OPNsense Forum

English Forums => General Discussion => Topic started by: GorillaArms on July 25, 2018, 12:49:25 pm

Title: Multi-Level Configuration
Post by: GorillaArms on July 25, 2018, 12:49:25 pm

This may appear to be somewhat of a bizarre configuration, but it has some utility given my needs.  I'm running OPNSense 18.1 as a frontend firewall which handles traffic/DHCP for a private LAN.  One of the private LAN clients is also a gateway to a separate private LAN that is utilized for a different purpose.  The network looks like this:

- External Internet connected to a router
- Router generates 192.168.5.* addresses for clients
- OPNSense Firewall is a client to the router (the only client) and generates 192.168.1.* addresses for clients
- There is an OSX Server client (192.168.1.102) behind OPNSense (there are multiple clients) that serves as a gateway to another private LAN.  The OSX Server generates addresses of 10.0.0.* for its clients. 

INET -> Router -- 192.168.5.* --> OPNSense Firewall -- 192.168.1.* --> OSX Client -- 10.0.0.* --> Private LAN

So... everything works until you get to the 10.0.0.* private LAN.  The OPNSense firewall and the OSX Client can see the outside internet.  However, the 10.0.0.* clients, cannot.  I checked the OPNSense firewall logs and it was blocking all traffic from the 10.0.0.* as these addresses were not within range of the OPNSense LAN (192.168.1.*).  I created a network alias for the 10.0.0.* range and create a firewall rules to permit traffic from that alias.  The firewall becomes happy again and starts routing traffic forwarded (NAT) from the 10.0.0.* range.  However, I don't believe OPNSense is correctly routing any packets back to the OSX client to NAT for the 10.0.0.* clients.  EG, when client 10.0.0.2 requests "google.com" on port 80, I see the request go out through OPNSense, but the return is dropped somewhere (at least I believe it is). 

Given that there are multiple clients residing behind OPNSense, I'm not sure that I can generate a static route... or is this not the case?  Any thoughts on my goofy setup?

Title: Re: Multi-Level Configuration
Post by: bartjsmit on July 25, 2018, 03:43:42 pm

Does the internet router know where 10.0.0.0/8 lives?

Bart...

Title: Re: Multi-Level Configuration
Post by: GorillaArms on July 26, 2018, 01:51:12 am

Bart, no it doesn't.  The internet router only sees the 192.* addresses.  I can certainly try setting a static route there for all 10.* addresses to route back to the opnsense device.  Thoughts?

Title: Re: Multi-Level Configuration
Post by: bartjsmit on July 26, 2018, 08:19:50 am

Yes, you need routing both ways for the return packets to make it back to the source, or you need an outbound NAT on OPNsense.

It's much easier to have static routes on your NAT gateway for all internal subnets. A few protocols won't even work with double NAT.

Bart...