OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: strebor on May 16, 2017, 01:35:37 pm

Title: Topology
Post by: strebor on May 16, 2017, 01:35:37 pm
Hi opnsensative types. I’d like to ask a question about the choices of topology available to me under OPNsense. I’m not new to networking but see myself as more a victim than practician. I want to host a couple of very low volume web sites and some remote access software, VPN etc.

Should I go for the usual double NAT behind the ISP's router? I could use IPv6, which is more static than the IPv4 address provided, but as I can barely cope with v4, two more vs might be too many!

Should I drop in a transparent bridge to the existing LAN and let the ISP router do DHCP etc?

Do I put the internet-facing servers in a DMZ from the ISP router or create a DMZ off the OPNsense host?

Answers on a postcard, thanks in anticipation, Strebor

Title: Re: Topology
Post by: bartjsmit on May 16, 2017, 01:49:56 pm
Hi Strebor,

The neatest solution is to run your ISP router in modem-only mode (if it supports it) and do everything on OPNsense.

Double NAT is fine for your use case, with IPv6 if you have a large enough delegation from your ISP (better than /64). It does create some problems with media streams and games.

Transparent (bridge) mode OPNsense is used widely too, mostly by those with restrictive uplink settings.

Title: Re: Topology
Post by: strebor on May 17, 2017, 01:47:30 pm
Thanks Bart, unfortunately I'm stuck with the router as is, no bridge. If I were to go for a drop-in TB, will I still be able to use OpenVPN and other functionality? In other words, 'traffic shaping' aside, what else will not work?

Title: Re: Topology
Post by: bartjsmit on May 17, 2017, 02:18:55 pm
Yes, OpenVPN only needs a public IP/NAT to work. I've not used bridge mode, but logically you would only miss out on the routing functions: Quagga, gateway failover, etc.

The nice thing about bridge mode is that it's easy to test since you don't need any changes to your router.