Messages - Livius

#1
After a few days full of attempts, the solution was pretty basic, by just reading carefully the help I solved it.
The Outbound rule should be configured:
Hybrid outbound

And a rule for each VLAN:
Interface: WAN
Source:   192.168.41.0/24
NAT Address: Interface address
and
Interface: WAN
Source:   192.168.42.0/24
NAT Address: Interface address

Outbound NAT only controls what happens to traffic as it leaves an interface. It does not control the interface through which traffic will exit the firewall. That is handled by the routing table (Static Routes) or policy routing (Policy routing).
#2
Hi iTninjasaki, have you found a solution for it?

I'm stuck with NAT and a layer 3 switch, RVI.
My setup:

OPNsense
LAN: 192.168.40.1  /24

VLANS
192.168.41.0 /24
192.168.42.0  /24

Switch
LAN IP: 192.168.40.5
GW: 192.168.40.1
And IP in each VLAN for RVI:
GW: 192.168.41.1
GW: 192.168.42.1

Because the switch doesn't do NAT I configured in OPNsense a new gateway on lan interface, the switch IP
GW2: 192.168.40.5.

And added the two static routes to VLANs via GW2.

The problem is that OPNsense doesn't NAT the traffic from VLAN client.
I've tried with Hybrid Outbound rules and Manual Outbound rules.
And without luck so I'm stuck.

I sent a ping from a VLAN client (192.168.41.10) to a public IP while running Wireshark.
OPNsense did the routing; the packet was captured.
But the source IP inside the packet was 192.168.41.10 not the WAN IP as expected.

I believe that NAT occurs only when the source IP is part of OPNsense LAN.

The not so smart solution:
Add OPNsense in each VLAN as a secondary gateway and configure static permanent routes in each client, inter-VLAN traffic goes to IRB, Internet traffic goes to OPNsense.
Something like:

RVI: 192.168.41.1  /24  and 192.168.41.2  /24
OPNsense: 192.168.41.2 /24 and 192.168.42.2 /24


The smart solution:
Figure out why it doesn't do NAT to an IP which is not part of its network (LAN).
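Both posts above come down to how outbound NAT rules are matched: the packet is routed first, then only the rules for the chosen egress interface are consulted, and a source that matches no rule leaves untranslated. The following is an added example, not code from the forum or from OPNsense, that models that evaluation in Python for the addresses in the posts. The WAN address 203.0.113.10 is a constructed placeholder (the poster's is not on the page), and the model assumes that the Hybrid mode's automatic rules cover only LAN net, which is consistent with what post #2 observed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address for the example: the poster's WAN address is not on the page.
INTERFACE_ADDRESS = {"WAN": ipaddress.ip_address("203.0.113.10")}


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str                  # interface the traffic leaves on
    source: ipaddress.IPv4Network   # source network the rule matches
    nat_address: str                # "interface address" or a literal IP


# Assumption: in Hybrid mode the automatic rule set covers LAN net only,
# which matches what post #2 observed (VLAN sources left untranslated).
AUTOMATIC_RULES = [
    OutboundNatRule("WAN", ipaddress.ip_network("192.168.40.0/24"), "interface address"),
]

# The two rules post #1 added, one per VLAN.
MANUAL_RULES_FROM_POST = [
    OutboundNatRule("WAN", ipaddress.ip_network("192.168.41.0/24"), "interface address"),
    OutboundNatRule("WAN", ipaddress.ip_network("192.168.42.0/24"), "interface address"),
]


def translate_source(src, egress_interface, rules):
    """Return the source address a packet carries after outbound NAT.

    Outbound NAT is evaluated only on the egress interface the routing table
    already chose; the first matching rule wins, and an unmatched packet
    leaves with its original source, which is the symptom seen in post #2.
    """
    src = ipaddress.ip_address(src)
    for rule in rules:
        if rule.interface != egress_interface or src not in rule.source:
            continue
        if rule.nat_address == "interface address":
            return INTERFACE_ADDRESS[egress_interface]
        return ipaddress.ip_address(rule.nat_address)
    return src


if __name__ == "__main__":
    client = "192.168.41.10"  # the VLAN client from post #2
    print("hybrid, automatic only:", translate_source(client, "WAN", AUTOMATIC_RULES))
    print("hybrid + post #1 rules:",
          translate_source(client, "WAN", AUTOMATIC_RULES + MANUAL_RULES_FROM_POST))
```

Running it shows the VLAN client's packet leaving as 192.168.41.10 with the automatic rules alone, and as the WAN address once the two per-VLAN rules from post #1 are present; a static route to 192.168.41.0/24 via the switch changes nothing here, because routing only picks the egress interface.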

#3
Can opnsense trigger an HTTPS request or a script when one gateway goes down?
How can I achieve that?

I realized that I wasn't clear about the setup, domain is: example.com:
- hosting takes care of email, dns and stores a webpage
- opnsense is used as a router for a lan
- inside the lan there's a fileserver which has to be accessed from web.
- the lan has two ISP (mainIP and backupIP)

The dns on hosting has 1 subdomain defined twice:
A ps.example.com   ttl=30  mainIP
A ps.example.com   ttl=30  backupIP

Opnsense has the main and backup wan configured, and I defined port forwarding on both.

When a web client connects to the subdomain it gets one of the two IPs, and all goes well.
When one wan goes down, 50% of clients can't connect, so the dns has to be updated.
When the failed wan goes up the dns has to be updated.

Now I replaced the c# service with a php page on my hosting server.

That page is contacted each 30 sec by the file server using a simple https request.
The page checks some credentials and uses the client IP for updating the hosting dns automatically.
http://www.4webhelp.net/scripts/php/ip.php
https://stackoverflow.com/a/13987221


After reading about apinger issues, looking at the code length and seeing the solution do nothing (no funding), I believe I should find another path.

So I'll make the hosting server check both wan and update the dns accordingly.
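The approach described at the end of this post, a check run from the hosting side against both WAN addresses with the DNS record set adjusted to whatever answers, is shown below as an added example in Python; it is not code from the post, the poster's PHP page or cPanel. The addresses 203.0.113.10 and 198.51.100.20 are constructed placeholders for mainIP and backupIP, the forwarded port 443 is an assumption, and the call that actually writes the records through the hosting API is left to the caller; the example only decides what the records should be.

```python
import socket

RECORD_NAME = "ps.example.com"   # the subdomain from the post
TTL = 30                          # TTL from the post
# Constructed documentation addresses standing in for mainIP and backupIP.
WAN_CANDIDATES = {"mainIP": "203.0.113.10", "backupIP": "198.51.100.20"}
FORWARDED_PORT = 443              # assumed: the port OPNsense forwards to the file server


def tcp_probe(ip, port=FORWARDED_PORT, timeout=3.0):
    """Live check: can the hosting server reach the forwarded port on that WAN?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def desired_records(current, candidates, probe=tcp_probe):
    """Decide which A records ps.example.com should carry.

    Every WAN that answers stays published. If none answers, the current
    record set is kept unchanged: an empty name would take the service
    offline even when the fault is on the monitoring side.
    """
    reachable = {ip for ip in candidates if probe(ip)}
    return reachable if reachable else set(current)


def plan_changes(current, desired):
    """Return (records to add, records to remove) for the DNS API call."""
    current = set(current)
    return sorted(desired - current), sorted(current - desired)


if __name__ == "__main__":
    published = set(WAN_CANDIDATES.values())   # both records, as the post configures them
    want = desired_records(published, WAN_CANDIDATES.values())
    print(RECORD_NAME, "ttl", TTL, "add/remove:", plan_changes(published, want))
```

Because the hosting server probes the WAN addresses itself, the decision no longer depends on a request from inside the LAN or on the client address of that request, and the "both down" branch keeps the last known good records instead of clearing the name.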
#4
Hello,
I've been using OPNsense since winter and it's the most stable and reliable product I've ever seen, 200 days uptime, great job. Had some issues with new Intel PCI-X NICs, went for older ones.

So I have two requirements and I don't know how to solve them:

1. Failover multi wan setup with proxy
The network computers have internet access through http proxy (not transparent) only.
The network file server has full internet access and port forwarding.
When the main gateway fails OPNsense switches to the backup one, but the computers no longer have internet access, only the server has.
How can this be fixed?

2. I'm achieving DNS failover using a small C# service which updates the IP for the subdomain automatically in cPanel.
The subdomain points to both OPNsense WAN IPs, backup and main; I've added port forwarding rules for both gateways.
The DNS resolution is provided by a hosting company, short TTL.
The simple C# service running on the file server does a "my IP" check each minute and if that has changed it updates it with an HTTPS request to the hosting cPanel API.

How can this process be performed on OPNSense, is it possible to trigger a script when the main gateway failed, or can I write a plug-in for that?
Where to start with this?

Thank you