23.1 Legacy Series / Possible NAT or routing issues with new opnsense setup + L3 Cisco switch
« on: July 30, 2023, 04:40:12 am »
Hi there,
I've been playing with this all weekend and keep hitting various roadblocks. Currently I'm unable to get to the internet from any VLAN except the transit one I've set up for communication between my L3 switch and the opnsense router. My current setup is a handful of VLANs that are managed from a Cisco SG300-10 in L3 mode. I've got all of the internal stuff working fine, inter-VLAN routing is good, and I can hit all of the devices on separate VLANs where needed. I've got a transit VLAN set up between the switch and the opnsense router (10.10.255.0), with the switch gateway being .254 and the opnsense LAN interface IP being .200. I can ping the LAN interface from any device on the network on any VLAN.
The opnsense is an appliance with 4 NICs; I'm using two of them, one for LAN as above and one for WAN, which is connected to my ISP modem using DHCP. It works fine, gets an IP, and when I use the ping/tracert tools on the WAN interface everything works as expected. When I use the LAN interface it works with an IP but not with a domain name. I can also ping 8.8.8.8 from the L3 switch using the tools it has with no problem.
So currently my issues are thus:
1. Unable to ping outside the network from any VLAN except the one that opnsense is using for its LAN interface.
2. Ping from that VLAN works but DNS doesn't.
Things I've done so far:
I've got a static route set up on the opnsense to send all traffic for 10.10.0.0/16 to the gateway of the transit VLAN, 10.10.255.254.
I've created a firewall rule allowing all traffic from 10.10.0.0/16 out the WAN interface.
I've added a DNS entry manually for 8.8.8.8 on the opnsense and disabled the unbound DNS; this didn't work.
I've gone through so many different variations of settings that it's hard to put them all down, but I'm happy to do them all again if suggested as it's entirely likely I need a combination of things or was just doing them wrong.
Any suggestions on what to try next or where to go would be handy. If there's a NAT rule I need to add, additional interfaces for all the VLANs, different DNS settings, etc., I'd love to hear them. Thanks!
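A small checker, added here as an example and not part of the post or of OPNsense itself, that models the three things a packet from an internal VLAN needs in order to get out to the internet and back through a firewall sitting behind an L3 switch: a pass rule that matches where the packet is evaluated (entering LAN, or leaving WAN), an outbound NAT entry on WAN that covers its source address, and a route back to the client's subnet so replies are not sent out the default route. The transit VLAN, switch gateway and /16 aggregate are taken from the post; the WAN block, the 10.10.10.0/24 client VLAN, and the list of source networks that outbound NAT actually translates are assumptions (the last one should be read from the box's own outbound NAT page rather than guessed, because it decides the verdict).

```python
"""Model of what an internal VLAN client needs to reach the internet via a
firewall behind an L3 switch.  Added example; not OPNsense code."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


def net(cidr: str) -> IPNet:
    """Parse a network, tolerating host bits such as '10.10.255.0/24'."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class FirewallModel:
    interface_nets: Dict[str, IPNet]            # interface -> on-link network
    static_routes: Dict[IPNet, IPAddr]          # destination -> next hop
    pass_rules: List[Tuple[str, str, IPNet]]    # (interface, "in"|"out", source)
    outbound_nat_sources: List[IPNet]           # sources translated on WAN
    internal_iface: str = "LAN"
    wan_iface: str = "WAN"


def return_next_hop(model: FirewallModel, client: IPAddr) -> Optional[IPAddr]:
    """Where the firewall would send a reply for `client`: on-link wins, then the
    most specific static route.  None means it would follow the default route
    out WAN and never reach the switch."""
    for network in model.interface_nets.values():
        if client in network:
            return client
    best: Optional[Tuple[IPNet, IPAddr]] = None
    for dest, gw in model.static_routes.items():
        if client in dest and (best is None or dest.prefixlen > best[0].prefixlen):
            best = (dest, gw)
    return best[1] if best else None


def passes_filter(model: FirewallModel, client: IPAddr) -> bool:
    """pf-style evaluation: a rule applies on the interface the packet enters
    (direction in) or on the interface it leaves (direction out)."""
    for iface, direction, src in model.pass_rules:
        if client not in src:
            continue
        if direction == "in" and iface == model.internal_iface:
            return True
        if direction == "out" and iface == model.wan_iface:
            return True
    return False


def nat_translated(model: FirewallModel, client: IPAddr) -> bool:
    """True if some outbound NAT source network on WAN covers the client."""
    return any(client in src for src in model.outbound_nat_sources)


def diagnose(model: FirewallModel, client_ip: str) -> Dict[str, object]:
    """Run the three checks for one client and collect what is missing."""
    client = ipaddress.ip_address(client_ip)
    hop = return_next_hop(model, client)
    result: Dict[str, object] = {
        "client": client_ip,
        "firewall_pass": passes_filter(model, client),
        "outbound_nat": nat_translated(model, client),
        "return_route": hop is not None,
        "return_via": str(hop) if hop is not None else None,
    }
    problems: List[str] = []
    if not result["firewall_pass"]:
        problems.append("no pass rule matches this source on LAN-in or WAN-out")
    if not result["outbound_nat"]:
        problems.append("no outbound NAT source on WAN covers this client; "
                        "replies to a private address cannot come back")
    if not result["return_route"]:
        problems.append("no route back to this client; replies would leave via the default route")
    result["problems"] = problems
    result["ok"] = not problems
    return result


# Constructed from the post: transit VLAN on LAN, switch gateway .254, a static
# route for the /16 via the switch, a pass rule for the /16 on WAN outbound.
# The WAN block is a placeholder (TEST-NET-3) and the NAT source list is an
# assumption: here only the on-link LAN network is translated.
TRANSIT = net("10.10.255.0/24")
INTERNAL = net("10.10.0.0/16")
SWITCH_GW = ipaddress.ip_address("10.10.255.254")

POST_SETUP = FirewallModel(
    interface_nets={"LAN": TRANSIT, "WAN": net("203.0.113.0/24")},
    static_routes={INTERNAL: SWITCH_GW},
    pass_rules=[("LAN", "in", TRANSIT), ("WAN", "out", INTERNAL)],
    outbound_nat_sources=[TRANSIT],
)


def with_nat_for_internal(model: FirewallModel) -> FirewallModel:
    """Same model with an outbound NAT entry covering the whole /16."""
    return replace(model, outbound_nat_sources=model.outbound_nat_sources + [INTERNAL])


if __name__ == "__main__":
    for host in ("10.10.255.50", "10.10.10.50"):      # transit client, assumed VLAN 10 client
        print(diagnose(POST_SETUP, host))
    print(diagnose(with_nat_for_internal(POST_SETUP), "10.10.10.50"))
```

Swap the constructed lists for what the firewall actually shows (its pass rules, its outbound NAT entries, and its routing table) and the output tells you which of the three pieces is missing for a given VLAN client; the same model also shows why removing the static route would break replies even when NAT and the pass rule are in place.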

