Messages - ontheinternet

#1
Update and fixed:

I had to add a static route to direct all traffic (0.0.0.0/0) to the WAN interface, add a NAT rule for my internal network (10.10.0.0/16) and restart the UnboundDNS service. Can ping out with a name, tracerts work as expected and I have internet.
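To see why those two changes matter, here is an added example (not the poster's configuration or anything exported from OPNsense) that simulates the two-hop topology from this thread with longest-prefix-match routing and a simple outbound NAT check. The routing tables, the WAN address 203.0.113.7 and the assumption that the firewall's pre-fix default route pointed back at the transit VLAN are all constructed for illustration; the actual cause of the bounce on the poster's box is not stated in the thread.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Table = Dict[str, str]  # prefix -> next hop name ("local" = directly attached network)

# Constructed topology mirroring the thread: L3 switch <-> OPNsense firewall <-> WAN.
# These tables are illustrative assumptions, not taken from any real device.
SWITCH_TABLE: Table = {
    "10.10.0.0/16": "local",    # all internal VLANs are routed on the switch itself
    "0.0.0.0/0": "firewall",    # everything else goes to the transit gateway (.200)
}
FIREWALL_BEFORE: Table = {
    "10.10.0.0/16": "switch",   # internal VLANs reachable via the transit gateway (.254)
    "0.0.0.0/0": "switch",      # ASSUMED: default route still pointing back at the LAN side
}
FIREWALL_AFTER: Table = {
    "10.10.0.0/16": "switch",
    "0.0.0.0/0": "wan",         # the static default route to WAN that the fix added
}


def next_hop(table: Table, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix covering dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(tables: Dict[str, Table], start: str, dst: str, ttl: int = 8) -> Tuple[List[str], str]:
    """Walk the path hop by hop like tracert would, decrementing TTL at each router."""
    path = [start]
    node = start
    while ttl > 0:
        if node not in tables:          # left the lab: the ISP forwards from here on
            return path, "delivered"
        hop = next_hop(tables[node], dst)
        if hop is None:
            return path, "no route"
        if hop == "local":              # destination is on an attached network
            return path, "delivered"
        path.append(hop)
        node = hop
        ttl -= 1
    return path, "ttl expired"          # the "TTL Expire" symptom from the thread


def nat_source(rules: List[str], src: str, wan_ip: str) -> Optional[str]:
    """Outbound NAT: the WAN address a packet leaves with, or None if no rule covers src.
    Without translation the ISP has no route back to 10.10.x.x, so replies never return."""
    addr = ipaddress.ip_address(src)
    for prefix in rules:
        if addr in ipaddress.ip_network(prefix):
            return wan_ip
    return None


if __name__ == "__main__":
    lab_before = {"switch": SWITCH_TABLE, "firewall": FIREWALL_BEFORE}
    lab_after = {"switch": SWITCH_TABLE, "firewall": FIREWALL_AFTER}
    print(trace(lab_before, "switch", "8.8.8.8"))   # bounces switch<->firewall until TTL runs out
    print(trace(lab_after, "switch", "8.8.8.8"))    # switch -> firewall -> wan
    # NAT covering only the transit VLAN leaves the other VLANs untranslated
    print(nat_source(["10.10.255.0/24"], "10.10.20.5", "203.0.113.7"))  # None
    print(nat_source(["10.10.0.0/16"], "10.10.20.5", "203.0.113.7"))    # 203.0.113.7
```

Run it as a script to see both states side by side: the loop only disappears once the firewall's default route leaves via WAN, and hosts on a VLAN that no outbound NAT rule covers can send packets out but never get answers back, which is exactly the split between "transit VLAN works, everything else does not".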
#3
And another update:

I've got a client pointing at the firewall as its DNS server and it's really resolving an IP from the name now, but still giving me the TTL. When I do a tracert I can see it hit the L3 switch, bounce to the firewall and then the firewall sends it right back to the switch. The route on the firewall is just 10.10.0.0 > transit gateway and it doesn't actually matter if I have it enabled or disabled - same behaviour. Makes me think I have the route wrong? No change if I just do it for a single VLAN, OR if I create a new Far Gateway to the gateway for that VLAN and then set the route up using that. Any ideas what I'm doing wrong?
#4
Update:

Throwing in a NAT rule for 10.10.0.0 to WAN seems to have done the trick for one of my issues, now all of the VLANs internally can ping 8.8.8.8 and receive a reply. Still no luck with the DNS, get a TTL Expire when pinging google.com from any internal VLAN or the LAN interface of the firewall.
#5
Hi there,

I've been playing with this all weekend and keep hitting various roadblocks. Currently I'm unable to get to the internet from any VLAN except the transit one I've set up for communication between my L3 switch and the opnsense router. My current setup is a handful of VLANs that are managed from a Cisco SG300-10 in L3 mode, I've got all of the internal stuff working fine, inter-VLAN routing is good and I can hit all of the devices on separate VLANs where needed. I've got a transit VLAN set up between the switch and the opnsense router (10.10.255.0) with the switch gateway being .254 and the opnsense LAN interface IP being .200. I can ping the LAN interface from any device on the network on any VLAN.

The opnsense is an appliance with 4 NICs, I'm using two of them - one for LAN as above and one for WAN which is connected to my ISP modem using DHCP. It works fine, gets an IP and when I use the ping/tracert tools on the WAN interface everything works as expected. When I use the LAN interface it works with IP but not using a domain name. I can also ping 8.8.8.8 from the L3 switch using the tools it has with no problem.

So currently my issues are thus:

1. Unable to ping outside the network from any VLAN except the one that opnsense is using for its LAN interface.
2. Ping from that VLAN works but DNS doesn't.

Things I've done so far:

I've got a static route set up on the opnsense to send all traffic from 10.10.0.0/16 to the gateway of the transit VLAN, 10.10.255.254.

I've created a firewall rule allowing all traffic from 10.10.0.0/16 out the WAN interface.

I've added a DNS entry manually to 8.8.8.8 on the opnsense and disabled the unbound DNS, this didn't work.

I've gone through so many different variations of settings that it's hard to put them all down, but I'm happy to do them all again if suggested as it's entirely likely I need a combination of things or was just doing them wrong.

Any suggestions on what to try next or where to go would be handy. If there's a NAT rule I need to add, additional interfaces for all the VLANs, different DNS settings etc I'd love to hear them. Thanks!