Assume the following base setup:
- OPNsense exclusively as WAN Gateway / Firewall
- Segmented Layer 3 / VLAN Setup
- Speeds > 1G -> Wirespeed Inter-VLAN Routing needed -> Big Enterprise Core Switch/Router that does Inter-VLAN Routing at Wirespeed
Let's say we have the following IPs / IP Ranges:
- 10.2.0.0/16 -> VLAN2 Service Range, e.g. DHCP, WAN Gateway are located here
- 10.2.1.2/16 -> OPNsense LAN1, clients shall use this IP to access WAN. No management access via this IP!
- 10.3.0.0/16 -> VLAN3 Management Range, the OPNsense management interface shall reside here. This range is protected by ACLs on the core switch
- 10.3.5.2/16 -> OPNsense OPT1, this range shall be used to manage OPNsense!
- 10.7.0.0/16 -> VLAN7 Admin Range -> Administrators are located in this range
- 10.20.0.0/16 -> VLAN20 Client Range -> Unprivileged clients
The core switch / router config in a nutshell:
- Router Interfaces / VEs 10.2.0.1/16 VLAN2, 10.3.0.1/16 VLAN3, 10.7.0.1/16 VLAN7, 10.20.0.1/16 VLAN20 to allow the core switch to do inter-VLAN routing
- Default route (0.0.0.0/0) via 10.2.1.2 (Proxmox LAN1)
The Proxmox interfaces in a nutshell:
- WAN1 -> Can be whatever you want
- LAN1 -> 10.2.1.2/16, clients shall use this IP to access WAN. No management access via this IP!
- OPT1 -> 10.3.5.2/16, this range shall be used to manage OPNsense!
In order to make this work, you will have to add the following settings on OPNsense:
- OPT1 / Management Interface: Firewall rule Allow from source 10.7.0.0/16 -> Otherwise no access from an IP in admin range 10.7.0.0/16 to OPNsense management is possible (default block-everything rule on OPT1 interface). The default Anti-Lockout rule (allowing access from all sources) only applies to the LAN1 interface, not to the OPT1 interface.
- Disable Anti-Lockout -> Otherwise management access via the LAN1 interface is possible
And now things get nasty:
- Add a new Gateway 10.2.0.1 on Interface LAN1 and add a route to 10.0.0.0/8 via LAN Gateway 10.2.0.1 so that OPNsense can reach stuff outside 10.2.0.0/16 via the core switch
- Add a new Firewall rule on the LAN1 interface allowing 10.0.0.0/8 -> Otherwise traffic from outside 10.2.0.0/16 will be blocked; by default it only allows traffic from the subnet in which the LAN1 interface resides
- Add a new NAT rule: 10.0.0.0/8 -> WAN: By default, only addresses within the subnets of interfaces are NATed. That means clients in 10.7.0.0/16 and 10.20.0.0/16 can't access WAN by default