Issues with static routes between L3 switch and firewall

Question

Problem

I'm having considerable issues getting some very simple static routing between an L3 EdgeCore ECS4620-28P and an OPNSense firewall. I want to route from my VLANs on my L3 switch, through to my firewall but have the L3 switch handle interVLAN routing where necessary.

---

EDIT: Known working

What is particularly odd is that my firewall can ping my workstations, but I cannot ping out to the firewall or reach the internet.

---

VLANs

I have 5 VLANs on the L3 switch for device networks, tagged:

• 10
• 20
• 30
• 40
• 50

Plus one for the routing interface, tagged:

• 100

Right now I'm just testing connectivity from a machine on VLAN 10, assuming that replication of config across the other VLANs will reflect functionality.

So far I can get access to the firewall at 10.0.0.254 and my various SVIs (10.0.x.200) on the switch, if I tag my current access port with the respective VLAN of course.

---

Systems & network diagram

Here is the network diagram:

...and here are some config screenshots

Edgecore (L3 switch):

System routing table

Static route

VLAN 10 SVI

VLAN 100 SVI

Devices port

Switch to firewall port

All the VLANs on this switch

---

OPNsense firewall:

NAT table

VLAN 100 firewall rules

Static routes back to VLANs

VLAN_100_STATIC Interface

Answer 1

EDIT:

I've revisited this after a while to setup my rules and actually configure my firewall properly. As it turns out, the traffic is indeed being routed through to the LAN interface and not the VLAN interfaces. This is irrelevant however, as the VLAN interfaces created on the OPNsense firewall merely exist so the firewall can recognise the tagged traffic.

In actual fact, I can assign a SOURCE address or net as that of a VLAN on the LAN firewall list. Meanwhile the firewall rules on ALL of the VLAN interfaces created on the firewall are irrelevant and thus not created. The only rules necessary are those created on the LAN interface (the destination of the default route from the L3 switch).

e.g. ACCEPT -> (source) VLAN_10_DHCP -> (destination) ANY -> (gateway) WAN

Here is a visual example:

---

OK so I have solved the problem and now even more confused than before.

I have changed a few things:

1. I made the default route in the L3 switch, point to the LAN interface of the firewall, not the virtual interface but the physical address: 10.0.0.254

2. Despite #1, I still have to create VLAN interfaces in the firewall for all the VLANs on the L3 switch and assign an SVI with ip address. In this case I chose 10.0.x.1 though I suspect it wouldn't matter what the actual ip address is at that interface.

3. Tagged port 1 of the L3 switch with all of the VLAN tags (10-50).

4. Removed all the static routes from the firewall.

5. Removed vlan 100 as it's now superfluous

---

Config breakdown:

• Port 1 has all VLANS
• Any port which I want to assign to a VLAN gets that VLAN
• each VLAN also has an SVI on the switch (10.0.x.200) and a seemingly corresponding SVI on the firewall (10.0.x.1), the SVI on the switch is the default GW for the devices on that respective VLAN
• the default GW for the switch is the LAN interface of the firewall (0.0.0.0 -> 10.0.0.254)
• no static routes in the firewall
• the firewall rules for each VLAN interface are non-existent, everything seems to be handled through the LAN interface firewall rules

---

Very confused. It works and that's great but I don't like it.

Anyone with some insight into what is happening here I would greatly appreciate your clarity.