[Solved] Multiple Subnets Behind L3 switch

Started by devrandom, April 30, 2021, 04:45:28 PM

April 30, 2021, 04:45:28 PM Last Edit: May 02, 2021, 03:07:58 AM by devrandom
I am having issues getting my Subnets (behind a L3 switch) to be able to connect to the internet. I am reasonably sure my switch configuration is good as I've had this exact topology working with my Unifi Security Gateway (what I'm trying to replace) as well as a SonicWall and OpenBSD before that. I've attached a diagram of my topology.

My setup:

OPNsense LAN: 10.1.0.0/24
OPNsense LAN IP: 10.1.0.1
L3 Switch LAN IP: 10.1.0.254
Workstations Subnet: 10.1.1.0/24
Servers Subnet: 10.1.2.0/24
Wireless Subnet: 10.1.3.0/24

What works:
- All subnets can ping each other and ping the OPNsense LAN IP (10.1.0.1)
- Any devices on the OPNsense LAN (10.1.0.0/24) can ping the other subnets behind the L3 switch and ping addresses on the internet.

What doesn't work:
- None of the subnets behind the L3 switch can ping the internet

What I've done:
- Created a gateway to the L3 switch.
- Created static routes for the subnets
- Tried creating firewall rules to allow the subnets through the firewall
- Tried disabling Static Route Filtering

Logs:
- When I try to ping external addresses from the subnets behind the L3 switch, I don't see any corresponding log entries. This makes me think it's a routing or NAT issue even though all those subnets can ping the LAN IP of OPNsense.

The only other thing I haven't tried (after reading another post on VPN) that I will when I get home is creating an Outbound NAT rule.

I'm at work and will have to wait until I get home to try this.

But I'm curious if anyone else has any suggestions for things I might be missing.


I have a similar setup, with a layer3 Mikrotik router on the LAN side of my home network. In order to get those subnets internet access I:

- Created a Firewall alias for the lab network
- Added an outbound NAT rule for the lab network alias to allow WAN access

After I did that, the lab network VMs could route to and from the internet.
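As an added illustration (not code from this thread or from OPNsense), here is a small Python model of the two decisions that matter in this topology: routing, which the static routes via the L3 switch already handle, and outbound NAT coverage, which the alias plus outbound NAT rule fixes. The addresses are the ones from the first post; the alias name `Lab_Nets`, the WAN address and the matching logic are assumptions, not OPNsense's own implementation.

```python
import ipaddress
# Topology from the thread (the poster's addresses); everything else is constructed.
OPNSENSE_LAN = ipaddress.ip_network("10.1.0.0/24")
L3_SWITCH_IP = ipaddress.ip_address("10.1.0.254")
ROUTED_SUBNETS = {
    "Workstations": ipaddress.ip_network("10.1.1.0/24"),
    "Servers": ipaddress.ip_network("10.1.2.0/24"),
    "Wireless": ipaddress.ip_network("10.1.3.0/24"),
}
# The static routes the poster created: each routed subnet via the L3 switch.
STATIC_ROUTES = {net: L3_SWITCH_IP for net in ROUTED_SUBNETS.values()}

# Outbound NAT source networks before and after the fix. "Lab_Nets" is an
# assumed alias name standing in for the alias the second post describes.
NAT_SOURCES_BEFORE = [OPNSENSE_LAN]
LAB_NETS_ALIAS = list(ROUTED_SUBNETS.values())
NAT_SOURCES_AFTER = [OPNSENSE_LAN, *LAB_NETS_ALIAS]

def next_hop(dst):
    """Where OPNsense forwards a packet to dst: attached LAN, static route, or WAN."""
    dst = ipaddress.ip_address(dst)
    if dst in OPNSENSE_LAN:
        return "directly attached (LAN)"
    # Longest-prefix match over the static routes, then the default route.
    matches = [net for net in STATIC_ROUTES if dst in net]
    if matches:
        best = max(matches, key=lambda net: net.prefixlen)
        return f"via {STATIC_ROUTES[best]}"
    return "default route (WAN)"

def translated_source(src, nat_sources, wan_ip="203.0.113.10"):
    """Source address a packet leaves WAN with (wan_ip is a constructed TEST-NET
    value). With no matching outbound NAT rule the private source goes out
    unchanged, so the remote end has no routable address to reply to."""
    src = ipaddress.ip_address(src)
    return wan_ip if any(src in net for net in nat_sources) else str(src)

def subnets_without_nat(nat_sources):
    """Routed subnets not covered by any outbound NAT source network."""
    return [name for name, net in ROUTED_SUBNETS.items()
            if not any(net.subnet_of(src) for src in nat_sources)]

if __name__ == "__main__":
    for name, net in ROUTED_SUBNETS.items():
        host = str(net[10])
        print(name, host, next_hop(host), translated_source(host, NAT_SOURCES_BEFORE),
              translated_source(host, NAT_SOURCES_AFTER))
    print("uncovered before:", subnets_without_nat(NAT_SOURCES_BEFORE))
    print("uncovered after:", subnets_without_nat(NAT_SOURCES_AFTER))
```

Swap in your own subnet list and NAT source networks to see which routed subnets would still leave the WAN interface untranslated.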


Thank you very much!

That was exactly what I needed to do and everything is humming along happily now.