[Solved] Cannot route Subnet (VLAN) over VPN using gateway OPNsense 23.1.3

Started by someone1337, April 25, 2023, 12:21:47 AM

I'm hitting a roadblock here, and not sure how to make my routes work correctly.

Basics:

LAN: 10.35.35.1/24

Several [wireguard] VPN connections configured via https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html, and working perfectly via selective IP addresses (aliases).  I also have gateways to each of the VPN tunnels.  Everything works perfectly.

Recently, I added a WAP that allows me to tag a certain WiFi network with VLAN, so I'm trying to create a WiFi network that, when connected to, routes automatically over one of my VPN connections.

The VLAN in question is "VLAN20" ... and no matter how I specify the routing, I can't get VLAN20-tagged packets to route over the VPN.  DHCP is working for VLAN20 (192.168.20.1/24), and I get good addresses when I connect; just no internet (over the VPN) when connected.

From my understanding, this requires two new rules:

  • Direction to send VLAN20 packets to the VPN_gateway
  • NAT outbound rule to change anything in the VLAN20 net to the VPN interface's address

I have tried forcing VLAN20 packets to use the VPN_gateway via:

  • Firewall -> Rules -> VLAN20 (* * * * VPN_gateway)
  • Firewall -> Rules -> LAN (VLAN20 Net * * * VPN_gateway)

And added the NAT:
Firewall -> NAT -> Outbound (VPN_interface VLAN20 net * * * Interface address *)

But no matter which way I force the gateway, no connected clients get internet through the VPN_gateway.

I even tried hard-coded IPv4/32 addresses in both Firewall rules and NAT ... still no internet through VPN_gateway.

I have read other tutorials online that seem to indicate I am addressing the right rules, but I cannot get connected clients within VLAN20 to use the VPN_gateway.

:(

Can anyone help me with the rules I am bungling or missing?

I finally figured out a combination of rules that will allow this routing to happen.  Here's what I did:

In Firewall -> Rules -> VLAN20, I have:

  • (IPv4  VPN_hosts_alias  *  !RFC1918_Networks  *  VPN_gateway  *)
  • (IPv4 * * * * * *)

I have DHCP set up on VLAN20 to serve 192.168.20.100-192.168.20.225 ... so, I added this range to VPN_hosts_alias.

Adding the DHCP range to VPN_hosts_alias takes care of the NAT translation to the VPN interface's address, since I already have the NAT rule set up for that alias.

Now, anything that connects to my VLAN20 automatically gets routed to VPN ... excellent!
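To make the rule semantics behind the working configuration concrete, here is a small model of OPNsense/pf first-match ("quick") policy routing and outbound NAT, evaluated against the rule sets from this thread. It is an added example, not code from the post, from OPNsense, or from the selective-routing how-to. The alias names, the VLAN20 DHCP pool and the rule order come from the post; the interface names, the WireGuard interface address 10.2.0.2 and the LAN host 10.35.35.50 in the alias are assumptions, and automatic WAN NAT is left out.

```python
"""Model of OPNsense/pf first-match policy routing plus outbound NAT.

Added example (not from the forum post or OPNsense). Interface names,
the WireGuard interface address 10.2.0.2 and the LAN host 10.35.35.50
are assumed; alias names, rule order and the VLAN20 DHCP pool follow
the thread. Automatic NAT on WAN is intentionally not modelled.
"""
import ipaddress
from typing import Optional

# Aliases as they would appear under Firewall -> Aliases (hosts, CIDRs, ranges).
ALIASES = {
    "RFC1918_Networks": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "VLAN20 net": ["192.168.20.0/24"],
    # Selectively routed hosts: one LAN host (assumed) plus the VLAN20 DHCP pool.
    "VPN_hosts_alias": ["10.35.35.50", "192.168.20.100-192.168.20.225"],
}

# Interface addresses used for the "Interface address" NAT translation (assumed).
IFACE_ADDR = {"LAN": "10.35.35.1", "VLAN20": "192.168.20.1", "wg0": "10.2.0.2"}
# Which interface each gateway egresses on (assumed: VPN_gateway -> wg0).
GATEWAY_IFACE = {"default": "WAN", "VPN_gateway": "wg0"}


def _contains(entry: str, ip: ipaddress.IPv4Address) -> bool:
    """One alias entry: dashed range, CIDR, or single address."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(entry, strict=False)


def match_addr(spec: str, ip: ipaddress.IPv4Address) -> bool:
    """Rule field: '*', '!X' (negated), an alias name, or a literal network."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    hit = any(_contains(e, ip) for e in ALIASES.get(name, [name]))
    return hit != negate


def policy_gateway(rules, in_iface, src, dst) -> Optional[str]:
    """First matching rule on the *ingress* interface decides the gateway.
    Rules are (interface, source, destination, gateway); no match -> None,
    i.e. pf's default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, rsrc, rdst, gw in rules:
        if iface == in_iface and match_addr(rsrc, s) and match_addr(rdst, d):
            return gw
    return None


def outbound_nat(nat_rules, out_iface, src) -> str:
    """Outbound NAT rules are (interface, source, translation); first match wins."""
    s = ipaddress.ip_address(src)
    for iface, rsrc, trans in nat_rules:
        if iface == out_iface and match_addr(rsrc, s):
            return IFACE_ADDR[iface] if trans == "Interface address" else trans
    return src  # no translation on this interface


def forward(rules, nat_rules, in_iface, src, dst):
    """Return (gateway, source address as the next hop sees it)."""
    gw = policy_gateway(rules, in_iface, src, dst)
    if gw is None:
        return None, None
    return gw, outbound_nat(nat_rules, GATEWAY_IFACE[gw], src)


# The working rule set from the post (Firewall -> Rules -> VLAN20), in order.
WORKING_RULES = [
    ("VLAN20", "VPN_hosts_alias", "!RFC1918_Networks", "VPN_gateway"),
    ("VLAN20", "*", "*", "default"),
]
# The earlier attempt: the gateway rule placed on LAN with source "VLAN20 net".
LAN_ONLY_RULES = [("LAN", "VLAN20 net", "*", "VPN_gateway")]
# Outbound NAT on the WireGuard interface for the alias, as already configured.
NAT_RULES = [("wg0", "VPN_hosts_alias", "Interface address")]

if __name__ == "__main__":
    for rules, pkt in [
        (WORKING_RULES, ("VLAN20", "192.168.20.150", "1.1.1.1")),      # DHCP client -> Internet
        (WORKING_RULES, ("VLAN20", "192.168.20.150", "10.35.35.10")),  # -> LAN host, stays local
        (WORKING_RULES, ("VLAN20", "192.168.20.50", "1.1.1.1")),       # outside the DHCP pool
        (LAN_ONLY_RULES, ("VLAN20", "192.168.20.150", "1.1.1.1")),     # rule on the wrong interface
    ]:
        print(pkt, "->", forward(rules, NAT_RULES, *pkt))
```

The four packets show the checks a practitioner wants before touching a real box: a pool address bound for the Internet is policy-routed to VPN_gateway and leaves with the wg0 address; the same client reaching a LAN host falls through to the second rule because of the !RFC1918_Networks destination, so local access keeps working; a VLAN20 address outside the DHCP pool (a static host, say) is not in the alias and goes out the default gateway, which is the thing to remember when adding statics; and a rule on LAN never sees traffic entering on VLAN20, so with only that rule the packet hits default deny. Whether the latter was the exact cause of the failed attempts is not stated in the post; the model only shows what the rules as written would match.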