Topics - cmonty14

#1
Hello,
I have a network setup with 2 routers.
OPNsense is the secondary router.
Its WAN interface is connected to the primary router's downstream interface.

Now I want to use a single LAN interface for administration, meaning the primary router's LAN and the secondary router's LAN are the same subnet.

Here's an overview of the IP addresses:
Primary router:
  WAN: <public IPv4>
  LAN: 172.16.1.1/24
  NET: 172.16.0.1/29
Secondary router:
  WAN: 172.16.0.2/29
  LAN: 172.16.1.2/24

In my understanding any traffic on subnet 172.16.1.0/24 (LAN) must be routed to primary router only.

How can I ensure that OPNsense is not routing LAN traffic over its WAN interface?

THX
#2
Hello,
based on this tutorial I started a setup of router cascade w/o double NAT.

This means the primary router is set up with NAT disabled and additional routing rules.
The visualization would look like this:
clients ↔ OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

Actually the clients are represented in a LAN subnet (172.16.1.0/24) and DMZ subnet (172.16.11.0/24).

This works as expected.

Now I want to connect a secondary router to a free NIC of the primary router. This secondary router provides multiple subnets, e.g. Office, Guest, IoT.

The visualization would look like this:
clients ↔ OPNsense router (no NAT) ↔ routing rules ↔ OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

The secondary router's LAN subnet is identical to primary router's LAN: 172.16.1.0/24.
This subnet is only for router access (SSH and HTTPS).

As a result the following IPs are assigned:
primary router:
LAN: 172.16.1.1/24
DMZ: 172.16.11.1/24
eth1: 172.16.0.1/30
WAN: 192.168.1.2/24
secondary router:
LAN: 172.16.1.2/24
Office: 172.21.10.1/24 (VLAN)
Guest: 172.21.20.1/24 (VLAN)
WAN: 172.16.0.2/30

The current issue is:
No internet access from the secondary router, meaning I cannot upgrade software packages.
The error message is this:
[thomas@lou ~]$ sudo pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Connection refused
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Connection refused
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Connection refused
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Connection refused
Unable to update repository mimugmail
Error updating repositories!

DNS on secondary router is (obviously) working, though.

I wonder which route secondary router should take when accessing internet?
Executing traceroute shows this:
[thomas@lou ~]$ sudo traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 64 hops max, 40 byte packets
1 172.16.0.1 (172.16.0.1) 0.538 ms 0.433 ms 0.355 ms
2 172.16.0.1 (172.16.0.1) 0.355 ms 0.443 ms 0.392 ms


This means the secondary router is not using the default route of the primary router. This is the routing table of the primary router:
root@eddie:~# ip route
default via 192.168.1.1 dev wan src 192.168.1.2
172.16.0.0/30 dev lan5 scope link src 172.16.0.1
172.16.1.0/24 dev lan2 scope link src 172.16.1.1
172.16.11.0/24 dev lan4 scope link src 172.16.11.1
172.21.0.0/16 via 172.16.0.2 dev lan5 onlink
192.168.1.0/24 dev wan scope link src 192.168.1.2


I don't understand how network traffic on this subnet would be routed to WAN interface of primary router.
Can you please advise how to troubleshoot this issue?
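As an added example (not from the post), a small Python model of the route selection the question is about: it parses the primary router's table exactly as posted, applies longest-prefix match, and follows next hops across both routers to report delivery, exit towards the ISP box, or a loop between the two routers. The secondary router's table is constructed here as an assumption, since the post does not show it.

```python
import ipaddress
# Routing table of the primary router exactly as posted (Linux `ip route` output).
PRIMARY_ROUTES = """\
default via 192.168.1.1 dev wan src 192.168.1.2
172.16.0.0/30 dev lan5 scope link src 172.16.0.1
172.16.1.0/24 dev lan2 scope link src 172.16.1.1
172.16.11.0/24 dev lan4 scope link src 172.16.11.1
172.21.0.0/16 via 172.16.0.2 dev lan5 onlink
192.168.1.0/24 dev wan scope link src 192.168.1.2
"""
# Constructed (assumed) table for the secondary router in the same notation.
SECONDARY_ROUTES = """\
default via 172.16.0.1 dev vtnet0
172.16.0.0/30 dev vtnet0 scope link src 172.16.0.2
172.16.1.0/24 dev vtnet1 scope link src 172.16.1.2
172.21.10.0/24 dev vlan10 scope link src 172.21.10.1
"""
def parse_ip_route(text):
    """Turn `ip route` lines into (network, next_hop_or_None, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        dev = f[f.index("dev") + 1] if "dev" in f else None
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

# Owner of each next-hop address; 192.168.1.1 (ISP box) is outside the model.
TABLES = {"primary": parse_ip_route(PRIMARY_ROUTES), "secondary": parse_ip_route(SECONDARY_ROUTES)}
OWNER = {"172.16.0.1": "primary", "172.16.0.2": "secondary"}

def trace(start, dst):
    """Follow next hops router by router until delivery, exit or a loop."""
    path, router = [], start
    while router not in path:
        path.append(router)
        route = lookup(TABLES[router], dst)
        if route is None or route[1] is None:  # no route, or directly on-link
            return path, "delivered" if route else "unreachable"
        router = OWNER.get(route[1])
        if router is None:                     # next hop is not a modeled router
            return path + [route[1]], "exit"
    return path + [router], "loop"
```

With the tables as given, a packet from the secondary router to 139.59.209.225 should leave via primary towards 192.168.1.1; the same `trace` reports "loop" as soon as one table points back at the other router, which is the symptom a traceroute showing the same hop twice hints at.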
#3
Hello,
I want to install package inxi.
This package is supplied by port sysutils.

According to documentation I have executed the following steps:

  • opnsense-code ports tools
  • cd /usr/ports/sysutils/inxi
  • make install

Make install has now been running for 12+ hours, and I don't understand why compiling a package of a few kB takes so much time.

Please advise the correct procedure for installation of package inxi.

THX
#4
Hello,

I have configured multiple interfaces:
WAN, LAN, DMZ, PROXY

Each interface is configured with a dedicated network (network segmentation), meaning
LAN: 172.16.1.0/24
PROXY: 172.30.1.0/24

Then I added a virtual IP from PROXY network: 172.30.1.9

After this I installed a service that is listening on this virtual IP.
root@clancy:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     AdGuardHom 97269 11 tcp4   172.30.1.9:80         *:*
root     AdGuardHom 97269 13 udp4   172.30.1.9:53         *:*
root     AdGuardHom 97269 20 tcp4   172.30.1.9:53         *:*


Question:
How can I access this service listening on 172.30.1.9:80 from LAN?

THX
#5
Hi,
I completed setup of Web Filtering following the documentation.

However, after clicking "Download ACLs" there are no categories to select in the relevant field for any of the configured lists, in my case UT1 web filter (ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz) and shallalist.de web filter (http://shallalist.de/Downloads/shallalist.tar.gz).

Can you please advise how to troubleshoot this issue?

THX
#6
Hello,

can you please advise how to create an anti-lockout rule for the MGMT interface, meaning a duplicate of the automatically generated anti-lockout rule for LAN?

THX
#7
Hello,

my ISP offers me 1 static public IP (not more).
I want to use this static public IP with multiple services, e.g. private cloud, mail-server, etc.

In a traditional setup I would configure a DMZ for these services. In addition there's a forward proxy in this DMZ to "route" traffic for cloud.mydomain.com, mail.mydomain.com, etc. to the relevant server.

Question:
Is the setup of a Transparent Firewall working for these conditions / restrictions?

THX
#8
Hello,

my ISP (Vodafone cable) provides two internet access points:
- standard (like any ISP offers)
- static IP

The router (here: AVM Fritz!Box 6490 cable) basically works like any other Fritz!Box with only one exception:
1 port is configured for using the static IP.
I guess one could call this passthrough.

Anyway, this means that I have the following port configuration with this Fritz!Box:
Port 1 - LAN
Port 2 - LAN
Port 3 - static IP passthrough
Port 4 - Guest LAN

The other network device is a managed switch (here: D-Link DGS-1100).

The use case for OPNsense is this.
On a Proxmox VE I set up a VM with OPNsense as a router and firewall.
Having 5 ethernet ports on the Proxmox VE host, OPNsense VM will use 2 ports with PCI passthrough; eth0 for WAN (= static IP) and eth1 for LAN.

In addition I want to set up different VLANs, e.g. for a Smarthome network, DMZ and PVE Guest network.
I also consider a VLAN for Fritzbox LAN and Fritzbox Guest LAN.

As a result the following interface configuration is available in OPNsense:
(screenshot: interfaces)
1 - Default
2 - Management network
10 - Fritzbox LAN
179 - Fritzbox Guest LAN
161 - DMZ
162 - Smarthome network
100 - PVE Guest network
110 - PVE Migration network
120 - PVE Corosync network

In my understanding the OPNsense LAN interface is untagged, because I don't know how to tag it when creating the interface.
All other interfaces are VLANs and this means they are tagged.
Should the OPNsense LAN interface be tagged, too?
In order to avoid collisions with the Fritzbox LAN?
Or is it recommended to have any LAN be untagged?

And how to configure the VLAN on the managed switch?
Meaning, what VLAN should be used?
My current understanding is that 802.1Q is the preferred mode when using multiple VLANs on a single port.
And with 802.1Q there are different VLAN modes: Access Port, Trunk Port and Hybrid Port.

In my understanding the OPNsense LAN interface is logically a switch.
If this is true, the VLAN mode of the connected managed switch port must be trunk.
But then the untagged LAN won't work, right?

Can you please advise what is the recommended configuration on the managed switch, in particular the recommended VLAN mode?
What should be tagged? What should be untagged?

THX
#9
Hello,
I received a FritzBox from my ISP (Vodafone Internet, formerly Unitymedia).
In addition to a standard internet access I also have a static IP.
This static IP is passed through to port 3 of the FritzBox by a special function.
So I can use 2 separate internet accesses.

The FritzBox is therefore router+modem for
- LAN
- WLAN
- telephone

I connected the NIC of OPNsense WAN to port 3 of the FritzBox.
The NIC of OPNsense LAN goes to a managed switch (D-Link DGS1100-16), which supports VLAN and link aggregation 802.3ad, among other things.

FritzBox port 1 (LAN) is connected to the same switch.

This switch offers the function
802.1Q VLAN
in which a VLAN with ID 1 can then be used as the management VLAN.

OPNsense is to be configured as router + firewall.
I now intend the following OPNsense network configuration:
VLAN 1 - 192.168.0.0/24 - Management
VLAN 10 - 192.168.1.0/24 - LAN -> this is also the LAN of the FritzBox
VLAN 100 - 192.168.10.0/24 - network for VMs
VLAN 200 - 172.16.10.0/24 - DMZ

A PC has the IP (in the LAN) 192.168.1.20/32 and the OPNsense server has the IP (in Management) 192.168.0.1/32.

I am asking myself the following questions:
Will this configuration work?
If so, what must be taken into account so that I can access the OPNsense WebUI from the PC?
Or would it be more sensible to assign OPNsense an IP from 192.168.1.0/24 (LAN)?

Regards
Thomas