OPNsense Forum

English Forums => General Discussion => Topic started by: LtCol_Davenport on March 04, 2024, 10:19:49 AM

Title: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 04, 2024, 10:19:49 AM
Hi,

I just set up my first VLAN.

I added it on the Firewall, Switch and AP (is for guest wireless).

I tried to connect to it with my phone: it is displayed, it connects, it gets an IP from DHCP, and looking at the firewall live logs it seems to reach outside, but it seems the traffic won't come back or gets dropped by the WAN interface cleanup rule.

What I did on the firewall was:

- Created the VLAN, interface, set DHCP pool
- Added a rule in VLAN_Guest allowing Any-Any (now just for testing)
- Added a rule in WAN allowing source WAN destination VLAN_Guest
- Disabled NAT from VLAN_Guest to WAN (as it seems it was NATting and I think it should not; NAT is done from WAN to the connected router)

But it won't work. Any idea what I am missing?

This VLAN is created on the LAN (real) interface. LAN works with no problem; this VLAN does not go to the internet.

Fun fact: I work everyday with CheckPoint and Fortigate firewalls, and I cannot get a simple, free, open source program to work. It is frustrating.
Title: Re: VLAN can’t connect to Internet
Post by: Saarbremer on March 04, 2024, 11:21:01 AM
Hi,

If you don't intend to run a server pool in your VLAN, please don't:
- Added a rule in WAN allowing source WAN destination VLAN_Guest

For normal client internet access this is not needed and imposes a security risk (esp. on IPv6).

Since you switched off NAT in an internal network, make sure your "connected router" has the appropriate routes to your VLAN's IP range. Otherwise, you will not see any traffic coming back.

Obviously Fortigate and CheckPoint do not prepare you for IP basics. :-)
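The return-path problem described in this reply, as an added example that is not part of the thread: a Python model of the upstream (ISP) router's longest-prefix route lookup. The addresses are constructed for the illustration (192.168.1.0/24 between the ISP router and the OPNsense WAN address 192.168.1.2, 192.168.20.0/24 as the guest VLAN, 192.168.20.50 as the phone). It shows the reply being swallowed by the default route when outbound NAT is off and the ISP router has no route to the VLAN, and the two ways out named in the thread: outbound NAT on OPNsense, or a static route for the VLAN prefix on the upstream router.

```python
"""Why return traffic from an un-NATed VLAN vanishes at the upstream router.

Added example, not from the forum thread. Constructed addresses:
  ISP router LAN side          192.168.1.1/24
  OPNsense WAN address         192.168.1.2   (sits on the ISP router's LAN)
  OPNsense guest VLAN          192.168.20.0/24
  a phone on the guest VLAN    192.168.20.50
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Routing table of the ISP router: (prefix, egress). Longest prefix wins.
Route = tuple[IPv4Network, str]

UPLINK = "isp-uplink (default route)"

ISP_ROUTER_ROUTES: list[Route] = [
    (ip_network("192.168.1.0/24"), "lan-side (directly connected)"),
    (ip_network("0.0.0.0/0"), UPLINK),
]

OPNSENSE_WAN_IP = ip_address("192.168.1.2")
GUEST_VLAN = ip_network("192.168.20.0/24")
PHONE = ip_address("192.168.20.50")


def lookup(routes: list[Route], dst: IPv4Address) -> str:
    """Longest-prefix match, the way any IP router picks an egress."""
    best: Route | None = None
    for prefix, egress in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def reply_reaches_opnsense(routes: list[Route], reply_dst: IPv4Address) -> bool:
    """True if the ISP router sends the reply back toward OPNsense.

    Only the directly connected LAN side or an explicit route via the
    OPNsense WAN address leads there; the default route goes upstream,
    where a private destination is simply dropped.
    """
    return lookup(routes, reply_dst) != UPLINK


def scenario_no_nat_no_route() -> bool:
    # Outbound NAT disabled for the guest VLAN: the packet left with the
    # phone's private source address, so the reply is addressed to the phone.
    return reply_reaches_opnsense(ISP_ROUTER_ROUTES, PHONE)


def scenario_nat_on_opnsense() -> bool:
    # Outbound NAT enabled: source rewritten to the OPNsense WAN address,
    # which the ISP router sees as directly connected. Double NAT, but it works.
    return reply_reaches_opnsense(ISP_ROUTER_ROUTES, OPNSENSE_WAN_IP)


def scenario_static_route_on_isp_router() -> bool:
    # No NAT, but the ISP router has been given a route to the VLAN prefix
    # via OPNsense (what the reply above asks for; many ISP boxes cannot do this).
    routes = ISP_ROUTER_ROUTES + [(GUEST_VLAN, f"via {OPNSENSE_WAN_IP}")]
    return reply_reaches_opnsense(routes, PHONE)


if __name__ == "__main__":
    print("no NAT, no route  :", scenario_no_nat_no_route())
    print("NAT on OPNsense   :", scenario_nat_on_opnsense())
    print("static route added:", scenario_static_route_on_isp_router())
```

The same lookup explains why the LAN itself worked all along: its traffic is NATed to the OPNsense WAN address, which the ISP router reaches as a directly connected network, so no extra route is ever needed for it.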
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 04, 2024, 12:23:53 PM
Thanks for the WAN rules suggestion as I was not sure about it.

I disabled the NAT because it already occurs later down the chain and didn't want to double NAT.

Thanks also for the router suggestion. It is not a matter of basic IP knowledge, but a wrong assumption about a router that's not mine. That is my ISP router, and in its login page I found no section about routes, so I thought it would at least send all private networks inside, even if not directly connected.

But apparently not.

So I think now I have 3 options:

- Enable NAT for that VLAN. But that would do double NAT (I think)

- Put a better Router between my ISP Router and my Firewall that supports Routes.

- Change my ISP router with a better one.


Am I missing something?
Title: Re: VLAN can’t connect to Internet
Post by: Saarbremer on March 04, 2024, 04:02:15 PM
Actually, your three options boil down to 2 if you stick with another router.

- NAT within the RFC1918 range. Not very nice - but it works; as long as you just want to provide internet access, that's fine. In other cases it might get nasty. Depends on your scenario.

- Use a router at your network's edge (connection to ISP) that is able to route NAT'ed traffic accordingly.

If you could replace your ISP router by a simple modem that serves your OPNSense's WAN, that would be another option. In that case OPNSense uses the public WAN IP and everything is fine.
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 04, 2024, 05:02:07 PM
Quote from: Saarbremer on March 04, 2024, 04:02:15 PM

If you could replace your ISP router by a simple modem that serves your OPNSense's WAN, that would be another option. In that case OPNSense uses the public WAN IP and everything is fine.

I was looking at a DrayTek Vigor 167. It should be just a modem; would it be fine in your opinion?
Title: Re: VLAN can’t connect to Internet
Post by: Saarbremer on March 04, 2024, 08:16:43 PM
I am sorry but my experience with xDSL modems is very limited. So I can't give you any evaluation on that. From the specs it sounds ok.
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 04, 2024, 08:26:36 PM
Quote from: Saarbremer on March 04, 2024, 08:16:43 PM
I am sorry but my experience with xDSL modems is very limited. So I can't give you any evaluation on that. From the specs it sounds ok.
Thank you very much for the help.

I'll try.
Title: Re: VLAN can’t connect to Internet
Post by: cookiemonster on March 04, 2024, 10:23:00 PM
Do you have to have an ISP router in front of OPN? You might want to look for one that can be put in bridge mode; that way, all it does is terminate the xDSL connection. It would be good if you could find out the method it uses for connection, i.e. PPPoE. It might be that you only need OPN.
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 05, 2024, 08:49:13 AM
Thanks for suggestions.

I solved the issue and apparently it was a misconfiguration of Unbound DNS.

Some time ago I changed the default action to deny DNS, and I forgot to add this new network to the Allow list for Unbound DNS queries.

So it was not a problem of routing (not this time), since NAT on the WAN port was done correctly, it seems.

Anyway, I will probably look in any case at just a modem to pair with my firewall so that I minimize the research area next time. Also, I think that ISP router is giving me some other troubles; moreover, it would be nice to have the public IP directly on the firewall. Is that possible with any modem, or should I look for something in particular?
Title: Re: VLAN can’t connect to Internet
Post by: cookiemonster on March 05, 2024, 10:26:17 AM
If you tell us the answers to the questions I asked, it would be easier to help ;)
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 05, 2024, 10:41:43 AM
Quote from: cookiemonster on March 04, 2024, 10:23:00 PM
Do you have to have an ISP router in front of OPN? You might want to look for one that can be put in bridge mode; that way, all it does is terminate the xDSL connection. It would be good if you could find out the method it uses for connection, i.e. PPPoE. It might be that you only need OPN.
Yes, I have my ISP router in front of my Firewall. I am speaking about a private home network, not enterprise.

I tried looking inside, but it has an extremely simple GUI; I can barely see any options.

I may ask on some forums about the ISP and/or ask my provider directly for the ADSL parameters in order to configure a modem separately.
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 05, 2024, 10:42:02 AM
Quote from: cookiemonster on March 05, 2024, 10:26:17 AM
If you tell us the answers to the questions I asked, it would be easier to help ;)
I tried to answer as best as I can.
Title: Re: VLAN can’t connect to Internet
Post by: cookiemonster on March 05, 2024, 03:53:25 PM
OK for xDSL. It varies by what the ISP uses for authentication.
In the UK for instance, you can have PPPoE with username and password. Some ISPs use VLAN tags, some don't.
Some don't use PPPoE and don't use username/password, but instead what we used to call "full network authentication", which goes by the card/frame/port in the DSLAM or MSAN at the local exchange and could only be used by the physical cable reaching the customer's property.
Some examples of types. The router they provide will be reflecting this setup, and often you can just put those in OPN. OPN can do PPPoE with username/password for instance, hence the question.
The ISP router usually shows if it is using username/password and the method it is using, even if the functionality will be very locked down, as you've already found. Look for an option to put it in bridge mode. It might or might not have it.
Essentially this would be an equivalent to having a modem only in front of OPN.
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 05, 2024, 04:52:52 PM
Quote from: cookiemonster on March 05, 2024, 03:53:25 PM
OK for xDSL. It varies by what the ISP uses for authentication.
In the UK for instance, you can have PPPoE with username and password. Some ISPs use VLAN tags, some don't.
Some don't use PPPoE and don't use username/password, but instead what we used to call "full network authentication", which goes by the card/frame/port in the DSLAM or MSAN at the local exchange and could only be used by the physical cable reaching the customer's property.
Some examples of types. The router they provide will be reflecting this setup, and often you can just put those in OPN. OPN can do PPPoE with username/password for instance, hence the question.
The ISP router usually shows if it is using username/password and the method it is using, even if the functionality will be very locked down, as you've already found. Look for an option to put it in bridge mode. It might or might not have it.
Essentially this would be an equivalent to having a modem only in front of OPN.
Just to be sure, I just contacted my ISP, asking if I can replace the router with just a modem that feeds a router/firewall behind it.

They said yes, that I will need to provide information about the new device (the modem), and I will be contacted by a technician instructing me on how to do it and providing the needed information.

At this point, I just purchased that Vigor 167; it should arrive in 2 days. We will see, I am really curious.

Just as a side question, can I just stay with that Modem and the Firewall? Why would I eventually want to put a router in the middle of the Modem and Firewall?

Thanks.
Title: Re: VLAN can’t connect to Internet
Post by: Patrick M. Hausen on March 05, 2024, 05:00:25 PM
Quote from: LtCol_Davenport on March 05, 2024, 04:52:52 PM
Just as a side question, can I just stay with that Modem and the Firewall?
If the modem is matching your DSL link's technology, yes, of course.

Quote from: LtCol_Davenport on March 05, 2024, 04:52:52 PM
Why would I eventually want to put a router in the middle of the Modem and Firewall?
I can't think of a reason why you would. I definitely wouldn't.

What you need to consider if you replace an all-in-one consumer router that includes WiFi with a modem and OPNsense is that you might need a WiFi access point. Frequently one can configure the former router as such and then place it in the LAN behind OPNsense.
Title: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 05, 2024, 05:05:42 PM
Quote
I can't think of a reason why you would. I definitely wouldn't.

What you need to consider if you replace an all-in-one consumer router that includes WiFi with a modem and OPNsense is that you might need a WiFi access point. Frequently one can configure the former router as such and then place it in the LAN behind OPNsense.

Thanks.

I already have a full network (for my needs).

I have two Mikrotik APs (configurable and with VLANs).

Two Mikrotik Switches (managed and PoE).

A Protectli firewall running OPNSense.

That's why I wanted to remove my ISP router, as it is the only weak link, the one that I cannot fully control, manage and replace.
Title: Re: VLAN can’t connect to Internet
Post by: cookiemonster on March 05, 2024, 10:25:29 PM
Hopefully most is now clear(er). To add to what Patrick wrote, you wouldn't add a router to the mix if you have one already. A consumer router normally has two or three parts: 1) router; 2) firewall; 3) optionally a modem.
When you have OPN you have 1) and 2).
The conversation has been whether you can replace 3).
When you put an ISP router in bridge mode, you are disabling 1) and 2) and only using 3).
Looking at your purchased Vigor 167, that'll do. It is a modem/router that can be put in bridge mode. The question was if your current one could also be put in bridge mode and save you buying the Vigor.
Anyway, seems you're on your way :)
Title: Re: VLAN can’t connect to Internet
Post by: LtCol_Davenport on March 06, 2024, 10:24:03 AM
Quote from: cookiemonster on March 05, 2024, 10:25:29 PM
Hopefully most is now clear(er). To add to what Patrick wrote, you wouldn't add a router to the mix if you have one already. A consumer router normally has two or three parts: 1) router; 2) firewall; 3) optionally a modem.
When you have OPN you have 1) and 2).
The conversation has been whether you can replace 3).
When you put an ISP router in bridge mode, you are disabling 1) and 2) and only using 3).
Looking at your purchased Vigor 167, that'll do. It is a modem/router that can be put in bridge mode. The question was if your current one could also be put in bridge mode and save you buying the Vigor.
Anyway, seems you're on your way :)
I tried looking online on forums about my ISP and looking into the GUI of the router, but it seems there is no option.

I found that Vigor 167 used on Amazon (which usually are all like new items) for like €70 instead of €120, so I thought it was fine.

If that works, it will give me the peace of mind of being completely separated from my ISP, and if something won't work in the future I know it will definitely be my own fault, but I will also have the ability to assess it, if that makes sense :)

I will just need to probably change the WAN interface on the OPNSense and maybe the NAT rule, since now the WAN has a private address going into the router. When putting in the modem, if I understood it correctly, I will have the public IP directly on the WAN interface of the firewall, so it will change some stuff.
Title: Re: VLAN can’t connect to Internet
Post by: Iulian on November 21, 2024, 12:05:51 AM
I had the same problem doing that for the first time. What you need to do is go to Firewall -> Rules -> your VLAN interface; mine is called OPT1.

There you need to make 2 rules, one to have internet access and another one to block access to your LAN (if you want that).

So press the + button, and for the 1st rule:
*action - block
*interface - your VLAN (OPT1)
*source - your VLAN net (OPT1 net)
*destination - LAN net
*description - Block lan access
*press save

2nd rule:
*action - pass
*interface - your VLAN (OPT1)
*source - your VLAN net (OPT1 net)
*description - Allow internet
*press save

Now you need to make sure that the "Block lan access" rule is first and the "Allow internet" rule is under it. If not, check the "Allow internet" rule, press the "move selected rule to the end" button "<-", and after that press "apply changes".

It should look like the attached picture.

I hope this helps.
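The two-rule layout and the ordering point from this post, as an added example that is not part of the thread or of OPNsense itself: a small Python model of first-match ("quick") evaluation of interface rules, with constructed addresses (192.168.1.0/24 as "LAN net", 192.168.20.0/24 as "OPT1 net", a guest phone at 192.168.20.50 and an arbitrary public destination). It evaluates the rules in the order the post gives, then in the reversed order, to show that with the pass-any rule on top the block rule never fires. It also includes a shadowing check that flags a rule whose source and destination are fully covered by an earlier rule with the opposite action, which is exactly the mistake the post warns against. Protocol and port matching are left out; only interface, source and destination are modelled.

```python
"""First-match ('quick') evaluation of OPNsense-style interface rules.

Added example, not from the post and not OPNsense code. Constructed addresses:
  LAN net   192.168.1.0/24
  OPT1 net  192.168.20.0/24   (the guest VLAN)
Only interface, source and destination are modelled; protocol/ports are omitted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")
OPT1_NET = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    interface: str         # interface the packet arrives on
    source: IPv4Network
    destination: IPv4Network
    description: str


@dataclass(frozen=True)
class Packet:
    interface: str
    src: str
    dst: str


def first_match(rules: list[Rule], pkt: Packet) -> str:
    """Interface rules are 'quick' by default: the first matching rule decides.

    A packet that matches nothing hits the implicit default deny.
    """
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for r in rules:
        if r.interface == pkt.interface and s in r.source and d in r.destination:
            return r.action
    return "block"  # implicit default deny on every interface


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Descriptions of rules that can never fire because an earlier rule on the
    same interface with the opposite action already covers all of their traffic.
    Same-action shadowing is harmless and is not reported."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.interface == later.interface
                    and earlier.action != later.action
                    and later.source.subnet_of(earlier.source)
                    and later.destination.subnet_of(earlier.destination)):
                found.append(later.description)
                break
    return found


# The two rules from the post, on the guest VLAN interface OPT1.
BLOCK_LAN = Rule("block", "OPT1", OPT1_NET, LAN_NET, "Block lan access")
ALLOW_INTERNET = Rule("pass", "OPT1", OPT1_NET, ANY, "Allow internet")

# Constructed sample packets from a guest phone.
GUEST_TO_LAN = Packet("OPT1", "192.168.20.50", "192.168.1.10")
GUEST_TO_INTERNET = Packet("OPT1", "192.168.20.50", "203.0.113.7")


def correct_order() -> tuple[str, str]:
    """Block rule first, as the post says: LAN blocked, internet allowed."""
    rules = [BLOCK_LAN, ALLOW_INTERNET]
    return first_match(rules, GUEST_TO_LAN), first_match(rules, GUEST_TO_INTERNET)


def wrong_order() -> tuple[str, str]:
    """Pass-any rule first: it matches everything, so the LAN is reachable too."""
    rules = [ALLOW_INTERNET, BLOCK_LAN]
    return first_match(rules, GUEST_TO_LAN), first_match(rules, GUEST_TO_INTERNET)


def no_rules() -> str:
    """The original poster's starting point: no pass rule means default deny."""
    return first_match([], GUEST_TO_INTERNET)


if __name__ == "__main__":
    print("correct order (lan, internet):", correct_order())
    print("wrong order   (lan, internet):", wrong_order())
    print("no rules      (internet)     :", no_rules())
    print("shadowed in wrong order      :", shadowed_rules([ALLOW_INTERNET, BLOCK_LAN]))
```

The shadowing check is the part worth keeping around: run it over an exported ruleset whenever a broad pass rule is added, since a block rule that has silently moved below a pass-any rule looks fine in the GUI and only shows up as guest devices reaching the LAN.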