OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: SiD67 on April 20, 2018, 07:55:13 pm

Title: NAT / Fake IP / IP rewriting from internal to dmz-vlan
Post by: SiD67 on April 20, 2018, 07:55:13 pm
Hi,

I am using OPNsense with a FritzBox as a DSL modem for the WAN connection.
I had connected the FritzBox to the WAN side of OPNsense and also to my internal LAN network, so I was able to log in to the FritzBox to watch the DSL status.

But I don't want the FritzBox to "see" my internal network and its devices, so I have created a VLAN interface on OPNsense, the switch etc. for the FritzBox.

I am able to ping the FritzBox from the VLAN interface on my OPNsense (Interfaces / Diagnostics), but I am not able to access it from my LAN. A rule allowing access from LAN to everywhere exists.
Also, a ping from my LAN to the OPNsense address on the VLAN interface works.
I think the FB is blocking access to it from outside its own network.

So I am trying to implement NAT or something to fake the IP accessing the FritzBox, so it looks like it's coming from the FritzBox's internal network.

I tried port forwarding on LAN with a fake IP to the real IP, but no success so far.

Does someone have a solution for me? ;)

Sorry for my bad English ;)

Regards,

Dennis
Title: Re: NAT / Fake IP / IP rewriting from internal to dmz-vlan
Post by: Evil_Sense on April 22, 2018, 02:32:07 am
Maybe I'm not entirely understanding your problem, but apart from the OPNsense IP you won't see anything behind it on the FritzBox, since OPNsense acts as another routing instance.
Title: Re: NAT / Fake IP / IP rewriting from internal to dmz-vlan
Post by: Davesworld on April 22, 2018, 08:19:46 am
If at all possible the modem should be in bridge mode, e.g. dumb modem mode, where OPNsense handles the WAN completely. Also, most modems have a default IP that never changes so you can access it for firmware updates, stats etc. In bridge mode (FritzBox bridge mode is one of the first things to come up in a Google search), you simply add a virtual IP to the WAN interface on the same subnet as the modem's default IP. For example, I run a Draytek DSL modem in bridge mode and the default IP is 192.168.2.1, so I add 192.168.2.2 as a virtual IP to WAN in OPNsense with a netmask of 30, since I do not need access up to 192.168.2.254 as a 24 netmask would give, although you certainly could if you wish; it's just not necessary for more than a few IP addresses in that subnet. In my case I type the modem default IP in a browser and go; it works best if the browser uses OPNsense as the proxy. I'm able to update firmware, reboot the modem and all doing this, yet the modem's own router is off and has no clue about what is controlling it, e.g. dumb modem mode. You should see a publicly visible IP on OPNsense's WAN, otherwise you are double NATting.

You should NEVER have your FritzBox connected directly to the LAN unless it is your edge appliance and not OPNsense. Do what I lined out and you will have access to info and at the same time OPNsense is doing its job.
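The virtual-IP-plus-NAT arrangement described above, written out as the pf rules OPNsense effectively generates from Firewall: Virtual IPs and Firewall: NAT: Outbound. This is an added example, not code from the thread or from the OPNsense project; the interface names, the LAN subnet and the 192.168.2.0/30 values are assumptions (the /30 follows the Draytek example in the reply; a FritzBox uses a different management address).

```pf
# Assumed names, not from the thread: em0 is the WAN NIC that faces the
# bridged modem, em1 is the LAN NIC.
wan_if  = "em0"
lan_net = "192.168.1.0/24"   # assumed LAN subnet
modem   = "192.168.2.1"      # modem's fixed management IP (Draytek value quoted above)
vip     = "192.168.2.2"      # virtual IP added to WAN, inside the modem's /30

# Source NAT (not a port forward): sessions from the LAN to the modem leave
# WAN with the VIP as source, so the modem only ever sees a peer on its own
# subnet and never learns the LAN addressing behind OPNsense.
nat on $wan_if from $lan_net to $modem -> $vip

# All other outbound traffic keeps the normal translation to the WAN address.
# pf NAT rules are first-match, so the modem rule above must come first.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Let the management session reach the modem's web UI; nothing is opened
# inbound, and the modem still cannot initiate anything towards the LAN.
pass out on $wan_if proto tcp from $lan_net to $modem port { 80, 443 }
pass out on $wan_if inet proto icmp from $lan_net to $modem
```

After applying the equivalent GUI settings, `pfctl -sn` on the firewall lists the loaded NAT rules, which is the quickest way to confirm the translation to the VIP is actually in place.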