Multiple Subnets on One Interface - How can I make this work?

[kyferez]

Hi there,

I am trying to use OPNsense to setup a firewall between multiple subnets. Unfortunately, I cannot utilize VLANs as this is a multi-tenant setup.

In addition, I am running as a Virtual instance, so I also cannot put multiple Interfaces in my one network. So this is essentially to be a router on a stick, with No VLANs.

Think of it like this:
Interface 1 will be used for all of this:
Gateway IP: 10.0.0.1/26
OPNsense IP: 10.0.0.2/26
OPNsense 2nd Subnet: 192.168.1.1/24
Windows VMs will be on the 192.168.1.0/24 subnet and have their gateway set to 192.168.1.1. They will need to access Internet by getting PNATed through OPNsense which will forward traffic to the Gateway IP 10.0.0.1.

So my questions is, how? I see how to add a Virtual IP. But I can't seem to get the firewall to respond on that new IP. It doesn't ping. I do see some traffic in the logs, but no ping response even after ensuring the traffic is allowed.

Thanks!

[Ciprian]

Hello!

You said "multiple subnets", but your description is a standard case of 1 WAN (10.0.0.0/26) + 1 LAN (192.168.1.0/24). If this is the case, the setup is standard and straightforward running the wizard or manually setting things up as a standard 1 WAN interface + 1 LAN interface. Why would you complicate setup with VIP (and even thinking about VLANs if there were no multi-tenant setup)? If there is more, please provide details...

[kyferez]

The point you missed is that I can only have 1 interface. I need all subnets on the one physical interface... Remember I can't use VLANs either.

[Ciprian]

Then use Virtual IPs on that one LAN interface.

Or, since a virtual environment, make a virtual switch on your virtualization environment, connect the virtual switch to the one physical interface of the host, then on the OPNsense appliance make as many guest interfaces you need, assign the needed IPs on each guest/ appliances' interfaces, connect them to that virtual switch, and voilà!...

Anyway and either way, you are going to share the bandwidth of that physical interface between the virtual interfaces, so, if possible, team/ bridge as many physical interfaces on the host as possible to have the required throughput for all of the virtual interfaces

[kyferez]

Second virtual adapter - not possible. This is a cloud system managed by a 3rd party provided for free for labbing up a Virtual environment and I don't have the ability to add another NIC.

Virtual IP on the LAN: I tried configuring one but it does not seem to work. I can't ping the VIP from another PC on the same subnet. I don't know if I'm missing something in the configuration. I added Firewall allow rules for that Subnet, and the firewall logs show an allowed packet for ICMP, but the VIP does not respond.

Thanks!

[bartjsmit]

If it is just a lab, why don't you nest a hypervisor? E.g. spin up a virtual ESXi and set up blind vSwitches (without a physical interface) to run your tests.

Bart...

[kyferez]

Resources per VM are too limited for that, but it might work for just the firewall; worth a try.

On a side note, I found out why the IP doesn't respond. OPNsense is routing the reply wrong. It's sending the reply ICMP packet to the default gateway mac instead of the source MAC. See attached. Note since original posting I've upgraded to 17.1.