Was wondering if anyone had set up OPNsense with a single leg on LAN only. If so, any gotchas...?
I was thinking it might become necessary to spin up FreeRADIUS as a temporary PoC to get some answers for this topic (https://forum.opnsense.org/index.php?topic=25387.0).
Just wanted to know if it was possible... :-\
TIA,
Ben
Perfectly possible. What is the supposed dilemma here? I am running that as a VPN server.
- Bootstrap a fresh installation
- Remove the WAN interface keeping the "allow all" rule on LAN
- Disable the "anti lockout" NAT rule - Firewall > Settings > Advanced
- Add the default gateway unless you set the LAN interface to DHCP
- Probably disable Unbound and set the nameserver in System > Settings > General
- Probably disable the DHCP server on LAN
- Optionally disable the firewall entirely in Firewall > Settings > Advanced
Now you have an open host with a single connection.
Thank you @pmhausen. That's a very helpful list.
The only dilemma is whether I should spend my time on it...
Some questions are better left unanswered - or answered by others... ;)
I have a dev OPNsense running with one leg. Not a problem.
Possibly also useful as mail gateway or reverse proxy or VPN concentrator or any number of things.
Typically that is a WAN-only setup since that automatically uses DHCP to get an address and sets anti-lockout rules correctly.
It's a neat type of setup for special services to provide (mostly via VM using a plugin or some core feature) and you have a firewall for the service as well... :)
Cheers,
Franco
Quote from: franco on November 08, 2021, 08:50:56 AM
Typically that is a WAN-only setup...
Good points, Franco. Thanks for that.
So pmhausen's list becomes:
- Bootstrap a fresh installation
- Add the default gateway unless your WAN interface gets one via DHCP (default)
- Disable Unbound and set the nameserver in System > Settings > General OR accept DHCP nameservers
- Optionally disable the firewall entirely in Firewall > Settings > Advanced
Anything else to add...? Did I drop too much / too little...?
Thank you all.
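Added example (not from the thread, not OPNsense's own tooling): a small POSIX shell checklist that verifies, on the box itself, the end state that pmhausen's list and the trimmed WAN-only variant above both aim for: a single assigned interface, a default route, a nameserver, pf disabled or enabled as intended, and Unbound / the DHCP server stopped if you chose to stop them. Each check parses the text a standard FreeBSD command prints (`ifconfig -l`, `netstat -rn -f inet`, `/etc/resolv.conf`, `pfctl -s info`, `ps -axo comm`), so the logic can be tried offline against the constructed samples in the script before it runs live. The sample outputs are made up, not captured from a real host, and the process names `unbound` and `dhcpd` are assumed to be what OPNsense's Unbound and ISC DHCP services appear as in `ps`.

```shell
#!/bin/sh
# Added example for this thread (not from OPNsense or any poster): a post-setup
# checklist for a single-leg OPNsense host. Each check parses the text a FreeBSD
# command prints, so the logic can be exercised offline on the constructed samples
# below and run for real on the box via the "live" block at the end.

# Count assigned interfaces, ignoring loopback and pf/IPsec pseudo-interfaces.
# Tunnel interfaces (ovpn*, wg*) are counted on purpose: a VPN concentrator has them.
# $1: output of `ifconfig -l`, e.g. "vtnet0 enc0 lo0 pflog0"
iface_count() {
    n=0
    for i in $1; do
        case "$i" in
            lo*|pflog*|pfsync*|enc*) ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# True (exit 0) when a default route exists. $1: output of `netstat -rn -f inet`
has_default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" { f = 1 } END { exit !f }'
}

# Number of nameserver lines. $1: contents of /etc/resolv.conf
nameserver_count() {
    printf '%s\n' "$1" | awk '/^nameserver[ \t]/ { n++ } END { print n + 0 }'
}

# Prints "Enabled" or "Disabled". $1: output of `pfctl -s info` (first line is "Status: ...")
pf_status() {
    printf '%s\n' "$1" | awk '/^Status:/ { print $2; exit }'
}

# True (exit 0) when process name $2 appears in $1, the output of `ps -axo comm`.
# Process names "unbound" and "dhcpd" are an assumption about OPNsense's services.
running() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# One-line verdict per item of the thread's list.
# Arguments: ifconfig-l routes resolv-conf pfctl-info ps-comm
checklist() {
    echo "interfaces (excl. lo/pflog/pfsync/enc): $(iface_count "$1")"
    if has_default_route "$2"; then echo "default route: present"; else echo "default route: MISSING"; fi
    echo "nameservers: $(nameserver_count "$3")"
    echo "pf: $(pf_status "$4")"
    for svc in unbound dhcpd; do
        if running "$5" "$svc"; then echo "$svc: running"; else echo "$svc: not running"; fi
    done
}

# --- constructed sample output (not captured from a real host) -----------------
SAMPLE_IFCONFIG="vtnet0 enc0 lo0 pflog0"
SAMPLE_ROUTES="Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS      vtnet0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U        vtnet0"
SAMPLE_ROUTES_NOGW="Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U        vtnet0"
SAMPLE_RESOLV="search example.test
nameserver 192.0.2.53"
SAMPLE_PFINFO="Status: Disabled for 0 days 00:05:12           Debug: Urgent"
SAMPLE_PS="kernel
init
sshd
lighttpd
php-cgi"

echo "--- sample data ---"
checklist "$SAMPLE_IFCONFIG" "$SAMPLE_ROUTES" "$SAMPLE_RESOLV" "$SAMPLE_PFINFO" "$SAMPLE_PS"

# --- live run on the OPNsense host itself (pfctl needs root) -------------------
if [ "$(uname -s)" = "FreeBSD" ] && command -v pfctl >/dev/null 2>&1; then
    echo "--- live ---"
    checklist "$(ifconfig -l)" "$(netstat -rn -f inet)" "$(cat /etc/resolv.conf)" \
              "$(pfctl -s info 2>/dev/null)" "$(ps -axo comm)"
fi
```

Run it as root after finishing the list; every line of the live report should match what you intended (one interface, a default route, at least one nameserver, pf Enabled or Disabled as chosen, unbound/dhcpd not running if you disabled them). Anything that differs is a step that did not take, which is cheaper to find this way than after the host is already serving VPN or mail.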