Messages

1

General Discussion / Re: Best Practice: OPNsense multiple LAN as double NAT behind ISP router

« on: September 10, 2024, 02:45:00 pm »

Thank you for your quick response.

You cannot have 192.168.178.0/24 as the inter-router LAN and 192.168.0.1 / 192.168.0.102 as the endpoint IPs.

Sry 192.168.0./24 was my old network, i corrected my post 

The ISP router is a FritzBox, with port forwarding configured to direct traffic to OPNsense.
The OPNsense router has four individual interfaces, each connected to completely separate networks (so no VLANs)
I assumed that setting the OPNsense as the default gateway for the 10.10.x.0/24 networks would be enough, since it has routes to all networks and knows the FritzBox as the internet gateway.

For VPN access, I’m using WireGuard, which is currently configured as a separate interface, with a rule allowing access to all networks and the internet.
But strangely i don't can access the server 10.10.10.5 even when i can access the webinterface of OPNsense at 10.10.10.1

However, I’m having difficulty configuring the firewall rules correctly to provide internet access to the servers on each network and also keep them seperated. HAProxy seems to be working fine, as I can access the VPN without issues.

2

General Discussion / Best Practice: OPNsense multiple LAN as double NAT behind ISP router

« on: September 10, 2024, 10:37:38 am »

Hello OPNsense community,
I've been conducting some research and 've noticed that there is a lot of confusion surrounding the configuration of the OPNsense behind an ISP router. In order to address this, I would like to create a Best Practice that covers all possible configuration scenarios.

This is the network:
                                                                                                     10.10.10.0/24
                                                                                                     10.10.20.0/24
                                                   192.168.178.0/24                        10.10.30.0/24   
Internet - - - - - - - - - ISP router - - - - - - - - - - - - - - OPNsense ≡≡≡≡≡≡≡≡≡≡≡≡≡≡ ServerX
                                192.168.178.1                      192.168.178.102                           10.10.10.X
                                                                                10.10.10.1                               10.10.20.X
                                                                                10.10.20.1                               10.10.30.X
                                                                                10.10.30.1
                                                                                10.10.0.1 (VPN)

- The ISP router is configured as Uplink Gateway in the OPNsense.

Now i need your assistance in defining the following rules, routes, and NATs:
> Communication between server networks must be prohibited.
> All servers must have internet access.
> All servers must be accessible from the internet via port forwarding on the ISP router and HA balancing on the OPNsense.
> A VPN should be established to connect to the 10.10.20.0/24 network.

Thank you for your effort and time
Dani