Connection from WAN to VLAN

Started by tellauri, April 10, 2024, 12:21:52 PM

Good morning,
This question has probably been asked before but I haven't found the answer yet.

Here is the network architecture:

Internet <> Router <> LAN(192.168.129.X/23) <> Proxmox(192.168.129.254) <> OPNsense(192.168.129.64) <> VLAN10(192.168.129.10.X)

The LAN connection becomes the WAN connection for OPNsense. A ping from VLAN10 to the WAN works.

The OPNsense LAN connection is only used for OPNsense management.

The OPT1 interface manages the VLAN10 interface.

How to connect from WAN to VLAN10?

THANKS.

1. Allow traffic from WAN (=LAN of your router) IP range to VLAN10 IP range on OPNsense
2. Alternative 1: Define routes on every LAN host that wants to connect to VLAN 10 to route the traffic towards OPNsense
2. Alternative 2: Define a route from your router to OPNSense. However, in many cases you will encounter strange behaviour so setting up a transfer network from your router to OPNSense would make sense. Don't know if you can do that on your router.

BTW: I guessed your VLAN10 has IP range 192.168.10.X - without the 129

Whenever you have multiple routers you need to think about routes in addition to firewall routes.

It is always the same story:

Are there routes in place in and out and does the firewall enable the Traffic in the correct direction?

In your case: does the ISP Router know the Route to your VLAN10? Probably not.
If you cannot set a route there, you likely need NAT and port forwarding. Keep in mind that from the real WAN, this is a double NAT setup.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

April 11, 2024, 01:28:08 PM #3 Last Edit: April 11, 2024, 02:48:07 PM by tellauri
Hello,

1.

Proto    Source    Port   Destination                      Port   Gateway   Schedule
IPv4 *   WAN net   *      VLAN10 net                       *      *         *
IPv4 *   WAN net   *      This Firewall (192.168.129.69)   *      *         *

2. for the creation of routes, I am blocked by an error

On debian 12

ip route add 192.168.10.0/24 via 192.168.169.69 dev ens18
==> Error: Nexthop has invalid gateway

IP client : ens18 : 192.168.129.73/23

opnsense interfaces : VLAN10 : 192.168.10.254/24 - WAN : 192.168.129.69/23



On ubuntu server :

192.168.10.0/24 via 192.168.129.69 dev ens18
but ping fails

On Debian 12: Try using the correct IP address of the router. Hint: It has to be in the same subnet.

Note: Configuring every host individually is quite work intensive and error-prone.

Check if OPNSense receives icmp messages for the target and if yes, sends them back - and where. Therefore you need to run a packet capture. If something is missing also check the firewall's live view.

And always make sure there is no NAT or any misconfigured route on OPNsense, too.

I would really recommend using a transfer network and set up a route in your other router.
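As an added example (not from the thread), a small POSIX sh helper that checks whether a route's next hop lies inside the host interface's subnet before composing the `ip route add` line; the function names are my own. With the values from the Debian post, 192.168.169.69 is outside 192.168.129.73/23, which is exactly the case the kernel rejects with "Nexthop has invalid gateway".

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Validates that a gateway is on-link for the host's interface address
# before building the `ip route add` command.

# ip4_to_int 192.168.129.73 -> dotted quad as a 32-bit integer
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_int 23 -> integer netmask for a /23 (0xFFFFFE00)
mask_int() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# gw_in_subnet GATEWAY HOST_IP/PREFIX -> exit 0 if the gateway shares the
# host's network (the condition the kernel enforces for a next hop)
gw_in_subnet() {
    gw=$(ip4_to_int "$1")
    host=$(ip4_to_int "${2%/*}")
    mask=$(mask_int "${2#*/}")
    [ $(( gw & mask )) -eq $(( host & mask )) ]
}

# plan_route DEST_NET GATEWAY HOST_IP/PREFIX DEV
# Prints the ip command to run, or explains why it would fail (exit 1).
plan_route() {
    if gw_in_subnet "$2" "$3"; then
        echo "ip route add $1 via $2 dev $4"
    else
        echo "refusing: gateway $2 is not inside $3 on $4 (kernel would report 'Nexthop has invalid gateway')"
        return 1
    fi
}

# Values taken from the thread: the OPNsense WAN address is the correct next hop.
plan_route 192.168.10.0/24 192.168.129.69 192.168.129.73/23 ens18
# The typo from the Debian attempt: 169 instead of 129, a different /23.
plan_route 192.168.10.0/24 192.168.169.69 192.168.129.73/23 ens18 || true
```

Run it as a normal user; it only prints the command, so nothing is changed until you run the printed line yourself as root.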

:D Wonderful, it works!

I have another question:
I have a torrent client on a VLAN10 machine. I receive data perfectly, but I cannot send any.
I tried ssh -R from the port to a WAN machine (129.X) and did port forwarding from my ISP's modem to that machine, without success.
I've activated the DMZ zone on OPNsense.

I'd like to quote meyergru from a post earlier:
Quote: Are there routes in place in and out and does the firewall enable the Traffic in the correct direction?