Multihomed bridge

Started by giuliopaci, Today at 06:11:56 PM

Hi all,
  I am new to opnsense and I am trying to configure a small network with it.

The ISP CPE modem is multihomed (public network X, with X gateway, public network Y, with Y gateway, private network Z, with Z gateway).

I have an opnsense router that I physically connected to the ISP CPE modem using one interface and to an internal switch using another interface. The ISP CPE modem is connected to the internet, and the X and Y networks are configured to be accessible from outside.

I would like to allow devices on VLAN 1000, attached to the switch, to be able to use addresses from Y network and be accessible from outside and use an address from X network for the router. I also want to use port-forwarding on X router address.

I decided to create a bridge between VLAN 1000 and ISP CPE modem, and assign WAN to it.

So:
  • I created PUBLIC (VLAN 1000, vlan0.1000) and MODEM (ISP CPE modem, igc0) interfaces
  • I created bridge0 bridge on top of PUBLIC and MODEM (I also disabled pfil_member and enabled pfil_bridge and set outbound NAT mode to hybrid)
  • I created WLAN (bridge0), I assigned IP from X and defined X gateway
  • I assigned some devices attached to VLAN 1000 IPs from Y and defined Y gateway as default
  • I created LEGACY (VLAN 100, vlan0.100) and assigned private network to it, with the opnsense router acting as a gateway
  • I defined some port-forwarding rules (with reflection), mapping some services from LEGACY network

Current situation is:
- I can access port-forwarded services and Y devices from internet;
- I can access port-forwarded services from LEGACY;
- I can access Y devices from the router itself;
- I cannot access Y devices from LEGACY: packets get SNATed to the X router address, but they do not reach the device;
- I cannot access port-forwarded services from Y devices: packets get DNATed to the internal address of the services, but they do not reach the service.

I spent several hours trying to understand/solve the issue, but I was not able to find any solution yet.

What can be the issue?

That's a rather unusual architecture. Three L3 services with no L2 partitioning? Yak!

For OPNsense -> Y, I assume that's a fixup on the modem side, but I'd have to look at the equipment to be sure.

For Legacy -> Y, it's probably a return-path issue (below).

For Y -> VLAN 100, I would assume that Y devices do not have specific routes to the VLAN 100 public NAT IPs, so packets are DNAT'd and sent to the Y gateway, which drops them (at some point). You could confirm this from packet capture (look at the destination MAC).

Ideally you could just configure a couple (additional) VRFs on the firewall and convince it that your WAN interface belongs to all three (a bit of a challenge, even on a real router). I can think of a few lousy solutions...

e.g. You could try assigning a virtual IP from Y to the firewall (bridge) and adding a static route to your Y test machine with the destination of the public NAT block and gateway of said virtual IP.

I figure I'll see if someone else here has a better solution. (Or if I'm simply dead wrong, dead.)
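The packet-capture check suggested in the reply (look at the destination MAC of the DNAT'd frames from a Y host) can be automated. This is an added example, not code from either poster: it parses constructed `tcpdump -e -nn` style lines captured on VLAN 1000 and reports whether frames aimed at the firewall's X NAT block were sent to the firewall's bridge MAC or to the Y gateway MAC. The addresses, MACs and the X block `203.0.113.0/24` are assumed sample values.

```python
import re
import ipaddress

# Constructed sample capture (tcpdump -e -nn style); every MAC and address is made up.
# Assumed layout: X NAT block 203.0.113.0/24 (firewall public IP .10), Y host 198.51.100.20,
# Y gateway MAC 02:00:00:00:00:01, firewall bridge MAC 02:00:00:00:00:ff.
SAMPLE_CAPTURE = """\
12:00:01.000001 02:00:00:00:00:20 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.20.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 02:00:00:00:00:20 > 02:00:00:00:00:ff, ethertype IPv4 (0x0800), length 74: 198.51.100.20.51001 > 203.0.113.10.443: Flags [S], seq 2, win 64240, length 0
12:00:03.000001 02:00:00:00:00:20 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 198.51.100.20.51002 > 192.0.2.7.80: Flags [S], seq 3, win 64240, length 0
"""

# Matches the Ethernet header and the IPv4 src/dst "ip.port" pair of one tcpdump -e -nn line.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 .*?: (?P<src_ip>[\d.]+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>[\d.]+)\.(?P<dst_port>\d+):"
)


def parse_frames(capture):
    """Return one dict per parseable frame line."""
    frames = []
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def check_return_path(capture, nat_block, firewall_mac, y_gateway_mac):
    """For frames destined to the X NAT block, report which L2 next hop they took.

    A frame to a NAT IP carrying the Y gateway MAC never reaches the firewall's
    DNAT rule (the modem's Y gateway handles it instead); the firewall bridge MAC
    means the host has a working route for the NAT block.
    """
    nat_net = ipaddress.ip_network(nat_block)
    findings = []
    for f in parse_frames(capture):
        if ipaddress.ip_address(f["dst_ip"]) not in nat_net:
            continue  # not aimed at the forwarded services, ignore
        if f["dst_mac"] == y_gateway_mac:
            findings.append((f["src_ip"], f["dst_ip"], "sent to Y gateway, bypasses firewall DNAT"))
        elif f["dst_mac"] == firewall_mac:
            findings.append((f["src_ip"], f["dst_ip"], "ok: sent to firewall bridge"))
        else:
            findings.append((f["src_ip"], f["dst_ip"], "unknown next hop " + f["dst_mac"]))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in check_return_path(SAMPLE_CAPTURE, "203.0.113.0/24",
                                               "02:00:00:00:00:ff", "02:00:00:00:00:01"):
        print(f"{src} -> {dst}: {verdict}")
```

On a real host, feed it the output of `tcpdump -e -nn -i <vlan interface>` taken while a Y device connects to a forwarded port; any "sent to Y gateway" line confirms the missing-route explanation from the reply.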