Hi All,
I know ideally the OPNSense box should be the only router, but I'm using it locally for my personal devices at the moment rather than for the whole house.
I have my ISP modem/router as edge router that serves wireless to the rest of the house. It is not in bridge mode because I need the wireless functionality.
My OPNSense box WAN port receives IP via DHCP connected to the LAN port of the ISP router.
If the ISP router is not in bridge mode, I assume it is performing NAT. Does OPNSense also perform NAT by default? Is that a double NAT situation?
If yes, what should I do to avoid double NAT until such a time when the OPNSense box (+switch(es)+WAP's) becomes the whole house router? Is there an option to disable NAT on the OPNSense box and would that be the correct approach?
Or am I just worrying about a non-issue?
Many Thanks
P195
Possibly the last.
If you have no ports or services intentionally exposed to the internet then all is sweet. Opnsense has already handled outward NAT as does the ISP router.
Do not bridge your ISP router until you have placed it 'inside' Opnsense else your wireless devices will be fully exposed.
Yes, you are likely doing double-NAT (can't say for sure without details about your ISP router/setup, but would be willing to bet). OPNsense does outbound NAT automatically by default (Firewall > NAT > Outbound)
Is double-NAT terrible? Maybe, or maybe not, depending on what you need to do - e.g. if you need to port-forward inbound, you'll have to do it in two places. IPv6 could be tricky too. If you don't care about things like that, and just want basic internet access, it may be OK.
If you turn off NAT in OPNsense, you'll have to add static routes for your OPNsense LAN(s) to your ISP router, and hope that it will do NAT for routed networks. It depends on what the ISP router will let you do...
Usually double NAT is not an issue. The only thing might be a UDP-based VPN without setting an MTU inside the tunnel, which could lead to fragments.
Hi all, thanks for your replies.
Quote from: passeri on March 06, 2025, 02:25:13 AM
If you have no ports or services intentionally exposed to the internet then all is sweet.
I don't have any ports or services intentionally exposed, whether I have any unintentionally exposed is another question. What's the best way to check?
If that reveals that no ports or services are exposed, to confirm, does that mean that the double NAT concern is a non-issue?
Quote from: passeri on March 06, 2025, 02:25:13 AM
Do not bridge your ISP router until you have placed it 'inside' Opnsense else your wireless devices will be fully exposed.
I don't want to bridge the ISP router anyway because the rest of the family use it for the wireless functionality and as far as I'm aware, if I put it in bridge mode then that is disabled. Have I understood you correctly that the edge router (ISP router in this case) has to perform NAT to keep the wireless devices secure and by enabling bridge mode you are disabling NAT?
It's not too important anyway because I'm either leaving it set up as it is now or ditching the ISP modem/router to replace it with a dedicated modem going directly to the OPNSense box. It's just that I'm still a bit overwhelmed by all the options and settings, and I wanted to be sure I can understand OPNSense well enough before putting it in as the whole house router and then getting grief from the family when I can't administer it with confidence!
===
Another question I have which is completely unrelated to the thread title (sorry) is whether I need managed switch(es) or not if I want to separate my network into categories. My understanding so far is this:
My OPNsense box has 4 ports, 1 WAN, 3 LAN. If I wanted to segregate network connections into 3 categories: My Network / Wireless Devices / Work Devices, then I could use 3x unmanaged switches connected to each LAN interface port, wire devices / WAPs from these switches and then use firewall rules to block access between each port.
If I wanted to segregate my network into six categories: My Network / IoT Devices / Work Devices / Guest Devices / Security Devices / VPN, then I would need a managed switch because I would need to set up VLANs. In this case I could in theory do everything from only one LAN port on the OPNsense box if I bought a switch with enough ports.
And lastly about the difference between a L2 and L3 switch and what would be the factors in deciding which type to get.
Probably way off the mark with most of this, but would be grateful for any corrections / advice.
Many Thanks
Quote from: P195 on March 06, 2025, 11:54:38 PM
I don't have any ports or services intentionally exposed, whether I have any unintentionally exposed is another question. What's the best way to check?
If that reveals that no ports or services are exposed, to confirm, does that mean that the double NAT concern is a non-issue?
You can find web services which will probe for open ports, or you can use nmap via VPN. Double NAT outbound is not an issue.
Quote
Have I understood you correctly that the edge router (ISP router in this case) has to perform NAT to keep the wireless devices secure and by enabling bridge mode you are disabling NAT?
It is not NAT that keeps it secure but firewall rules during routing. A normal bridge does not support those. The need for NAT is a by-product of address translation by the router. L2 bridging skips both components.
Quote
Another question I have which is completely unrelated to the thread title (sorry) is whether I need managed switch(es) or not if I want to separate my network into categories.
Yes you will need switches which support VLAN tagging. I am not well placed to help you further on that because my network has long been established with a couple of internal firewall/routers so I break up sub-nets at the point of need rather than splitting everything from the top. Thus (almost) all my switches are dumb.
I set something up recently as part of another thread:
https://forum.opnsense.org/index.php?topic=45558.msg228062#msg228062
Disabling NAT on the internal OPN is trivial.
Most of the config changes were on the edge router. I'm not sure how easy that would be on a consumer router.
I don't believe I would bother if all traffic on the internal router was outbound (to the internet).
If the machines behind the internal router need to communicate with machines on the primary network, you'll have to disable reply-to.
Quote from: P195 on March 06, 2025, 11:54:38 PM
Another question I have which is completely unrelated to the thread title (sorry) is whether I need managed switch(es) or not if I want to separate my network into categories. My understanding so far is this:
My OPNsense box has 4 ports, 1 WAN, 3 LAN. If I wanted to segregate network connections into 3 categories: My Network / Wireless Devices / Work Devices, then I could use 3x unmanaged switches connected to each LAN interface port, wire devices / WAPs from these switches and then use firewall rules to block access between each port.
If I wanted to segregate my network into six categories: My Network / IoT Devices / Work Devices / Guest Devices / Security Devices / VPN, then I would need a managed switch because I would need to set up VLANs. In this case I could in theory do everything from only one LAN port on the OPNsense box if I bought a switch with enough ports.
I suppose the implied question here is "Is my understanding correct?". I believe that it is. Basic managed switches are cheap nowadays, so I'd probably recommend doing VLANs from the beginning - it'll give you more flexibility going forward - but you could use physical separation while you have enough physical NICs on your firewall to support it.
Quote from: P195 on March 06, 2025, 11:54:38 PM
And lastly about the difference between a L2 and L3 switch and what would be the factors in deciding which type to get.
Layer 3 switches implement routing between subnets on the switch. In this case, OPNsense is not in the path between subnets, and so it can't enforce policy on traffic from one subnet to another. You probably don't want that.
Quote from: dseven on March 07, 2025, 10:20:44 AM
I suppose the implied question here is "Is my understanding correct?". I believe that it is. Basic managed switches are cheap nowadays, so I'd probably recommend doing VLANs from the beginning - it'll give you more flexibility going forward - but you could use physical separation while you have enough physical NICs on your firewall to support it.
Quote from: dseven on March 07, 2025, 10:20:44 AM
Layer 3 switches implement routing between subnets on the switch. In this case, OPNsense is not in the path between subnets, and so it can't enforce policy on traffic from one subnet to another. You probably don't want that.
Thank you, these are very clear and simple answers - I appreciate that!
Would you go out on a limb to recommend me a 2.5Gb PoE managed switch (I assume layer 2 based on what you said above) to support VLAN tagging which is fairly priced but reliable for home use? Netgear? MikroTik? UniFi? Other? I guess you'd advise to steer away from cheap Chinese switches?
Quote from: P195 on March 07, 2025, 06:12:50 PM
Would you go out on a limb to recommend me a 2.5Gb PoE managed switch (I assume layer 2 based on what you said above) to support VLAN tagging which is fairly priced but reliable for home use? Netgear? MikroTik? UniFi? Other? I guess you'd advise to steer away from cheap Chinese switches?
Actually I use a couple of "Horaco" brand AliExpress specials - 8 x 2.5G plus 1 x 10G SFP+ for a fibre link between them (they're in different rooms). The management interface is a bit primitive, but they're working OK so far. I haven't really tried to stress-test them. No PoE on these, though - I don't have anything that needs 2.5GbE *and* PoE, so I have separate dumb PoE switches.
The only reason I said PoE was because I was thinking I'd mount the WAPs on the walls or ceiling and would save the hassle of a mains supply for them. So do you take ethernet from the managed non-PoE switch to an unmanaged PoE switch and connect your WAPs to that? I didn't know you could do that.
Is the management interface good enough for what most home users would need? Do you think it's worth paying more for something more refined in this area? And do you think the concern about dodgy Chinese firmware is justified? Seeing as I'm a beginner I'd like to take the cheap route to begin with, but not at the expense of network security and privacy.
Yes, my PoE switches "hang off" these managed ones, to connect APs and security cameras. The dumb PoE switches (that I use) actually pass VLAN-tagged frames, so it's still possible to do things like different WiFi networks on VLANs. Some caution is required though, as you're relying on the connected devices to handle the tagging properly and ignore frames tagged for other VLANs (since you can't control that at the switch). Windows NIC drivers are known to blindly strip VLAN tags and process frames for VLANs that the PC is not supposed to be on, so it'd be best to keep PCs and the like on the managed switch. If you don't need VLANs on your APs, you could just uplink the PoE switch to a port on the managed switch where only one VLAN is available, untagged, and that should be straightforward.
As for untrustworthy firmware... I haven't really worried about it with these switches. You could use OPNsense firewall rules to prevent the switch from accessing the internet (but still be manageable from your LAN)...
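Added example, not code from the thread or any poster: a small Python model of 802.1Q frame handling that shows why, when a dumb switch forwards every tagged frame, it is the end device's driver that decides whether a frame for another VLAN gets processed. The MAC addresses, VLAN numbers and frames are constructed for the demonstration.

```python
"""Parse 802.1Q-tagged Ethernet frames and model two end-device behaviours:
a driver that filters on VLAN ID versus one that blindly strips the tag.
All frames, MACs and VLAN numbers below are constructed sample data."""
import struct

ETHERTYPE_VLAN = 0x8100   # TPID marking an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, VLAN ID (None if untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF     # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def host_accepts(frame: bytes, allowed_vlans: set, strips_tags_blindly: bool) -> bool:
    """A correct driver only accepts frames for VLANs it is configured on
    (an untagged frame has vlan None). A tag-stripping driver drops the tag
    and processes every frame regardless of which VLAN it was meant for."""
    info = parse_frame(frame)
    if strips_tags_blindly:
        return True
    return info["vlan"] in allowed_vlans


def build_frame(vlan_id, payload=b"\x45" + b"\x00" * 19) -> bytes:
    """Build a constructed sample frame; vlan_id None means untagged."""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan_id & 0x0FFF         # PCP=0, DEI=0, just the VLAN ID
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    # Constructed scenario: the PC should only be on VLAN 10, but a frame
    # tagged for the (assumed) IoT VLAN 20 reaches it via the dumb switch.
    iot_frame = build_frame(20)
    print("filtering driver accepts VLAN 20 frame:", host_accepts(iot_frame, {10}, False))
    print("tag-stripping driver accepts it:       ", host_accepts(iot_frame, {10}, True))
```

The same check is what a managed switch does at the port: frames for VLANs not allowed on that port never reach the host, so the driver's behaviour stops mattering.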