What am I trying to do?

As per the diagram above, OPNsense is the gateway and firewall that allows all internal networks to reach the internet. I have a few logical L2 networks configured in NSX, and I want them to talk to the internet and to the physical networks (vlan 20, vlan 30) connected to OPNsense.

  • Routing information will be exchanged between NSX and OPNsense using BGP.
  • BFD will be used to detect any faults between NSX and OPNsense.

After configuring BGP and BFD in OPNsense and NSX, all logical L2 networks configured in NSX will be able to go out to the internet and be able to talk to the other networks connected to OPNsense.

NSX-T Configuration

Let's review the NSX configuration first.

  • NSX Version:
  • Two Edge Nodes for an Active/Active configuration.
  • Edge nodes are uplinked to vlan 10 - 172.16.0.x/22

Tier-0 Gateway Configuration

Two external interfaces:

Configure a default static route to the OPNsense Router

BGP and BFD configuration

BGP Neighbor Config

OPNsense Configuration

Install the FRR package in OPNsense

Go to System->Firmware->Plugins and install the os-frr package.

Configure BGP and BFD in OPNsense

Go to Routing->General->Enable->Save->Start/Restart Service.

Go to Routing->BGP->General->Enable->Enter BGP AS Number (e.g. 65001)

Set Route Redistribution to "Connected routes (directly attached subnet or host)" and "Statically configured routes".

Go to Routing->BGP->Prefix lists->Check Enabled

  • Description: Allow Any
  • Name: OPNsense-any
  • Number: 10
  • Action: Permit
  • Network: any

Go to Routing->BFD->Check Enable

Go to Routing->BFD-> + -> Check Enabled and enter Peer-IP->Save

Go to Routing->BGP->Neighbors-> Add(+)->Save

  • Description: nsx-t0
  • Peer-IP: IP configured on the T0 router
  • Remote AS: AS number configured on the T0 router
  • BFD: Enable
  • Prefix-List In: OPNsense-any
  • Prefix-List Out: OPNsense-any
  • Route-Map In: Allow-All
  • Route-Map Out: Allow-All
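The BGP and BFD settings entered above, written out as the equivalent FRR configuration. This is an added illustration, not the original post's own text or the output the os-frr plugin generates; the peer address and remote AS are placeholders because the post does not give them.

```text
! Peer address and remote AS are placeholders (not given in the post)
router bgp 65001
 neighbor <T0_PEER_IP> remote-as <T0_AS>
 ! BFD is enabled per neighbor so a failed peer is withdrawn quickly
 neighbor <T0_PEER_IP> bfd
 address-family ipv4 unicast
  ! Matches "Connected routes" and "Statically configured routes"
  redistribute connected
  redistribute static
  neighbor <T0_PEER_IP> prefix-list OPNsense-any in
  neighbor <T0_PEER_IP> prefix-list OPNsense-any out
  neighbor <T0_PEER_IP> route-map Allow-All in
  neighbor <T0_PEER_IP> route-map Allow-All out
 exit-address-family
!
! Prefix list "OPNsense-any", sequence 10, permit any.
! Note: this accepts every prefix the T0 advertises; a tighter list
! would name only the NSX segments you expect to learn.
ip prefix-list OPNsense-any seq 10 permit any
!
! Route map "Allow-All" with no match clause permits everything
route-map Allow-All permit 10
!
! BFD peer entry matching Routing->BFD-> + ->Peer-IP
bfd
 peer <T0_PEER_IP>
 !
```

On the OPNsense shell, `vtysh -c "show bgp summary"` and `vtysh -c "show bfd peers"` confirm that the session is Established and the BFD peer is Up.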

Configure NAT so the NSX networks can reach the internet through the WAN interface.

NSX networks in my lab are in the subnet

Go to Firewall->NAT->Outbound->Add("+")->Save

  • Interface: WAN
  • Protocol: any
  • Source address: Single host or Network
  • Source port: any
  • Destination address: any
  • Destination port: any
  • Translation/target: Interface address