Messages - Chrzi

#1
German - Deutsch / Network Setup/Routing Help
February 05, 2020, 01:03:25 PM
Hi,

I could use some help with a somewhat special network setup:

From upstream I get:

130.15.169.0/24 GW: 130.15.169.254/24
130.15.170.0/24 GW: 130.15.170.254/24


On my side I want to turn that into:

130.15.169.0/25 LAN 1
130.15.169.128/25 LAN 2
192.168.10.0/24 NAT -> 130.15.169.10

130.15.170.0/25 LAN 3
130.15.170.128/25 LAN 4


Currently I have a rather ugly solution for this: the 130.15.170.128/25 subnet sits on the WAN port, with proxy ARP for the other subnets.

Upstream now says the two networks each have to be VLAN-tagged. For me that means I get a dual WAN and no longer send everything to a single gateway. So far so good, but if possible I'd also like to get rid of the proxy ARP and replace the whole thing with routing (because it's cleaner).

What's the best way to do this? I don't know whether I'll get a transit network from upstream.
Would I then have to bridge LAN 2 and LAN 3, because OPNSense doesn't allow me to set an address on one interface that lies within a subnet of another interface?
#2
The answer was a missing proxy ARP.

The WAN interface did not answer ARP requests for the internal LANs. Adding this under Virtual IPs on the WAN interface, and it worked.
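A small planning check for the layout described in post #1 and the proxy-ARP finding in post #2. This is an added example, not code from the forum member or the OPNsense project. It takes the two upstream /24s and their gateways from post #1 as constructed input; the interface names (LAN3, LAN4, WAN), the host addresses chosen for them, and the WAN address 130.15.170.253 (the .253 host from the later posts carried over into the first post's range) are assumptions. It goes slightly beyond the post by running three checks the thread touches on: whether any interface address falls inside another interface's subnet (the OPNSense restriction mentioned in post #1), whether the gateway is on-link or has to be a "far gateway", and which LANs the upstream router will still treat as on-link (so it will ARP for them unless it gets a route, which is why the proxy-ARP entry fixed it).

```python
from ipaddress import ip_address, ip_interface, ip_network
from itertools import permutations

# Constructed from the addressing given in post #1 (upstream /24s and their
# gateways); this is not the member's actual OPNsense configuration.
UPSTREAM = {
    "130.15.169.0/24": "130.15.169.254",
    "130.15.170.0/24": "130.15.170.254",
}


def split_into(prefix, new_prefix=25):
    """List the subnets of `prefix` at `new_prefix` length (one /24 -> two /25)."""
    return [str(n) for n in ip_network(prefix).subnets(new_prefix=new_prefix)]


def address_conflicts(interfaces):
    """Return (name, other) pairs where `name`'s address lies inside `other`'s subnet.

    OPNsense rejects an interface address that falls into another interface's
    subnet, so every pair returned here must be resolved before the layout can
    be configured. `interfaces` maps interface name -> "address/prefixlen".
    """
    parsed = {name: ip_interface(cidr) for name, cidr in interfaces.items()}
    return sorted((a, b) for a, b in permutations(parsed, 2)
                  if parsed[a].ip in parsed[b].network)


def gateway_on_link(wan_cidr, gateway):
    """True if the gateway lies inside the WAN interface's own subnet.

    False means the gateway can only be used as a 'far gateway' (a host route
    via the interface), which is what a /32 WAN address forces.
    """
    return ip_address(gateway) in ip_interface(wan_cidr).network


def upstream_treats_as_on_link(upstream_net, lan_net):
    """True if the upstream router sees `lan_net` as part of its own on-link /24.

    In that case it ARPs for those hosts on the WAN segment instead of routing
    to the firewall: either the upstream adds a route for `lan_net` toward the
    firewall's WAN address, or the firewall must answer with proxy ARP.
    """
    return ip_network(str(lan_net)).subnet_of(ip_network(str(upstream_net)))


def check_plan(wan_cidr, gateway, lans):
    """Collect all findings for one WAN link and the LANs that hang off it."""
    interfaces = {"WAN": wan_cidr, **lans}
    # The upstream /24 this gateway belongs to (assumed: exactly one matches).
    upstream_net = next(n for n in UPSTREAM if ip_address(gateway) in ip_network(n))
    return {
        "conflicts": address_conflicts(interfaces),
        "far_gateway_needed": not gateway_on_link(wan_cidr, gateway),
        "proxy_arp_or_upstream_route": sorted(
            name for name, cidr in lans.items()
            if upstream_treats_as_on_link(upstream_net, ip_interface(cidr).network)
        ),
    }


if __name__ == "__main__":
    for net in UPSTREAM:
        print(net, "->", split_into(net))
    lans = {"LAN3": "130.15.170.1/25", "LAN4": "130.15.170.129/25"}  # assumed host addresses
    # First attempt: WAN keeps the full /24 while the LANs are its two halves.
    print(check_plan("130.15.170.253/24", "130.15.170.254", lans))
    # Second attempt: WAN as /32 with a far gateway, as in the later posts.
    print(check_plan("130.15.170.253/32", "130.15.170.254", lans))
```

The second run still reports one conflict: the WAN host address .253 sits inside LAN 4's 130.15.170.128/25, which is exactly why that /25 ended up on the WAN port in the "ugly" setup. A /32 WAN removes the overlap with LAN 3 but not with LAN 4; resolving that needs either a WAN address outside both /25s (a transit net from upstream) or a different split. The proxy-ARP finding holds in both runs because both /25s are inside the upstream's on-link /24.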
#3
Yes, the gateway isn't really the problem. I also tried it with the WAN as 129.13.170.253/27, so the 129.13.170.254 default gateway wouldn't be out of scope.

We currently don't use IPv6 at all.

So NAT onto the WAN address works just fine, as well as the communication between the LAN_NAT and the non-NATed LAN.

A quick capture with Wireshark and a ping reveals that ICMP requests from my 169.0/25 LAN leave on the WAN port and a reply to the original IP address comes back.
And this is where the fun begins: the WAN interface seems to discard the packet. I disabled all packet filtering to make sure the firewall isn't doing it, same result. The packets don't even show up in the built-in packet capture, only the outgoing ones are recorded.
#4
With a 'far gateway' that is possible, I think, and if I ping 8.8.8.8 from my firewall with my WAN (129.13.170.253/32) as the source, I get a reply.

Next thing: I can't route between a second non-NAT network (129.13.169.0/25) and the first one (129.13.170.0/25).
#5
My current problem is that I can reach the firewall from my LAN, and the firewall can reach the internet, but the LAN can't reach the internet.

I have two public /24 networks. In the end I want to split them into 4 /25 networks, along with 3 NAT networks.

Current Setup is:
- LAN (129.13.170.0/25), allow from LAN Net to *
- LAN_NAT (192.168.1.0/24), allow from LAN_NAT Net to *
- WAN (129.13.170.253/32 with 129.13.170.254 as 'far gateway')

The first thing would be to get the LAN to route to the GW. I think I can get NAT to work myself.

Seems like a simple problem, but I just can't get it to work.