I've been a long-time user of the OPNsense firewall and I just started using OpenWRT. My OPNsense firewall has a complex configuration with many VLANs and OpenVPN clients (I run VMs and containers). I feel it's a lot of CPU load for the R7800 that I have running OpenWRT. Looking for some ideas on how I could get the best of both worlds?
My ISP gateway directly connects to OpenWRT.
My OPNsense firewall WAN connects to OpenWRT in one of its LAN.
All my physical and WIFI clients connect to OpenWRT (192.168.1.0/24 range).
OPNsense has one major feature that I dearly miss in OpenWRT: ntopng deep packet inspection. Not sure how to make this work in OpenWRT, other than 'mirror traffic' and then send it to a separate port. The other option, softflowd, seems like it would require me to purchase an ntop nProbe license for 200 euro.
I may be OK living without ntopng for traffic happening in 192.168.1.0/24 (OpenWRT and WIFI), any suggestions on allowing these subnets to route to OPNsense to make my containers and VMs available to clients of OpenWRT only (no internet)?
OPNsense has subnets:
172.16.0.0/24
172.22.0.0/24
Thinking about a simple solution, I guess I could add a static route for those private netblocks in OpenWRT to go via 192.168.1.100 (opnsense.local), then disable outbound NAT so traffic between OpenWRT and OPNsense doesn't get masqueraded.
Another idea was to turn off DHCP in OpenWRT, then separate WIFI into a different VLAN from LAN. Anyone done anything similar?
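For the static-route idea in the post above, this is what the OpenWrt side looks like as UCI config. It is an added example, not the poster's configuration: the section names, and the assumption that OPNsense's WAN sits at 192.168.1.100 in the default 'lan' zone and that the default 'wan' zone is the only one with masquerading, are mine. The REJECT rule covers the "no internet" requirement from the OpenWrt side, so the OPNsense subnets cannot be forwarded out the OpenWrt WAN even if OPNsense's own policy is loosened later.

```uci
# /etc/config/network  (added sections; names are assumptions)
# Send the two OPNsense subnets to the OPNsense WAN address on the LAN.
config route 'to_opnsense_172_16'
        option interface 'lan'
        option target '172.16.0.0/24'
        option gateway '192.168.1.100'

config route 'to_opnsense_172_22'
        option interface 'lan'
        option target '172.22.0.0/24'
        option gateway '192.168.1.100'

# /etc/config/firewall  (added section)
# The stock 'lan' zone has forward ACCEPT and no masquerading, so routed
# lan->lan traffic to 192.168.1.100 is neither filtered nor NATed by OpenWrt.
# Keep the OPNsense subnets off the internet: drop them before lan->wan forwarding.
config rule 'block_opnsense_nets_to_wan'
        option name 'Block OPNsense subnets to WAN'
        option src 'lan'
        list src_ip '172.16.0.0/24'
        list src_ip '172.22.0.0/24'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'
```

Apply with `/etc/init.d/network reload` and `/etc/init.d/firewall reload`, then check `ip route show` for the two routes via 192.168.1.100. Clients on 192.168.1.0/24 will initially send these packets to the OpenWrt router and get an ICMP redirect to 192.168.1.100, which is normal. The return path still depends on the OPNsense side: besides excluding 192.168.1.0/24 destinations from outbound NAT as the post suggests, the OPNsense WAN interface needs a pass rule from 192.168.1.0/24 to the two subnets, and the WAN "Block private networks" option must be off, or the replies never leave.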
I'm running a similar setup.
ISP -> R7800 -> 4VLANs -> IntelNUC with proxmox + pfSense
For the three user VLANs (LAN, Guest, IoT), pfSense is the DHCP+DNS server.
The R7800 distributes these VLANs as separate SSIDs.
The fourth VLAN is the transfer network between R7800 and pfSense WAN-IF.
For this VLAN the R7800 is the DHCP server.
I know the internet traffic is double NATed by the pfSense firewall and the R7800, but this is negligible.
I chose this setup mainly because of better OpenVPN performance and pfBlockerNG filtering.