OPNsense
Topics - surfrock66

1
Virtual private networks / Seeking advice on setting up WireGuard with a separate L3 switch?
« on: July 18, 2024, 09:10:48 pm »
I've been on a network learning journey and have built a network with an L3 switch and multiple VLANs in my house.  OPNsense is acting as the firewall for the WAN connection.  The architecture is, I have a 99 VLAN for network devices, then I have 7 VLANs in the house, all their gateways are my L3 switch, and all the VLANs with external access go through OPNsense, which only has a LAN interface on my 99 (networking) VLAN, a WAN interface, and a wg0 interface.

Primarily, I tried to adapt this guide, though my separate L3 setup I think deviates heavily from this: https://www.zenarmor.com/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense

I want to create a WireGuard VPN into the house (I had one working in a prior iteration of my network and have restarted, wiping that out).  I'm having difficulty wrapping my head around the architecture of this.  Ultimately, WireGuard clients would come in, I assume, on their own VLAN/subnet (I'm designating this 6).  My OPNsense box is connected to my L3 switch with a 2-port LACP trunk currently carrying VLANs 6 and 99.

My L3 switch (a Brocade ICX-6610) has a virtual interface on VLAN 6, as at one point I assumed this would be my gateway device, but maybe that is not necessary?  Also, I'm assuming the WireGuard network does NOT need DHCP, but it will need DNS (as I have both internal DNS resolution, and then upstream to a family-filter DNS provider for the kids), which is already on my LAN and easy enough to configure.  Internal communication would require WireGuard clients to go through the L3 switch then to their destination, and my assumption is WAN traffic would go directly back out the WAN interface of OPNsense (after LAN DNS resolution).

Everything I've done to try to make this work has been unsuccessful, so I'm willing to start this part of the system from scratch.  I've set up the WireGuard instance, I have a tunnel address, and my endpoints can actually successfully connect.  I have a successful handshake from my phone from the WAN, and I can see it in the WireGuard status.  Everything past this is lost, and I think it's because I'm so turned around in my routes/rules that I need to just reconsider that part of this from whole cloth.

Per the above guide, I have a firewall rule passing all traffic from the wg0 interface net to any destination.

My connected client can ping 8.8.8.8, can ping the OPNsense box at the wg0 IP address, but CANNOT ping my LAN DNS server or any other LAN resources, so at this point it appears no routing is passed between the LAN VLANs whatsoever.

My instinct is that I need a second interface on the 6 VLAN that connects back to the L3 switch?  At one point I had added a gateway called "LAN_GW_VLAN_6" on the WireGuard interface, but that broke things in a way that confused me and I just disabled it.

Any advice on what the interfaces, gateways, and routing/firewall rules would need to look like would be appreciated.  High level is ok, as I'm very much learning.

2
24.1 Legacy Series / Help with routing from the OPNsense firewall itself?
« on: March 18, 2024, 06:35:17 pm »
I've been going through a network transition as part of a learning journey and am having an issue I can't seem to solve.  High level, I have a 10.*.*.* network with a bunch of /16 VLANs and I just put in a new Layer 3 switch that acts as the gateway for each VLAN.  The /16 is a legacy thing from a previous configuration, and 10.*.1.254 is the gateway on each VLAN.  The L3 switch has a default 0.0.0.0/0 route pointing to the OPNsense box, which is 10.99.1.40.  99 is my networking device VLAN.  OPNsense is 24.1.2 running on a standalone box with 4 NICs, one going to my Comcast gateway and 2 others are a LACP LAGG to the L3 switch (a trunk carrying VLANs 99 and 6, 6 being my WireGuard network, which is not currently set up).  I have a DHCP and DNS server on the LAN, on the 2 VLAN, and there is an IP helper on each VLAN for it.  Everything there is working fine.

Each of my other VLANs has been defined as an alias in OPNsense, and I have a NAT rule permitting traffic.  At this time, all clients on the LAN have internet access, and from the WAN my port forward rules are working.  Almost everything appears to be working.

...With the exception of the firewall itself.  It can ping the WAN, but cannot ping anything on the LAN on any VLAN (including the 99, which is the VLAN it's on, or other VLANs).  Actually, I can SSH into the box from a client on the 4 VLAN, get in fine, then can't ping back to the client I'm connected from.  One additional thing: when I assign IP addresses I have to set a default gateway for the LAN network and tag it as an upstream gateway...this didn't make sense to me, but if I didn't do that all LAN clients lose internet access.  That LAN_GW gateway is 255 priority but is tagged as upstream, where the WAN_GW is priority 254.  I was thinking it was a static route thing, so I defined static routes for all my VLANs to go through the LAN_GW gateway, but that didn't change anything.

I've changed so many things and done so many experiments that I'm a bit lost, and am looking for some guidance on what the gateways, static routes, and rules SHOULD be configured like in a configuration like mine.  If OPNsense were doing the L3 routing, I think I'd have to add all VLANs to the trunk and make a VLAN interface on each, but I don't think that's the case here?

I am very much learning right now, but I have this sense that the firewall is not seeing my LAN networks as LAN, and is routing connections to the WAN interface.  I've tried traceroute to the LAN and it times out.  I've tried "ping -S 10.99.1.40 10.2.2.213" and it times out.  The firewall rules are mostly default, save for some things I had to do to get my Chromecasts to point to Pi-hole.
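Added here as an illustration, not taken from the posts: a small longest-prefix-match lookup (Python, written for this page) that traces which next hop OPNsense and the L3 switch each choose, in both directions, in layouts like the ones the WireGuard post (1) and the routing post (2) describe. The tunnel subnet 10.6.0.0/16 is assumed (the posts only name VLAN 6), and 10.99.1.254 as the switch's VLAN 99 address follows the post's 10.*.1.254 pattern.

```python
import ipaddress

# Constructed routing logic for illustration; it is not OPNsense's or the switch's code.
# Address pattern taken from the posts: /16 VLANs, OPNsense at 10.99.1.40,
# switch default route to OPNsense. 10.6.0.0/16 as the WireGuard tunnel subnet
# and 10.99.1.254 as the switch's VLAN 99 address are assumptions.

def lookup(table, dst):
    """Return (prefix, next_hop) for the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def next_hop(table, dst):
    """Next hop string for dst, or 'unroutable' when no route matches."""
    route = lookup(table, dst)
    return route[1] if route else "unroutable"

# Firewall with only its connected networks plus the ISP default route.
FIREWALL_CONNECTED_ONLY = [
    ("0.0.0.0/0", "WAN_GW"),        # default route towards the ISP gateway
    ("10.99.0.0/16", "connected"),  # LAN interface lives in VLAN 99
    ("10.6.0.0/16", "connected"),   # wg0 tunnel subnet (assumed)
]
# Same firewall with one summary route for the house VLANs via the L3 switch.
FIREWALL_WITH_LAN_ROUTE = FIREWALL_CONNECTED_ONLY + [
    ("10.0.0.0/8", "10.99.1.254"),  # more specific than /0, less than the /16s
]
# L3 switch: connected VLAN interfaces plus default route to OPNsense (from post 2).
SWITCH_DEFAULT_ONLY = [
    ("0.0.0.0/0", "10.99.1.40"),
    ("10.2.0.0/16", "connected"),
    ("10.99.0.0/16", "connected"),
]
# Same switch with a virtual interface in the tunnel subnet (as post 1 describes for VLAN 6).
SWITCH_WITH_VLAN6_SVI = SWITCH_DEFAULT_ONLY + [("10.6.0.0/16", "connected")]

def round_trip(fw_table, switch_table, src, dst):
    """(hop the firewall picks for src->dst, hop the switch picks for the reply dst->src)."""
    return next_hop(fw_table, dst), next_hop(switch_table, src)
```

A reply whose switch-side hop is "connected" means the switch delivers it on that VLAN itself instead of handing it to the firewall, which is the return-path check worth making when a tunnel client can reach the firewall but not LAN hosts.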

3
23.7 Legacy Series / Firewall not accessible after changing LAN VLAN
« on: March 10, 2024, 05:00:00 am »
I apologize in advance for my limited information because I cannot get to the web interface at this point and I'm not as familiar with the console, but I can provide any information requested if you show me how to provide it.

I recently got a new layer 3 switch so that I could enable some 10 gig fiber for my storage network.  Doing so, I wanted to move most of my networking off of VLAN 1 and onto a new VLAN, VLAN 99.  Before I did this move, I created a new VLAN interface on the OPNsense firewall.  I added the new 99 VLAN to all the required trunks on all my other switches, changed the IP addresses on all of my other devices on that VLAN, and even added a new management interface on OPNsense which was reachable on the 99 VLAN at 10.99.1.40.

I thought I was ready to cut over and I did, replacing the old layer 3 switch with the new one.  For the most part everything went well, and everything on the LAN appears to work as expected.  That being said, my firewall is now completely unreachable.  I fired up the console and reconfigured the interfaces and IPs, but it appears to be unreachable on the LAN or the WAN.  My LAN interface is an LACP LAGG which should be configured on the L3 switch as well, and the ports show as up on the switch, but I cannot ping it even from the L3 switch where a gateway is configured on the 99 VLAN.  The WAN is a single connection to my Comcast business gateway, and I believe it is properly configured as I am getting a DHCP address on it.  From the shell, I cannot ping 8.8.8.8.  As far as I can see, both the LAN and WAN interfaces are not communicating out and I am kind of stumped.  Here is as much information as I have right now, but I can provide any more information as requested.

4
General Discussion / Questions about my setup, role of VLANs, using mdns-repeater for Chromecasts?
« on: May 19, 2022, 11:21:35 pm »
Hi, I'm a brand new OPNsense user.  Over the last 6 months I've been converting my residential flat network to one more in line with a learning lab, using managed switches and VLANs.  It's more complex than it needs to be, but the driver was teaching myself about more complex networking.

I have an older L3 switch which is the router on my network for my 5 VLANs.  It's a Netgear GSM7312.  It has an interface on each VLAN; the VLANs are /16 (which is bigger than needed, but is the result of a legacy configuration I'm not ready to re-architect).  When deciding on my architecture, I considered moving routing functionality to OPNsense; as a result, the connection to OPNsense is trunked and is carrying all 5 VLANs, though the LAN port on OPNsense is tied to "lagg0_vlan1".  In OPNsense I defined a gateway for each of my VLANs pointing to the interface on each VLAN on the L3 switch, then I defined an interface on each of the other 4 VLAN interfaces with roughly the same IP (10._.1.40).  While I didn't specify the gateway in the VLAN interface configuration (since it's LAN I set it to none), the interface overview shows each interface has the right gateway.

As I understand it, I should be able to access the OPNsense firewall from any of those interfaces, right?  As long as I have the web interface listening on them all (it's listening on the 5 LAN interfaces, not the WAN), I thought I should be able to get to it at "10.1.1.40" or "10.4.1.40".  As it is, I can only get to it from 10.1.1.40; the others are unreachable/unpingable.

I ask this because I am hoping OPNsense can solve the one thing on my network not working...Chromecasts.  Most user devices are VLAN 4, but things like Chromecast are VLAN 5.  I want to tightly control the traffic between the VLANs as part of my learning journey, and my research says I can do that eventually, but for now at a minimum I need to use a plugin like "mdns-repeater" to allow mDNS between VLANs.  Since the firewall isn't doing the routing, my understanding is I need an interface on each VLAN/subnet, then configure the plugin to watch on those interfaces.

For as wonky as the setup is right now, does this make sense?  Should the VLAN interfaces be reachable?  Is there something fundamental I'm missing?
