
Using OPNsense with a separate Layer 3 Switch, SVI, and Routing


iTninjasaki:
I want OPNsense to act solely as a firewall and to do NAT translation for me. I have a robust Layer 3 switch I'm using to do my routing by utilizing SVI. What's the best implementation of this? And what advice would you offer or best practices would you point out? A point to point between the firewall and the switch? Do I need to build those VLANs on OPNsense as well? Any advice is appreciated.

Livius:
Hi iTninjasaki, have you found a solution for it?

I'm stuck with NAT and a layer 3 switch, RVI.
My setup:

OPNsense
LAN: 192.168.40.1  /24

VLANS
192.168.41.0 /24
192.168.42.0  /24

Switch
LAN IP: 192.168.40.5
GW: 192.168.40.1
And IP in each VLAN for RVI:
GW: 192.168.41.1
GW: 192.168.42.1

Because the switch doesn't do NAT, I configured in OPNsense a new gateway on the LAN interface, the switch IP:
GW2: 192.168.40.5.

And added the two static routes to VLANs via GW2.

The problem is that OPNsense doesn't NAT the traffic from the VLAN client.
I've tried with Hybrid Outbound rules and Manual Outbound rules, without luck, so I'm stuck.

I sent a ping from a VLAN client (192.168.41.10) to a public IP while running Wireshark.
OPNsense did the routing; the packet was captured.
But the source IP inside the packet was 192.168.41.10, not the WAN IP as expected.

I believe that NAT occurs only when the source IP is part of OPNsense LAN.

The not so smart solution:
Add OPNsense in each VLAN as a secondary gateway and configure static permanent routes in each client, inter-VLAN traffic goes to IRB, Internet traffic goes to OPNsense.
Something like:

RVI: 192.168.41.1  /24  and 192.168.41.2  /24
OPNsense: 192.168.41.2 /24 and 192.168.42.2 /24


The smart solution:
Figure out why it doesn't do NAT to an IP which is not part of its network (LAN).
Livius:
After a few days full of attempts, the solution was pretty basic; just by reading the help carefully I solved it.
The Outbound rule should be configured as:
Hybrid outbound

And a rule for each VLAN:
Interface: WAN
Source:   192.168.41.0/24
NAT Address: Interface address
and
Interface: WAN
Source:   192.168.42.0/24
NAT Address: Interface address

Outbound NAT only controls what happens to traffic as it leaves an interface. It does not control the interface through which traffic will exit the firewall. That is handled by the routing table (Static Routes) or policy routing (Policy routing).
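To make the fix concrete, here is what Livius's two hybrid outbound NAT rules correspond to in FreeBSD pf syntax, written as an added example (not code from the thread or from the OPNsense project). The interface names em0 (WAN) and em1 (LAN, 192.168.40.1/24) are assumptions; OPNsense generates its own ruleset from the GUI, so this is for reading and verifying, not for pasting into pf.conf.

```pf
# Added example (not from the thread): the pf rules that correspond to
# Livius's two hybrid outbound NAT rules, in FreeBSD pf.conf syntax.
# Interface names are assumptions: em0 = WAN, em1 = LAN (192.168.40.1/24).
# OPNsense generates its own ruleset from the GUI; use this to read what
# "pfctl -s nat" should show, not to edit pf.conf by hand.

wan_if = "em0"
lan_if = "em1"
vlan_nets = "{ 192.168.41.0/24, 192.168.42.0/24 }"

# Outbound NAT for the routed VLAN subnets. "($wan_if)" is the WAN interface
# address evaluated dynamically, i.e. "NAT Address: Interface address".
# Without these rules a packet from 192.168.41.10 leaves WAN with its
# private source address intact, which is what the Wireshark capture showed.
nat on $wan_if inet from 192.168.41.0/24 to any -> ($wan_if)
nat on $wan_if inet from 192.168.42.0/24 to any -> ($wan_if)

# The VLAN traffic reaches OPNsense on the LAN interface via the switch, so
# the LAN pass rule must match those sources. OPNsense's "LAN net" alias only
# covers 192.168.40.0/24, so a rule naming the VLAN subnets is required.
pass in quick on $lan_if inet from $vlan_nets to any keep state

# The return path is routing, not NAT: the static routes from the post
# (192.168.41.0/24 and 192.168.42.0/24 via 192.168.40.5) live in the
# routing table, which is why "Outbound NAT ... does not control the
# interface through which traffic will exit".
```

Two checks are worth running after saving the rules: `pfctl -s nat` on OPNsense should list a translation rule per VLAN subnet on the WAN interface, and a capture on WAN such as `tcpdump -ni em0 src net 192.168.0.0/16` should stay empty; any hit means a private source address is still leaving untranslated, exactly the symptom in the original capture. One caveat with this design: traffic between 192.168.41.0/24 and 192.168.42.0/24 is routed on the switch and never reaches OPNsense, so any filtering between VLANs has to be done with the switch's own ACLs.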

bimbar:
The real answer is, you should not use a switch as a router unless you have to, if you have a better device to do routing and firewalling for you.
The only real reason in small networks to use routing on a switch is performance.
