Multiple LAN subnets

Started by oliv05281, July 07, 2025, 05:58:05 PM

Hi,

I am new to OPNsense and I have my first instance running. My setup is:

  Internet
     |
SOHO router 1     
192.168.1.1
     |
192.168.1.2 (WAN interface)
OPNsense
10.1.100.1    (LAN interface)
     |
     +--------+--------+------.......
     |        |        |       
10.1.100.x 10.1.1.x 10.1.2.x

The LAN network is managed by a core switch (Aruba), with a VLAN per subnet.

Since the WAN interface is using a private network, I have deactivated the corresponding option in OPNsense for the WAN interface. From the 10.1.100.x subnet, I can access the internet through the firewall and the SOHO router. So far, so good.
However, I cannot access the internet from the other subnets. The catchall rule "invalid state" blocks it. So it looks like OPNsense does not like these unexpected subnets. After some research, I read about the following options:
  • Create virtual IPs for the firewall in the different subnets and assign them to the LAN interface
  • Use VLANs. But I am not sure if it is really a good idea to have all the LAN traffic go through the firewall
Is that correct? What is the recommended way? Are there any other options?

Thanks!
 

Look at the firewall rules for the first LAN interface (10.1.100.x) - you will find an "allow all" rule that must be manually created for every new VLAN.

Your next question will probably be: "how to separate those VLANs from one another while keeping internet access?"

Create a firewall alias consisting of all local interface networks and replace the "any" destination in every "allow all" rule with the negation of that alias.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

If the switch does the inter VLAN routing, you need on OPNsense:

- a gateway in the 10.1.100/24 subnet, i.e. the address of your switch
- a static route for each of your VLANs
- NAT mode set to hybrid and a NAT rule for each of your VLANs

Alternatively, you can create the VLANs on OPNsense, which would allow you to filter inter-VLAN traffic, configure DHCP in one place, etc.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

O.K., if the switch routes by itself, you should do it like Patrick says. However, in that case you will take the inter-VLAN routing load off OPNsense, but in order to have VLAN separation, you would need to configure it in the switch, too. It mainly depends on what you are using the VLANs for: a. security zones or b. limiting broadcast traffic by imposing separate collision domains.

Thanks for the quick and useful answers!

Sorry, I forgot some important information. Patrick guessed it. The core switch does the VLAN routing. I have set its default gateway to the address of the firewall. I have also set static routes in the firewall for all the LAN subnets. I can ping everything from everywhere from within the LAN, including the firewall. The only thing which is not working is the internet access from the subnets which are unknown to the firewall. I assumed that the NAT would apply to any traffic coming from LAN to WAN, but based on "NAT mode set to hybrid and a NAT rule for each of your VLANs", I guess I was wrong and the NAT rules are the missing piece of the puzzle. I will try that as soon as possible.

One question though: by "each of your VLANs", do you mean "each of your subnets"? Currently, the firewall is not aware of the VLANs, and I would prefer to keep it this way, at least for now. This also answers meyergru's question. I have basically two VLANs, clients and servers. The servers are virtualized using Proxmox, and protected by rules in Proxmox's firewall. So I do not really need OPNsense firewall rules on top within the LAN.

Yes, each of the subnets which is not directly connected to your firewall needs to be explicitly NAT'ed.

July 07, 2025, 08:25:49 PM #6 Last Edit: July 07, 2025, 08:51:52 PM by opnsenseuser8473 Reason: redundant information.
[Redacted]

I had the opportunity to try it out today. The NAT rule alone was not sufficient, I also had to add an IN rule for the LAN interface, otherwise the packets did not even reach the NAT rules. So to sum up, one needs:
- to allow the private networks on the WAN interface
- a gateway in the 10.1.100.0/24 subnet
- static route(s) for the subnet(s)
- IN rules for the subnet(s) on the LAN interface
- NAT mode set to hybrid and a NAT rule for the subnet(s)

It works now. However, I will probably have to go for a VLAN-based model in the end, because I need to manage several WLAN networks with different network permissions. The way I see it, VLANs are the best way to cover this, with OPNsense managing the permissions.
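The following is an added model of the packet path that the thread's final checklist (and Patrick's earlier list) describes, plus meyergru's negated-alias trick for keeping the VLANs apart; it is example code written for this thread, not OPNsense code and not something any poster published. A packet from a subnet that lives behind the core switch has to be passed in on LAN, match an outbound NAT rule on WAN, and have a static route for its reply, and the model reports which of those is missing. The addresses are the ones from the thread's diagram; the switch address 10.1.100.2, the routed subnets 10.1.1.0/24 and 10.1.2.0/24 as the only ones behind the switch, and the simplified rule ordering are assumptions.

```python
from ipaddress import ip_address, ip_network

WAN_ADDR = ip_address("192.168.1.2")          # OPNsense WAN address from the thread's diagram
CORE_SWITCH = ip_address("10.1.100.2")        # assumed address of the Aruba core switch

LAN_NET = ip_network("10.1.100.0/24")         # the only subnet attached to the LAN interface
ROUTED_NETS = [ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24")]  # behind the switch (assumed)
LOCAL_NETS = [LAN_NET, *ROUTED_NETS]          # the "all local networks" alias meyergru suggests


class Firewall:
    """Just the knobs from the thread's checklist: LAN pass-in rules,
    static routes, manual (hybrid-mode) outbound NAT, and optionally the
    negated LocalNets alias as destination of the pass rules."""

    def __init__(self, pass_in=(), static_routes=None, outbound_nat=(), isolate_vlans=False):
        self.pass_in = [ip_network(n) for n in pass_in]              # sources passed in on LAN
        self.static_routes = {ip_network(n): ip_address(h)
                              for n, h in (static_routes or {}).items()}
        self.outbound_nat = [ip_network(n) for n in outbound_nat]    # manual NAT sources
        self.isolate_vlans = isolate_vlans  # destination "!LocalNets" instead of "any"

    def next_hop(self, addr):
        """Where OPNsense sends a packet for addr: 'direct', a switch address, or 'default'."""
        if addr in LAN_NET:
            return "direct"
        for net, hop in self.static_routes.items():
            if addr in net:
                return hop
        return "default"  # out of WAN towards the SOHO router

    def trace(self, src, dst):
        """Return (verdict, detail) for a packet that enters on the LAN interface."""
        src, dst = ip_address(src), ip_address(dst)

        # 1. Inbound filter on LAN. The stock rule only passes "LAN net" (10.1.100.0/24);
        #    any other source falls through to the default deny.
        if not any(src in n for n in self.pass_in):
            return "blocked-no-pass-in", f"no LAN rule passes {src}"

        # 2. With "!LocalNets" as destination, local-to-local traffic does not match the
        #    pass rule and is dropped by the default deny.
        if self.isolate_vlans and any(dst in n for n in LOCAL_NETS):
            return "blocked-local-destination", f"{dst} is in LocalNets"

        # 3. A destination with a known route is not Internet traffic; the switch routes
        #    that itself and the firewall only sees it if something is misconfigured.
        if self.next_hop(dst) != "default":
            return "local", f"{dst} reachable via {self.next_hop(dst)}"

        # 4. Outbound NAT on WAN. Automatic outbound NAT only covers networks that are
        #    directly attached to an interface, so routed subnets need a manual rule.
        if not (src in LAN_NET or any(src in n for n in self.outbound_nat)):
            return "untranslated", f"leaves WAN with private source {src}"

        # 5. The reply arrives for WAN_ADDR and then needs a route back to src.
        hop = self.next_hop(src)
        if hop == "default":
            return "no-return-route", f"no static route for {src}"
        return "ok", f"{src} translated to {WAN_ADDR} on WAN, reply routed back via {hop}"


def complete_setup(isolate_vlans=False):
    """Firewall configured exactly as the final checklist in the thread says."""
    return Firewall(
        pass_in=[LAN_NET, *ROUTED_NETS],
        static_routes={n: CORE_SWITCH for n in ROUTED_NETS},
        outbound_nat=ROUTED_NETS,
        isolate_vlans=isolate_vlans,
    )


if __name__ == "__main__":
    stock = Firewall(pass_in=[LAN_NET])
    for label, fw in (("stock", stock), ("complete", complete_setup())):
        print(label, fw.trace("10.1.100.10", "9.9.9.9"), fw.trace("10.1.1.20", "9.9.9.9"))
```

Running it with the stock configuration reproduces the OP's symptom (a 10.1.1.x source is dropped before it ever reaches NAT), and adding only the NAT rule moves the failure to the pass-in stage, which is why both pieces were needed. With `isolate_vlans=True` the same complete setup still reaches the Internet but drops 10.1.1.x to 10.1.2.x, which is the separation meyergru describes; on a real deployment that only helps if the core switch also stops routing between those VLANs itself.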