I've been a long user of OPNsense firewall and I just started using OpenWRT. My OPNsense firewall has a complex configuration with many VLANS and OpenVPN clients (I run VMs and containers)- I feel its a lot of CPU load for the R7800 that I have running OpenWRT. Looking for some ideas on how I could get best of both worlds?
My ISP gateway directly connects to OpenWRT.
My OPNsense firewall WAN connects to OpenWRT in one of its LAN.
All my physical and WIFI clients connect to OpenWRT (192.168.1.0/24 range)
OPNsense has one major feature that I dearly miss in OpenWRT: ntopng deep packet inspection. Not sure how to make this work in OpenWRT - other than 'mirror traffic' then send to a separate port. The other option softflowd seems that would require me to purchase ntop nProbe license for 200 euro
I may be OK living without ntopng for traffic happening in 192.168.1.0/24 (OpenWRT and WIFI), any suggestions on allowing these subnets to route to OPNsense to make my containers and VMs available to clients of OpenWRT only (no internet)?
OPNsense has subnets:
Thinking about a simple solution, I guess I could do a static route for those private netblocks in OpenWRT to go via 192.168.1.100 (opnsense.local) then disable outbound NAT so traffic between openwrt and opnsense doesn't get masqueraded.
Another idea was to turn off DHCP in openwrt, then separate WIFI to a different VLAN other than LAN. Anyone done anything similar?
I'm running a similar setup.
ISP -> R7800 -> 4VLANs -> IntelNUC with proxmox + pfSense
For the three user VLANs (Lan, Guest, IoT) the pfSense is the DHCP+DNS server.
The R7800 distributes these VLANs as separate SSIDs.
The fourth VLAN is the transfer network between R7800 and pfSense WAN-IF.
For this VLAN the R7800 is the DHCP server.
I know, the internet traffic it it double NATed by the pfSense firewall and R7800, but this is negligible.
I chose this setup mainly because of better openVPN performance and pfBlockerNG filtering.
Thanks! @riodoro I think your setup is the way to go since I want to get ntopng and I also don't mind double NAT even on IPv6 traffic.
Leaving this for others to find, if you need to configure OPNSENSE IPv6 NAT (not enabled or straightforward out of the box) here's the settings you will need: https://forum.opnsense.org/index.php?topic=21795.msg102951#msg102951
@vgaetera thanks for the links. Its great to see the features seem to exist in case I want to migrate more of my clients to OpenWRT.
I ended up with:
ISP to OpenWRT (192.168.1.0/24 and IPv6 NAT via ULA)
- OpenWRT SSID points to OWRT LAN
- mySSID points to VLAN ID 11 (opnsense)
- created a bridge 'br-opnsense' to link WIFI and wired port from R7800.
My WIFI clients are now routing thru OPNSENSE - if it ever goes down, I can connect to WIFI "OpenWRT" and get troubleshooting.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.