[Solved] Cannot route Subnet (VLAN) over VPN using gateway OPNsense 23.1.3
someone1337 (Newbie, Posts: 6, Karma: 0), on: April 25, 2023, 12:21:47 am
I'm hitting a roadblock here, and not sure how to make my routes work correctly.
Basics:
LAN: 10.35.35.1/24
Several [wireguard] VPN connections configured via https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, and working perfectly via selective IP addresses (aliases). I also have gateways to each of the VPN tunnels. Everything works perfectly.
Recently, I added a WAP that allows me to tag a certain WiFi network with VLAN, so I'm trying to create a WiFi network that, when connected to, routes automatically over one of my VPN connections.
The concerned VLAN is "VLAN20" ... and no matter how I specify the routing, I can't get VLAN20-tagged packets to route over the VPN. DHCP is working for VLAN20 (192.168.20.1/24), and I get good addresses when I connect; just no internet (over the VPN) when connected.
From my understanding, this requires two new rules:
Direction to send VLAN20 packets to the VPN_gateway
NAT outbound rule to change anything in the VLAN20 net to the VPN interface's address
I have tried forcing VLAN20 packets to use the VPN_gateway via:
Firewall -> Rules -> VLAN20 (* * * * VPN_gateway)
Firewall -> Rules -> LAN (VLAN20 Net * * * VPN_gateway)
And added the NAT:
Firewall -> NAT -> Outbound (VPN_interface VLAN20 net * * * Interface address *)
But no matter which way I force the gateway, no connected clients get internet through the VPN_gateway.
I even tried hard-coded IPv4/32 addresses in both Firewall rules and NAT ... still no internet through VPN_gateway.
I have read other tutorials online that seem to indicate I am addressing the right rules, but I cannot get connected clients within VLAN20 to use the VPN_gateway.
Can anyone help me with the rules I am bungling or missing?
Last Edit: April 25, 2023, 04:53:49 pm by someone1337
someone1337 (Newbie, Posts: 6, Karma: 0), Reply #1 on: April 25, 2023, 05:00:49 pm
I finally figured out a combination of rules that will allow this routing to happen. Here's what I did:
In Firewall -> Rules -> VLAN20, I have:
(IPv4 VPN_hosts_alias * !RFC1918_Networks * VPN_gateway *)
(IPv4 * * * * * *)
I have DHCP set up on VLAN20 to serve 192.168.20.100-192.168.20.225 ... so, I added this range to VPN_hosts_alias.
Adding the DHCP range to VPN_hosts_alias takes care of the NAT translation to the VPN interface's address, since I already have the NAT rule set up for that alias.
Now, anything that connects to my VLAN20 automatically gets routed to VPN ... excellent!
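The two VLAN20 rules from the reply above, modelled as first-match evaluation to show which clients actually reach VPN_gateway; this is an added example, not part of the original post and not OPNsense's own code. It assumes VPN_hosts_alias holds only the DHCP range from the reply, RFC1918_Networks is the three standard private ranges, and the second rule's `*` gateway means the normal routing table; 203.0.113.10 is a constructed sample destination.

```python
import ipaddress

# Addresses and rule order come from the posts; the evaluation is a simplified model.
VLAN20_NET = ipaddress.ip_network("192.168.20.0/24")
FIREWALL = ipaddress.ip_address("192.168.20.1")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: VPN_hosts_alias reduced to the DHCP range added in the reply.
ALIAS_FIRST = ipaddress.ip_address("192.168.20.100")
ALIAS_LAST = ipaddress.ip_address("192.168.20.225")


def in_alias(src):
    return ALIAS_FIRST <= src <= ALIAS_LAST


def is_rfc1918(dst):
    return any(dst in net for net in RFC1918)


def select_gateway(src, dst):
    """Return the gateway chosen by the first matching VLAN20 rule."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Rule 1: IPv4 VPN_hosts_alias * !RFC1918_Networks * VPN_gateway
    if in_alias(src) and not is_rfc1918(dst):
        return "VPN_gateway"
    # Rule 2: IPv4 * * * * * (no gateway set: normal routing table)
    return "default"


def uncovered_hosts():
    """VLAN20 client addresses that rule 1 can never match."""
    return [h for h in VLAN20_NET.hosts()
            if not in_alias(h) and h != FIREWALL]


if __name__ == "__main__":
    samples = [("192.168.20.150", "203.0.113.10"),  # DHCP client to internet
               ("192.168.20.150", "10.35.35.10"),   # DHCP client to LAN
               ("192.168.20.50", "203.0.113.10")]   # static address outside range
    for src, dst in samples:
        print(f"{src} -> {dst}: {select_gateway(src, dst)}")
    print(len(uncovered_hosts()), "VLAN20 addresses fall through to rule 2")
```

A VLAN20 client with a static address outside the DHCP range falls through to the second rule and follows the normal routing table instead of the tunnel, so the alias has to cover every address that is meant to use the VPN.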