Messages - HarryDasBrot

#1
Quote from: Patrick M. Hausen on December 07, 2024, 10:56:46 PM
Quote from: HarryDasBrot on December 07, 2024, 09:22:19 PM
I get the suggestion but my challenge is that I am using Wireguard and need to access other VLANs. My PC is connected to OPNsense via Wireguard and without the gateway configured, I cannot reach other VLANs in the LAN network behind the L3 switch. If there is a solution for this, I would appreciate your input.

Instead of configuring the gateway on the LAN interface add the gateway at System > Gateways > Configuration and then at System > Routes > Configuration add routes only for the networks that are "behind" your L3 switch.

The default route of that L3 switch should point to OPNsense.

I have not manually configured any gateways for my LAN interface. OPNsense received the gateway from my L3 switch like all other devices. Does it mean that I cannot use DHCP for the OPNsense LAN interface?

In the screenshot I posted above with the OPNsense gateways, I have the WAN gateway set with a higher priority. Should that not take care of traffic being routed first to WAN instead of LAN?

The routes I added in OPNsense are only for the other VLANs that are only accessible through the L3 switch.

In the L3 switch I have already configured the default route to point at OPNsense LAN address.
#2
Quote from: Monviech (Cedrik) on December 07, 2024, 08:36:37 PM
Well, think about it: if both routers have each other as their default route, they will create a routing loop.

Don't let the OPNsense get DHCP on the LAN interface; configure it static and don't set a gateway on LAN.

If you want to keep your L3 router in place, use static routes. Would be best to just use it as a normal switch though.

I get the suggestion but my challenge is that I am using Wireguard and need to access other VLANs. My PC is connected to OPNsense via Wireguard and without the gateway configured, I cannot reach other VLANs in the LAN network behind the L3 switch. If there is a solution for this, I would appreciate your input.
#3
Hello Everyone,

I am still new to OPNsense and advanced routers/firewalls. I can get OPNsense working and have internet access, but once I integrated it into my network, I can't get internet to work. I am missing some config on the OPNsense.

My set-up:

Topology:
ISP - OPNsense - L3 Switch - LAN devices (multiple VLANs)

L3 Switch IP: 172.16.10.1
OPNsense IP: 172.16.10.6

Problem: I have internet access in OPNsense but not in L3 switch and LAN devices.

Config:
- L3 acts as DHCP server and default gateway for all LAN devices is 172.16.10.1
- OPNsense LAN receives IP and default gateway from OPNsense

Troubleshooting:

Traceroute from LAN device:


Traceroute from L3 Switch:


L3 Switch Routes:


OPNsense Routes:

(no static route for 172.16.10.0/24 network because the comment at the bottom says that "Do not enter static routes for networks assigned on any interface of this firewall")

OPNsense Gateways:


OPNsense Interfaces:


What can I do?
#4
Quote from: viragomann on November 21, 2024, 10:05:11 PM
That's somewhat different. The mentioned NAT rule is needed to access the internet across the tunnel. It's added to WAN.

I was talking about an outbound NAT rule on the LAN, meant as a workaround if local devices don't have a default gateway set.
This would translate the VPN client's IP to the LAN IP. So the destination device has to reply to the LAN IP, which is within its subnet, hence it wouldn't need a gateway. This also circumvents firewall restrictions of outside access on the devices.

I am currently remote and worried that with an outbound NAT rule on the LAN interface I will cut off my access. Is there a good guide on how to set this up? Is it just an outbound NAT rule on the LAN interface where I enable all communication?

Thanks by the way for your help, and have a nice weekend!
#5
Quote from: viragomann on November 21, 2024, 09:46:07 AM
You can realize this though by an outbound NAT for the Wireguard subnet, natting the source IP to the OPNsense LAN IP (masquerading).
Maybe this is desired, in case, you don't want to state a gateway on dumb devices, which do not need internet access.

I was following the guide at https://docs.opnsense.org/manual/how-tos/wireguard-client.html, which mentions in "Step 4(a) - Assign an interface to WireGuard (recommended)" that "[...]it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule[...]". So I thought I don't have to add a manual outbound NAT.

I have added a screenshot with the automatically generated rule.
#6
Oh my god. You were right. For some reason, my DHCP did not distribute the default gateway and for some reason, I thought using WireGuard is the same as being on the LAN. Now I know better. Thank you so much.
#7
My Printer, Switch, etc. don't have a firewall.
#8
Hi All, first time poster here.

I am running OPNsense 24.7.8 and have set up WireGuard (Road Warrior) using the official guide. My goal is to access my homelab when I am not home (I have to travel for work frequently). I am currently remote and I can access the OPNsense WebGUI using the LAN IP and I can also browse the internet through my internet back at home (2ip.to). This is good, but when I try to access any resources in my homelab in the same subnet as OPNsense, I get timeouts. Can't ping anything outside OPNsense of course. I have set up the firewall rule to "pass" traffic to LAN. I also verified that this is not a "client" issue and have the same issue on my phone (iPhone running the WireGuard app). Any suggestions, what I can try?

Here is my set-up:

L3 Switch:
Management VLAN 10: 172.16.10.1 - Also acting as DHCP server for LAN

Server 1
  IPMI: 172.16.10.2 (IPMI port) <-> L3 Switch (access port tagged as vlan 10)
  Proxmox: 172.16.10.3 (eth0 connected to vmbr0) <-> L3 Switch (access port tagged as vlan 10)

OPNsense (VM on Proxmox):
  LAN: 172.16.10.5  (virtio0 connected to vmbr0) <->  L3 Switch (access port tagged as vlan 10)
  WAN: 89.255.x.x (fibre connection to ISP through PPPoE on vlan 7) <-> Fiber Modem

With this out of the way, here is my config:

(1) WG Overview:

(2) WG Instance:

(3) WG Peer:

(4) WG Interface:

(5) Interface Assignments:

(6) WAN FW Rule:

(7) WG IF Rule:



Problem: Once I am connected to the Wireguard tunnel, I can:
- Ping 172.16.10.5 : success
- Ping google.com : success
- Ping 10.10.10.1 : success
- Ping 172.16.10.1: timeout
- Ping 172.16.10.3: timeout

Would welcome any advice or guide on how to troubleshoot my issue. I have looked at firewall rules but did not notice anything strange.

Edit: In my case, the LAN members at the remote location did not have internet access (no gateway configured). Setting the gateway (using my OPNsense as a jump point to configure the gateway via SSH). I will look into masquerading my IP to be able to connect to clients which I don't intend to have internet access.
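The two routing problems in this thread (post #3: OPNsense learning the L3 switch as default gateway via DHCP while the switch defaults to OPNsense; post #8: LAN hosts without a default gateway never answering the WireGuard client, and the outbound NAT workaround) can be traced with a small longest-prefix-match simulator. This is an added example, not anyone's configuration from the thread; it uses OPNsense LAN 172.16.10.5 and the switch, Proxmox and tunnel addresses from post #8, and assumes 10.10.10.2 for the WireGuard client and 8.8.8.8 as an internet host.

```python
from ipaddress import ip_address, ip_network

def host(addrs, routes):
    """A host: its own addresses plus (prefix, next hop) routes; next hop
    'direct' means the prefix is on-link."""
    return {"addrs": {ip_address(a) for a in addrs},
            "routes": [(ip_network(p), nh) for p, nh in routes]}

def lookup(h, dst):
    """Longest-prefix match: a next-hop string, 'direct', or None."""
    hits = [r for r in h["routes"] if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def forward(net, start, dst, ttl=8):
    """Walk a packet hop by hop; the path ends in 'delivered', 'no-route',
    or 'loop' when the TTL runs out (two routers defaulting to each other)."""
    dst, path, cur = ip_address(dst), [start], start
    for _ in range(ttl):
        if dst in net[cur]["addrs"]:
            return path + ["delivered"]
        nh = lookup(net[cur], dst)  # None means no matching route at all
        want = dst if nh == "direct" else (ip_address(nh) if nh else None)
        cur = next((n for n, h in net.items() if want in h["addrs"]), None)
        if cur is None:  # no route, or nobody on-link owns the next hop
            return path + ["no-route"]
        path.append(cur)
    return path + ["loop"]

LAN, WG, ANY = "172.16.10.0/24", "10.10.10.0/24", "0.0.0.0/0"

def build(opn_default, pve_gateway):
    """Thread topology. 8.8.8.8 (some internet host) and 10.10.10.2 (the
    WireGuard client) are constructed addresses, not taken from the thread."""
    pve = [(LAN, "direct")] + ([(ANY, pve_gateway)] if pve_gateway else [])
    return {"internet": host(["8.8.8.8"], []),
            "opnsense": host(["172.16.10.5", "10.10.10.1"],
                             [(LAN, "direct"), (WG, "direct"), (ANY, opn_default)]),
            "switch": host(["172.16.10.1"], [(LAN, "direct"), (ANY, "172.16.10.5")]),
            "proxmox": host(["172.16.10.3"], pve),
            "wgclient": host(["10.10.10.2"], [(WG, "direct"), (ANY, "10.10.10.1")])}

def routing_loop():
    """Both routers defaulting to each other: a LAN packet to the internet never exits."""
    return forward(build("172.16.10.1", "172.16.10.1"), "switch", "8.8.8.8")

def wg_reply(pve_gateway, reply_to="10.10.10.2"):
    """Request from the WireGuard client to Proxmox, then Proxmox's reply;
    reply_to='172.16.10.5' models outbound NAT (masquerade) to the LAN IP."""
    net = build("direct", pve_gateway)
    return forward(net, "wgclient", "172.16.10.3"), forward(net, "proxmox", reply_to)
```

Without a gateway on Proxmox the request arrives but the reply ends in no-route, exactly the ping timeout in post #8; giving Proxmox the switch as gateway, or masquerading the tunnel source to 172.16.10.5, both produce a delivered reply.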