Messages - dalu

#1
I made a previous post in the VPN forum, but that's not where it belongs, and now I have new info and am on site.

Topology
desired:
- Raisecom fiber ONT (aka modem-like)
- apu2c4 box, 3 LAN ports, with OPNsense 22.1 on it
- Speedport Plus, which also has an RJ11 telephone jack

The ONT has multiple VLANs available.
VLAN 100 - Internet v4
VLAN 101 - VOIP
VLAN 103 - TR069
VLAN 1500 - IPTV with a dedicated 10.* IP range

In order to establish a connection one has to create a pppoe client bound to WAN (port 0) VLAN 100.
I have yet to try this; previously I tried with only the WAN igb0 and it didn't work, but I'm confident it will work when attached to igb0-vlan100.

Now why do I want the opnsense box there?
2 reasons:
- site to site VPN
- having access to IPTV between 2 countries via proprietary set top box.

Now my question regarding network setup in OPNsense:
For starters I'd like everything passed to the speedport plus box so operation can continue as normal.
I have created all the VLANs on igb0 (WAN), I assume I'll have to do the same on LAN.
Do I have to create a bridge between WAN and LAN?
Do I have to create a bridge between all the WAN VLANs?
How do I configure this?

Alternative:
Everything coming from the ONT should be passed to LAN except VLAN 1500 IPTV, which should be passed on OPT (igb2).
I would connect the STB to OPT and the speedport router to LAN.
(And later I would create a wireguard connection for the IPTV network)

#2
I connected the box to the modem,
but WAN didn't receive an IP address.
So I connected the Speedport Plus router.

You know what, since no one bothered to reply, I think this is the wrong forum.
I'll start from the beginning, since it's a network issue first.

#3
In Croatia I have an ISP that provides
- internet access (no VLAN) (let's call this network A)
- TV (VLAN 1500) (let's call this network B)
- telephone via VOIP (not sure)
No IPv6 connectivity sadly, only IPv4.

The topology is
fiber cable <-> modem <-> router
The router then has 4 RJ45 ports
2 for the LAN, 2 for the TV with separate IP ranges.

Now I bought an APU2C4 a few years ago and I'll put Opnsense on it.

There is a TV box that acts as a streaming client in the 10.0.0.0 IP range;
as noted above, it's provided via VLAN tag 1500.

What I'd like to do:
modem <-> apu <-> router

- opnsense/apu should pass all traffic to the router
so that the local network works as usual

- I'd like to be able to connect from Germany to network A and network B
I'd like to carry the TV box to Germany and be able to watch that TV there by connecting to network B, which will then give the TV box an IPv4 address via DHCP
Likewise I'd like to be able to connect to network A to access cameras or storage

I'll travel to Croatia in 3 days and hopefully arrive there healthy.

Now in Germany I only have a FritzBox 7590, which doesn't have wireguard so I'll probably have to buy some hardware to put wg there, probably some Pi/Clone or put OpenWRT on a very old FritzBox Fon 5140 there.
I'll find a solution for that. Connecting to network A is not an issue from Linux or Windows.
Sadly the shop here has the cheapest hardware listed starting with 550€, which is way too much.

What I'm interested in is the Croatia setup.
If anyone has already done something like this, I'd appreciate if you shared your experience.
Or if anyone has a solution, I'm all ears.
Also if you know any cheap hardware for the German location.
This whole thing is problematic because the locations are so far apart so I can't really test the setup.
I can connect to Germany from Croatia via the FritzBox 7590 VPN and I have a server in Germany that could act as a proxy, but I wouldn't like to mess with it, aka mix private stuff and business.

My take is:
have a DynDNS client on the APU router,
configure wg for each network, provided on different ports.

I'm more interested in the general theory but will revisit this thread with specific questions or write a log of what I did.

Update 0: Good news, AVM has a "labs" version of their firmware which supports WireGuard
https://avm.de/fritz-labor/frisch-aus-der-entwicklung/neues-und-verbesserungen/unterstuetzung-von-wireguard-fuer-den-einfachen-aufbau-von-vpn-verbindungen/

#4
17.1 Legacy Series / Re: TFTP server, zones and vpn
July 08, 2017, 11:37:32 PM
Hey fabian,
thanks for the reply and sorry for the late reply.

Meanwhile I switched to pfsense because it has those 2 packages but I really liked opnsense (except that they don't have those 2 features).
I'm a Linux guy, *BSD isn't really my world. Apparently everything is different in BSD land :)
I'm an ex-PHP guy and have been using Go for 4 years already (wow, time flies).
Nevertheless I remember phalcon but it has been a while and I'm sure they made advances meanwhile.

Oh... never mind, I see opnsense/core is using python for the services.
Would've been interesting to contribute isc-bind and tftp plugins/packages.

Quote from: fabian on July 01, 2017, 06:08:24 PM
<...>

TFTP can be hard as the protocol is really a problem for firewall rules (it tells a port number which will be used in the protocol instead of a standard port) :(
If you know the server and it has a static IP it should work. You can set the next server IP in the DHCP options of OPNsense but there is no possibility to set up a PXE server on OPNsense via the GUI.
Yes the server would be "the box" aka 192.168.1.1 on LAN.
I backed up my config of dhcpd4, can post it no problem.

Of course people say "a firewall should be a firewall";
well, with 4 cores and 4GB RAM there's room for more than just a firewall :)
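The point fabian makes in the quote above (TFTP negotiates its data port inside the protocol, so a rule for UDP/69 alone is not enough) is easy to see in a simulation. The following is an added example, not code from this thread or from OPNsense: it builds RFC 1350 request and DATA packets, models a UDP state table keyed on the full address/port tuple the way pf keeps it, and shows that the server's reply, sent from a freshly chosen transfer ID (TID), does not match the state created by the request to port 69, while an explicit pass rule for the known server's ephemeral range does. All hosts, ports, the file name and the payload are constructed; the IANA dynamic range is assumed as the server's TID pool.

```python
"""Why TFTP is awkward for a stateful firewall: a worked simulation (added example)."""
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
EPHEMERAL = range(49152, 65536)  # IANA dynamic range; assumed pool for server TIDs


def build_rrq(filename, mode="octet"):
    """Read request (RFC 1350 section 5): opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def parse_request(packet):
    """Return (opcode, filename, mode) for an RRQ/WRQ; raise ValueError if malformed."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a request opcode: %d" % opcode)
    fields = packet[2:].split(b"\0")
    # Both NUL terminators present -> at least three elements (last one empty).
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("filename or mode missing or unterminated")
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet", "mail"):
        raise ValueError("unknown transfer mode: " + mode)
    return opcode, fields[0].decode("ascii"), mode


def build_data(block, payload):
    """DATA packet: opcode 3, 16-bit block number, up to 512 bytes of payload."""
    if not 0 <= block <= 0xFFFF or len(payload) > 512:
        raise ValueError("bad block number or oversized payload")
    return struct.pack("!HH", OP_DATA, block) + payload


class UdpStateTable:
    """Stateful UDP filter keyed on the full (src, sport, dst, dport) tuple,
    the way pf tracks a permitted outbound UDP packet."""

    def __init__(self):
        self._states = set()

    def outbound(self, src, sport, dst, dport):
        # The permitted request creates a state; only an exact reverse match passes.
        self._states.add((dst, dport, src, sport))

    def reply_allowed(self, src, sport, dst, dport):
        return (src, sport, dst, dport) in self._states


def static_reply_rule(server, client, src, sport, dst, dport):
    """Explicit pass rule an admin adds for TFTP: UDP from the known server's
    ephemeral range to the client. Assumed rule shape, not OPNsense syntax."""
    return src == server and sport in EPHEMERAL and dst == client


def simulate_transfer(server_tid=50000):
    """Client sends an RRQ to port 69; the server answers DATA from a new TID.
    Returns what each filter decided. Addresses and ports are constructed."""
    client = ("10.0.0.20", 40000)      # constructed PXE client and its TID
    server = ("192.168.1.1", TFTP_PORT)  # the "box" from the thread, listening on 69
    fw = UdpStateTable()
    rrq = build_rrq("pxelinux.0")  # constructed file name
    fw.outbound(client[0], client[1], server[0], server[1])
    opcode, filename, mode = parse_request(rrq)
    # The server picks a fresh source port (its TID) for the whole transfer.
    data = build_data(1, b"boot image bytes")  # constructed payload
    reply = (server[0], server_tid, client[0], client[1])
    return {
        "filename": filename,
        "mode": mode,
        "data_block": struct.unpack("!H", data[2:4])[0],
        "state_match": fw.reply_allowed(*reply),
        "static_rule_match": static_reply_rule(server[0], client[0], *reply),
    }


if __name__ == "__main__":
    print(simulate_transfer())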
#5
Under Linux I solved it with a bridge


brctl addbr br0
brctl addif br0 eno1 # eth0 or rather the cable iface
brctl addif br0 enp0s20u4 # the USB iface


Set the phone to USB tethering first,
possibly obtain an address with dhcpcd,
and done.

Under FreeBSD, no idea, somehow that didn't work. The USB iface isn't created or recognized by *sense.
#6
I bought a "CSL - USB 2.0 auf seriell RS232 Adapter (Com Port)" via Amazon, 8€
An "ASSMANN Null-Modem Kabel D-Sub9 Bu/Bu 3m bulk beige", 7.17€
so around 15€ together.
That was the cheapest I could find. I could surely have saved 1€ by buying a null modem cable locally, but whatever.

Otherwise, dd'd it onto a "Corsair Flash Survivor Stealth v2 32GB USB-Speicherstick (USB 3.0, robust, wasserabweisend) schwarz" with bs=4M because I don't like waiting.
With Rufus it also works in DD mode, no problem.

You just have to bunzip it first; 7z can surely unpack that under Windows as well.

You download the
amd64
serial
version,
connect the cable to the APU2C4.
I also used putty under Linux
Connection type
  • serial
    /dev/ttyUSB0 115200

OPNsense is really great, compared to pfSense I like it better.
Unfortunately it has fewer mods.
#7
17.1 Legacy Series / TFTP server, zones and vpn
July 01, 2017, 04:12:44 PM
Ok, hello everyone.
I bought a PC Engines APU2C4 and installed OPNsense (4-core AMD, 4GB RAM, 16GB SSD, 3 Intel NICs).
Previously I had a small dedicated intel nuc box with bind,dhcpd and tftpd, but it didn't act as a router/firewall.

Now, with OPNsense, I use the unbound DNS resolver with overrides to provide local DNS, but it's suboptimal, since I'd like to be able to manage my zone and add wildcard entries, etc.,
aka a bit more configuration options.

Also, I'd like to run a TFTP server for booting via iPXE/PXE (to provide CoreOS, CentOS, etc...).

Then, in 2 days I'll be forced onto an IPv4-only connection and I'd like to do 2 things:
1. Provide VPN access (by ipsec or openvpn, in order of preference) to my local network
2. Provide IPv6 via some cloud instance

topology will be
modem/gateway <-> WAN port
LAN port <-> switch
pretty simple
My workstation has 2 NICs and I could imagine connecting 1 NIC to the switch and 1 NIC to OPT1 for a local-to-external IPv6 VPN.

So, any way to have
- access to zone records
- a TFTP server
- a VPN server
- a VPN client

I know it's a lot in 1 post.