SOLVED: Multiple Subnets on a Single Interface

[seamus]

The subject of this post seems to summarize what I've been asking for a while without a definitive answer:

Is it possible to assign multiple subnets to a single interface?

For example:
I have a 2-NIC appliance running OPNsense. I have been using it as a router/firewall for my LAN at 192.168.1.0/24, and now I want to add 2-3 hosts to my network that use 192.168.6.0/24 (I actually have this situation). I want to give these devices on 192.168.6.0/24 access to the Internet through my OPNsense firewall.

Is this possible?

If so, please explain how.

If not possible, can anyone explain the meaning of this statement in the "Advanced" section of the firewall? https://docs.opnsense.org/manual/firewall_settings.html#static-route-filtering

"This may be desirable in some situations where multiple subnets are connected to the same interface."

A definitive answer would really be much appreciated.

[bartjsmit]

The fact that the subnets don't overlap would indicate two separate security policies. You need to stop hosts bypassing their restrictions by just changing their IP address.

The common way to stop this is to separate the hosts by VLAN. This implements your policy on devices outside the host's control (firewall and switches).

Bart...

[seamus]

The fact that the subnets don't overlap would indicate two separate security policies. You need to stop hosts bypassing their restrictions by just changing their IP address.

The common way to stop this is to separate the hosts by VLAN. This implements your policy on devices outside the host's control (firewall and switches).

I do wish I had some idea of what you're talking about, but what you've written makes no sense at all to me. I just do not see an answer to my question here.

[seamus]

Here's one way to make this work:

After asking a couple of related/similar questions here, I managed to get the final puzzle piece I needed on reddit (the OPNsense sub-reddit). I thought I'd share the answer here. Please note: I don't claim this is the best/optimal answer - I claim only that this does work for my particular situation. Perhaps the OPNsense experts here can identify improvements; perhaps even add something to the documentation?

1. Ref the attachment here below for a crude schematic of my network. The Firewall/LAN gateway at 192.168.1.1 is OPNsense running on an appliance with two (2) Ethernet ports. The OPNsense configuration was mostly the default configuration generated during initial installation some time ago. Recently, I added a small embedded device to the network - the "pocketbeagle" device connected to a laptop running Ubuntu 20.04.

2. The objectives are as follows:

• Internet access for the pocketbeagle device
• SSH access to the pocketbeagle device from hosts on the 192.168.1.0/24 subnet

3. After plugging in the pocketbeagle device, I made an SSH connection from the Ubuntu laptop. I found it was necessary to add a default gateway to the pocketbeagle device:

    $ sudo route add -net 0.0.0.0 gw 192.168.6.1

4. On the Ubuntu laptop, I verified that forwarding was enabled, and that the firewall (ufw) was disabled:


    $ cat /proc/sys/net/ipv4/ip_forward
    1
    # "1" means ip_forward is enabled
   
    $ sudo ufw status
    Status: inactive
    # "inactive" means that no rules are altering traffic patterns on the Ubuntu laptop


5. A return route from the firewall is needed to route packets back to the pocketbeagle device. I did this by creating a static route. Use the GUI from here, be sure to Save, Apply, etc as you complete each step:

• System->Gateways->Single, Add a gateway for the IP on the Ubuntu laptop (192.168.1.104 in this case
• System->Routes->Configuration, Add a route to 192.168.6.0/24 using the gateway defined in the previous step

6. The final step to gain Internet access for the pocketbeagle device is to set up NAT for packets from the 192.168.6.0/24 subnet. Using the OPNsense GUI again:

• Firewall->NAT->Outbound; Change mode to "Hybrid outbound NAT rule generation"
• Add a NAT Rule for the WAN interface for Source Address 192.168.6.0/24

That should do it. My pocketbeagle device can now connect to the Internet, and I can update/upgrade its Debian OS. As far as connecting to the pocketbeagle device from other hosts on the network, I elected not to use OPNsense for this - I simply created a static route on each host that needed access. For example, on my Macbook, this took care of it:

    % sudo route -n add 192.168.6.0/24 192.168.1.104