L3 交换机和防火墙之间的静态路由问题

编辑：

I've revisited this after a while to setup my rules and actually configure my firewall properly. As it turns out, the traffic is indeed being routed through to the LAN interface and not the VLAN interfaces. This is irrelevant however, as the VLAN interfaces created on the OPNsense firewall merely exist so the firewall can recognise the tagged traffic.

In actual fact, I can assign a SOURCE address or net as that of a VLAN on the LAN firewall list. Meanwhile the firewall rules on ALL of the VLAN interfaces created on the firewall are irrelevant and thus not created. The only rules necessary are those created on the LAN interface (the destination of the default route from the L3 switch).

e.g. ACCEPT -> (source) VLAN_10_DHCP -> (destination) ANY -> (gateway) WAN

Here is a visual example:

OK so I have solved the problem and now even more confused than before.

I have changed a few things:

1. I made the default route in the L3 switch, point to the LAN interface of the firewall, not the virtual interface but the physical address: 10.0.0.254

2. Despite #1, I still have to create VLAN interfaces in the firewall for all the VLANs on the L3 switch and assign an SVI with ip address. In this case I chose 10.0.x.1 though I suspect it wouldn't matter what the actual ip address is at that interface.

3. Tagged port 1 of the L3 switch with all of the VLAN tags (10-50).

4. Removed all the static routes from the firewall.

5. Removed vlan 100 as it's now superfluous

Config breakdown:

• Port 1 has all VLANS
• Any port which I want to assign to a VLAN gets that VLAN
• 每个 VLAN 在交换机 (10.0.x.200) 上也有一个 SVI，在防火墙 (10.0.x.1) 上也有一个看似对应的 SVI，交换机上的 SVI 是相应 VLAN 上设备的默认 GW
• 交换机的默认 GW 是防火墙的 LAN 接口 (0.0.0.0 -> 10.0.0.254)
• 防火墙中没有静态路由
• 每个 VLAN 接口的防火墙规则都不存在，一切似乎都通过 LAN 接口防火墙规则处理

很困惑。它有效，这很好，但我不喜欢它。

任何对这里发生的事情有一些了解的人，我将非常感谢您的澄清。