Is there a best practice to configure OPNsense in a Multi-Subnet L3 setup?

I have this example:

OPNsense has the IP 10.2.1.2/16 and needs to do normal NAT / Firewall, but all the other hosts are located in other subnets (and VLANs) like 10.10.0.0/16; all the Inter-VLAN Routing is handled by some beefy L3 Core switches (so OPNsense can only reach the other hosts in the network by going through the gateway on the core switch).

In order for OPNsense to accept traffic from other subnets that are routed to OPNsense by the core switches (like 10.10.1.1/16), I had to make a couple of modifications:

- Add a routing entry 10.0.0.0/8 via 10.2.1.0 (10.2.0.1 is the virtual gateway address of the core switch VE in OPNsense's subnet)
- Add a Firewall Rule in LAN, allowing inbound traffic from 10.0.0.0/8
- Add a manual NAT rule to NAT from 10.0.0.0/8 to WAN

Surely this can't be best practice, right?
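To make it clearer why each of the three changes in the post is needed, here is an added Python model (not part of the post and not OPNsense code) of how a packet from a routed VLAN is handled by a firewall whose only LAN leg is 10.2.1.2/16 behind a core switch at 10.2.0.1. It encodes three OPNsense behaviours: a reply needs a route back to the packet's source via a gateway on a directly connected subnet; the stock LAN rule only matches "LAN net", i.e. the interface's own subnet; and, as the post reports, automatic outbound NAT did not cover the routed subnets, so it is modelled as covering interface subnets only (an assumption taken from the post). The function and config names are hypothetical; the addresses come from the post.

```python
"""Model of the route / LAN rule / outbound NAT checks that decide whether a
host on a routed VLAN can reach the WAN through OPNsense.

Added illustration, not OPNsense's own code.  Addresses follow the post:
OPNsense LAN 10.2.1.2/16, core-switch gateway 10.2.0.1, VLAN hosts in 10.0.0.0/8.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass
class Config:
    lan_net: IPv4Network                        # directly connected LAN subnet
    static_routes: dict = field(default_factory=dict)      # {prefix: next-hop}
    fw_allowed_sources: list = field(default_factory=list) # LAN pass-rule sources
    nat_sources: list = field(default_factory=list)        # outbound NAT sources


def default_config() -> Config:
    """Stock behaviour: LAN rule source is 'LAN net'; automatic outbound NAT is
    modelled as interface subnets only (assumption based on the post)."""
    lan = ip_network("10.2.1.2/16", strict=False)          # -> 10.2.0.0/16
    return Config(lan_net=lan, fw_allowed_sources=[lan], nat_sources=[lan])


def fixed_config() -> Config:
    """The three modifications from the post, using the core switch VE
    address 10.2.0.1 as the next hop for 10.0.0.0/8."""
    cfg = default_config()
    agg = ip_network("10.0.0.0/8")
    cfg.static_routes[agg] = ip_address("10.2.0.1")
    cfg.fw_allowed_sources.append(agg)
    cfg.nat_sources.append(agg)
    return cfg


def route_lookup(cfg: Config, dst: IPv4Address):
    """Longest-prefix match over the connected subnet and static routes.
    Returns (prefix, next_hop) with next_hop None for the connected subnet,
    or None when nothing matches."""
    candidates = [(cfg.lan_net, None)] + list(cfg.static_routes.items())
    matches = [(p, gw) for p, gw in candidates if dst in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def gateway_is_reachable(cfg: Config, gw: IPv4Address) -> bool:
    """A next hop is only usable when it sits on a directly connected subnet."""
    return gw in cfg.lan_net


def evaluate_lan_to_wan(cfg: Config, src: str) -> dict:
    """Run the three checks for a packet arriving on LAN from `src`."""
    src_ip = ip_address(src)
    back = route_lookup(cfg, src_ip)
    return {
        # replies must find a route back to the source VLAN
        "return_route": back is not None
        and (back[1] is None or gateway_is_reachable(cfg, back[1])),
        # the LAN pass rule must cover the source
        "firewall_pass": any(src_ip in n for n in cfg.fw_allowed_sources),
        # an outbound NAT rule must cover the source
        "nat_applied": any(src_ip in n for n in cfg.nat_sources),
    }


def missing_settings(cfg: Config, src: str) -> list:
    """Names of the checks that fail, in evaluation order."""
    return [name for name, ok in evaluate_lan_to_wan(cfg, src).items() if not ok]


if __name__ == "__main__":
    for label, cfg in (("default", default_config()), ("fixed", fixed_config())):
        print(label, "10.10.1.1 ->", missing_settings(cfg, "10.10.1.1") or "ok")
```

Running it shows the stock configuration failing all three checks for a host in 10.10.0.0/16 while a host in OPNsense's own 10.2.0.0/16 passes without changes, which is exactly the asymmetry the post describes.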