Nat masquerade between vlan

Started by slusk, May 01, 2021, 12:38:17 AM

Hi.
I have just moved over from UniFi to OPNsense and I am starting to get the hang of it.
But one thing I can't get to work, or understand how to fix, is masquerading the traffic between 2 VLANs.
I need it to be able to access some Xiaomi hardware on my IoT VLAN from my main VLAN. It refuses traffic from anything other than its own VLAN.

Is this possible to fix on OPNsense, and if so, how?  ::)

On UniFi I could load it using a JSON file like this... hope it helps my bad description.


{
   "service":{
      "nat":{
         "rule":{
            "5010":{
               "description":"IoT",
               "destination":{
                  "address":"192.168.20.0/24"
               },
               "log":"disable",
               "outbound-interface":"eth0.20",
               "protocol":"all",
               "source":{
                  "address":"192.168.1.0/24"
               },
               "type":"masquerade"
            }
         }
      }
   }
}

Outbound NAT rule on the IoT interface?

You can do it the way I do it between my primary VLAN and my IOT VLAN. Primary can talk to any device on my IOT, IOT devices have no access to anything on the primary VLAN.

On your Primary VLAN you add a rule; this one should be there already, but if not:

Action: Pass
Proto: IPv4/6
Source: Any
Dest: Any

and on the IOT VLAN

Action: Block
Proto: IPv4/6
Source: Any
Dest: VLAN_Net

There are some others to block/allow specifics, but that's the basics.

Quote from: Greelan on May 01, 2021, 01:33:39 AM
Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how :D

Quote from: marjohn56 on May 01, 2021, 10:15:36 AM
You can do it the way I do it between my primary VLAN and my IOT VLAN. Primary can talk to any device on my IOT, IOT devices have no access to anything on the primary VLAN.

On your Primary VLAN you add a rule; this one should be there already, but if not:

Action: Pass
Proto: IPv4/6
Source: Any
Dest: Any


and on the IOT VLAN

Action: Block
Proto: IPv4/6
Source: Any
Dest: VLAN_Net

There are some others to block/allow specifics, but that's the basics.


The VLAN separation is working as it should already.
The problem is that the Xiaomi equipment rejects the connection if it's coming from another subnet.
Therefore I need to masq it so that it can't see that it's coming from another subnet, or else I won't be able to get the stuff into Home Assistant :(

Quote from: slusk on May 01, 2021, 12:56:29 PM
Quote from: Greelan on May 01, 2021, 01:33:39 AM
Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how :D
Enable hybrid mode, then in the rule make the translation/target "interface address", the rest should be self-explanatory
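For reference, this is roughly what the combination of marjohn56's isolation rules and Greelan's outbound NAT with "Interface address" looks like once OPNsense has turned it into pf rules. It is an added illustration written for this thread, not code from the forum or the OPNsense project; the interface names vlan0.1 / vlan0.20 and the reading of VLAN_Net as the main VLAN's network are assumptions, and the GUI remains the place to configure it.

```pf
# Assumed names (not from the thread): vlan0.1 carries the main VLAN,
# vlan0.20 carries the IoT VLAN; VLAN_Net in marjohn56's block rule is
# taken to mean the main VLAN's network.
main_if  = "vlan0.1"
iot_if   = "vlan0.20"
main_net = "192.168.1.0/24"
iot_net  = "192.168.20.0/24"

# Outbound NAT on the IoT interface (Firewall > NAT > Outbound, hybrid
# mode, translation "Interface address"). Flows from the main VLAN to
# the IoT VLAN leave with the firewall's own IoT-side address, so the
# Xiaomi device sees a same-subnet peer. Replies are un-NATed by the
# state entry, so no reverse rule is needed.
nat on $iot_if inet from $main_net to $iot_net -> ($iot_if)

# Main VLAN: pass everything (marjohn56's "Pass / IPv4+6 / Any / Any").
pass in quick on $main_if from any to any keep state

# IoT VLAN: block anything aimed at the main VLAN, then let the rest
# (Internet) through. Order matters: the block must come first.
block in quick on $iot_if from any to $main_net
pass in quick on $iot_if from any to any keep state

# Checks after applying in the GUI (run on the firewall shell):
#   pfctl -s nat                        # the generated nat rule is listed
#   pfctl -s state | grep 192.168.20.   # states show the translated source
# Caveat: the IoT device's own logs will now record the firewall's
# address rather than the real client, so keep firewall logging on for
# the NAT'd flows if you need to attribute traffic later.
```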

Quote from: Greelan on May 01, 2021, 01:14:58 PM
Quote from: slusk on May 01, 2021, 12:56:29 PM
Quote from: Greelan on May 01, 2021, 01:33:39 AM
Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how :D
Enable hybrid mode, then in the rule make the translation/target "interface address", the rest should be self-explanatory

Yes this did the trick! Thx! :)

Glad you could replicate your previous setup on UniFi.

But instead of doing NAT, have you looked at the udpbroadcastrelay plugin: https://github.com/marjohn56/udpbroadcastrelay. Installable under the plugins tab. As I understand it, the issue is Xiaomi devices using multicast, which of course can't cross VLANs without help.

Hello,

This is my first post here.

I'm having a similar problem to slusk's because I cannot access my Bose soundbar from a different VLAN than the one the soundbar is on (it's on VLAN1). I can access all open ports on Bose from the same VLAN, so I created a temp rule to allow all traffic from VLAN3 to VLAN1, but Bose did not respond to any traffic (icmp, http,...). I believe Bose is responding only to devices in the same subnet. Later, I created a Virtual IP inside VLAN1 and a port forward rule from VLAN3 to Bose IP through this Virtual IP. Still no success (firewall allow rule still exists).

I also tried with NAT outbound rule but didn't manage to get it working.

Please help. If you need any detailed info please let me know.

Thanks and best regards,
Jure

Quote from: slusk on May 02, 2021, 01:47:02 PM
Quote from: Greelan on May 01, 2021, 01:14:58 PM
Quote from: slusk on May 01, 2021, 12:56:29 PM
Quote from: Greelan on May 01, 2021, 01:33:39 AM
Outbound NAT rule on the IoT interface?

This seems to be the way, I will just need to figure out how :D
Enable hybrid mode, then in the rule make the translation/target "interface address", the rest should be self-explanatory

Yes this did the trick! Thx! :)

Any chance you would be able to share exactly what you did? I'm trying to do something similar, and you know when you look at something so much you just start seeing different things....

Thanks

Quote from: marjohn56 on May 01, 2021, 10:15:36 AM
You can do it the way I do it between my primary VLAN and my IOT VLAN. Primary can talk to any device on my IOT, IOT devices have no access to anything on the primary VLAN.

On your Primary VLAN you add a rule; this one should be there already, but if not:

Action: Pass
Proto: IPv4/6
Source: Any
Dest: Any

and on the IOT VLAN

Action: Block
Proto: IPv4/6
Source: Any
Dest: VLAN_Net

There are some others to block/allow specifics, but that's the basics.
So, how do you deal with, say, an RPi PiHole on the Primary VLAN? I guess that would require another static rule...