Messages - opnsense@f2f10.com

#1
So, for the VLAN that we want to have a STATIC IP as a transit network for other networks, we can simply define this "EMPTY" subnet and list all other subnets here, while we "ENABLE" the DHCP service on this interface. This TRANSIT network will be used as the INTERNAL interface of opnSense, hauling traffic back and forth for remote networks going to the Internet or to other opnSense-aware networks via a directed interface or static routing.

https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans (see the post at the bottom of the page)

The last link that B-C posted was what I used to get it working. The key was dropping all the need for multiple virtual NICs and just using the one. Then specify the ranges and use the "IP Helper" command on my Cisco switch for each VLAN definition.

Works flawlessly. Only gotcha is you need to specify a DHCP subnet for the subnet that the DHCP Server is on, but it can be empty (mine is).

Here is my dhcpd.conf and the VLAN description from my Cisco switch. I have many more than these two VLANs, but you should get the idea from them.

In isc-dhcp-server's configuration:

# This subnet is the one that the DHCP server is in; it has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet since
# there is nothing between the curly brackets.

subnet 10.20.20.0 netmask 255.255.255.0 { }

# VLAN - 211
subnet 10.21.12.0 netmask 255.255.252.0 {
    range                    10.21.12.3 10.21.15.254;
    option routers           10.21.12.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.15.255;
}

# VLAN - 212
subnet 10.21.20.0 netmask 255.255.252.0 {
    range                    10.21.20.3 10.21.23.254;
    option routers           10.21.22.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.23.255;
}

In Cisco switch:

interface Vlan211
description VLAN 211
ip address 10.21.12.1 255.255.252.0
ip helper-address 10.20.20.41

interface Vlan212
description VLAN 212
ip address 10.21.22.1 255.255.252.0
ip helper-address 10.20.20.41


It seems to me that both pfSense and opnSense use FreeBSD and isc-dhcp-server; if it's doable in isc-dhcp-server, it might be just a matter of having these optional settings available in the GUI.

It would be something like this: for this opnSense, we have the choice of serving DHCP on this interface (yes/no). If we choose no, then the DHCP server will not listen on this interface. If we choose yes, then it will listen for DHCP requests on this interface. We can then define subnet options. Within those subnet options, it could have the local interface subnet if we want this local interface to be serviced; otherwise, we have the choice of just leaving it EMPTY. Then we can add more subnets that we want this DHCP server to serve for DHCP requests coming in on this interface.

For the moment, I followed these posts in other links and created an LXD container on Ubuntu 16.04. The container runs Ubuntu 16.04 and serves these subnets well for the DHCP requests of the remote networks, together with IP helper on the Cisco switches.

I just don't want to add one more box to the network if we can just use opnSense; since opnSense is already in the network, is running isc-dhcp-server, and this is just a modification/enhancement, we can then do it.
thanks
peng
#2
Franco,

Yes, it seems a similar request.

Here's more on how people are attempting to do it.
https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/ (on pfSense)

https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

Hope all these links give you guys some ideas to make this happen. It seems they can do it well with these ideas. I am not a coder, but I wish you guys can make it happen.

Thanks a lot.
peng
#4
18.1 Legacy Series / Automatic NAT Rules Generation
March 13, 2018, 11:00:09 AM
Hi all,

Just deployed pfSense and opnSense together and noticed a small difference.
https://doc.pfsense.org/index.php/Automatic_NAT_Rules_Generation

pfSense says this above and does it. In my case, I have static routes to all my internal networks (10.16.0.0/16). Indeed, I see this in NAT. This is good, as I'd like to have my other internal networks traverse this firewall out, but I don't want my firewall to have an interface on those remote networks.

On opnSense, this seems not to be the case; after a fair amount of troubleshooting with tcpdump, I realized that this has to be manually added as a NAT rule to get it to work.

My question is, is this an "intentionally" done difference, or is it a "bug"? I am OK with either method of getting it to work; I just want to clarify.

Thanks
peng

#5
Hi Wonder team here!!

I am in a project with an opportunity of replacing Windows AD/DHCP/DNS stuff with BSD/Linux. I have to do it piece by piece.

I plan to have one LAN only, with CARP serving as the default gateway for all the company's outgoing traffic. This only LAN will be something like 10.16.229.0/29, with one IP for the primary OpnSense, another for the secondary, and a VIP. I prefer not to have DHCP on this VLAN, because all these IPs are only for OpnSense to use; however, if I have to enable it for the purpose of getting my following purpose served, it's OK for me to enable DHCP on this VLAN as well. The rest of the LANs (VLANs) will be on the remote Cisco access switches. They are not directly connected to OpnSense. Otherwise, I would have to extend those VLANs across multiple switches/links to OpnSense, which would be a mess with STP. I'd like to use Layer 3 routing on those switches to take care of routing to reach those remote VLANs.

Instead of setting up another pair of DHCP/DNS servers to serve the remote VLAN networks with a centralized pool of multiple subnets, just like what the Windows DHCP server does, I'd like to utilize OpnSense's DHCP/DNS function to do this. I don't want to get these remote VLANs directly connected to OpnSense, which complicates things with STP on all switches across the whole company.

For the DNS part, I assume that by just pointing the remote DHCP client PCs to a DNS IP with a DHCP option from the DHCP server, it would work. Correct?

For the DHCP server handing out multiple subnets based on the remote VLAN interface IP as the source of the DHCP request, it seems hard to get it set up. All my switches with those VLANs will have Cisco "ip dhcp helper x.x.x.x" configured on the Layer 3 VLAN (with one IP and IP subnet configured on the VLAN). When a client does a DHCP request, this helper will forward it to DHCP server x.x.x.x with the source IP of this VLAN's IP. The Windows DHCP server can assign pools of IP subnets well based on the IP helper's source IP.

When I tried to do this on the OpnSense LAN, I found no way of doing it. Even if I enable the DHCP server on this LAN, the additional pool range must be within this LAN interface's subnet.

However, based on the bottom of this post, https://community.spiceworks.com/topic/1331562-isc-dhcp-server-for-multiple-vlans

The only thing we need to get isc-dhcp-server working for this purpose is to add this simple declaration within dhcpd.conf.

Quote
# This subnet is the one that the DHCP server is in; it has to be here in order
# for the server to hand out addresses. It won't hand out IPs on that subnet since
# there is nothing between the curly brackets.
subnet 10.20.20.0 netmask 255.255.255.0 { }

# VLAN - 211
subnet 10.21.12.0 netmask 255.255.252.0 {
    range                    10.21.12.3 10.21.15.254;
    option routers           10.21.12.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.15.255;
}

# VLAN - 212
subnet 10.21.20.0 netmask 255.255.252.0 {
    range                    10.21.20.3 10.21.23.254;
    option routers           10.21.22.1;
    option subnet-mask       255.255.252.0;
    option broadcast-address 10.21.23.255;
}

interface Vlan211
description VLAN 211
ip address 10.21.12.1 255.255.252.0
ip helper-address 10.20.20.41

interface Vlan212
description VLAN 212
ip address 10.21.22.1 255.255.252.0
ip helper-address 10.20.20.41
Unquote.

Another effort is here.
https://happy-coder.com/2014/06/27/pfsense-custom-dhcpd-configuration/

Another here,
https://blog.tinle.org/2013/01/09/single-dhcp-server-for-multiple-subnets-vlans-one-single-interface/

If this is the case, can you guys help make this available in OpnSense? So, ideally, we can choose an OpnSense LAN interface, enable the DHCP service on this LAN, but not assign DHCP addresses for this LAN (by making an empty declaration for this subnet). It would then have an option for us to add additional SUBNET info. This will make OpnSense a replacement for the Windows DHCP server.

Or, at least, we can still allow assigning DHCP addresses for this specific LAN while at the same time allowing it to serve other SUBNETs, if "not serving DHCP addresses" on this LAN is difficult to achieve.

My project actually goes live on Monday, Mar 5 2018. I just didn't plan for this and only just realized this issue. Would this be a quick, easy fix with a minor update from you guys?

My next option (least favorite) would be either using a standalone box as a standalone DHCP server, or extending all those VLANs across many switches to OpnSense.

Thanks
peng
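As an added example (not code from this thread, from OPNsense or from ISC), here is the subnet selection that dhcpd performs for relayed requests, worked over the dhcpd.conf quoted above: the switch's ip helper-address forwards the client's request with the VLAN interface IP as giaddr, and dhcpd answers from the subnet declaration whose network contains that giaddr, while the server's own empty declaration matches but has no range to lease from. The regex parser and the consistency checks are simplified assumptions of my own, not ISC's parser.

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf fragment quoted in the post above.
DHCPD_CONF = """
subnet 10.20.20.0 netmask 255.255.255.0 { }
subnet 10.21.12.0 netmask 255.255.252.0 {
    range                    10.21.12.3 10.21.15.254;
    option routers           10.21.12.1;
    option broadcast-address 10.21.15.255;
}
subnet 10.21.20.0 netmask 255.255.252.0 {
    range                    10.21.20.3 10.21.23.254;
    option routers           10.21.22.1;
    option broadcast-address 10.21.23.255;
}
"""

# Simplified grammar: top-level subnet blocks without nested braces (assumption).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")

def parse_subnets(conf):
    """Map each declared network to its range (lo, hi) and routers option, if any."""
    subnets = {}
    for net, mask, body in SUBNET_RE.findall(conf):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        rtr = re.search(r"option routers\s+(\S+);", body)
        subnets[network] = {
            "range": tuple(ipaddress.ip_address(x) for x in rng.groups()) if rng else None,
            "routers": ipaddress.ip_address(rtr.group(1)) if rtr else None,
        }
    return subnets

def select_subnet(subnets, giaddr):
    """Relay case: pick the declaration whose network contains giaddr (the helper's VLAN IP)."""
    gi = ipaddress.ip_address(giaddr)
    for network, cfg in subnets.items():
        if gi in network:
            return network, cfg
    return None, None  # no matching declaration: dhcpd logs and ignores the request

def check_config(subnets):
    """Pre-reload sanity checks: range and router must lie inside their own subnet."""
    problems = []
    for network, cfg in subnets.items():
        if cfg["range"]:
            lo, hi = cfg["range"]
            if lo not in network or hi not in network or lo > hi:
                problems.append(f"{network}: range {lo}-{hi} not inside subnet")
        if cfg["routers"] and cfg["routers"] not in network:
            problems.append(f"{network}: router {cfg['routers']} not inside subnet")
    return problems
```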

#6
17.7 Legacy Series / Re: NAT Reflection
February 18, 2018, 12:08:24 PM
Here's the screen capture.
#7
17.7 Legacy Series / Re: NAT Reflection
February 18, 2018, 12:07:46 PM

Just reloaded OpnSense again after trying pfSense; I noticed that one of my rules was using ICMP instead of IPv4. Once that was fixed, Mailinabox checks everything fine. So it's not the fault of Pure NAT; it's the fault of my configuration.

#8
17.7 Legacy Series / Re: NAT Reflection
December 25, 2017, 03:42:08 PM
https://github.com/opnsense/core/issues/1417

I saw a similar bug-tracking post and posted under it...
#9
17.7 Legacy Series / Re: NAT Reflection
December 25, 2017, 03:41:07 PM
However, I do have another gateway set up with my private VPN to redirect all traffic through this VPN, except the DMZ traffic, which includes this email server...

Not sure whether this is relevant...
#10
17.7 Legacy Series / Re: NAT Reflection
December 24, 2017, 04:35:29 PM
I'm not using multi-WAN...
#11
17.7 Legacy Series / Re: NAT Reflection
December 24, 2017, 04:33:48 PM
A side question: why do I see so many "rule nat" entries in the drop-down menu?
#13
17.7 Legacy Series / Re: NAT Reflection
December 24, 2017, 04:31:13 PM
Thanks for the reply!!! Understood it's holiday ...    ;)

It's a production server. This email server was working fine with OpenWRT due to its correct NAT Reflection function. However, after switching to OpnSense almost 3 months ago, this issue was discovered at the time of updating the Let's Encrypt certs. Putting this email server back behind OpenWRT works fine again. Details are at that URL. I will repost here. Thanks in advance!

https://discourse.mailinabox.email/t/letsencrypt-expired-and-dns-errors/2704
#14
17.7 Legacy Series / Re: NAT Reflection
December 24, 2017, 02:27:58 PM
@franco

Any thoughts? Thanks.
#15
17.7 Legacy Series / Re: NAT Reflection
December 24, 2017, 02:25:57 PM
17.7.11 (installed) is the version of opnSense.