Two LAN/subnets; cannot connect from one to other - Firewall rules?

Started by MarvinParanoidAndroid, March 25, 2019, 12:08:00 AM

Hi!

So I have a (hopefully) simple question.

I have my system configured like this:
- OPNsense (with clients on range 192.168.0.2-100).
- One of those IPs is another router, "Router2", which has additional clients connected in the range 10.0.0.2 - 10.0.0.100.

From clients connected to Router2 I can hit my OPNsense-router control-panel/SSH, but I cannot SSH into any clients connected to OPNsense (example: 192.168.1.50) via LAN.

If I hit my WAN-IP (from my Router2-client) on a forwarded port to 192.168.1.50 I can get it... But that's pretty inconvenient.

Is there a simple FW-LAN rule to add to allow LAN-traffic coming from Router2 (10.0.0.x-range) to OPNsense clients (192.168.1.x)?


PS: I set the system up with two subnets like this to disallow traffic from 192.168.1.x being able to see clients connected to Router2 (10.0.0.x). I.e. I can ping 192.168.1.50 from 10.0.0.3 but not the other way around.

Would greatly appreciate any input :)

Are you using NAT or doing real routing in router2? If the latter, do you have a reverse route on OPNsense to your router2?


   WAN / Internet
            :
            :
            :
      .-----+-----.
      |  OPNsense | 10.0.0.0/24 --> 192.168.1.router2-IP
      '-----+-----'  0.0.0.0/0 --> Internet
            |
        192.168.1.0/24
            |
      .-----+------. 
      |  router2   | 0.0.0.0/0 --> 192.168.1.1
      '-----+------'   
            |
        LAN | 10.0.0.0/24
            |
            |
    ...-----+------... (Clients/Servers)
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

Thank you for responding hbc - I appreciate it :)

I am doing "real routing" in router2 (Dual NAT?), and I don't believe that I am having a reverse route configured on OPNsense. How can I verify this? Sorry; I am just an amateur so I don't have much experience with networking.

I attached a network topology map to ensure that you know what I am talking about. The issue is that the "light blue" clients on the left hand side cannot reach the "light green" ones to the far right.

I've seen others on here upload their OPNsense network configuration. Is that something which would be beneficial? If so, how should I do it without exposing any personal information? :)

Routing and Dual NAT? Please decide what you are using.

If you are doing Dual-NAT, then your 10.0.0.0/24 addresses are rewritten to 192.168.1.100 (1st NAT) and your company clients just see 192.168.1.100 as source address. When your 10.0.0.0/24 clients connect to internet, they get rewritten to 192.168.1.100 in 1st step (1st NAT) on your router2 and in 2nd step (2nd NAT) to your WAN-IP (on opnsense).

Problem: Your company clients cannot reach your private clients without port forwarding. Your company clients just see 192.168.1.100 as source address, but not the real IP within the 10.0.0.0/24 network.

If you do real routing, you do not need any NAT/masquerading rule on your router2, but proper routes. Your clients in 10.0.0.0/24 network have router2 as gateway. Every network that is not directly attached (everything else that is not 10.0.0.0/24) gets forwarded to router2. It will then deliver 192.168.1.0/24 traffic direct to clients and forward everything else to your opnsense.

And now the important thing about the reverse route. If a client in 10.0.0.0/24 sends traffic to 192.168.1.0/24 with router2 as gateway, everything works this way, BUT your company clients do not know that 10.0.0.x is behind router2. So they send the reply to their default gateway (opnsense). And without a reverse route opnsense does not know either where to send 10.0.0.0/24 packets and routes them to its default gateway (=WAN), where they will get dropped due to the "do not route private networks" policy.

So either you have to tell every company client that router2 is gateway for 10.0.0.0/24 or you create a static route on opnsense that points to router2.

System: Gateways: Single --> router2 (192.168.1.100)
System: Routes: Configuration --> 10.0.0.0/24 - Gateway router2

Then company clients that want to send traffic to 10.0.0.0/24 forward the traffic to opnsense. opnsense knows that it has to forward packets to 192.168.1.100 (router2) for this network, and router2 finally knows 10.0.0.0/24, since it is directly attached.


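The reverse-route argument above can be checked by simulating longest-prefix-match forwarding across the four hops in the thread's diagram. The following is an added example (not code from the thread or from OPNsense) that models the "real routing" case: it traces the SSH packet from 10.0.0.3 to 192.168.1.50 and then the reply, once with OPNsense's default routing table and once with the static route 10.0.0.0/24 via router2 (192.168.1.100). The LAN-side addresses 10.0.0.1 for router2 and 192.168.1.1 for OPNsense are assumptions; the subnets, 192.168.1.100 and the example hosts come from the thread.

```python
import ipaddress

# Constructed model of the thread's topology ("real routing" on router2, no NAT).
# 10.0.0.1 (router2 LAN side) and 192.168.1.1 (OPNsense LAN side) are assumed addresses.
WAN = "WAN"  # pseudo next hop: OPNsense's default route towards the internet


def build_nodes(opnsense_has_reverse_route):
    """Route tables per node as (prefix, next hop); 'direct' means the prefix is attached."""
    opnsense_routes = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", WAN)]
    if opnsense_has_reverse_route:
        # System: Routes: Configuration --> 10.0.0.0/24 via gateway router2 (192.168.1.100)
        opnsense_routes.append(("10.0.0.0/24", "192.168.1.100"))
    return {
        "client-A": {"addrs": ["10.0.0.3"],
                     "routes": [("10.0.0.0/24", "direct"), ("0.0.0.0/0", "10.0.0.1")]},
        "router2":  {"addrs": ["10.0.0.1", "192.168.1.100"],
                     "routes": [("10.0.0.0/24", "direct"), ("192.168.1.0/24", "direct"),
                                ("0.0.0.0/0", "192.168.1.1")]},
        "opnsense": {"addrs": ["192.168.1.1"], "routes": opnsense_routes},
        "client-B": {"addrs": ["192.168.1.50"],
                     "routes": [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "192.168.1.1")]},
    }


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route matches."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def owner(nodes, ip):
    """Name of the node that holds the given address."""
    for name, node in nodes.items():
        if ip in node["addrs"]:
            return name
    raise KeyError(ip)


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet hop by hop; return (nodes visited, fate)."""
    path = [owner(nodes, src)]
    for _ in range(max_hops):
        nexthop = lookup(nodes[path[-1]]["routes"], dst)
        if nexthop == WAN:
            # OPNsense's "do not route private networks" policy: RFC1918
            # destinations are never sent out of the WAN interface.
            if ipaddress.ip_address(dst).is_private:
                return path, "dropped at WAN (private destination)"
            return path + [WAN], "sent to internet"
        if nexthop == "direct":
            return path + [owner(nodes, dst)], "delivered"
        if nexthop is None:
            return path, "no route"
        path.append(owner(nodes, nexthop))
    return path, "loop"


if __name__ == "__main__":
    for has_route in (False, True):
        nodes = build_nodes(has_route)
        print("reverse route on OPNsense:", has_route)
        print("  10.0.0.3 -> 192.168.1.50:", trace(nodes, "10.0.0.3", "192.168.1.50"))
        print("  192.168.1.50 -> 10.0.0.3:", trace(nodes, "192.168.1.50", "10.0.0.3"))
```

The forward packet is delivered either way, because router2 has 192.168.1.0/24 directly attached. The reply is what breaks: 192.168.1.50 hands it to its default gateway, and without the static route OPNsense only has 0.0.0.0/0 for 10.0.0.3, so the reply is dropped at WAN. Adding the route sends it back to 192.168.1.100, where router2 delivers it on its attached 10.0.0.0/24 link. This is also why a working ping from 10.0.0.3 to 192.168.1.50 hints at NAT on router2: in the routed model the echo reply could not come back without this route.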

Thanks a lot for your comprehensive answer! I have been very busy the last few days so I haven't been able to test reverse route yet. Will look into it and (hopefully) figure it out.

Thanks again!