Best Practice: OPNsense multiple LAN as double NAT behind ISP router

Started by IPghost, September 10, 2024, 10:37:38 AM

Hello OPNsense community,
I've been conducting some research and I've noticed that there is a lot of confusion surrounding the configuration of OPNsense behind an ISP router. In order to address this, I would like to create a Best Practice that covers all possible configuration scenarios.

This is the network:
                                                                   10.10.10.0/24
                                                                   10.10.20.0/24
                         192.168.178.0/24                          10.10.30.0/24
Internet - - - - - ISP router - - - - - - - - - - OPNsense ≡≡≡≡≡≡≡≡≡≡≡≡≡≡ ServerX
                   192.168.178.1                  192.168.178.102            10.10.10.X
                                                  10.10.10.1                 10.10.20.X
                                                  10.10.20.1                 10.10.30.X
                                                  10.10.30.1
                                                  10.10.0.1 (VPN)

- The ISP router is configured as Uplink Gateway in the OPNsense.

Now I need your assistance in defining the following rules, routes, and NATs:
> Communication between server networks must be prohibited.
> All servers must have internet access.
> All servers must be accessible from the internet via port forwarding on the ISP router and HA balancing on the OPNsense.
> A VPN should be established to connect to the 10.10.20.0/24 network.

Thank you for your effort and time
Dani

1. You cannot cover "all possible scenarios" - what you give here is your specific configuration needs and it will most likely not result in a "best practice".

2. You cannot have 192.168.178.0/24 as the inter-router LAN and 192.168.0.1 / 192.168.0.102 as the endpoint IPs. Choose one.

3. The configuration needed depends as much on the switches behind OpnSense and the ISP router before it as it does depend on OpnSense, yet you have not said what you use. Do not believe me? Well, first off, if you have subnets that differ from the ISP router's own LAN (192.168.{178/0}.0/24, depending on what you choose), namely 10.x.y.z, you will have to create routes to those on the ISP router, not on OpnSense. That will be necessary if you do not want to use NAT on OpnSense.
To make your servers accessible, you also will have to define port forwards at least on your ISP router (the latter may or may not have a setting like "exposed host") in order to make that easier. Same goes for VLANs, you will have to configure them on your switch(es), too.

4. You did not specify what type of VPN you want and what the other side is to be used for (site-2-site or road warrior).

There are guides in the forum for any sub-topic:

HA Proxying:

https://forum.opnsense.org/index.php?topic=38714.0
https://forum.opnsense.org/index.php?topic=23339.0

(Several guides for all VPN types (Wireguard, IPsec, OpenVPN))

(Several guides on how to create VLANs and secure them)

And as I said:

You will either have to forward the needed ports on your ISP router, too, plus set all routes to the needed subnets with OpnSense as the gateway (in this case, OpnSense only needs the ISP router as default gateway) OR:

you can use NAT on OpnSense in order to hide your VLANs. For access from outside, you will need port forwards on the ISP router, plus either a reverse proxy or another port forward on OpnSense.


That being said, if at all possible, I would avoid double NAT like the plague.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

>  I would like to create a Best Practice that covers all possible configuration scenarios.
.
.

> Now i need your assistance in defining the following rules, routes, and NATs:

You could have been a project manager in one of my previous employers. I.e. they claim they will do something, only to go away and ask somebody else to do it.
I thought from the first sentence that YOU were going to do it :)

Thank you for your quick response.

Quote from: meyergru on September 10, 2024, 11:40:12 AM
> You cannot have 192.168.178.0/24 as the inter-router LAN and 192.168.0.1 / 192.168.0.102 as the endpoint IPs.

Sorry, 192.168.0.0/24 was my old network, I corrected my post ;)

The ISP router is a FritzBox, with port forwarding configured to direct traffic to OPNsense.
The OPNsense router has four individual interfaces, each connected to completely separate networks (so no VLANs)
I assumed that setting the OPNsense as the default gateway for the 10.10.x.0/24 networks would be enough, since it has routes to all networks and knows the FritzBox as the internet gateway.

For VPN access, I'm using WireGuard, which is currently configured as a separate interface, with a rule allowing access to all networks and the internet.
But strangely I can't access the server 10.10.10.5, even though I can access the web interface of OPNsense at 10.10.10.1.

However, I'm having difficulty configuring the firewall rules correctly to provide internet access to the servers on each network and also keep them separated. HAProxy seems to be working fine, as I can access the VPN without issues.
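
The separation problem raised in the post above (internet access for every server network, but no traffic between 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24) comes down to rule order on each OPNsense interface. The following is an added example, not code from this thread or from OPNsense itself: a small first-match ("quick") evaluator for ordered pass/block rules, used to show why a plain "allow LAN net to any" rule on each interface leaves the server networks reachable from each other, and how a block rule on a private-networks alias placed above it fixes that without removing internet access. The subnets and gateway addresses are the ones from the diagram; the alias name "PrivateNetworks", the host 10.10.10.5, the VPN client 10.10.0.2 and the test flows are assumptions constructed for the demonstration.

```python
"""First-match model of per-interface OPNsense firewall rules (added example).

Not code from the thread or from OPNsense. It models pf's "quick" semantics:
the first rule that matches decides, and anything no pass rule matches is
blocked by default, which is also how OPNsense behaves.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Equivalent of an OPNsense alias "PrivateNetworks" holding the RFC1918 ranges
# (name assumed for this example).
PRIVATE_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ip_network("0.0.0.0/0")]
VPN_NET = [ip_network("10.10.0.0/24")]  # WireGuard interface from the diagram


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    src: list     # list of IPv4Network
    dst: list     # list of IPv4Network
    comment: str = ""


def _matches(nets, addr):
    return any(addr in n for n in nets)


def evaluate(rules, src, dst):
    """Action of the first matching rule; default deny like OPNsense."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule.src, s) and _matches(rule.dst, d):
            return rule.action
    return "block"


def naive_rules(lan_net):
    # What a freshly configured interface commonly gets: everything out.
    # "any" includes the other 10.10.x.0/24 networks, so they are reachable.
    return [Rule("pass", [lan_net], ANY, "allow LAN net to any")]


def isolated_rules(lan_net, gateway_ip):
    # 1. keep the interface's own address reachable (GUI, DNS on OPNsense),
    # 2. block every other private destination (other server nets, FritzBox LAN),
    # 3. only then allow the rest, which is effectively the internet.
    return [
        Rule("pass", [lan_net], [ip_network(f"{gateway_ip}/32")], "allow access to this interface"),
        Rule("block", [lan_net], PRIVATE_NETWORKS, "block PrivateNetworks alias"),
        Rule("pass", [lan_net], ANY, "allow internet"),
    ]


def build_policy(isolated):
    """Per-interface rule sets keyed by the interface's subnet."""
    gateways = {
        "10.10.10.0/24": "10.10.10.1",
        "10.10.20.0/24": "10.10.20.1",
        "10.10.30.0/24": "10.10.30.1",
    }
    sets = []
    for net, gw in gateways.items():
        n = ip_network(net)
        sets.append((n, isolated_rules(n, gw) if isolated else naive_rules(n)))
    # WireGuard interface: allowed to reach all networks and the internet,
    # as described in the post. Replies from servers are covered by state,
    # so the server interfaces need no extra pass rule towards the VPN.
    sets.append((ip_network("10.10.0.0/24"), [Rule("pass", VPN_NET, ANY, "VPN to everything")]))
    return sets


def policy(interface_rulesets, src, dst):
    """Pick the ingress interface by source subnet, then evaluate its rules."""
    s = ip_address(src)
    for net, rules in interface_rulesets:
        if s in net:
            return evaluate(rules, src, dst)
    return "block"


if __name__ == "__main__":
    for label, p in (("naive", build_policy(False)), ("isolated", build_policy(True))):
        for src, dst in (("10.10.10.5", "10.10.20.5"), ("10.10.10.5", "8.8.8.8"),
                         ("10.10.10.5", "192.168.178.1"), ("10.10.0.2", "10.10.20.5")):
            print(f"{label:8} {src} -> {dst}: {policy(p, src, dst)}")
```

The model only covers the policy decision. Whether a server actually reaches the internet afterwards still depends on the routing question from meyergru's reply: either outbound NAT on the OPNsense WAN side, or static routes for the 10.10.x.0/24 networks on the FritzBox pointing at 192.168.178.102. Blocking the whole 192.168.0.0/16 range as above also cuts the servers off from the FritzBox LAN, which is the intended isolation, but remember it if something on that segment (a printer, a NAS) is supposed to remain reachable.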

If one has control over the ISP router to use port forwarding, add routes, etc., it's probably not best practice to use double NAT, because that makes it unnecessarily hard to expose hosts behind the OPNsense.