Nat masquerade between vlan

[slusk]

Hi.
I have just moved over from Unifi to Opnsense and I am starting to get a hang of it.
But one thing I cant get to work or understand how to fix is to masq the traffic between 2 vlans.
I need it to be able to access some Xiaomi hardware on my IoT Vlan from my main vlan. It refuses traffic from other than its own vlan.

Is this possible to fix on opnsense and in that case how? 

On Unifi I could load it using a json file like this.. hope it helps my bad description.

Code: [Select]

{
   "service":{
      "nat":{
         "rule":{
            "5010":{
               "description":"IoT",
               "destination":{
                  "address":"192.168.20.0/24"
               },
               "log":"disable",
               "outbound-interface":"eth0.20",
               "protocol":"all",
               "source":{
                  "address":"192.168.1.0/24"
               },
               "type":"masquerade"
            }
         }
      }
   }

[Greelan]

Outbound NAT rule on the IoT interface?

[marjohn56]

You can do it the way I do it between my primary VLAN and my IOT VLAN. Primary can talk to any device on my IOT, IOT devices have no access to anything on the primary VLAN.

On your Primary VLAN you add a rule, this one should be there already, but if not.

Action: Pass
Proto: IPv4/6
Source: Any
Dest: Any

and on the IOT VLAN

Action: Block
Proto: IPv4/6
Source: Any
Dest: VLAN_Net

There are some others to block/allow specifics, but that's the basics.

[slusk]

Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how

[slusk]

You can do it the way I do it between my primary VLAN and my IOT VLAN. Primary can talk to any device on my IOT, IOT devices have no access to anything on the primary VLAN.

On your Primary VLAN you add a rule, this one should be there already, but if not.

Action: Pass
Proto: IPv4/6
Source: Any
Dest: Any


and on the IOT VLAN

Action: Block
Proto: IPv4/6
Source: Any
Dest: VLAN_Net

There are some others to block/allow specifics, but that's the basics.

The VLAN separation is working as it should all ready.
the problem is that the Xiaomi equipment reject the connection if its coming from another subnet.
There for I need to masq it so that it cant see that it coming from another subnet or else I wont be able to get the stuff info Home Assistant

[Greelan]

Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how

Enable hybrid mode, then in the rule make the translation/target “interface address”, the rest should be self-explanatory

[slusk]

Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how

Enable hybrid mode, then in the rule make the translation/target “interface address”, the rest should be self-explanatory

Yes this did the trick! Thx!

[Greelan]

Glad you could replicate your previous setup on UniFi.

But instead of doing NAT, have you looked at the udpbroadcastrelay plugin: https://github.com/marjohn56/udpbroadcastrelay. Installable under the plugins tab. As I understand it, the issue is Xiaomi devices using multicast, which of course can’t cross VLANs without help.