OPNsense Forum

English Forums => General Discussion => Topic started by: bpayne on June 26, 2017, 07:28:13 pm

Title: Trying to Replace ASA on Comcast Biz - OPNSense will not pass traffic to Modem
Post by: bpayne on June 26, 2017, 07:28:13 pm

I did a forum search for this issue, and didn't see any related posts, but I'm hoping that someone has seen this before.

I have Comcast Biz internet, and currently have an ASA as the firewall. I want to replace it with OPNSense, but I cannot get it to pass traffic to the modem. I have taken quite a bit of troubleshooting steps (which I'll outline), which lead me to believe that there's some setting on the modem which is creating the problem.

My Setup Current Setup:
Modem (Cisco DPC3941B; Bridged Mode) --> Switchport 48 [Untagged VLAN 99]
ASA e0/0 (outside)--> Switchport 46 [Untagged VLAN 99]; Static IP's config'd; /29 subnet
ASA e0/1 (inside) --> Switchport 44 [Untagged vlan 1]

My Attempted Setup:
Modem (no change)
ASA switch ports disabled
OPNSense FW Running in a VM; clear ARP on switch; trunk ports to esxi, VLAN 99 tagged on a port group. WAN interface in VLAN 99, LAN interface in VLAN 1. Configure WAN and LAN interfaces with the same IP's/Subnet as the ASA had.

Problem:
I cannot even ping the modem interface from the OPNSense VM

Troubleshooting:

• I put a windows VM in the same port groups and assigned one of the statics to the VM. I could ping both the OPNsense WAN interface, and the modem interface.
• I put an OPNSense device with the WAN interface in my LAN segment, and its LAN interface in a private VLAN to verify the OPNSesnse the setup is not problematic - this device works perfectly. VM's that I put in the private VLAN get out to the internet through the OPNSense (and then the ASA) device with no problem.
• spoofed the MAC of the ASA outside interface on the OPNSense WAN interface
• The gateway monitor briefly showed my modem up, and I could ping it, then it showed down and i could not
• enabled all ICMP traffic on both LAN and WAN interfaces
• I can manage the OPNSense device from its LAN interface

The logs from the modem are useless, but given that I can ping the modem from my windows VM, and the gateway monitor was briefly showing it as up, it seems like the modem starts rejecting the OPNSense device, even with the MAC spoofing. Any suggestions?