Messages - oliv05281

#1
General Discussion / Re: Multiple LAN subnets
July 12, 2025, 01:00:11 PM
I had the opportunity to try it out today. The NAT rule alone was not sufficient; I also had to add an IN rule for the LAN interface, otherwise the packets did not even reach the NAT rules. So to sum up, one needs:
- to allow the private networks on the WAN interface
- a gateway in the 10.1.100.0/24 subnet
- static route(s) for the subnet(s)
- IN rules for the subnet(s) on the LAN interface
- NAT mode set to hybrid and a NAT rule for the subnet(s)

It works now. However, I will probably have to go for a VLAN-based model in the end, because I need to manage several WLAN networks with different network permissions. The way I see it, VLANs are the best way to cover this, with OPNsense managing the permissions.
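The checklist above expressed as plain pf(4)/FreeBSD configuration, added here as an illustration of the underlying mechanism; it is not from the post or the OPNsense project, which generates its own ruleset from the GUI. The interface names em0/em1 and the core switch address 10.1.100.2 are assumed placeholders, as is the third subnet list.

```pf
# Assumed interface names; 10.1.100.2 is a placeholder for the core switch,
# which must itself use 10.1.100.1 as its default gateway.
wan_if = "em0"
lan_if = "em1"

# Every subnet routed by the core switch, including the transit subnet
# the firewall is directly attached to.
table <lan_subnets> { 10.1.100.0/24, 10.1.1.0/24, 10.1.2.0/24 }

# Static routes live in /etc/rc.conf, not pf.conf; shown for completeness:
#   static_routes="vlan1 vlan2"
#   route_vlan1="-net 10.1.1.0/24 10.1.100.2"
#   route_vlan2="-net 10.1.2.0/24 10.1.100.2"

# WAN is itself on 192.168.1.0/24, so no rule blocking RFC 1918 sources on
# $wan_if is added here (the "Block private networks" option stays off).

# Outbound NAT for every LAN subnet, not only the attached 10.1.100.0/24.
# This is what the "hybrid" NAT mode plus a manual NAT rule produces.
nat on $wan_if inet from <lan_subnets> to any -> ($wan_if)

# Default deny, as in OPNsense.
block all

# The IN rule on LAN: without it, a packet from 10.1.1.x arriving on $lan_if
# is dropped by the default deny before any NAT or routing happens.
pass in on $lan_if inet from <lan_subnets> to any keep state

# Allow the translated traffic out of WAN; the state also covers replies.
pass out on $wan_if inet from <lan_subnets> to any keep state
```

Loading it with `pfctl -nf /etc/pf.conf` first parses the file without applying it, which is a cheap way to catch a typo in the table or interface names.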
#2
General Discussion / Re: Multiple LAN subnets
July 07, 2025, 07:55:38 PM
Thanks for the quick and useful answers!

Sorry, I forgot some important information. Patrick guessed it. The core switch does the VLAN routing. I have set its default gateway to the address of the firewall. I have also set static routes in the firewall for all the LAN subnets. I can ping everything from everywhere from within the LAN, including the firewall. The only thing which is not working is the internet access from the subnets which are unknown to the firewall. I assumed that the NAT would apply to any traffic coming from LAN to WAN, but based on "NAT mode set to hybrid and a NAT rule for each of your VLANs", I guess I was wrong and the NAT rules are the missing piece of the puzzle. I will try that as soon as possible.

One question though: by "each of your VLANs", do you mean "each of your subnets"? Currently, the firewall is not aware of the VLANs, and I would prefer to keep it this way, at least for now. This also answers meyergru's question. I have basically two VLANs, clients and servers. The servers are virtualized using Proxmox, and protected by rules in Proxmox's firewall. So I do not really need OPNsense firewall rules on top within the LAN.
#3
General Discussion / Multiple LAN subnets
July 07, 2025, 05:58:05 PM
Hi,

I am new to OPNsense and I have my first instance running. My setup is:

  Internet
     |
SOHO router 1     
192.168.1.1
     |
192.168.1.2 (WAN interface)
OPNsense
10.1.100.1    (LAN interface)
     |
     +--------+--------+------.......
     |        |        |       
10.1.100.x 10.1.1.x 10.1.2.x

The LAN network is managed by a core switch (Aruba), with a VLAN per subnet.

Since the WAN interface is using a private network, I have deactivated the corresponding option in OPNsense for the WAN interface. From the 10.1.100.x subnet, I can access the internet through the firewall and the SOHO router. So far, so good.
However, I cannot access the internet from the other subnets. The catchall rule "invalid state" blocks it. So it looks like OPNsense does not like these unexpected subnets. After some research, I read about the following options:
  • Create virtual IPs for the firewall in the different subnets and assign them to the LAN interface
  • Use VLANs. But I am not sure if it is really a good idea to have all the LAN traffic go through the firewall
Is that correct? What is the recommended way? Are there any other options?

Thanks!