OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: crash on August 24, 2019, 08:48:45 pm

Title: accessing dsl modem behind firewall with some caveats...
Post by: crash on August 24, 2019, 08:48:45 pm
hey everyone, straight to the point...
this is my network setup:
dsl1(192.168.100.0/24)>pppoe1>wan gateway>lan(192.168.0.0/24)
dsl2(192.168.200.0/24)>pppoe2>wan gateway2>lan2(192.168.1.0/24)

as the title says, what i want to do is to access the dsl modems, or simply be able to talk to <192.168.100.0> and <192.168.200.0> from my lan (192.168.0.0)...

as i have two different gateways, using the outbound NAT rule in the firewall doesn't work... (that i found out before in pfsense)...
the thing is, on pfsense with some simple allow rules in the firewall (allow access to <wan1modem net (192.168.100.0/24)> from lan) it would work and i had access to the modems, but the same setup doesn't work on opnsense for some reason...

i did some googling and couldn't find anything useful, some help would be appreciated...

some additional info:
interfaces:
lan net       > (192.168.0.0/24)
lan2 net      > (192.168.1.0/24)
wan           > pppoe1
wan2          > pppoe2
wan1modem net > (192.168.100.0/24)
wan2modem net > (192.168.200.0/24)

modem 1 has static ip of 192.168.100.1
modem 2 has static ip of 192.168.200.1

i want access from lan net to wan1modem net and wan2modem net...
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: hbc on August 24, 2019, 11:11:23 pm
Did you allow private networks on WAN?

Else you can check the other threads with the same problem: https://forum.opnsense.org/index.php?topic=12094.msg55343#msg55343 (https://forum.opnsense.org/index.php?topic=12094.msg55343#msg55343)
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: crash on August 25, 2019, 04:18:40 am
Did you allow private networks on WAN?

Else you can check the other threads with the same problem: https://forum.opnsense.org/index.php?topic=12094.msg55343#msg55343 (https://forum.opnsense.org/index.php?topic=12094.msg55343#msg55343)
no, why would i do that?

wan is its own interface with pppoe and wan_modem is its own...

as stated in the OP, yes i have read the forum and googled about it, my situation is a bit different because of having 2 independent wan/lans, therefore not using the default gateway...
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: crash on August 29, 2019, 02:33:03 pm
shameless bump...

i've been searching the web, i still don't know why i can't access different subnets...
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: tong2x on August 29, 2019, 04:35:56 pm
you can access one at a time? or none at all?

might be hard to do since it is using a different subnet...
not unless you are on the opnsense server itself...

you might need to make a port forward in your opnsense server, to redirect your local subnet to the other subnet.
or possibly make a dns resolve to route data to the other subnet.

in general you should be able to access the modem using the correct/same subnet as your PC.
only an opnsense server will be able to see both.
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: datiscum on August 29, 2019, 05:19:59 pm
I solved it with an SSH port forwarding.
My Vigor DSL modem has the IP 192.168.244.1

OPNsense has the IP 192.168.11.1

Allow ssh login on the OPNsense.

Use the following command to get the port of the DSL modem to the local PC.

ssh -p 9998 OPNSenseUser@192.168.11.1 -L 8082:192.168.244.1:443

9998 = SSH Port OPNSense
Now directly access the modem in the WEB browser on the local PC with the following URL:
https://127.0.0.1:8082/

So I can see all parameters and also do firmware updates.

Possibly the solution is also interesting for others.
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: engelant on August 29, 2019, 08:24:49 pm
I would suggest to get rid of PPPoE.

This means make your router provide a "Transfer Net", e.g. 10.0.200.0/29 (3-bit subnet, 4 Addresses + Broadcast + Net). Configure your router to 10.0.200.1/29, dial itself in and even do DynDNS stuff if required. Define Address 10.0.200.2 to be an exposed host, basically NATing/Forwarding everything from WAN to 10.0.200.2.

Now configure your WAN Interface on OPNsense to 10.0.200.2/29 and basically that's it.

To get the traffic flowing you could set your OPNsense WAN interface to do NAT to 10.0.200.1 or set a route in your Router for 10.0.0.0/8, 192.168.0.0 -> 10.0.200.2.

The reason why I actually did this is because I wanted to use OPNsense active/backup config, and PPPoE is just not working for that. But with CARP I can create a virtual IP in that subnet (10.0.200.4) and expose that IP on my router, so all the traffic comes in on the active instance.
Unfortunately the automatic Gateway stuff and outbound traffic didn't work for me as expected, since you can only reference interfaces but not VIPs in the Gateway interface; Outbound traffic will always take the active Firewall IP. Still works, but one doesn't get the interruption-free failover I was hoping for (SSH session not dropping).
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: crash on August 30, 2019, 09:31:22 pm
i think we have some misunderstanding here...
my sole goal is to have unrestricted access to a different subnet ....
a different subnet can be my modem <192.168.100.0> or my LAN2 <192.168.1.0>....
from what i understand this firewall rule:

source        destination     policy
192.168.0.0   192.168.100.0   allow

should grant my lan <192.168.0.0> access to <192.168.100.0> but it doesn't work...

what could be the culprit here? is there a different setting that i also have to do?
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: tong2x on August 31, 2019, 03:13:14 am
yes and no...

opnsense may have allowed the connection but
does not mean your PC/machine will be able to receive it...
since it is of different subnets...

assuming you have 2 NICs connected to both subnets... then your PC/machine should have NO ISSUE routing your request to the right subnet, as it "knows" to which NIC to send and receive the request.
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: crash on September 01, 2019, 09:24:40 pm
what steps do you recommend for troubleshooting this?

i watched some firewall logs and it boiled down to the fact that no one on the other subnet is responding (192.168.100.0),
which got me confused because if i ping 192.168.100.1 with opnsense, setting the source as the 192.168.100.0 net, i get responses back...
so 192.168.100.1 is responding on the x.x.100.0 network...
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: tong2x on September 02, 2019, 02:50:19 am
the simplest way would be for your machine to have 2 (or 3) nics with direct connection to your modems.
you don't want that right?

you still want to go through your opnsense server/lan?

since it is configured as multiwan... opnsense will somehow allow only connection to one gateway at a time.
since it would not be possible for one client to have 2 gateways at a time

when you say
"i want access from lan net to wan1modem net and wan2modem net..."
you mean you just want to administer the modem/router via its HTTP configuration?
Title: Re: accessing dsl modem behind firewall with some caveats...
Post by: mitchellp on September 02, 2019, 05:16:23 am
Crash, I believe i have the same setup as you working.
From memory the thing that made it work was creating an upstream gateway on each of the modemnet interfaces, with the IP address of the gateway being the address of the respective modems.

Some notes about other things that are or are not set. No static route set, No NAT port forward set, outbound NAT has auto generated rules for modemnets, No floating or Lan firewall rules referencing modemnets*, no modemnet firewall rules (not even any auto generated, as "Disable force gateway" is ticked)

* I have a catch all allow RFC1918 at the top of my Lan firewall rules which lan->modem traffic does hit.

Hope this helps.
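To make the mechanism behind mitchellp's rule layout concrete, here is an added Python model of how a pf/OPNsense pass rule with a gateway behaves versus one without; it is not code from the thread or from OPNsense, and it assumes (as is typical for a multi-WAN setup) that the poster's LAN pass rule carries a gateway, which policy-routes lan-to-modem-net traffic out the PPPoE link so the modem never sees it. A pass rule for private networks with no gateway, placed above the multi-WAN rule, lets the kernel routing table deliver the packet to the directly connected modem interface instead.

```python
import ipaddress

# Constructed routing table modelled on the thread's addressing (an assumption
# about the poster's box): modem nets directly connected, PPPoE WAN as default route.
ROUTES = {
    "192.168.0.0/24": "lan",
    "192.168.1.0/24": "lan2",
    "192.168.100.0/24": "wan1modem",
    "192.168.200.0/24": "wan2modem",
    "0.0.0.0/0": "pppoe1",
}
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def route_lookup(dst):
    """Plain kernel routing: the longest matching prefix wins."""
    d = ipaddress.ip_address(dst)
    matches = [ipaddress.ip_network(p) for p in ROUTES if d in ipaddress.ip_network(p)]
    return ROUTES[str(max(matches, key=lambda n: n.prefixlen))]


def egress(src, dst, rules):
    """Return the interface a packet leaves on, or None if no pass rule matches.

    First matching rule wins (OPNsense interface rules are 'quick'). A rule that
    carries a gateway policy-routes the packet to that gateway (pf route-to), so
    the routing table is never consulted for it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        in_src = s in ipaddress.ip_network(rule["src"])
        in_dst = any(d in ipaddress.ip_network(n) for n in rule["dst"])
        if in_src and in_dst:
            return rule.get("gateway") or route_lookup(dst)
    return None  # default deny


# Typical multi-WAN rule: LAN net -> any, gateway forced to the PPPoE WAN.
MULTIWAN = {"src": "192.168.0.0/24", "dst": ["0.0.0.0/0"], "gateway": "pppoe1"}
# Catch-all pass for private nets WITHOUT a gateway, placed above it.
PRIVATE_FIRST = {"src": "192.168.0.0/24", "dst": RFC1918, "gateway": None}

if __name__ == "__main__":
    for label, rules in (("multiwan only", [MULTIWAN]),
                         ("private-first", [PRIVATE_FIRST, MULTIWAN])):
        for dst in ("192.168.100.1", "192.168.200.1", "8.8.8.8"):
            print(f"{label:14} 192.168.0.10 -> {dst:14} via {egress('192.168.0.10', dst, rules)}")
```

With only the multi-WAN rule the modem addresses leave via pppoe1; with the private-first rule they leave via the modem interfaces while internet traffic still takes the policy-routed WAN.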