OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: fbeye on January 11, 2023, 08:18:58 pm

Title: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 11, 2023, 08:18:58 pm
Hello, I love my Cisco and have no issues with it but I like to explore and was curious about something.

Currently my DSL Router is in BRIDGE mode and my Cisco FPR does the PPPoE. I do have a Block of 8 static IPs (6 usable). My FPR1010 grabs the default IP x.x.x.182 which leaves x.x.x.177 to x.x.x.181.
Currently I have STATIC NATs:

x.x.x.177 255.255.255.0 192.168.5.55
x.x.x.178 255.255.255.0 192.168.5.56
x.x.x.179 255.255.255.0 192.168.5.57
x.x.x.180 255.255.255.0 192.168.5.58
x.x.x.181 255.255.255.0 192.168.5.59

So naturally any host on the LAN that has those IPs has its specific WAN IP. Works fine.
I also then of course have ACLs/firewall rules to allow ports on those hosts.

I will say that the Subnet/DHCP Server on the Cisco is 192.168.1.0. So, GE1/2 (192.168.1.1 (FPR)) connects to a L3 Cisco Switch. On the Switch, GE 1/1 is 192.168.1.2. I then have a PBR on the switch and a subnet 192.168.5.0. So, 192.168.5.0 has access to the Internet via GE 1/1 (192.168.1.2) which leads back to the Cisco FPR. Also, the FPR does have a route '192.168.5.0 255.255.255.0 192.168.1.1'.
Everything works as I want it.
I have a FPR subnet going to a different Subnet on the Switch because I do want my 192.168.1.0 (other IPs on that subnet) not part of the 192.168.5.0 subnet. I have various reasons why, though maybe not all legit.

Anywho; is this same setup doable in OPNSense?
I COULD simplify it and just make the OPNsense LAN subnet 192.168.5.0 just to eliminate more code, but I'd rather have it this way.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: mimugmail on January 12, 2023, 07:37:33 am
Yes it is, for testing you can put WAN of OPN in 192.168.1 and spin up 192.168.6 behind it so you can run both parallel and test :)
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 12, 2023, 06:13:23 pm
Hello!

I think I understand your meaning, but then I get confused thinking about it.
You mentioned 192.168.1.x for WAN, let us say 192.168.1.3. You mention creating a new LAN 192.168.6.X. Are you suggesting I act like my WAN is an actual outside IP and the LAN is simply a new LAN, and I can create NAT to test? I guess I am lost as to how I would, if the Cisco FPR1010 is still in front of it. I apologize for my ignorance and I may be overcomplicating this.

Thank you!
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 25, 2023, 04:08:34 am
Alright so apparently I have failed.

1.) I set my WAN to PPPoE and I see it grabbed the correct IP and DNS
2.) I made Virtual IPs for the remaining 5 usable IPs (6th is WAN/Main IP)
3.) My LAN is 192.168.1.0
4.) I made an Alias Network 192.168.5.0/24 Network
5.) I made a static route ‘192.168.5.0/24 192.168.1.2’ (not being verbatim here)
6.) I made 5 1:1 NAT from each WAN to its respective LAN (Outside In)

I made NO entries for DNS beyond the dashboard page showing it grabbed the ISP DNS
I made NO entries for Firewall Rules on inside or outside. Unless there was a default “allow in to out”, I made none.
I made NO entries for NAT Inside to Out.

The point of my static route is that I have a Switch on the LAN side that hosts 192.168.5.0 Network, but the Opnsense LAN is 192.168.1.0 so I made the static route and on the Switch I have a PBR for 5.0 Network to access internet via 192.168.1.2 which leads back to Opnsense.

None of my Hosts can connect to the Internet. Can’t even ping outside my Internet. I’m going solely based on my Cisco knowledge here; I only had to make 1 static NAT, and it created reverse NAT as well.
Am I NEEDING to make “outbound” NAT as well as Firewall Rules to access the net? Do I NEED to set up DNS beyond the PPPoE grabbing my ISP name servers? Or is my config just wrong?
Please help!!!
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: lilsense on January 25, 2023, 04:23:45 am
I think that you require some networking knowledge, sorry to be a bit blunt here... OPNsense can do everything FRR does and more...

When creating a network, you need to create a DHCP/DNS info on it. If you are planning on using a 1:1 NAT, then you would need to associate that with the network. But you should not forget that you only have one IP for your WAN, so you'd need to set up routes to send the traffic to the WAN.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 25, 2023, 04:57:17 am
Trust me, I am fine with being told what’s what.
I have 1:1 NAT because aside from the 1 WAN IP I have 5 Servers running that require such, such as email servers on each of the hosts with their own domains etc.
Apparently I was indeed spoiled with the Cisco FPR because really all I mentioned I did prior was all I did on Cisco and it worked. With that said, Cisco has more faults than not which is why I looked hard for a replacement and found OPN. When I set it up for fun solo, not worrying about the Block of IPs, I had internet etc. I think I messed something up with the configurations.
I guess what threw me off was, even the Host I was on that simply uses the OPN WAN IP didn’t access the Internet, so I kind of shrunk in my head.
What I will do is connect a host to the OPN default (192.168.1.0) Network and see if I have access. If I do then I messed up my NAT (s) with everything on the SG500X Cisco Switch using the 192.168.5.0 Network.
Yeah, I know I am jumping into some intense stuff and I agree I need More knowledge and I am watching YouTube videos and google searching like a crazy person!
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: lilsense on January 25, 2023, 05:38:23 am
You may want to post a screenshot of one of your 1:1 NATs, which may or may not be set up the right way!
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 25, 2023, 03:46:53 pm
I apologize for the delay, I got your response at bedtime and off to work. I’ll show you pics of each screen just to play it safe, that I messed with. Thank you!
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:01:45 am
Here are 2 replies with screenshots of all I have done.

Thank you for assisting me, I am eager to learn this stuff.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:02:59 am
2
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:03:20 am
3
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:03:42 am
4
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:04:05 am
5
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:04:28 am
6
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:04:49 am
7
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:05:12 am
8
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 05:05:34 am
8
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: lilsense on January 26, 2023, 11:50:42 am
At the least, I believe that your picture 6 should be set to hybrid, as you do have NAT rules, and so whatever is selected is incorrect.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 26, 2023, 04:22:30 pm
Morning!

Thank you for the help. When I get home I shall do that. I was thinking, should I remove the .182 virtual IP as it is the main pulled IP by PPPoE from my ISP?
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 27, 2023, 02:33:28 am
Evening.

Well, I did exactly as mentioned, changing OUTBOUND NAT to Hybrid, and I also removed the Virtual IP x.x.x.182 as it was the default grabbed Router WAN.
But, to no avail.
I did notice that when using the default 192.168.1.0 Subnet (i.e. 192.168.1.5) I could get on the internet, all is well, but when I connect to my 192.168.5.0 Network, nothing.

P.S. - I wanted to mention, I did my 1:1 NAT as NAT, Not BINAT (if that makes a difference) and then I made NO NAT at all for my .182 (OPNSense WAN) to my LAN but as I said, on the default LAN I could get internet, but not through to my SG500X, So I wonder if I need another NAT for that.

So basically on my existing server;
PPPoE w/ Block of 8 Static IPs (6 usable)
LAN; 192.168.1.0
--I have an SG500X Cisco 48Port Switch that hosts a 192.168.5.0 Subnet which has a PBR back to the 192.168.1.0 Network via 192.168.1.2 GE 1/1 on the SG500X. So, 192.168.5.0 gets onto the Internet through the PBR to 192.168.1.2 which is on GE1/1 (as well) on the Cisco.

I am wondering if maybe my issue is a missing or incorrect configuration for data to go to/through the SG500X and back. As I mentioned, I created a static route '192.168.5.0/24 255.255.255.0 192.168.1.2' (not verbatim) and then in OPNSense I made a Gateway 192.168.1.2 and added it to the IP Route configuration.

I mean, I suppose (but would greatly hate) to reconfigure my complete network all using 192.168.1.0 Network as I know by heart my hosts etc, and I know it's not terrible, but then I will always wonder how to actually do it this way, the way I want.
I had it this way before because I had wanted ONE Subnet for everything to be on, but had 2 ISPs with 2 PBRs, 192.168.5.2-192.168.5.128 PBR1 and then 192.168.5.129-192.168.5.224 PBR2. Though I removed my 2nd ISP, I left my network as is.
I have no issues changing my concept etc for something better, I am absolutely open to learn.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 28, 2023, 02:20:16 am
Hello.

So I was thinking I jumped into some advanced (for me) configurations and wanted to go back to basics and build upon them as I go.

I set up my WAN to PPPoE and it grabbed the correct IP from my Block of Static IP's, so I did that right.
I set up my LAN as default, 192.168.1.0 and when I plug my PC in I get Internet access, so I did that right.

What I want to do, and correct me if I am wrong, is allow Internet access to my SG500X L3 Switch. On the Switch, GE1/1 is set to 192.168.1.2 (an IP from OPNSense) and I have a Network of 192.168.5.0. 192.168.5.0 gets on the Internet with a PBR via 192.168.1.2 which talks to 192.168.1.1 (On OPNSense) and will use its WAN for Internet, x.x.x.182.

On Cisco, this is how I have it set and it works. I am assuming because 192.168.1.2 would be the same with Opn, I really do not need to change anything on the SG500X as the PBR is not changing... I also assume all I need on the OPNSense is a #1 Gateway such as 192.168.1.2 (5 Network is reached via 192.168.1.2) and #2 a Route to 192.168.5.0 using GW 192.168.1.2.
Naturally I am getting No Internet connection having it set up this way. So I am missing something, which is probably the same something as before. But instead of trying to figure out all my virtual IPs etc. I want to see at the least why 192.168.5.0 does not get Internet.

I want to do baby steps before I get all advanced.

Also, at this stage NO NAT or Firewall Rules or Outbound has been changed... I did change to hybrid outbound but to no avail.
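The "baby steps" setup above (OPNsense LAN 192.168.1.1/24, SG500X at 192.168.1.2 hosting 192.168.5.0/24, a static route, nothing else changed) can be checked as a small model. This is an added example, not code from the thread or from OPNsense; the interface name `pppoe0`, the rule tables and the "before/after" states are constructed, and the check only encodes the three things a routed transit subnet needs on the firewall: a return route, a pass rule on the ingress interface that matches the foreign source (OPNsense's default LAN rule matches source "LAN net" only), and an outbound NAT rule on WAN covering that source.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the thread or OPNsense. Models the firewall-side
# requirements for a subnet routed behind a downstream L3 switch.
LAN_IF = "lan"
WAN_IF = "pppoe0"  # assumed WAN interface name (constructed)

def make_ruleset(static_routes, pass_rules, outbound_nat):
    """Bundle the tables the check reads; all values are constructed."""
    return {"routes": {ip_network(n): ip_address(g) for n, g in static_routes},
            "pass": [(iface, ip_network(s)) for iface, s in pass_rules],
            "nat": [(iface, ip_network(s)) for iface, s in outbound_nat]}

def missing_for(ruleset, src_ip, in_iface=LAN_IF, lan_net="192.168.1.0/24"):
    """Return the requirements a packet from src_ip fails on its way to WAN."""
    src = ip_address(src_ip)
    problems = []
    # 1. Return path: the firewall must know the route back to src's subnet.
    directly_attached = src in ip_network(lan_net)
    routed = any(src in net for net in ruleset["routes"])
    if not (directly_attached or routed):
        problems.append("no route back to source subnet")
    # 2. Filter: a pass rule on the ingress interface must match the source;
    #    the default "LAN net" rule does not match 192.168.5.x sources.
    if not any(i == in_iface and src in s for i, s in ruleset["pass"]):
        problems.append(f"no pass rule on {in_iface} matching source")
    # 3. Outbound NAT on WAN must translate the source, or replies never return.
    if not any(i == WAN_IF and src in s for i, s in ruleset["nat"]):
        problems.append(f"no outbound NAT on {WAN_IF} for source")
    return problems

# Starting state as described in the thread: static route present, but the
# default LAN rule and outbound NAT only cover "LAN net" 192.168.1.0/24.
BEFORE = make_ruleset(
    static_routes=[("192.168.5.0/24", "192.168.1.2")],
    pass_rules=[(LAN_IF, "192.168.1.0/24")],
    outbound_nat=[(WAN_IF, "192.168.1.0/24")])

# Corrected state: pass rule and outbound NAT extended to the routed subnet.
AFTER = make_ruleset(
    static_routes=[("192.168.5.0/24", "192.168.1.2")],
    pass_rules=[(LAN_IF, "192.168.1.0/24"), (LAN_IF, "192.168.5.0/24")],
    outbound_nat=[(WAN_IF, "192.168.1.0/24"), (WAN_IF, "192.168.5.0/24")])

if __name__ == "__main__":
    for name, rs in (("before", BEFORE), ("after", AFTER)):
        print(name, "192.168.5.55:", missing_for(rs, "192.168.5.55") or "ok")
```

Running it reports that a 192.168.1.x host passes all three checks in the "before" state while a 192.168.5.x host fails the pass-rule and outbound-NAT checks, which matches the symptom in the thread.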
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: lilsense on January 28, 2023, 05:37:14 pm
NAT is one to many, so you should try binat.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 28, 2023, 05:51:02 pm
Hello

I will give that a shot tonight, for the STATIC WAN to LANs.

Do I need to create a NAT for the 192.168.5.0? That would indeed be 1 to many, as that subnet would be using the WAN IP. By default clearly NAT goes to the 192.168.1.0 Subnet on the OPNSense because I could surf the web, but not through the 5.0 Subnet.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: lilsense on January 29, 2023, 03:18:19 am
For every VLAN that needs to go to the Internet, then yes.
Title: Re: Converting from Cisco FPR1010 to OPNSense.
Post by: fbeye on January 29, 2023, 05:31:20 pm
Yeah, I clearly am a no go on this. For whatever reason I cannot get my INNER network to get on the net, and I did all we spoke of. This 192.168.5.0 is being generated/hosted on the SG500X and for some reason I can't get it to see the Internet.
I will give it a break for now.

Thank you.