OPNsense Forum

English Forums => General Discussion => Topic started by: e111111 on February 01, 2021, 05:28:09 pm

Title: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 05:28:09 pm
Hello all,

sorry for my poor English ...
I am new here, and I'm coming to seek your help on a subject that I have a little trouble understanding.

First, the context:

On a new machine, devoid of any other installation, I installed Truenas 12. Once it was configured and working correctly, I created a VM in which I installed Opnsense, which boots well.

I configured all this connected to my network, but without really inserting it in its final location (between the box and the rest of the network) so as not to create a problem for me while the debugging takes place.

On the machine I have 3 network interfaces, this is how they are assigned:

LAN> TRUENAS [igb0] OPNSENSE [em1]
WAN> TRUENAS [em0] OPNSENSE [em0]
LAN2> TRUENAS [ue0] OPNSENSE [em2]

So far everything is fine, even if you have to find your way around the different naming of the same physical interfaces by the two systems.

Where I am unsure is the allocation of IPs; I have a little trouble understanding how to do this, and especially how a physical interface can be addressed by two IPs. Here is my current config:

LAN> TRUENAS [192.168.1.42] OPNSENSE [192.168.1.248]
WAN> TRUENAS [192.168.0.253] OPNSENSE [192.168.0.252]
LAN2 not used at the moment, in the future dedicated to IOTs that I have in large numbers

LAN IPs are assigned based on the rest of the current network config.
The web interfaces of Truenas and Opnsense work perfectly with their respective IPs on the LAN interface (TRUENAS [igb0] OPNSENSE [em1]).

For the WAN, I have no error message, but before trying to put this into service I would like to be reassured about my config and understand the miracle of two IPs on the same interface.

I spent a lot of time reading tutorials and other forums to try to understand a little, I only got confused even more with bridges, VLANs and others which I do not get much.

I end by specifying that I have always worked in IT maintenance since the 80s, then as a dev. hardware HMI for 10 years, so I know the PC world quite a bit, but I am not far from being a nozzle in the network field.

If you could enlighten me a bit on how it all works and tell me about any mistakes and how to fix them ...

thank you in advance
Title: Re: Opnsense on Truenas VM
Post by: marjohn56 on February 01, 2021, 05:51:50 pm
Because Opnsense is running as a virtual machine, its network connections are also virtual; this is normal for VMs. My own MS Server 2019 is running 4 virtual machines on one of its LAN ports, and another two are running on another LAN port along with the management interface, so 7 addresses in total on two Ethernet ports, all courtesy of virtual switches.
Title: Re: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 06:01:15 pm
ah, ok, a good simple explanation!
Thank you very much, so no need for a bridge or VLAN ...?
Title: Re: Opnsense on Truenas VM
Post by: Patrick M. Hausen on February 01, 2021, 06:04:32 pm
If you intend only the OPNsense VM to have a connection to the WAN port, don't configure an IP address for that interface in TrueNAS. Just leave the field empty. On the LAN side of TrueNAS use the IP address of the OPNsense as your default gateway and probably DNS server.

This way all external traffic of the TrueNAS is routed through your OPNsense firewall. I assume this is what you want to achieve with your setup.

Whether you want to put an IP address for TrueNAS on your LAN2 depends on if the IoT devices need to talk to TrueNAS directly on that network or if you want to control this traffic going through your OPNsense, too.

Important: never ever hook up your TrueNAS directly on a WAN port with an unfiltered Internet connection. It is not built for that and will get hacked if thus exposed. This is not a deficiency but a design decision. TrueNAS is supposed to run on a private network behind a firewall.

If you run into TrueNAS related problems with your setup, please consider joining the TrueNAS forum as well as this one.

https://www.truenas.com/community

Kind regards,
Patrick
Title: Re: Opnsense on Truenas VM
Post by: Patrick M. Hausen on February 01, 2021, 06:06:36 pm
Thank you very much, so no need for a bridge or VLAN ...?
There is a need for a bridge, which is the equivalent of a VMware "vSwitch". But the necessary bridge interfaces should be created automatically if you attach a VM to the physical ports.

If you want me to check, then configure as suggested and with the VM running post the output of
    ifconfig -a
on your TrueNAS host.
Title: Re: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 06:15:15 pm
Thank you pmhausen

In fact, I want to put Opnsense behind the ADSL box (DMZ in the box),
then truenas behind Opnsense, even if it is in fact its container.
The rest of my network will also be behind Opnsense, and IOTs will have a separate dedicated branch.
Title: Re: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 06:31:34 pm
Here is the ifconfig response, many lines!:

# ifconfig -a
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Interface Ethernet d'ENTREE WAN (vient de la box)
        options=812099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER>
        ether 00:30:64:47:5f:08
        inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect
        status: no carrier
        nd6 options=9<PERFORMNUD,IFDISABLED>
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: Interface Ethernet de sortie LAN (vers le réseau interne)
        options=a520b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6>
        ether 00:30:64:47:5f:09
        inet 192.168.1.42 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
ue0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80009<RXCSUM,VLAN_MTU,LINKSTATE>
        ether 00:50:b6:be:33:23
        media: Ethernet autoselect (none)
        status: no carrier
        nd6 options=1<PERFORMNUD>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:fc:86:a4:07:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
        member: ue0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 55
        groups: bridge
        nd6 options=1<PERFORMNUD>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:fc:86:a4:07:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 10 priority 128 path cost 2000000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:fc:86:a4:07:02
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 11 priority 128 path cost 2000000
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2000000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether fe:a0:98:ff:ff:ff
        hwaddr 58:9c:fc:10:ff:a5
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=1<PERFORMNUD>
        Opened by PID 1783
vnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether fe:a0:98:ff:ff:ff
        hwaddr 58:9c:fc:10:12:2f
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=1<PERFORMNUD>
        Opened by PID 1783
vnet2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether fe:a0:98:2a:c4:61
        hwaddr 58:9c:fc:10:34:44
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=1<PERFORMNUD>
        Opened by PID 1783
Title: Re: Opnsense on Truenas VM
Post by: Patrick M. Hausen on February 01, 2021, 06:38:05 pm
Looks good. See the three bridge interfaces? Each of which connects one physical with exactly one virtual (VM) interface. The "member" lines ...
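As an added check (example code written for this thread, not from the forum posters or from TrueNAS), a small Python script that reads `ifconfig -a` output the way Patrick reads it by eye: it confirms that every bridge joins exactly one tap (VM) port to exactly one physical NIC, and it flags a host IP still configured on the NIC bridged to the WAN, which is the address Patrick advised leaving empty. The embedded sample is a constructed, abbreviated copy of the output posted above, and naming em0 as the WAN NIC is an assumption taken from the poster's interface table.

```python
import re

# Constructed sample, abbreviated from the `ifconfig -a` output posted above.
SAMPLE = """\
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.42 netmask 0xffffff00 broadcast 192.168.1.255
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ue0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vnet1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
bridge2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        member: vnet2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
vnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: tap
vnet1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: tap
vnet2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        groups: tap
"""

def parse_ifconfig(text):
    """Map each interface name to its inet addresses, bridge members and groups."""
    ifaces = {}
    for block in re.split(r"\n(?=\S)", text.strip()):  # unindented line = new interface
        name = block.split(":", 1)[0]
        ifaces[name] = {
            "inet": re.findall(r"^\s+inet (\S+)", block, re.M),
            "members": re.findall(r"^\s+member: (\S+)", block, re.M),
            "groups": re.findall(r"^\s+groups: (\S+)", block, re.M),
        }
    return ifaces

def check_bridges(ifaces, wan_nic):
    """Each bridge must join one tap (VM) port to one NIC; the host must hold no IP on the WAN NIC."""
    findings = []
    for name, info in ifaces.items():
        if not name.startswith("bridge"):
            continue
        taps = [m for m in info["members"] if "tap" in ifaces.get(m, {}).get("groups", [])]
        nics = [m for m in info["members"] if m not in taps]  # anything not a tap is a NIC
        if len(taps) != 1 or len(nics) != 1:
            findings.append(f"{name}: expected one VM port and one NIC, got {info['members']}")
        if wan_nic in nics and ifaces[wan_nic]["inet"]:
            findings.append(f"{name}: host still has {ifaces[wan_nic]['inet']} on WAN NIC {wan_nic}")
    return findings
```

Calling check_bridges(parse_ifconfig(SAMPLE), "em0") returns a single finding, the 192.168.0.253 the host still holds on em0 behind bridge2; once that field is emptied in TrueNAS, as suggested above, the list is empty.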
Title: Re: Opnsense on Truenas VM
Post by: axel2078 on February 01, 2021, 06:38:26 pm
Thank you pmhausen

In fact, I want to put Opensense behind the ADSL box (DMZ in the box),
then truenas behind Opnsense, even if it is in fact its container.
The rest of my network will also be behind Opnsense, and IOTs will have a separate dedicated branch.

Are you using TrueNAS as a hypervisor to run OPNsense?  I wasn't aware you could do that, but I don't know anything about TrueNAS.  I have an ESXi system at home and virtualize OPNsense and use that VM as my router/gateway and it works pretty well.
Title: Re: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 06:47:32 pm
I'm not sure what a hypervisor is; I'm really a newbie. In fact I wanted to install Opnsense to secure my network, and since I had just installed Truenas (Freenas is the same) I saw that we could virtualize Opnsense in a Truenas VM, and it seems to work pretty well. However, now for the settings, I go fishing for information on the forums as soon as I have a doubt :)

"Looks good. See the three bridge interfaces? Each of which connects one physical with exactly one virtual (VM) interface. The "member" lines ..."

Ok, I see, this is done by itself during the installation; I have not configured anything at this level...

Edit: I see what a hypervisor is, & yes, Truenas is my hypervisor I think...
Title: Re: Opnsense on Truenas VM
Post by: Patrick M. Hausen on February 01, 2021, 07:42:27 pm
Are you using TrueNAS as a hypervisor to run OPNsense?
Of course. TrueNAS/FreeNAS has been a full hyperconverged system since FreeNAS 11. I run Linux and Windows based virtual machines and FreeBSD jails on my TrueNAS systems in addition to providing storage.

To complete the picture: FreeNAS 12 has been re-branded as TrueNAS Core. Other than the name change it is still the same product.
Title: Re: Opnsense on Truenas VM
Post by: e111111 on February 01, 2021, 07:49:49 pm
Thank you all for having lifted the veil on these gray areas, I will be able to continue my configuration tests ...