Configuring outbound access for multiple subnets on a layer 3 switch

[kurtbuff]

All,

I've got Opnsense up and running, and behind it I have a Ubiquiti layer 3 switch.

I struggled for a while, but finally figured out that I needed to add a rule on the firewall to allow a subnet access to the firewall.

So far, I have this:

Internet <> OpnSense <172.31.255.0/24 > Ubiquiti <172.31.120.0/24

Hosts on the 120.0 subnet can get to, but not beyond, the firewall. By this I mean that from a host on the 120.0 subnet, I can ping and log to the opnsense box via ssh/https, but I can't ping e.g. 8.8.8.8, nor get DNS requests from 8.8.8.8. I see lots of denies from the default deny rule for these hosts.

Requests for configs happily provided, I've got the config xml file available for perusal.

Thanks,

Kurt

[Maurice]

You need to add an outbound NAT rule for the 172.31.120.0/24 subnet.

Cheers

Maurice

[kurtbuff]

I've added a LAN rule that allows icmp to the firewall from 172.31.120.0/24, and that works. I can ping from that subnet to the firewall (at 172.31.255.1), and get echo responses.

I've configured the firewall for "Hybrid outbound NAT rule generation", and hosts on the 172.31.255.0/24 subnet can get out just fine.

I then added a manual rule to the outbound NAT set for 172.31.120.0/24, and that wasn't sufficient to allow traffic from a host on 172.31.120.0/24 out to the Internet.

I also added a LAN rule for ICMP from 172.31.120.0/24 to the "WAN net" destination, and still can't ping 8.8.8.8 from a host on that subnet.

I then deleted those rules, and tried a floating rule, where I selected the LAN and WAN interfaces, the direction of out, protocol icmp with type of echo request, the source of 172.31.120.0/24, and the destination of "WAN net", and then "any". Still no joy.

I'm baffled.

[Maurice]

You say hosts in 172.31.255.0/24 do have working Internet access. Is there any difference between your firewall rules for this subnet and the 172.31.120.0/24 subnet? Do you still see denies in the firewall log?
Did you add the Ubiquiti device as a gateway to OPNsense and configure a static route to 172.31.120.0/24 via this gateway?
Can you rule out misconfiguration of the Ubiquiti device?

Cheers

Maurice

[kurtbuff]

The Ubiquiti switch is the gateway to the 172.31.120.0/24 subnet.

The only rules for 172.31.255.0/24 are the automatically generated ones. I haven't configured any rules for that subnet.

I do see denies for the pings from 172.31.120.0/25 in the live firewall log, though interestingly I don't see allow entries in the live log for pings from that subnet to the firewall. Kinda weird.

I can ping from the firewall across the Ubiquiti to the host in 172.31.120.0, and vice versa. I'm uploading screenshots of the web interface to provide more precise information.

Kurt