OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: nam061 on November 23, 2022, 05:51:19 pm

Title: Gateway server for LAN network [Solved]
Post by: nam061 on November 23, 2022, 05:51:19 pm
Hi Guys

I have zero experience in OPNsense and I am looking for some advice before I proceed with installing and using it. I read some documentation and I am not 100% sure if OPNsense is the right product for me, therefore, hoping the community can provide some insight on this, please.

I have four Linux boxes, each with two NICs. One NIC has a publicly assigned IP and the other NIC has a privately assigned IP using the 192.168.50.0/24 subnet. Each of these four Linux boxes can ping each other on either network successfully.

Sadly, however, my ISP where I am renting these boxes has completely isolated my private network from accessing the internet, meaning if I run a simple ping test to google.com using the private NIC from any of my boxes, it fails immediately. They said that the private network is completely isolated from their public uplink, meaning I cannot have them assign my private network to the uplink infrastructure they have.

After much googling, it came down to the fact that I need to get an additional Linux box and configure that box as a gateway server where my clients on the 192.168.50.0/24 subnet can route traffic to the internet successfully.

I would like to know if I get a fifth Linux box with the same 2x NIC setup and install OPNsense, would I be able to configure it as a gateway server for my private subnet? If yes, can you please confirm the steps I would need to take? I assume I would need to forward all traffic from the LAN interface to the WAN interface for it to work and then use this fifth server's IP address as the gateway IP in my private subnet, yes?

Kindly provide basic steps I can take to achieve this with OPNsense or an article that best describes how I can implement this.

If OPNsense is not possible to achieve this, was there any other open-source solution?

I appreciate your time and any assistance contributed towards my query.
Title: Re: Gateway server for LAN network
Post by: nam061 on November 29, 2022, 04:03:44 pm
Hi Guys

Was there any sort of feedback on this? I would really appreciate any sort of update on this, please?
Title: Re: Gateway server for LAN network
Post by: cookiemonster on November 29, 2022, 04:17:59 pm
Have you asked your ISP if what you're thinking will work? Otherwise what makes you think you can circumvent the network isolation they've put in place for all machines?
Title: Re: Gateway server for LAN network
Post by: nam061 on November 29, 2022, 05:53:03 pm
Quote
Have you asked your ISP if what you're thinking will work? Otherwise what makes you think you can circumvent the network isolation they've put in place for all machines?

Hi, thank you for getting back to me, yes I have spoken to the ISP and they were the ones to recommend this. This was their response in this regard:

Quote
We cannot set up a gateway on the private network. The private network is a completely separate physical infrastructure and does not connect to our uplink network.

You will need to configure a NAT firewall yourself. Only one host is required to provide the gateway function for all your backlink hosts / VMs.

An example of a good, free and open-source NAT firewall is OPNsense (https://opnsense.org) but there are many others.
Title: Re: Gateway server for LAN network
Post by: cookiemonster on November 29, 2022, 09:55:47 pm
Ok but that is still odd.
Any solution you put in will require to be pointed to a gateway, and that is beyond your control and in control of your provider.
You see, any of your current machines can't go out by itself. Won't that be the same case with a new machine that is expected to NAT them?
Also you can't put OPNsense on a "Linux box", it runs on a slimmed-down version of FreeBSD. You won't find it too different though.

I really fail to see how they intend you to route traffic out. Maybe just a case of spinning up your new firewall and then ask them what gateway to use for it to send all the VM's traffic out. I suspect some misunderstanding (maybe mine).
Title: Re: Gateway server for LAN network
Post by: Patrick M. Hausen on November 29, 2022, 10:45:19 pm
@cookiemonster

He's got a private LAN for all of his machines. He can book another one with a connection to that private LAN and a second interface serving as public uplink. With any router/firewall OS, e.g. OPNsense, this system can serve as the NAT gateway and firewall for all the other hosts.

I wonder what precisely you think is odd about that? He seemingly does not want to have his hosts talk to the internet directly but through a common firewall ...
Title: Re: Gateway server for LAN network
Post by: cookiemonster on November 29, 2022, 10:51:21 pm
Yes, that is as normal as it can be. What I think odd is that the ISP is not doing the NAT for him. His machines seem to have two NICs already.
Edit: I think I get it now. They don't want to have the responsibility for firewalling and NATing them for him.
Title: Re: Gateway server for LAN network
Post by: nam061 on November 30, 2022, 06:54:27 am
@pmhausen

Correct, yes. Based on what they said, the public NIC would serve as the "gateway" in this case, based on @cookiemonster's concerns.

Does this mean OPNsense can accomplish this task and serve as a "basic firewall" for my hosts on the private LAN? If yes, are there any guides and or documentation you can recommend that would achieve this outcome?

Thank you in advance.
Title: Re: Gateway server for LAN network
Post by: Patrick M. Hausen on November 30, 2022, 07:50:05 am
This is really just the standard setup. Of course OPNsense can do that.
Title: Re: Gateway server for LAN network
Post by: bigops on December 01, 2022, 07:46:01 am
From what I see from your post, all your servers have a public and a private IP. To achieve this, trying to introduce OPNsense may be overkill.

Do you have root access into the boxes? Linux by default comes with routing between interfaces disabled. You will need to enable IP routing and then, provided there is no firewall in the boxes (iptables etc.), this will work. If you have firewalls running on the boxes then you will have to do additional configuration on the forward chain of the firewall.

Googling how to route between interfaces will give you a ton of resources on how it is done
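
An added example, not part of the post above or of any poster's configuration: the Linux forwarding and forward-chain setup the post describes, written as a generator for an iptables-restore ruleset that forwards only the thread's 192.168.50.0/24 subnet and drops everything else by default. The interface names eth0 (public) and eth1 (private) and both function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed names (not from the thread): eth0 = public NIC,
# eth1 = private NIC. Nothing here changes the running firewall; the
# ruleset is only printed so it can be reviewed before loading.

# Print an iptables-restore ruleset for a two-NIC NAT gateway.
# Usage: nat_gateway_rules <wan_if> <lan_if> <lan_cidr>
nat_gateway_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3
    # Coarse input check: interface names limited to safe characters, and
    # the network limited to digits, dots and a slash, so arguments cannot
    # smuggle extra options or rules into the generated file.
    for name in "$wan_if" "$lan_if"; do
        case $name in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    done
    case $lan_net in
        ''|*[!0-9./]*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $wan_if -o $lan_if -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Succeeds only if kernel IPv4 forwarding is switched on.
# $1 (optional): file to read instead of the live kernel value.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

nat_gateway_rules eth0 eth1 192.168.50.0/24
if forwarding_enabled; then
    echo "# ip_forward is on"
else
    echo "# ip_forward is off; enable with: sysctl -w net.ipv4.ip_forward=1"
fi
```

Loading the output with iptables-restore replaces the current nat and filter tables, so merge it with any rules already on the box first. With the FORWARD policy set to DROP, only traffic leaving the private subnet and its return packets crosses the gateway.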
Title: Re: Gateway server for LAN network
Post by: nam061 on December 02, 2022, 11:44:19 am
Thank you very much, I tried using Linux basic NAT solution and it worked somewhat. However, I ran into issues on my VMs via stack and they could not reach the gateway.

In any case, I have successfully installed OPNsense on a new Linux box and I am pleased to confirm it works PERFECTLY out of the box. Thank you for your input.