Messages - tech101us

#1
Amazing...
That was it. Thanks so much @pmhausen. You saved me a lot of angst...
---
Quote from: pmhausen on July 10, 2023, 05:27:20 AM
Do your allow rules on LAN use a source of "*" or a source of "LAN net"? The latter is strictly the single locally connected network on the LAN interface. So if you are using that you might want to change it to "*" or create an alias that contains all your VLANs and use that.
#2
Running the latest OPNsense release. Basic network layout with only two interfaces on the firewall (LAN/WAN). LAN subnet is 172.16.8.0/24 with the firewall itself being .1

Have an L3 switch in place doing some inter-VLAN routing for the VLAN subnets. The VLAN SVIs are the default gateways for the relevant VLANs, with the switch itself pointing to the OPNsense firewall (172.16.8.1/24) as its default route.

Was running OpenWRT in the past prior to switching to OPNsense, and this setup worked fine. I have the routes in place (switch pointing to OPNsense for its default route, OPNsense pointed to the SVI on the switch on the 172.16.8.0/24 subnet for the IP subnets associated with the other VLANs on the switch).

I'm seeing firewall logs indicating it is blocking traffic from the subnets associated with the VLANs on the switch other than the local subnet (172.16.8.0/24). It's some sort of "default deny/invalid state" error.

Note that I did switch the NAT to Hybrid, and created an Outbound translation rule for the VLAN subnets on the switch other than the local 172.16.8.0/24 (one such subnet is 192.168.9.0/24).

Besides the routes and the Outbound NAT entry, do I need some other specific rules to allow traffic from IPs not on an interface local to the firewall to traverse the firewall? Is there something I need to do to define the other internal subnets as "LAN" traffic that should be permitted to and through the firewall?

Thanks so much. Appreciate any thoughts anyone has.
#3
General Discussion / Dynamic DNS query external IP
October 15, 2021, 04:08:55 AM
Any thoughts on what it would take to leverage the Dynamic DNS Updater in OPNsense, having it query for the external IP as opposed to using the IP on the OPNsense device itself? I've got an OPNsense device that's actually behind NAT acting as a point of termination for a WireGuard tunnel. Currently my solution is a VM running a Linux instance on the WAN network subnet that is running a DynDNS updater client to check and update my dynamic IPs/hosts regularly. However, I'd like to have OPNsense handle this function, but the DynDNS updater in OPNsense doesn't seem to support this feature, as it only seems able to query interfaces it knows about.

Thanks in advance....
#4
Apologies if this has been asked before. Hoping someone can steer me in the right direction. I'm looking to establish a site-to-site VPN using either WireGuard or OpenVPN over the internet to my brother's home, where I will host a server for off-site backups and Internet access for a specific subnet. I'm going to be living outside the United States, so I'm going to set up an OPNsense router at my brother's house (it'll be a virtual instance running on a server I set up at his home) for the purposes of terminating the VPN tunnel from my location outside the US. I'll use the VPN tunnel specifically for remote backups as well as to route traffic from a specific IP subnet at my home location across the VPN. All other traffic will not transit the VPN but go straight out my internet connection.

I'm trying to figure out what this scenario looks like in terms of NAT/FW rules and routing. I'm certain I'll need to configure static routes at both ends pointing to the VPN gateways on each OPNsense instance for the IP subnets on the opposite end of the tunnel. But how would I configure any NAT or firewall rules to ensure only traffic from one specific IP subnet (OPNsense interface) is routed via the VPN tunnel?

Thanks in advance. All comments are welcome and greatly appreciated.
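The question above asks how to keep all but one local subnet off the tunnel. The following is an added model (not OPNsense or WireGuard code, and not from the poster) of the two layers that decide this for a site-to-site WireGuard tunnel: the firewall rule on the sending site's LAN interface, and WireGuard's cryptokey routing, where a peer's AllowedIPs both selects which destinations are encrypted to that peer and causes packets whose source is outside the peer's AllowedIPs to be dropped after decryption. All addresses are assumptions: home 10.10.20.0/24 (allowed over the VPN) and 10.10.30.0/24 (must stay off it), remote site 10.20.0.0/24, tunnel addresses 10.255.0.1 and 10.255.0.2. Only the remote subnet is modelled, not routing the home subnet's Internet traffic through the remote site.

```python
"""Model of what gates a packet on a site-to-site WireGuard tunnel.

Added illustration only; every address below is an assumption, not a value
from the forum posts. Two layers are modelled:
  1. firewall rules on the sending site's LAN interfaces (policy), and
  2. WireGuard cryptokey routing: the peer's AllowedIPs selects the
     destinations that are tunnelled and, on receipt, drops decrypted packets
     whose source is outside the peer's AllowedIPs.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


def in_any(addr: str, nets: List[IPv4Network]) -> bool:
    """True when addr falls inside any of the given prefixes."""
    a = ip_address(addr)
    return any(a in n for n in nets)


@dataclass
class Site:
    name: str
    vpn_sources: List[IPv4Network]   # local subnets the firewall lets into the tunnel
    peer_allowed: List[IPv4Network]  # AllowedIPs configured here for the other site's peer


# Assumed addressing. 10.10.30.0/24 is the home subnet that must never be tunnelled.
HOME_VPN_SUBNET = ip_network("10.10.20.0/24")
REMOTE_SUBNET = ip_network("10.20.0.0/24")

HOME = Site("home", [HOME_VPN_SUBNET],
            [ip_network("10.255.0.2/32"), REMOTE_SUBNET])
REMOTE = Site("remote", [REMOTE_SUBNET],
              [ip_network("10.255.0.1/32"), HOME_VPN_SUBNET])  # 10.10.30.0/24 deliberately absent


def firewall_verdict(site: Site, src: str, dst: str, explicit_block: bool = True) -> str:
    """Rules on the sending site's LAN interfaces (assumed layout).

    vpn_sources -> remote prefixes is passed. With explicit_block, any other local
    source headed for the remote prefixes is blocked outright instead of being left
    to the routing table and the far side's AllowedIPs.
    """
    if in_any(dst, site.peer_allowed) and not in_any(src, site.vpn_sources) and explicit_block:
        return "block"
    return "pass"


def trace(sender: Site, receiver: Site, src: str, dst: str, explicit_block: bool = True) -> str:
    """Follow one packet from sender's LAN towards receiver's LAN and report its fate."""
    if firewall_verdict(sender, src, dst, explicit_block) == "block":
        return f"blocked by {sender.name} firewall rule"
    # wg installs routes for the peer's AllowedIPs; anything else follows the default route.
    if not in_any(dst, sender.peer_allowed):
        return "sent out WAN (not tunnelled)"
    # Cryptokey routing on the receiving side: the source must lie inside the peer's AllowedIPs.
    if not in_any(src, receiver.peer_allowed):
        return f"dropped at {receiver.name}: source outside peer AllowedIPs"
    return "delivered via tunnel"


if __name__ == "__main__":
    for src, dst in (("10.10.20.5", "10.20.0.10"),
                     ("10.10.30.5", "10.20.0.10"),
                     ("10.10.20.5", "203.0.113.9")):
        print(f"{src} -> {dst}: {trace(HOME, REMOTE, src, dst)}")
    print("10.10.30.5 -> 10.20.0.10 without a block rule:",
          trace(HOME, REMOTE, "10.10.30.5", "10.20.0.10", explicit_block=False))
    print("reply 10.20.0.10 -> 10.10.20.5:", trace(REMOTE, HOME, "10.20.0.10", "10.10.20.5"))
```

The point of the `explicit_block=False` case is that even when the home firewall lets 10.10.30.0/24 into the tunnel, the remote peer still discards it because its AllowedIPs for the home peer lists only 10.10.20.0/24; keeping that list narrow on both ends is the control that does not depend on either side's firewall rules being right.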
#5
Good day to all...
I've recently inherited an environment where I'm asked to deploy an OPNsense firewall as the primary device connecting a small client to the Internet. The hardware is a small workstation device connected to a Cisco 3560 L3 switch that is handling the routing for several internal VLANs/subnets. Not having a lot of firewall experience (although I do understand routing and switching), I've managed to mostly figure things out. The link between the firewall and the switch is a gigabit ethernet interface configured as a dot1q trunk. Only two VLANs are allowed on the trunk...one VLAN for the network between the firewall and the L3 switch and a second VLAN (L2 only) that is handling the connection to the Comcast business cable connection.

I managed to get things mostly figured out...having to define a gateway that represents the next hop IP address for the internal private networks. I could not define the routes from the firewall back to the internal subnets until I configured this additional gateway. The priority on this new gateway I set at the same value as the WAN gateway. Not sure if this is correct or not.

Then I needed to configure a Hybrid NAT entry for each of the internal subnets, and a firewall allow rule on the LAN interface inbound for all the internal networks if I wanted them to have access to the Internet.

I'm running up against some limits in my skill sets, but think I have things worked out. What I'm wondering here is if anyone knows of any resources in terms of documentation, video, etc. that might help me out in this scenario? Or perhaps some best practices documents.

Thanks in advance...
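Posts #1, #2 and #5 above describe the same setup: an L3 switch routing several VLANs behind OPNsense, with the fix in #1 being that a LAN rule whose source is "LAN net" only matches the directly connected subnet. The following is an added model (not OPNsense code, and not from any poster) of the three things a packet from a routed VLAN needs in that layout: a LAN allow rule whose source covers the routed prefix, an outbound NAT rule for it (hybrid mode only generates automatic rules for connected subnets), and a static route for the return path. The LAN 172.16.8.0/24 and routed VLAN 192.168.9.0/24 come from post #2; the switch SVI address 172.16.8.2, the WAN gateway 203.0.113.1 and the alias name InternalNets are assumptions.

```python
"""Model of how a pf-based firewall such as OPNsense treats traffic from subnets
routed by an L3 switch. Added illustration only; rule semantics are simplified.

From the posts: LAN 172.16.8.0/24 (firewall .1), routed VLAN 192.168.9.0/24.
Assumed: switch SVI 172.16.8.2, WAN gateway 203.0.113.1, alias "InternalNets".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

# Directly connected subnets. "LAN net" in a rule expands to exactly INTERFACES["LAN"].
INTERFACES: Dict[str, IPv4Network] = {
    "LAN": ip_network("172.16.8.0/24"),
    "WAN": ip_network("203.0.113.0/24"),   # assumed
}

# Firewall alias holding every internal prefix, including the ones behind the switch.
ALIASES: Dict[str, List[IPv4Network]] = {
    "InternalNets": [ip_network("172.16.8.0/24"), ip_network("192.168.9.0/24")],
}

# Routing table as (prefix, next hop). Routed VLANs point at the switch SVI (assumed .2).
ROUTES: List[Tuple[IPv4Network, str]] = [
    (ip_network("192.168.9.0/24"), "172.16.8.2"),
    (ip_network("0.0.0.0/0"), "203.0.113.1"),
]

# Manual outbound NAT rules added in hybrid mode (post #2 added one for 192.168.9.0/24).
MANUAL_NAT_RULES: List[IPv4Network] = [ip_network("192.168.9.0/24")]


@dataclass
class Rule:
    iface: str     # interface the rule is attached to
    action: str    # "pass" or "block"
    source: str    # "any", "<iface> net", or an alias name


def resolve_source(spec: str) -> List[IPv4Network]:
    """Expand a rule's source the way the GUI shorthand does."""
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    if spec.endswith(" net"):                       # "LAN net": only the connected subnet
        return [INTERFACES[spec[: -len(" net")]]]
    return ALIASES[spec]


def first_match(iface: str, src: str, rules: List[Rule], default: str = "block") -> str:
    """Rules are evaluated top-down, first match wins; unmatched traffic hits the default deny."""
    s = ip_address(src)
    for r in rules:
        if r.iface == iface and any(s in net for net in resolve_source(r.source)):
            return r.action
    return default


def next_hop(dst: str) -> str:
    """Longest-prefix match: the gateway the firewall uses to send replies to dst."""
    d = ip_address(dst)
    matches = [(net, gw) for net, gw in ROUTES if d in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def outbound_nat_covers(src: str, manual_rules: List[IPv4Network]) -> bool:
    """Hybrid mode: automatic rules cover connected subnets only; routed ones need a manual rule."""
    s = ip_address(src)
    automatic = [INTERFACES["LAN"]]
    return any(s in net for net in automatic + manual_rules)


# The two LAN rule sets the thread contrasts.
LAN_NET_RULES = [Rule("LAN", "pass", "LAN net")]
ALIAS_RULES = [Rule("LAN", "pass", "InternalNets")]


def check_path(src: str, rules: List[Rule], nat_rules: List[IPv4Network]) -> Dict[str, object]:
    """Everything a packet from src needs to reach the Internet and get its replies back."""
    return {
        "filter": first_match("LAN", src, rules),
        "nat": outbound_nat_covers(src, nat_rules),
        "return_gateway": next_hop(src),
    }


if __name__ == "__main__":
    for src in ("172.16.8.50", "192.168.9.20"):
        print(src, "with 'LAN net':", check_path(src, LAN_NET_RULES, []))
        print(src, "with alias    :", check_path(src, ALIAS_RULES, MANUAL_NAT_RULES))
```

Running it shows 192.168.9.20 hitting the default deny under the "LAN net" rule while 172.16.8.50 passes, which is the log pattern post #2 describes; with the alias rule, the manual NAT rule and the static route in place, all three checks come back clean for the routed VLAN. A "LAN net" rule is the safer default precisely because it does not silently admit whatever the switch routes towards the firewall, so the alias should list only the prefixes that are meant to reach the Internet.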