General Discussion / Multi-Level Configuration
« on: July 25, 2018, 12:49:25 pm »
This may appear to be somewhat of a bizarre configuration, but it has some utility given my needs. I'm running OPNSense 18.1 as a frontend firewall which handles traffic/DHCP for a private LAN. One of the private LAN clients is also a gateway to a separate private LAN that is utilized for a different purpose. The network looks like this:
- External Internet connected to a router
- Router generates 192.168.5.* addresses for clients
- OPNSense Firewall is a client to the router (the only client) and generates 192.168.1.* addresses for clients
- There is an OSX Server client (192.168.1.102) behind OPNSense (there are multiple clients) that serves as a gateway to another private LAN. The OSX Server generates addresses of 10.0.0.* for its clients.
INET -> Router -- 192.168.5.* --> OPNSense Firewall -- 192.168.1.* --> OSX Client -- 10.0.0.* --> Private LAN
So... everything works until you get to the 10.0.0.* private LAN. The OPNSense firewall and the OSX Client can see the outside internet. However, the 10.0.0.* clients cannot. I checked the OPNSense firewall logs and it was blocking all traffic from the 10.0.0.* range, as these addresses were not within the range of the OPNSense LAN (192.168.1.*). I created a network alias for the 10.0.0.* range and created a firewall rule to permit traffic from that alias. The firewall becomes happy again and starts routing traffic forwarded (NAT) from the 10.0.0.* range. However, I don't believe OPNSense is correctly routing any packets back to the OSX client to NAT for the 10.0.0.* clients. E.g., when client 10.0.0.2 requests "google.com" on port 80, I see the request go out through OPNSense, but the return is dropped somewhere (at least I believe it is).
Given that there are multiple clients residing behind OPNSense, I'm not sure that I can generate a static route... or is this not the case? Any thoughts on my goofy setup?
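Added worked example (not part of the post above, and not OPNsense code): the post's own evidence is that the firewall logs show packets with 10.0.0.* source addresses on the LAN side, so the OS X box is forwarding those packets rather than translating them to 192.168.1.102. OPNsense then has to send replies for 10.0.0.2 somewhere, and without a route for 10.0.0.0/24 its only match is the default route towards the upstream router, which is where the return traffic disappears. The script below models the OPNsense routing table with a longest-prefix-match lookup, shows the reply path before and after adding a static route for 10.0.0.0/24 via 192.168.1.102, and includes the sanity check a router applies to a static route: the gateway must sit on a directly connected network. The routing table, the client and server addresses, and the upstream router address 192.168.5.1 are all constructed assumptions; the post only gives the prefixes and 192.168.1.102.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for the OPNsense box described in the post
# (an assumption, not dumped from the poster's system): two directly
# connected networks plus a default route to the upstream router.
# 192.168.5.1 as the upstream router's address is assumed; the post only
# says that router hands out 192.168.5.* addresses.
BASE_TABLE = [
    # (destination prefix, egress interface, next hop; None = directly connected)
    ("192.168.1.0/24", "lan", None),
    ("192.168.5.0/24", "wan", None),
    ("0.0.0.0/0",      "wan", "192.168.5.1"),
]


def next_hop(table, dst):
    """Longest-prefix match, as the kernel does: return (interface, next hop).

    For a directly connected destination the next hop is the host itself.
    """
    dst = ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    _, iface, gw = best
    return iface, gw or str(dst)


def add_static_route(table, prefix, gateway):
    """Return a new table with a static route added.

    Refuses a gateway that is not on a directly connected network: a next hop
    that itself needs another routing step is not usable, which is exactly
    the check a firewall performs before accepting a static route.
    """
    gw = ip_address(gateway)
    for connected_prefix, iface, g in table:
        if g is None and gw in ip_network(connected_prefix):
            return table + [(prefix, iface, gateway)]
    raise ValueError(f"gateway {gateway} is not on any directly connected network")


def reply_path(table, client, server):
    """Simulate one flow through the firewall.

    The client's request leaves via the route to the server; the server's reply,
    once OPNsense has undone its own outbound NAT, is routed to the client's
    real (untranslated) address. Both hops are returned so the caller can see
    where the reply would actually go.
    """
    out_iface, _ = next_hop(table, server)
    back_iface, back_gw = next_hop(table, client)
    return {"out": out_iface, "back": (back_iface, back_gw)}


if __name__ == "__main__":
    # Constructed flow: client 10.0.0.2 behind the OS X gateway talks to 8.8.8.8.
    broken = reply_path(BASE_TABLE, "10.0.0.2", "8.8.8.8")
    print("without static route, reply to 10.0.0.2 goes via", broken["back"])

    fixed_table = add_static_route(BASE_TABLE, "10.0.0.0/24", "192.168.1.102")
    fixed = reply_path(fixed_table, "10.0.0.2", "8.8.8.8")
    print("with static route, reply to 10.0.0.2 goes via", fixed["back"])

    # A gateway that is itself behind the OS X box is rejected.
    try:
        add_static_route(BASE_TABLE, "10.0.0.0/24", "10.0.0.1")
    except ValueError as err:
        print("rejected:", err)
```

Having several clients on the 192.168.1.0/24 LAN does not prevent a static route: the route is keyed on the destination prefix 10.0.0.0/24, and only names 192.168.1.102 as the next hop, so the other LAN hosts are unaffected. The FreeBSD equivalent of the fix is `route add -net 10.0.0.0/24 192.168.1.102`; in the OPNsense GUI the same thing is a gateway entry for 192.168.1.102 on the LAN interface followed by a static route for 10.0.0.0/24 using that gateway. Two checks belong with it: the outbound NAT rule on WAN must cover 10.0.0.0/24 source addresses, otherwise the request leaves with a private source that the upstream router will not route back; and the firewall rule allowing the 10.0.0.* alias only has to cover the inbound direction on LAN, since replies are matched by pf's state table. The alternative that needs neither the alias rule nor the route is to have the OS X server NAT its 10.0.0.* clients to 192.168.1.102, so OPNsense only ever sees a LAN address.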