OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: bucky2780 on November 11, 2023, 11:14:57 am

Title: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: bucky2780 on November 11, 2023, 11:14:57 am
2023-11-11 Initial tutorial published
~
This is similar to another tutorial on the subject, but it is going to use Virtual IPs rather than an additional wan interface to accomplish the task at hand. For the original tutorial and inspiration see here: https://forum.opnsense.org/index.php?topic=33497.0

Who is this for?
opnsense only accepts ethernet as the physical connection for your wan.
If your ISP is using older vdsl protocols to connect you to the internet, you will need another device (modem) which you'll need to configure. Usually this is a spare router you have lying around which you will dumb down and run in bridged mode. Physically you plug an RJ11 line from the wall to the modem for adsl/vdsl, and then plug an ethernet port from the bridged modem into the router's wan port. This way your router will perform all the handshaking with your ISP, and the modem only worries about protocol translation between vdsl and ethernet.

This arrangement works fine, but you lose access to the modem gui, which is very annoying. The modem is behind the wan port, and its management ip is not accessible, since the wan port is busy connecting you to the internet. Should you wish to consult the modem gui to have a look at your sync rate, well you can't. You would need to pull the modem out of its position, reset it to defaults and then connect it to a pc sitting on your desk. What a pain.

Solution:
opnsense does have a solution which is a little complex, though it only uses a couple of configuration lines, hence this tutorial. Once you get your head around some of the key concepts it is very gratifying, as it teaches you quite a bit about networking... so worth giving it a go in my opinion.
The nature of the solution is to use your physical wan link to run 2 x different networks. Network 1 is your normal wan, and network 2 is a small subnet we create to talk directly to the modem. We use a virtual ip address as a means to create this second network. Piece of cake. Read on...

There are 4 x steps in this tutorial, as follows. We will show each step in some detail... so please stop stressing.
IP addressing:
Before we start let me say I will be using a set of addresses that suit my personal situation. I don't like using standard addressing schemes as these are constantly being probed for security flaws. For this tutorial please adapt IP addressing schemes to suit your own installation.

LAN
192.168.92.1/24  mask 255.255.255.0 (254 usable ip addresses)

Modem network - A tiny subnet is created to connect opnsense to the modem via its own subnet.
192.168.5.1/30 mask 255.255.255.252
Hardware:
I use a 4 x port qotom box for my opnsense platform
I use a draytek vigor 130 router/modem. Turn off dhcp and set into bridged mode.

Step 1: Setup modem
I put the modem into bridge mode.
(https://i.postimg.cc/p92dFBmv/vigor1.png) (https://postimg.cc/p92dFBmv)


Assign it an ip address of 192.168.5.1/30 (note subnet mask of 252)
(https://i.postimg.cc/Mn0THLKt/vigor2.png) (https://postimg.cc/Mn0THLKt)


Step 2: Create the vip
In opnsense navigate to: Interfaces -> Virtual IPs -> Settings, and add a new vip like this. Make sure to tunnel it via the physical wan interface.
I give the vip an ip address of 192.168.5.2
(https://i.postimg.cc/y3JxNYkS/opn1.png) (https://postimg.cc/y3JxNYkS)

Step 3: Outbound NAT
In opnsense I need a way to shuffle all traffic bound for the modem subnet via the wan physical interface. Outbound NAT is your friend here.
Navigate to Firewall-> NAT -> Outbound, and create a rule which looks like this:
(https://i.postimg.cc/YhrdqdB7/opn2.png) (https://postimg.cc/YhrdqdB7)

Step 4: Firewall
Since in opnsense all subnets are configured to reject traffic by default, we need to specifically open up traffic from Lan to the modem subnet. I use a simple fw rule to achieve this.
Navigate to Firewall-> rules -> Floating, and add a rule like this:
(https://i.postimg.cc/LYy7Tj2G/opn3.png) (https://postimg.cc/LYy7Tj2G)


Time to test this config... fire up a web page, and enter the modem gui address:
(https://i.postimg.cc/4YGfD1bc/opn4.png) (https://postimg.cc/4YGfD1bc)

Job done....

For extra credit you can try some of the following ideas....

If you run a reverse proxy it is best to use it, rather than trying to remember a pesky ip address. I added an entry to my reverse proxy, and can access the modem gui with my domain... eg. modem.mydomain.net. Nice one....

When starting out... you may wish to point your vip at the existing subnet defined in your router. Otherwise you cannot get to the modem without pulling it out and resetting to defaults. Once you have the scheme working you can configure your modem in a more exact way.

Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: hushcoden on November 11, 2023, 01:08:16 pm
Great guide, thanks!

Question: from the modem standpoint, my Vigor 166 port is configured with a subnet of /24, would this create any issues?

Tia.
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: bucky2780 on November 11, 2023, 07:41:23 pm
No issues.
My vigor was originally 192.168.5.1/24 and worked fine in this scenario. This is actually desirable at first, since you can't really manage the modem until you have the scheme working. Best to use your existing /24 subnet, and then adapt later once you've got things working.
I chose to narrow the size of the network with /30, so as to minimise the threat surface.

By the way, I have 2 x modems, since lightning strikes are famous for blowing modems out of the water. Can always keep your spare modem on your desk, configure it, and then when ready place it into your network.
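As an added check (not part of the thread), a small script that validates the addressing the tutorial relies on, including the /24 variant discussed just above, and renders pf-style equivalents of steps 3 and 4; the interface names em0/em1 and the exact pf wording are assumptions, not what OPNsense itself generates.

```python
"""Sanity-check a bridge-modem VIP plan (added example, not the thread's own material).

Given the LAN subnet, the VIP placed on the WAN interface and the modem's own
address, verify the addressing the tutorial relies on and render pf-style
equivalents of the outbound NAT (step 3) and floating pass rule (step 4).
Interface names and the pf wording are assumptions, not what OPNsense emits.
"""
import ipaddress


def check_plan(lan: str, vip: str, modem: str) -> dict:
    """Run the addressing checks; every boolean should be True for a working plan."""
    lan_net = ipaddress.ip_interface(lan).network
    vip_if = ipaddress.ip_interface(vip)
    modem_if = ipaddress.ip_interface(modem)
    modem_net = modem_if.network
    return {
        # VIP and modem must sit in one subnet so the modem answers the VIP directly
        "same_subnet": vip_if.network == modem_net,
        # an overlap with the LAN would make the NAT rule match the wrong traffic
        "no_overlap": not lan_net.overlaps(modem_net),
        "addresses_distinct": vip_if.ip != modem_if.ip,
        # /30 leaves exactly two hosts (modem + VIP); /24 works too but exposes 254
        "usable_hosts": len(list(modem_net.hosts())),
        # RFC1918 space: a WAN "Block private networks" rule would match this traffic
        # unless the floating rule is evaluated first, as the replies discuss
        "modem_net_is_private": modem_net.is_private,
    }


def render_rules(lan: str, vip: str, modem: str,
                 wan_if: str = "em0", lan_if: str = "em1") -> list:
    """pf-style rules equivalent to steps 3 and 4 (assumed interface names)."""
    lan_net = ipaddress.ip_interface(lan).network
    vip_ip = ipaddress.ip_interface(vip).ip
    modem_net = ipaddress.ip_interface(modem).network
    return [
        # step 3: LAN -> modem-subnet traffic leaving WAN is sourced from the VIP
        f"nat on {wan_if} from {lan_net} to {modem_net} -> {vip_ip}",
        # step 4: floating rule letting LAN reach the modem subnet (ping included)
        f"pass in quick on {lan_if} inet from {lan_net} to {modem_net} keep state",
    ]


if __name__ == "__main__":
    plan = ("192.168.92.1/24", "192.168.5.2/30", "192.168.5.1/30")  # tutorial's addresses
    print(check_plan(*plan))
    print("\n".join(render_rules(*plan)))
```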
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: hushcoden on November 17, 2023, 08:21:25 pm
So, I'm following your guide but with no success  :(

This is my config:

 1) Modem IP address = 192.168.2.1/24 (DHCP disabled)
 2) OPNsense LAN = 192.168.0.1/24
 3) VIP = 192.168.2.2/24 (on WAN interface)
 4) Outbound NAT attached
 5) Floating rule attached

And I've also attached what I see in the firewall -> live view

Any help would be much appreciated.

Thanks.
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: bucky2780 on November 17, 2023, 09:08:50 pm
your setup looks clean to me.... Mystery however abounds....
A couple of things to try...

Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: hushcoden on November 17, 2023, 10:48:56 pm
  • On your WAN interface, uncheck "Block local networks" (at least temporarily)
Will try when nobody is connected or they will 'kill' me  ;D

  • ping 2.1 and 2.2 (from 0.7), what do you get ?
request timed out

  • might help to post vip setup too
attached - what about the gateway?

  • Are you getting an error or is there just lack of connectivity ?
lack of connectivity
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: bucky2780 on November 17, 2023, 10:54:14 pm
I strongly suspect the first item... since it generates a firewall rule by default disallowing the 192.x.x.x ip addresses from reaching the wan interface.
I have this ticked atm, and it still works. I suspect because the floating rule is being assessed first.

Go ahead... put it in temporarily... they will never know. :)
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: hushcoden on November 18, 2023, 12:40:51 pm
I really appreciate your patience/help, but I clearly don't know what I'm doing wrong, it just doesn't work for me  :-\

I got it working by having an additional interface on top of the WAN interface and a NAT rule - so I'm wondering if that method is less 'secure' than the VIP one or it's basically the same, and if so I'll probably move on  8)

Many thanks!
Title: Re: Tutorial 2023-11 Bridge Modem access - using VIPs
Post by: meyergru on November 18, 2023, 01:33:05 pm
The tutorial is fine, however, it should be noted that for some ONTs, it will just not work because they disable IP access when PON is activated. That is: You can only access the device without GPON attached. Thus, it may seem that this method does not work when in fact it would - somehow.

This is true for the whole range of Nokia/Alcatel G-010G-x series (https://hack-gpon.org/ont-nokia-g-010g-q/), for example.