Site2site + DMZ + "usual"

1st time poster/newbie, so please pardon my ignorance and possibly/probably stupid questions.
I have read many of the docs and quite a bit of the forum but I am not progressing, so I thought I'd ask here.

  • I currently have 2 sites running on OPNsense using some old PCs, also linked via openvpn(PKI) so that I can access either sites LAN stations from wherever I am.
    • Site 1 has a NextCloud/NAS which is accessible from LAN and WAN.
      • currently using hosts entries for LAN access - I would like to replace with a BIND views based setup.
      • traffic shaping using IPFW for certain users occurs here - but it's not working as well as I'd like, and the management of this is annoying and inconsistent. It's difficult to track/monitor (possibly because I set it up badly :crazy_face:).
    • Site 2 has a webserver which is accessible via specific port forwards.
    • I use some external VPN services for internet traffic. When on the VPN, I can access "normal" traffic like receiving email, but sometimes cannot SEND email [probably port blocking by the provider] (this would be nice but not essential, and I don't know how to do it yet).

It is all workable as is, but I would like to change it all to OpenWRT on RPIs - something like the diagram below.

I have the basic services working (connect to internet to allow outgoing/return user traffic as usual).
I used UCI instead of LUCI-GUI for most of it - I can change from UCI to /etc/config/* changes if that's a better way.

Throughput feels a bit quicker than the OPNsense setup, but...
I obviously don't understand the system properly since I can't get the WAN incoming and also DMZ comms working properly.

Now the questions part.

  • Is it correct to use a separate DMZ subnet or must this be part of the main subnet?
    • I have "unmanaged LAN switches", so (I think) I need to do this without VLANs??
      • Can RPi be configured to create a VLAN?
      • Would I be better advised to get a couple of low-end/entry-level managed switches instead?
    • For users in the LAN to access the stations in the DMZ, do I need to route traffic between LAN/DMZ - and if so, what would a sample config include (and a typical associated firewall rule example if possible)
  • What would be the best setup sequence of these (happy to wipe/restart if there's a better way)
    • basic services (done), VPN site2site, DMZ services, VPN traffic bypass for VPNservice
    • basic services (done), VPN site2site, VPN traffic bypass for VPNservice, DMZ services
    • basic services (done), DMZ services, VPN site2site, VPN traffic bypass for VPNservice

Post is getting a bit long now, so I'll stop adding bits here for now.

Thanks for the great system, and the help.

PS: If anyone has set up something similar and doesn't mind sending me to a suitable post/link, I learn best from example :grimacing:

You are using an unmanaged switch, so there is not much sense in having a DMZ.

The unmanaged switch can pass tagged frames. The problem is that hosts will need to support .1q to remove the tags.


It depends on which zones do the lan and dmz interfaces belong. If they are in the same zone, you can enable the forwarding by selecting ACCEPT. Otherwise you'd need to allow uni or bi-directional forwarding. That depends on how tight your security settings are.

It doesn't really matter, as long as the VPN traffic bypass is after VPN s2s.

1 Like

Thank you for the info/update.

You are using an unmanaged switch, so there is not much sense in having a DMZ. So DMZ requires VLAN?

Assuming no VLAN/DMZ, would I open ports to the network for the hosted services, or is a port-forward to a specific machine better/safer?

It doesn't really matter, as long as the VPN traffic bypass is after VPN s2s. How do I achieve the "after" part - is that just linked to the sequence of the routing config file?

Can you offer an opinion on whether it's best to use GUI, UCI commands, or CLI config files to work/learn? I am not well versed in OpenWRT, but I am not a total retard on linux CLI.

Last - I have searched for sample/example configs - is there any resource available that shows a heavily commented config which serves as a "scenario explainer" - (I know this is a long shot, but a non-ask is an automatic no :upside_down_face:)


Splitting a network into segments with isolation between them requires either physical interfaces, one per segment, or VLAN-aware switches and routers. A "DMZ" that has unrestrained connectivity to other subnets is a contradiction of its common definition.

Once you have publicly accessible services running on your network, your security is pretty much hozed.

Unless you have multiple, public IPs from your ISP, you can't just open a port to a machine with a non-public IP. While you could do some fancy configuration, the common way to manage exposing services behind a single IP address is using static NAT ("port forwarding") for the selected port on the public interface to an appropriate host and port on the internal "service host".

Thanks Jeff.
I have 3 ethernet ports available - built-in, +2 USB LAN devices. I could add another if needed.

I had planned to set up the publicly accessible devices on a different subnet, but I would like to be able to configure those from my W/S which would be on the "default" LAN. I thought I'd be able to have not-quite-unconstrained connectivity for this part by implementing firewall rules - but don't know how so far. The VLAN and DMZ theory is a maybe at best for the moment - I will rethink this if I can get some equipment that'll work.

I don't (yet) grasp how one does the routing/firewall for this in OpenWRT.

DMZ requires isolation. You can achieve that with different vlans in a managed switch or with separate switches for each segment.

I meant it has to be chronologically done after.
You can search the forum for policy based routing. There is a package available.

Luci is the easiest, but not all options are visible.
Uci commands are the toughest in my opinion, but offer some rollback protection.

I think the documentation includes examples with comments explaining.

Routing will work automatically, all the networks are connected to the same router. So as long as the hosts use the OpenWrt as default gateway, they will be able to route to each other. The firewall is another case. Interzone traffic is not allowed by default, so you'd need to allow it, lan to dmz for sure. Dmz to lan maybe not completely, but per case.

1 Like

Thank you again for the time and trouble.
This answers the concept questions, so I have marked it "solved" - I may still need to bother you all again for specific/syntax type info, and again when I get to the more complex tasks.

Much obliged!

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.