Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
Using OPNsense with seperate Layer3 Switch, SVI, and Routing
« previous
next »
Print
Pages: [
1
]
Author
Topic: Using OPNsense with seperate Layer3 Switch, SVI, and Routing (Read 6632 times)
iTninjasaki
Newbie
Posts: 1
Karma: 0
Using OPNsense with seperate Layer3 Switch, SVI, and Routing
«
on:
March 24, 2021, 10:27:06 pm »
I want OPNsense to act solely as a firewall and to do NAT translation for me. I have a robust Layer 3 switch I'm using to do my routing by utilizing SVI. What's the best implementation of this? And what advice would you offer or best practices would you point out? A point to point between the firewall and the switch? Do I need to build those VLANs on OPNsense as well? Any advice is appreciated.
Logged
Livius
Newbie
Posts: 4
Karma: 0
Re: Using OPNsense with seperate Layer3 Switch, SVI, and Routing
«
Reply #1 on:
September 29, 2021, 08:48:37 pm »
Hi iTninjasaki, have you found a solution for it?
I'm stuck with NAT and a layer 3 switch, RVI.
My setup:
OPNsense
LAN: 192.168.40.1 /24
VLANS
192.168.41.0 /24
192.168.42.0 /24
Switch
LAN IP: 192.168.40.5
GW: 192.168.40.1
And IP in each VLAN for RVI:
GW: 192.168.41.1
GW: 192.168.42.1
Because the switch doesn't do NAT I configured in OPNsense a new gateway on lan interface, the switch IP
GW2: 192.168.40.5.
And added the two static routes to VLANs via GW2.
The problem is that OPNsense doesn't NAT the traffic from VLAN client.
I've tried with Hybrid Outbound rules and Manual Outbound rules.
And without luck so I'm stuck.
I sent ping from a VLAN client: 192.168.41.10 to a public IP running Wireshark.
OPNsense did the routing the packet was captured.
But the source IP inside the packet was 192.168.41.10 not the WAN IP as expected.
I believe that NAT occurs only when the source IP is part of OPNsense LAN.
The not so smart solution:
Add OPNsense in each VLAN as a secondary gateway and configure static permanent routes in each client, inter-VLAN traffic goes to IRB, Internet traffic goes to OPNsense.
Something like:
RVI: 192.168.41.1 /24 and 192.168.41.2 /24
OPNsense: 192.168.41.2 /24 and 192.168.42.2 /24
The smart solution:
Figure out why it doesn't do NAT to an IP which is not part of its network (LAN).
Logged
Livius
Newbie
Posts: 4
Karma: 0
Re: Using OPNsense with seperate Layer3 Switch, SVI, and Routing
«
Reply #2 on:
September 30, 2021, 04:27:16 pm »
After a few days full of attempts, the solution was pretty basic, by just reading carefully the help I solved it.
The Outbound rule should be configured:
Hybrid outbound
And a rule for each VLAN:
Interface: WAN
Source: 192.168.41.0/24
NAT Address: Interface address
and
Interface: WAN
Source: 192.168.42.0/24
NAT Address: Interface address
Outbound NAT only controls what happens to traffic as it leaves an interface. It does not control the interface though which traffic will exit the firewall. That is handled by the routing table (Static Routes) or policy routing (Policy routing).
Logged
bimbar
Sr. Member
Posts: 435
Karma: 25
Re: Using OPNsense with seperate Layer3 Switch, SVI, and Routing
«
Reply #3 on:
October 08, 2021, 11:08:38 am »
The real answer is, you should not use a switch as router unless you have to, if you have a better device to do routing and firewalling for you.
The only real reason in small networks to use routing on a switch is performance.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Tutorials and FAQs
»
Using OPNsense with seperate Layer3 Switch, SVI, and Routing