OPNSense, multiple LANs, and VPN solutions together
I'm working on configuring OPNsense with three LANs, a gateway, a VPN, and four interfaces. The setup involves DHCP from the cable modem, which is about to switch to gigabit internet, currently running 300/75 BCE1 and 75 BCE2. On the LAN side, I have a 10.10.1.1/24 for TVs, Roku devices, smart gadgets, and Wi-Fi, plus a second 10.10.2.1/24 for servers, desktops, laptops, and cell phones. The WAN uses 10.10.0.1/24 with VPN access via PIA 10.10.2.1/24. I need all devices to communicate freely, but the firewall is not cooperating—I can set up DHCP and interfaces easily, yet the firewall blocks everything except the VPN. I've followed pfSense tutorials and tried manual NAT, but the rules are confusing. The guides suggest simple default settings, but they don't explain how to restrict PIA-only access while keeping the rest of the network open. I'm unsure if I need to enable NAT on the firewall or configure it separately for each interface. Also, I want the modem's NAT functionality to work alongside OPNsense, and I'm trying to connect the VPN only to the PIA network without affecting LAN access. Could you help me understand how to adjust the firewall rules properly?
I'm planning to activate three additional autonomous switches to eliminate the VLANs, and reset everything from scratch. If it functions as expected, I'll transfer it to the L3 Switch. I'm still uncertain if my current switch settings are the issue.
I completed a factory reset and introduced two additional networks. I configured DHCP servers for each network and established pass rules between them.

LAN (spoiler) Firewall: Rules
- LAN allows traffic to any rule, IPv4
- PIA net allows traffic to any rule, IPv4
- MAN net allows traffic to any rule, IPv4
- LAN net, MAN net allow traffic to any rule, IPv4

PIA (spoiler) Firewall: Rules
- PIA permits traffic from any rule to any rule, IPv4
- PIA net allows traffic to any rule, IPv4
- MAN net allows traffic to any rule, IPv4
- LAN net, PIA net allow traffic to any rule, IPv4
- MAN net allows traffic to any rule, IPv4

WAN (spoiler) Firewall: Rules
- WAN permits traffic to any rule, IPv4
- MAN net allows traffic to any rule, IPv4
- LAN net blocks private networks (IANA reserved)
- Bogon networks are blocked

I didn’t address anything else. Should I proceed? I can reach the internet on all LAN interfaces and ping other LAN devices, but I’m unable to connect to clients on MAN or PIA. LAN interfaces can reach the internet and respond to pings, while MAN and PIA interfaces cannot. LAN and PIA interfaces can reach the internet and respond, but not to MAN or PIA devices. I don’t see any overly complex configuration beyond what you’d expect from a Netgear or Linksys router setup. You seem confident this is sufficient.
Window interference is increasing again... Defender's Firewall is preventing pings from foreign networks. Here’s what I can do now:
- Ping all devices
- Transfer files between subnets
- Browse the internet from subnets
- Connect to PIA
Currently, I’m stuck because:
- The thought was that the "PIA VPN" link to the internet (network 10.10.2.0/24 renamed to "PIA_NET") differs from "PIA_VPN"
- All internet traffic from "PIA_NET" must go through "PIA_VPN"
Understand how to configure a gateway route for the VPN tunnel exit. Set up an advanced outbound rule for the PIA_NET subnet so it uses the VPN tunnel interface. Ensure all traffic for this subnet goes through the VPN instead. Verify the VPN tunnel exit is properly set up to allow internet access if needed.
I managed to activate PIA and configure selective routing with firewall aliases. Still struggling with routing between the two subnets. DHCP is assigning DNS addresses—1.1.1.1 and 1.0.0.1 for the PIABypass subnet, and 209.222.18.222 and 209.222.18.218 for the PIATraffic subnet. The gateway and firewall details are outlined in the spoiler below. I’ll continue reviewing guides and applying firewall rules... Spoiler: I once had working routing before a factory reset restored selective VPN routing.
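The two posts above describe the same thing: sending everything from the PIA subnet through the VPN gateway works, but routing between the two subnets breaks. That is the usual first-match pitfall of policy-based routing on OPNsense/pf: a pass rule that carries a gateway sends every packet it matches to that gateway, including packets for the other local subnet, so a plain pass rule for local destinations (with no gateway set) has to sit above the "everything via VPN" rule on the PIA_NET tab. The following is an added example, not code from this thread or from OPNsense; it models first-match rule evaluation for one interface tab and audits a rule list for exactly this ordering problem. The subnet names (LAN_NET, PIA_NET), the gateway name PIA_VPN and the rule lists are constructed from the addresses given in the thread; outbound NAT, which is a separate table, is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One entry on an interface's firewall rules tab; position decides priority."""
    interface: str                 # tab the rule lives on: LAN, PIA_NET, WAN ...
    action: str                    # "pass" or "block"
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    gateway: Optional[str] = None  # None = use the normal routing table
    note: str = ""


def _covers(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def evaluate(rules: List[Rule], interface: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching rule on the ingress interface wins (OPNsense rules are 'quick');
    if nothing matches, the implicit default deny applies."""
    for r in rules:
        if r.interface == interface and _covers(r.src, src) and _covers(r.dst, dst):
            return r.action, r.gateway
    return "block", None


# Constructed from the thread: 10.10.1.0/24 is the LAN, 10.10.2.0/24 was renamed PIA_NET.
LAN_NET, PIA_NET = "10.10.1.0/24", "10.10.2.0/24"
VPN_GW = "PIA_VPN"   # assumed gateway name for the tunnel exit

# Rule set 1: only the policy-routing rule. Every packet from PIA_NET, including
# packets addressed to 10.10.1.x, is handed to the tunnel gateway and never reaches LAN.
RULES_VPN_ONLY = [
    Rule("PIA_NET", "pass", PIA_NET, "any", gateway=VPN_GW, note="all out via VPN"),
]

# Rule set 2: a plain pass rule for the other local subnet placed ABOVE the gateway
# rule, so inter-subnet traffic follows the routing table and only the rest goes out the VPN.
RULES_ORDERED = [
    Rule("PIA_NET", "pass", PIA_NET, LAN_NET, note="local traffic, no gateway"),
    Rule("PIA_NET", "pass", PIA_NET, "any", gateway=VPN_GW, note="everything else via VPN"),
]

# Rule set 3: the same two rules in the wrong order; first match still wins.
RULES_MISORDERED = list(reversed(RULES_ORDERED))


def audit(rules: List[Rule], interface: str, src_net: str, local_nets: List[str],
          vpn_gw: str, probe: str = "1.1.1.1") -> List[str]:
    """Audit one subnet's tab: local destinations must pass with no gateway, and a
    public destination must pass with the VPN gateway. Returns a list of findings."""
    findings = []
    src = str(ip_network(src_net)[10])          # a sample host in the source subnet
    for net in local_nets:
        dst = str(ip_network(net)[10])          # a sample host in each local subnet
        action, gw = evaluate(rules, interface, src, dst)
        if action != "pass":
            findings.append(f"{src}->{dst}: blocked")
        elif gw is not None:
            findings.append(f"{src}->{dst}: routed to {gw} instead of the routing table")
    action, gw = evaluate(rules, interface, src, probe)
    if action != "pass" or gw != vpn_gw:
        findings.append(f"{src}->{probe}: expected gateway {vpn_gw}, got {action}/{gw}")
    return findings


if __name__ == "__main__":
    for name, rules in (("vpn-only", RULES_VPN_ONLY),
                        ("ordered", RULES_ORDERED),
                        ("misordered", RULES_MISORDERED)):
        print(name, audit(rules, "PIA_NET", PIA_NET, [LAN_NET], VPN_GW) or "OK")
```

Running it reports the VPN-only and misordered sets as sending 10.10.2.x to 10.10.1.x through PIA_VPN, and the ordered set as clean. The same check applies to any number of local subnets (add them to `local_nets`) and to a "bypass" alias like the PIABypass subnet above: any rule that should use the normal routing table must match before the gateway rule. On the real firewall, the corresponding check is Firewall: Log Files: Live View, where a packet for 10.10.1.x matched by the gateway rule shows that rule's label instead of the local pass rule.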