewall cluster (1) to the Virtual Firewall on XCP-NG Host1 (2) so we can access the resources behind it in that network (3).
I managed to get an isolated host on VLAN 30 to be accessible from outside by NAT port forwarding RDP (don't worry, it's just a test; it's not live), shown in the diagram as "Windows VM 10.30.0.12" on XCP-NG Host3.
To achieve this:
•   I set up a VLAN ID (30) on my physical OPNsense firewalls.
•   Created an interface called "Test_Network" using VLAN ID 30 on the LAN physical interface with IP address 10.30.0.1.
•   Created a NAT port forward rule that allows RDP from my external IP address to the virtual WAN IP address of the Windows VM.
•   Tagged this VLAN on all physical switch ports.
•   Created a pool network on XCP-NG using VLAN ID 30.
•   Attached this network to my test Windows VM on one of the hosts.
This works fine: my test VM is assigned an IP address from the external OPNsense firewall and has access to the internet, but cannot see anything else on any other network, which is what I want. However, it shares my main external IP, and I have to have an allow rule on our physical firewall.
I just can't work out how to do this instead so that the physical firewall recognises a specific external IP address as the destination and passes all traffic through to the second virtual firewall on the XCP-NG host, which then manages it.
I feel like I’m close but can’t quite get over the finishing line.
Any help greatly appreciated.
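For reference, the technique the original poster is describing (a whole spare public address handed to a second firewall) is a 1:1 NAT, which in the OPNsense GUI is Firewall > NAT > One-to-One, with the spare address first added as a Virtual IP under Interfaces > Virtual IPs (a CARP VIP on a cluster). The pf rule set below is an added example written for this thread, not configuration from the poster or from the OPNsense project; it shows the rules the GUI entries correspond to. Every address and interface name in it is a placeholder: the thread only gives the external IP as *.*.*.164, and the dedicated transit VLAN (40), its subnet (10.40.0.0/24), the virtual firewall's WAN address (10.40.0.2) and the interface names are assumptions.

```pf
# Added example (not from the thread): pf rules equivalent to an OPNsense
# One-to-One NAT entry that maps one spare external IP to the WAN address of
# a second OPNsense VM. All names and addresses below are placeholders.

wan_if  = "vtnet0"         # physical cluster WAN interface (assumed name)
vfw_if  = "vlan40"         # transit VLAN to the virtual firewall (assumed)
ext_ip  = "203.0.113.164"  # spare public IP; thread gives only *.*.*.164
vfw_wan = "10.40.0.2"      # WAN address of the virtual OPNsense (assumed)
transit = "10.40.0.0/24"   # transit subnet between the two firewalls (assumed)

# 1:1 NAT in both directions: inbound packets to $ext_ip are rewritten to
# $vfw_wan, and outbound packets from $vfw_wan leave with source $ext_ip.
# This is what OPNsense writes for a Firewall > NAT > One-to-One entry.
binat on $wan_if from $vfw_wan to any -> $ext_ip

# NAT does not permit anything by itself. The WAN filter rule must match the
# translated (private) destination, not the public address; a rule written
# against $ext_ip never matches because binat has already rewritten it.
# Pass everything here: the virtual firewall is meant to do its own filtering.
pass in quick on $wan_if inet from any to $vfw_wan keep state

# Keep the transit VLAN a pure hand-off network: only the virtual firewall's
# own address may talk on it, and it may not reach the colo's other VLANs
# (assumed here to all live inside 10.0.0.0/8). Replies to the inbound
# states above are already allowed by "keep state".
block in quick on $vfw_if inet from ! $vfw_wan to any
block in quick on $vfw_if inet from $vfw_wan to 10.0.0.0/8
pass  in quick on $vfw_if inet from $vfw_wan to any keep state
```

Two checks worth doing once this is in place: `pfctl -sn` on the physical firewall should list the `binat` line, and `pfctl -sr` should show the WAN pass rule with the private destination. The transit VLAN should be separate from VLAN 30: the test VM on VLAN 30 gets its address and default route from the physical firewall, so putting the virtual firewall's WAN there would leave it behind the physical firewall's LAN NAT rather than behind the dedicated public address. On a CARP cluster, the spare address must be a CARP VIP (not a plain IP alias) so it fails over with the rest, and state for the binat connections is carried by pfsync like any other.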
Title: Re: Forward Traffic for a Specific External IP to a second Virtual OPNsense Firewall
Post by: defaultuserfoo on June 11, 2022, 02:10:14 am
Do you need to use a gateway and perhaps a firewall rule to force traffic through that gateway?
Title: Re: Forward Traffic for a Specific External IP to a second Virtual OPNsense Firewall
Post by: sc0ttjm on July 01, 2022, 05:10:01 pm
I've not had much response to this, but I'm really struggling to work it out. Any help would be greatly appreciated!