All corporate VLANs and DMZ networks reach the internet through the OPNsense firewall.
Traffic is NATed on the OPNsense WAN (10.10.10.2) and routed via pfSense to the Fritz Box and ISP.
pfSense does not perform NAT; it acts only as a router.

OPNsense:
- WAN IP: 10.10.10.2/30
- Default Gateway: 10.10.10.1 (pfSense)
- Outbound NAT: automatic (all internal subnets translated to 10.10.10.2)

pfSense:
- WAN IP: 192.168.178.100/24
- LAN (P2P): 10.10.10.1/30
- Default Gateway: 192.168.178.1 (Fritz Box)
- NAT: disabled
- Firewall rules: allow any on P2P, WAN restricted to mgmt (ICMP/HTTPS from 192.168.178.0/24)

Fritz Box:
- Static route:
  - Network: 10.10.10.0
  - Subnet mask: 255.255.255.252
  - Gateway: 192.168.178.100 (pfSense WAN)

Corporate Client → OPNsense (NAT to 10.10.10.2) → pfSense (route only) → Fritz Box → ISP
Return traffic → Fritz Box → pfSense → OPNsense → Client
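
The return path works with a single static route on the Fritz Box only because OPNsense translates every internal source to 10.10.10.2. The following Python sketch is an added example, not part of the original design notes: it models the routing tables described above and traces a reply with and without NAT on OPNsense. The client address 172.16.20.50 is a constructed sample (the page lists no VLAN subnets), and the "direct" and default-route entries are modelling assumptions.

```python
import ipaddress as ip

# Values from the page. CLIENT is a constructed sample address.
P2P = ip.ip_network("10.10.10.0/255.255.255.252")   # Fritz Box static route target
OPNSENSE_WAN = ip.ip_address("10.10.10.2")
PFSENSE_LAN = ip.ip_address("10.10.10.1")
PFSENSE_WAN = ip.ip_address("192.168.178.100")
HOME_LAN = ip.ip_network("192.168.178.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")
CLIENT = ip.ip_address("172.16.20.50")              # constructed

# Routing tables as (destination, next hop); "direct" means on-link delivery.
ROUTES = {
    "Fritz Box": [(HOME_LAN, "direct"), (P2P, "pfSense"), (DEFAULT, "ISP")],
    "pfSense": [(HOME_LAN, "direct"), (P2P, "direct"), (DEFAULT, "Fritz Box")],
}
OWNER = {OPNSENSE_WAN: "OPNsense", PFSENSE_LAN: "pfSense", PFSENSE_WAN: "pfSense"}

def lookup(device, dst):
    """Longest-prefix match in one device's routing table."""
    matches = [r for r in ROUTES[device] if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def source_at_wan(client, nat_on_opnsense=True):
    """Source address leaving OPNsense: its WAN IP when outbound NAT is on."""
    return OPNSENSE_WAN if nat_on_opnsense else client

def return_path(dst, start="Fritz Box", max_hops=8):
    """Trace a reply from the Fritz Box toward the source address it saw."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(device, dst)
        if hop == "direct":
            path.append(OWNER.get(dst, "unknown host"))
            return path
        path.append(hop)
        if hop not in ROUTES:   # left the modelled network (sent to the ISP)
            return path
        device = hop
    return path + ["loop"]

if __name__ == "__main__":
    print("NAT on :", return_path(source_at_wan(CLIENT)))
    print("NAT off:", return_path(source_at_wan(CLIENT, nat_on_opnsense=False)))
```

With NAT disabled on OPNsense, replies to internal addresses follow the Fritz Box default route toward the ISP, so each internal subnet would then need its own static route on the Fritz Box and pfSense.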