OPNsense Forum
English Forums => General Discussion => Topic started by: bobzbobz on October 25, 2017, 04:33:37 pm
-
Hi
I have recently acquired an OPNsense appliance for my home network.
My setup will be: Internet -> Fiber modem -> OPNsense FW -> Router -> LAN.
My Router is an ASUS rt-ac68u - how should I configure this device, so that I am able to create (OPNsense) firewall rules based on the originating client(s) from the LAN:
- Will NAT need to be disabled on the WAN-interface (of the router)?
- and should I disable the built-in firewall?
- any other things I should look out for?
- The router will control DHCP, Wireless, and internal routing.
- OPNsense appliance will control FW rules, VPN-server (and other services).
(https://photos-2.dropbox.com/t/2/AACdg2CMLXhiVwHzLIJByEWsXLHjTEJOTMOPT0ezzUoppA/12/7646840/png/32x32/3/1508958000/0/2/fw%20setup.png/EJSF1wUY1zAgBygH/YiiAexWFst3LKfVjrsYDUs0jGbjS8HP-7xyikqqF9b8?dl=0&size=1280x960&size_mode=3)
Regards,
Soren
-
Double-NAT in general is not a good idea. Why do you think you need this ASUS-stuff first hand? :-)
-
If would recommend to remove the router and use a switch instead.
Do all the firewalling on OPNsense - DHCP etc. can also be done on OPNsense.
You might be more interested into an access point for WLAN which should be connected to the switch.
-
...or turn off DHCP on the Asus and connect it via a LAN (!, not the WAN) port to the LAN (or an OPT net, if you want to keep the wifi part separeted) of your OPNsense. Assign a STATIC IP to the Asus, which is OUTSIDE the LAN/OPT net, then you have a wireless access point.
Doing this with an old Cisco "router/wifi/firewall" for years, working great.
-
I do not have a switch, but the ASUS router has 4 interfaces.
The router can be set into "AP mode" (I guess the interfaces still work afterwards).
But if I do this - will the traffic between clients then have to cross the OPNsense appliance or does traffic flow within the switch (ASUS router/AP)?
I will be using latency sensitive services such as game streaming within the LAN and want the shortest route possible.
-
...the "LAN" interfaces (your 4 RJ45) on the consumer devices are a cheap switch, I use it that way on my Cisco router configured as a wifi access point as described above. So: should work! ;-)
Traffic inside the LAN goes directly to the client intended, why should it "flow trough" your router? :-)
-
If you can configure your ASUS rt-ac68u router as an AP (as you mentioned upon) DO IT, and never look back! (!) :)
Most likely (99% certainty - to be checked by you, since I don't know this exact model of ASUS brand) you will get the following:
1. [And the most important] All your LAN (wired or wireless) clients will be networked and network managed directly by OPNsense
2. All your LAN clients will be directly seen by OPNsense, for reports etc.
3. All your LAN clients are treated equal in spite of being wired (connected to any of 4 RJ45 ports of your ASUS router) or wireless (Wi-Fi connected to your ASUS router) - only speed/ bandwidth difference between wired and wireless interfaces will be noticeable.
4. All traffic in-between your LAN clients (again, wired or wireless) will be switched/ isolated at ASUS router level, who will act as a full switch between RJ45 <-> RJ45, RJ45 <-> Wi-Fi, Wi-Fi <-> Wi-Fi, Wi-Fi <-> RJ45 clients - just check to be sure that ASUS router will not keep an option like "WLAN clients isolated" or so, after being set to AP mode - it shouldn't, but check if still present and enabled, since I was never convinced by the default settings logic of ASUS.
5. [Very important] All network services like DHCP, DNS, NAT etc. etc. etc. are not double present both at your OPNsense level AND at ASUS router level.
For a remote location I have some ASUS routers set like this, like AP, and all my clients, wired or wireless, are fully seen by OPNsense like all of them are directly connected to OPNsense.
Good luck! :)
PS Feel free to come back if you run into troubles. But you souldn't!... ;)
-
https://www.dd-wrt.com/wiki/index.php/Asus_RT-AC68U
https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point
Start where it says "long version" and do all the optional and recommended steps as well.