Firewall rules for static routes (L3 switch doing VLAN routing)
Topic: Firewall rules for static routes (L3 switch doing VLAN routing) (Read 1906 times)
guest31649 (Guest)
Firewall rules for static routes (L3 switch doing VLAN routing)
« on: January 17, 2022, 10:22:53 pm »
Hi,
Sorry for a potentially simple question... I'm looking to configure an Opnsense firewall for my needs but wanted to 'clarify'/ 'understand' a point or two before diving headfirst into it and screwing it up!
So.. my configuration will be that OPNsense will have 1x WAN connection and 1x LAN connection to my L3 switch (it will have its own VLAN to sit on).
The L3 switch is controlling all VLAN stuff, including inter-VLAN routing, and I can use ACLs on the switch to manage them and ensure only VLANs I want to talk to each other can, etc.
I would need to set static routes on the Opnsense to point to the VLAN 'subnets' and on the switch have a static route back to Opnsense.
So far, so good.
My question is then... how do I set up firewall rules and open ports to specific VLANs / devices?
WAN --> Opnsense --> L3 switch --> device
Do I simply open the ports for the LAN interface on the Opnsense? Is that insecure? Is there a special way to do this?
I appreciate I'm jumping the gun by asking before setting up, but equally, if I spend 4 hours randomly messing around I'm likely to click checkboxes that interfere with answers and go round in circles because of it; ideally I want to do it right first time round.
Thanks MASSIVELY in advance!
Owen.
EDIT: Just been thinking it might be 'easier' to have the LAN side of OPNsense have two VLANs, where one is LAN and the other is DMZ. The two main devices I want to route are actually 3rd party routers: 1x DrayTek Vigor, and the other is 1x EdgeRouter X (don't ask, it's a bit complicated as to the whys and whats). Would it make more sense for the routers to be in a DMZ as they do their own firewall and port routing?
WAN --> Opnsense -- LAN VLAN --> switch --> Devices
|
└ DMZ VLAN --> switch --> Devices
I assume I can do DHCP for the DMZ devices?
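The rule and route behaviour the question above turns on, as an added example (not code from this thread and not OPNsense's own code): a small first-match packet filter and longest-prefix route table in Python that mirrors how pf on OPNsense treats the design WAN --> OPNsense --> L3 switch --> device. The addresses, the alias names and the two VLAN subnets behind the switch are assumptions made up for the demo. It shows why "just opening ports on the LAN interface" is not the whole story: the GUI's "LAN net" alias covers only the transit VLAN, so traffic from the subnets the switch routes needs its own alias-based rule, while an inbound port forward is a WAN rule whose translated destination OPNsense then routes to the switch's transit address.

```python
# Added example (not from the forum thread or the OPNsense project).
# Models pf's first-match evaluation on OPNsense and the kernel route table
# for:  WAN --> OPNsense --> L3 switch --> VLAN device
# Every address, alias and rule below is an assumption constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IP = ipaddress.IPv4Address

# Directly connected networks on OPNsense: the WAN and the transit VLAN to the switch.
INTERFACES = {
    "wan": IPNet("203.0.113.0/24"),   # assumption (documentation range)
    "lan": IPNet("172.20.100.0/24"),  # transit VLAN; OPNsense is .1, switch SVI is .2
}
WAN_GW = IP("203.0.113.1")
SWITCH_GW = IP("172.20.100.2")       # switch's routing interface on the transit VLAN

# Static routes OPNsense needs for subnets the switch routes (constructed VLANs),
# plus the default route to the WAN gateway.
ROUTES = [
    (IPNet("172.20.10.0/24"), SWITCH_GW, "lan"),
    (IPNet("172.20.20.0/24"), SWITCH_GW, "lan"),
    (IPNet("0.0.0.0/0"), WAN_GW, "wan"),
]

def route_lookup(dst):
    """Longest-prefix match: returns (prefix, next_hop, interface)."""
    best = None
    for net, gw, ifname in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    return best

# Aliases as the GUI would expand them. "LAN net" is only the transit subnet.
ALIASES = {
    "lan_net": [INTERFACES["lan"]],
    "routed_vlans": [net for net, gw, _ in ROUTES if gw == SWITCH_GW],
}

@dataclass
class Rule:
    iface: str            # interface the packet arrives on (OPNsense filters inbound)
    action: str           # "pass" or "block"
    src: object           # "any", an alias name, or an IPv4Network
    dst: object
    dport: Optional[int] = None
    proto: str = "any"

def matches(selector, addr):
    if selector == "any":
        return True
    nets = ALIASES[selector] if isinstance(selector, str) else [selector]
    return any(addr in net for net in nets)

def evaluate(rules, iface, src, dst, dport, proto="tcp"):
    """First matching rule wins (OPNsense generates 'quick' rules); no match means default deny."""
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if not (matches(r.src, src) and matches(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"

def lan_default_rules():
    # The stock "Default allow LAN to any" rule: source "LAN net".
    return [Rule("lan", "pass", "lan_net", "any")]

def lan_rules_with_alias():
    # Extra rule for the subnets behind the switch, placed above the default one.
    return [Rule("lan", "pass", "routed_vlans", "any")] + lan_default_rules()

def wan_port_forward_rules():
    # The pass rule associated with a port forward to a device behind the switch.
    # pf applies the rdr first, so the filter sees the translated inside destination.
    return [Rule("wan", "pass", "any", IPNet("172.20.10.5/32"), dport=443, proto="tcp")]

def scenarios():
    vlan_host = IP("172.20.10.5")      # device on a switch-routed VLAN (constructed)
    internet = IP("198.51.100.7")      # some remote address (constructed)
    opn_lan = IP("172.20.100.1")
    return {
        # VLAN host heading for the internet with only the stock LAN rule
        "vlan_host_out_default_rule": evaluate(lan_default_rules(), "lan", vlan_host, internet, 443),
        # same packet once the routed subnets have their own rule
        "vlan_host_out_alias_rule": evaluate(lan_rules_with_alias(), "lan", vlan_host, internet, 443),
        # inbound port forward from the internet to that host
        "port_forward_in": evaluate(wan_port_forward_rules(), "wan", internet, vlan_host, 443),
        # next hop and interface OPNsense uses for the forwarded packet
        "port_forward_next_hop": str(route_lookup(vlan_host)[1]),
        "port_forward_out_iface": route_lookup(vlan_host)[2],
        # switch transit address pinging OPNsense: already allowed by the stock rule
        "switch_ping_opnsense": evaluate(lan_default_rules(), "lan", SWITCH_GW, opn_lan, None, "icmp"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Two caveats the model makes visible: inter-VLAN traffic between subnets behind the switch never crosses the transit link, so only the switch's ACLs govern it, and OPNsense cannot filter it; and the switch's own transit address is matched by the stock LAN rule, so in this model a rule is not what would stop 172.20.100.2 reaching 172.20.100.1 (the interface bridge mentioned later in the thread is outside what the model covers).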
guest31649 (Guest)
Re: Firewall rules for static routes (L3 switch doing VLAN routing)
« Reply #1 on: January 20, 2022, 05:33:57 am »
I appreciate the question above was a vague hand wavy type question with a less direct focus.
I decided to go down the DMZ route using VLANs to utilise the 10GbE patch between my OPNsense box and the Netgear L3 switch (there is a genuine and real possibility of getting 10GbE WAN, and I have multiple devices that could all need to download multi-100GB packages simultaneously, so no, it's not overkill).
I've used this really thorough tutorial:
https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/
But I've kinda encountered an issue.
VLAN 100 is for my "normal" LAN, VLAN 200 is for the DMZ
So DHCP on VLAN 200 works fine as the L3 switch isn't really doing anything (i.e. no VLAN routing etc.; plug a device in, set the port it's plugged into to be VLAN 200 and bam, DHCP assigns an IP and off to the races).
The issue is with VLAN 100.... this VLAN connects to the L3 switch, but in this case the switch is going to be doing a lot of VLAN routing between other smaller VLANs. For this to work, on the switch I have created the VLAN and then created an appropriate VLAN routing interface with an IP of 172.20.100.2. To my knowledge this has the effect of turning the switch into a router with that IP.
The issue is, I can't see any details about that IP in Opnsense... under diagnostics I can ping the IP (good), but under the diagnostics of the switch I cannot ping 172.20.100.1 (the Opnsense IP for VLAN 100).... how can I get it to route traffic if it cannot ping the Opnsense?
This may be complicated by the fact that (at least for now) I'm bridging the SFP+ port and the motherboard's RJ45 port for setup (don't want to lose GUI access; the RJ45 port has a different IP range set at the moment).
I'm a bit confused as to whether or not everything will work when I assign the SFP+ interface as LAN and the RJ45 as OPT1 (ie currently set the other way around so I could initially configure the Opnsense box).
Appreciate that probably makes no sense and can provide screenshots of everything.
Sorry
Owen.
pasha-19 (Newbie, Posts: 34, Karma: 0)
Re: Firewall rules for static routes (L3 switch doing VLAN routing)
« Reply #2 on: January 02, 2024, 08:45:31 pm »
I am working on a similar project: multiple VLANs where the switch maintains VLAN separation for all but an administrative VLAN. The administrative VLAN can perform tasks like Windows Remote Desktop and VNC, along with HTTP/S administration of subnets with appropriate devices like servers and network appliances across the VLANs. I have created this using OPNsense with a switch with no static routing capability. I managed to do this on a standalone switch (without a router) with static routing capabilities. When it came to attaching the standalone switch to the router I have been only partially successful.

I learned that the switch's VLAN interface IP address can be mapped manually into OPNsense as a gateway. Instead of one WAN gateway I have now created manual gateways for each VLAN too. Like you, initially the switch could not communicate with the router. A firewall rule to pass the router's interface address (from the corresponding switch gateway, I believe) to the default gateway seemed to help the situation. Of course the router's firewall interface address was also coded to pass traffic from the router's IP interface back to the switch's gateway/interface. Since the router is the only device not "directly" controlled by the switch, this appears to work.

The bad news is the part I have yet to figure out: whether I can pass the internet traffic from the multiple switch gateways to the WAN gateway. So in the end I have the switch and router communicating; however, I cannot transfer data between them to the internet. The router's firmware update function can successfully access the internet to update the router software, so the router seems to be capable. When I attach a user device like a PC directly to the router I have also achieved internet access for that specific device. I am still experimenting, trying to figure out how to get the internet traffic I hope is available at the multiple switch gateways to the WAN gateway and back.
« Last Edit: January 02, 2024, 08:53:47 pm by pasha-19 »
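The "internet traffic from the switch gateways to the WAN gateway and back" part of the post above, and the original poster's remark that OPNsense needs static routes to the VLAN subnets while the switch needs a route back, as an added example (it is not the poster's configuration and not OPNsense code): two routing tables in Python, one for the L3 switch and one for OPNsense, with a round-trip trace from a VLAN host to a remote address. The VLANs, addresses and the deliberately missing route are constructed. It illustrates the general point that one gateway entry (the switch's transit address) plus one static route per switch-routed subnet is what OPNsense needs for the return path: a subnet that has no route is still reachable outbound via the switch's default route, but OPNsense sends the replies out the WAN default route instead of back to the switch.

```python
# Added example, not from the thread or from OPNsense: trace a packet from a
# switch-routed VLAN to the internet and its reply across two routing tables
# (the L3 switch's and OPNsense's) to show which routes each side needs.
# All addresses, VLANs and the "missing" route are constructed for the demo.
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

TRANSIT = Net("172.20.100.0/24")        # VLAN shared by OPNsense and the switch
WAN_NET = Net("203.0.113.0/24")         # assumption: documentation range
OPN_TRANSIT_IP = Addr("172.20.100.1")
SW_TRANSIT_IP = Addr("172.20.100.2")    # the switch's VLAN routing interface
WAN_GW = Addr("203.0.113.1")

# Networks the switch has an SVI on; it routes between them without OPNsense.
SWITCH_CONNECTED = {
    Net("172.20.10.0/24"): "vlan10",
    Net("172.20.20.0/24"): "vlan20",
    Net("172.20.30.0/24"): "vlan30",
    TRANSIT: "vlan100",
}

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, iface); next_hop None means on-link."""
    best = None
    for prefix, next_hop, iface in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop, iface)
    return best

def on_link_iface(gw):
    """Interface on which OPNsense can reach a gateway address directly, or None."""
    if gw in TRANSIT:
        return "lan"
    if gw in WAN_NET:
        return "wan"
    return None

def switch_table():
    # Connected SVIs plus one default route pointing at OPNsense.
    table = [(net, None, iface) for net, iface in SWITCH_CONNECTED.items()]
    table.append((Net("0.0.0.0/0"), OPN_TRANSIT_IP, "vlan100"))
    return table

def opnsense_table(static_routes):
    """Connected networks, the admin's static routes (subnet, gateway), then the WAN default."""
    table = [(TRANSIT, None, "lan"), (WAN_NET, None, "wan")]
    for subnet, gw in static_routes:
        iface = on_link_iface(gw)
        if iface is None:
            # OPNsense will not accept a gateway it cannot reach directly.
            raise ValueError(f"gateway {gw} for {subnet} is not on a connected network")
        table.append((subnet, gw, iface))
    table.append((Net("0.0.0.0/0"), WAN_GW, "wan"))
    return table

def trace_round_trip(static_routes, host, remote):
    """Return (forward_reaches_wan, reply_iface, reply_next_hop) for host -> remote."""
    sw_hop = lookup(switch_table(), remote)           # switch forwards via its default route
    opn_hop = lookup(opnsense_table(static_routes), remote)
    forward_ok = sw_hop[1] == OPN_TRANSIT_IP and opn_hop[2] == "wan"
    # The reply (after NAT undoes the translation) is routed by OPNsense toward `host`:
    # it must go back to the switch on the transit VLAN, not out the WAN again.
    back = lookup(opnsense_table(static_routes), host)
    return forward_ok, back[2], back[1]

def missing_return_routes(static_routes):
    """Switch-routed subnets that OPNsense would currently answer via the WAN."""
    table = opnsense_table(static_routes)
    return sorted(
        str(net) for net in SWITCH_CONNECTED
        if net != TRANSIT and lookup(table, net.network_address)[2] != "lan"
    )

# Constructed configuration: routes exist for VLAN 10 and 20 but VLAN 30 was forgotten.
STATIC_ROUTES = [
    (Net("172.20.10.0/24"), SW_TRANSIT_IP),
    (Net("172.20.20.0/24"), SW_TRANSIT_IP),
]

if __name__ == "__main__":
    print(trace_round_trip(STATIC_ROUTES, Addr("172.20.10.5"), Addr("198.51.100.7")))
    print(trace_round_trip(STATIC_ROUTES, Addr("172.20.30.5"), Addr("198.51.100.7")))
    print(missing_return_routes(STATIC_ROUTES))
```

The model covers routing only. When outbound packets leave but nothing comes back, the other things to check on OPNsense are the LAN-side pass rule for the routed subnets (the stock rule's "LAN net" source covers only the transit VLAN) and the outbound NAT entries for those subnets; neither is represented here.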
CJ (Hero Member, Posts: 832, Karma: 30)
Re: Firewall rules for static routes (L3 switch doing VLAN routing)
« Reply #3 on: January 04, 2024, 02:57:03 pm »
I'm a bit confused. You want OPNsense to handle all of your VLANs and routing or your switch to do so?
Have Answer, Will Blog