opnsense as a router on a stick

[Dazanix]

Kindly help me...I am new to opnsense!

I currently use ClearOS 7 and I am migrating to opnsense 23.7

My current setup with ClearOS 7 is a router-on-a-stick connected to a managed cisco switch which has 5 vlans. I can access all the VLANs devices and can browse from them with my current setup.

However, tried implementing the same thing using opnsense and my VLAN devices can't access the internet  any more.

Is there any tutorial to help with this??

[ilya_rt]

Hi!
What is your current Opnsense router  configuration?
Did you setup VLANs interfaces, with addressess?
Did you setup firewall rules for VLAN-to-WAN connectivity?
Can you troubleshoot your setup via SSH with tools like tcpdump, traceroute, ping?

[Dazanix]

Thank you ilya_rt for the response.

What is your current Opnsense router  configuration?

My Opnsense router has two interface: WAN and LAN.
=> The WAN interface is connected to a Broadband modem with static a IP and gateway to the ISP
=> The LAN interface is connected to a cisco managed switch with 3 VLANs

I set the IP for my LAN to 172.31.255.254/29 and on the cisco switch (port 1/0/1) to 172.31.255.249/29.

The VLANs on the cisco managed switch are as follows:
* VLAN 300 ip address: 10.0.30.254/24
* VLAN 16   ip address: 172.16.16.254/24
* VLAN 1    ip address: 172.17.16.254/24

I create routes on Opnsense to the VLANs on the cisico managed switch with 172.31.255.249 being the
Gateway for each route.

So, diagrammatically:

ISP <=>  (wan) OPNSENSE (lan) <=> SWITCH00 <=> CISCO MANAGED SW (VLANs)

I have connected my Laptop to SWITCH00 to be able to access Opnsense and the CISCO VLANs and my internal network. My LAptop IP address is 172.31.255.250/29.
From my laptop I can reach the internet through the Opnsense router. I can ping the VLAN from my Laptop also.
However, none of the VMs and devices on my VLANs can reach the internet. The default route on the CISCO managed switch is: ip route 0.0.0.0 0.0.0.0 172.31.255.254
I can ping the Opnsense LAN ip (172.31.255.254) and WAN ip (199.x.x.x) from the hosts on the VLANs, but I cannot ping anything on the internet.

I created Aliases on Opnsense for my VLAN networks as follows:

dc_vlan01: 172.17.16.0/24
dc_vlan16: 172.16.16.0/24
dc_vlan300: 10.0.30.0/24

I have a floating rule on Opnsense firewall to allow traffic from dc_vlan01, dc_vlan16, dc_vlan300 through LAN net to any . This I am expecting will allow for the VLAN hosts to get internet, but that is not working.

What should I do to change this?

[ilya_rt]

I suppose your issue is connected to your switch configuration.
I don't know your goals with such network design - ip address on the switch and interconnection between router and switch via network 172.31.255.254 (btw, pay attention 172.31.0.0 is not RFC 1918 and IS REAL address in the internet and assigning it to LAN is a flaw). Perhaps you want to route between VLANs at a L3 switch instead router "for cheaper and faster".

At my point it is more rationale to create 3 VLANs at router and route everything on the router but not the switch.

May be I get you wrong, but at least provide switch configuration as I don't see any possible way to transfer packets from VLAN networks into the router LAN network via switch 1/0/1 port. Switch (depends on model and license) not doing NAT and not intended for this.