Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Seeking advice on setting up wireguard on with a separate L3 switch?
« previous
next »
Print
Pages: [
1
]
Author
Topic: Seeking advice on setting up wireguard on with a separate L3 switch? (Read 410 times)
surfrock66
Newbie
Posts: 19
Karma: 0
Seeking advice on setting up wireguard on with a separate L3 switch?
«
on:
July 18, 2024, 09:10:48 pm »
I've been on a network learning journey and have built a network with an L3 switch and multiple vlans in my house. Opnsense is acting as the firewall for WAN connection. The architecture is, I have a 99 VLAN for network devices, then I have 7 VLANS in the house, all their gateways are my L3 switch, and all the VLANS with external access go through opnsense, which only has a LAN interface on my 99 (networking) VLAN, a WAN interface, and a wg0 interface.
Primarily, I tried to adapt this guide, though my separate L3 setup I think deviates heavily from this:
https://www.zenarmor.com/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense
I want to create a WireGuard VPN into the house (I had one working in a prior iteration of my network and have restarted, wiping that out). I'm having difficulty wrapping my head around the architecture of this. Ultimately, Wireguard clients would come in, I assume, on their own VLAN/subnet (I'm designating this 6). My opnsense box is connected to my L3 switch with a 2-port LACP trunk currently carrying VLANS 6 and 99.
My L3 switch (a brocade icx-6610) has a virtual interface on VLAN6, as at one point I assumed this would be my gateway device but maybe that is not necessary? Also, I'm assuming the wireguard network does NOT need DHCP, but it will need DNS (as I have both internal DNS resolution, and then upstream to a family-filter DNS provider for the kids) which is already on my LAN and easy enough to configure. Internal communication would require wireguard clients to go through the L3 switch then to their destination, and my assumption is WAN traffic would go directly back out the WAN interface of opnsense (after LAN dns resolution).
Everything I've done to try to make this work has been unsuccessful, so I'm willing to start this part of the system from scratch. I've set up the wireguard instance, I have a tunnel address, and my endpoints can actually successfully connect. I have a successful handshake from my phone from the WAN, and I can see it in the Wireguard status. Everything past this is lost, and I think it's because I'm so turned around in my routes/rules that I need to just reconsider that part of this from whole cloth.
Per the above guide, I have a firewall rule passing all traffic from the wg0 interface net to any destination.
My connected client can ping 8.8.8.8., can ping the opnsense box at the wg0 ip address, but CANNOT ping my LAN DNS server or any other LAN resources, so at this point it appears no routing is passed between the LAN VLANS whatsoever.
My instinct is that I need a second interface on the 6 VLAN that defines connects back to the L3 switch? At one point I had added a gateway called "LAN_GW_VLAN_6" on the wireguard interface but that broke things in a way that confused me and I just disabled it.
Any advice on what the interfaces, gateways, and routing/firewall rules would need to look like would be appreciated. High level is ok, as I'm very much learning.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Seeking advice on setting up wireguard on with a separate L3 switch?