Messages - dave79

#1
Quote from: Patrick M. Hausen on May 06, 2025, 05:23:03 PM
Hint: a static DHCP lease in OPNsense can register a DNS name which can then be used in Home Assistant or similar.

Thanks!
#2
Quote from: EricPerl on May 06, 2025, 04:48:08 PM
Really? Example?
I don't know that I own one that supports that. Requiring it seems like such a poor design decision.

Sorry, I mean with my setup. The IoT device itself can use DHCP - what I mean is that other things in my home automation expect them to be static.

A few things off the top of my head:

ESP devices depending on firmware, there's no mDNS due to limited flash - I have a LOT of these. One good example is Hyperion which connects to an ESP8266 to control LEDs. Some of my smart plugs have a fairly rubbish integration with my home automation as well and need to be static because it always expects them to be in the same place. The Hue hub is a good example too - if the IP changes, you have to manually reload the config after specifying the new IP for it to be picked up again. I also have a lot of automation scripting that would require altering each time if the IP changes.

Edit: Tasmota firmware has no mDNS either.
#3
Quote from: meyergru on May 06, 2025, 01:55:06 PM
I object to the highlighted networks. Please read this first...

Thanks for the info, very helpful. I will make sure I factor this in when I change my setup.
#4
Quote from: Patrick M. Hausen on May 06, 2025, 09:10:54 AM
These devices do not use DHCP?

Some yes, like phones, watches etc., but for most I define static leases as the vast majority of them are IoT devices that require static addresses. Unfortunately not all of them have mDNS. So it's not so trivial to just change everything. It's at least a whole day's work with a non-working house. The reason I originally chose 192.168.0.0/16 is because I thought it would be tidier and easier to organise to have it like this:

192.168.0.x - routers and switches
192.168.1.x - servers
192.168.2.x - bulbs
192.168.3.x - plugs
192.168.4.x - sensors
192.168.5.x - audio and visual
192.168.6.x - cameras
etc

Well, you get the point. Obviously knowing what I know now, I would have done things differently.
#5
Thank you for the advice. I will treat my current solution as a temporary fix and have a think about which of those I would be best using.
#6
Having kicked myself for this a lot over the course of the last few hours, I have been reading a lot about networking subnets. If anyone is interested or finds themselves in the same situation in future: I have changed my subnet to /19, which only covers 192.168.0.0 - 192.168.31.255. This avoids having to reconfigure ~150 devices. I can now access the modem UI without any VIP or outbound NAT.

Once again I would like to apologise to everyone who spent time on this.
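An added example, not from the thread or from OPNsense, that models the routing decision behind the whole problem: with the original /16 mask, a LAN host treats the modem's 192.168.100.1 as on-link and ARPs for it on the LAN (which is why the LAN ping later on this page fails with "Destination Host Unreachable" from 192.168.1.10 itself), whereas with /19 the packet is handed to OPNsense as the gateway. The addresses are the ones quoted in the posts; the function names are my own.

```python
from ipaddress import IPv4Interface, ip_address, ip_interface, ip_network

# Constructed from values quoted in the thread: the LAN host 192.168.1.10,
# the original /16 LAN, the /19 it was changed to, and the modem UI address.
LAN_HOST_OLD = ip_interface("192.168.1.10/16")   # before: 192.168.0.0/16
LAN_HOST_NEW = ip_interface("192.168.1.10/19")   # after:  192.168.0.0/19
MODEM = ip_address("192.168.100.1")              # modem in 192.168.100.0/24


def next_hop(host: IPv4Interface, dst) -> str:
    """Mimic a host's routing decision for one destination.

    A host only ARPs for, and sends directly to, addresses inside its own
    connected prefix; everything else goes to the default gateway. When the
    destination is inside the prefix but nobody answers ARP, the kernel
    reports "Destination Host Unreachable" from the host's own address, so
    the packet never reaches OPNsense and no firewall log entry appears.
    """
    if ip_address(dst) in host.network:
        return "on-link"        # ARP on the LAN segment, gateway is bypassed
    return "via-gateway"        # handed to OPNsense for routing / outbound NAT


def overlaps(lan: str, other: str) -> bool:
    """True when the LAN prefix shares any address with another prefix."""
    return ip_network(lan, strict=False).overlaps(ip_network(other, strict=False))


def address_range(prefix: str) -> tuple[str, str]:
    """First and last address covered by a prefix (e.g. to sanity-check /19)."""
    net = ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def plan_fits(lan: str, used_subnets) -> bool:
    """Check that every /24 of the addressing plan still sits inside the LAN."""
    lan_net = ip_network(lan)
    return all(ip_network(s).subnet_of(lan_net) for s in used_subnets)


if __name__ == "__main__":
    for host in (LAN_HOST_OLD, LAN_HOST_NEW):
        print(f"{host}: {MODEM} is {next_hop(host, MODEM)}")
    print("/16 overlaps modem subnet:", overlaps("192.168.0.0/16", "192.168.100.0/24"))
    print("/19 overlaps modem subnet:", overlaps("192.168.0.0/19", "192.168.100.0/24"))
    print("/19 covers:", address_range("192.168.0.0/19"))
    print("plan fits /19:", plan_fits("192.168.0.0/19", [f"192.168.{i}.0/24" for i in range(7)]))
```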
#7
Quote from: Bob.Dig on May 05, 2025, 06:22:01 PM
Not only his. ;)

Sorry, I was referring to everyone who has chimed in, but I am sorry to have wasted your time also. Thanks for trying to help.
#8
Ahh ok, thanks. I'll have to see if I can reconfigure everything on /24 then try again. Thanks for persevering and I am sorry to have wasted your time.
#9
Quote from: Bob.Dig on May 05, 2025, 12:56:49 PM
Maybe you shouldn't. WAN should be PPPoE in your case.

I can try this and see if it makes a difference.
#10
Quote from: meyergru on May 05, 2025, 12:22:25 PM
An outbound NAT rule from the LAN to the WAN.

Sorry to be dumb here, but haven't I done this with: https://imgur.com/mZ2j0rw.png?

Quote from: meyergru on May 05, 2025, 12:22:25 PM
A firewall rule allowing the traffic from your LAN to the modem. You do not need a reverse rule, since the responses are allowed automatically.

So the existing allow all isn't enough? Sorry I'm confused. What do I need to add as a firewall rule then?

Quote from: meyergru on May 05, 2025, 12:22:25 PM
P.S.: How did you configure your LAN client? I assume that OpnSense's LAN IP is the gateway?

Yes, OPNsense is the gateway 192.168.0.1

Quote from: meyergru on May 05, 2025, 12:22:25 PM
Can you ping 8.8.8.8 from your LAN client?

Yes:

/ # ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=21.2 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=20.6 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=19.6 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 19.628/20.460/21.197/0.644 ms

Quote from: meyergru on May 05, 2025, 12:22:25 PM
Or did you assign a 192.168.100.0/24 IP on a second network card? Essentially: Does the routing for the target network from your LAN client work at all?

192.168.100.0/24 isn't assigned to a second interface, but I do have bonding:

bond0: flags=5187<UP,BROADCAST,RUNNING,MASTER,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::x:x:x:x  prefixlen 64  scopeid 0x20<link>
        ether de:d0:x:x:x:x  txqueuelen 1000  (Ethernet)
        RX packets 468115983  bytes 463457888920 (463.4 GB)
        RX errors 97642  dropped 166624  overruns 0  frame 74250
        TX packets 345940032  bytes 233493783457 (233.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
#11
Ok, just to make sure I didn't mess something up (which is not outside the realms of possibility as this is totally out of my comfort zone) I restored from a snap before I even posted here. First I checked "Log packets that are handled by this rule" on the allow any LAN rule.

I pinged 192.168.100.1 from OPNsense and this is what I see: https://i.imgur.com/660OonZ.png

Unless I am wrong, this looks like the connection is allowed out of LAN in the logs?

The ping looks like this:

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
ping: sendto: Host is down
^C
--- 192.168.100.1 ping statistics ---
11 packets transmitted, 0 packets received, 100.0% packet loss

Then I added the VIP (IP Alias, WAN, 192.168.100.2/24 - nothing else) and looked again: https://i.ibb.co/hFQNhdm0/wan.png

Shouldn't the LAN also be listed in the logs once the VIP is added?

This time the ping doesn't time out (from OPNsense again):

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=4.617 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.555 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=4.469 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=4.502 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=4.565 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=4.554 ms
^C
--- 192.168.100.1 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss

Now I added the outbound NAT: https://i.ibb.co/Fqqr9HqF/outbound-nat.png (but logging was checked too, this is a screenshot from earlier)

Firewall logs: https://i.ibb.co/rGLZx6jw/nat-logs.png

Ping from OPNsense:

root@OPNsense:~ # ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=6.595 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.918 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=3.008 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=2.870 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=2.950 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=2.897 ms
64 bytes from 192.168.100.1: icmp_seq=7 ttl=64 time=2.916 ms
^C
--- 192.168.100.1 ping statistics ---
8 packets transmitted, 8 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.870/3.384/6.595/1.214 ms

Ping from machine on LAN:

/ # ping -c 4 192.168.100.1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
From 192.168.1.10 icmp_seq=1 Destination Host Unreachable
From 192.168.1.10 icmp_seq=2 Destination Host Unreachable
From 192.168.1.10 icmp_seq=3 Destination Host Unreachable
From 192.168.1.10 icmp_seq=4 Destination Host Unreachable

--- 192.168.100.1 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3068ms
pipe 3

When I ping from the LAN machine, there are no additional entries in the firewall log. Also not sure why the ping shows it's trying to ping the LAN machine itself. Something is very wrong.
#12
I am using DHCP on the WAN port.

In some of the posts above I think I have said modem, but it's technically a router in modem mode.

Ok, thank you for taking the time to troubleshoot this, I really appreciate it.

Out of interest, I have seen some people say that double NATing isn't usually an issue - even for torrents and VPNs etc - could this be a possible workaround? Put it back in router mode, disable wifi then do it that way? The reason I am so keen to get this working is that I am having some latency issues at the moment, and I really need to be able to access the router to diagnose.
#13
Quote from: Patrick M. Hausen on May 04, 2025, 08:01:42 PM
Don't you allow destination "any" on the LAN interface, anyway?

Yes, I only ever added one rule to LAN before now.

Quote from: Bob.Dig on May 04, 2025, 08:02:37 PM
So show all your LAN and Floating rules and maybe Outbound-NAT if you changed something there.

Rules: https://ibb.co/Z1GRdWrY

Outbound NAT: https://ibb.co/S4BbN9r2
#14
Yes I have a rule and no, the gateway is set as default:

Apart from default, the options I have in the drop down are:

I tried WAN and WAN - IP but there was no change. Have I messed something else up?
#15
@meyergru Ok, let me start this again. With the VIP added, I logged into OPNsense and I can ping the modem:

root@OPNsense:~ # ping -c 10 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=64 time=4.667 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.575 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=5.996 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=4.854 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=64 time=4.588 ms
64 bytes from 192.168.100.1: icmp_seq=5 ttl=64 time=4.569 ms
64 bytes from 192.168.100.1: icmp_seq=6 ttl=64 time=4.573 ms
64 bytes from 192.168.100.1: icmp_seq=7 ttl=64 time=4.535 ms
64 bytes from 192.168.100.1: icmp_seq=8 ttl=64 time=4.606 ms
64 bytes from 192.168.100.1: icmp_seq=9 ttl=64 time=4.536 ms

--- 192.168.100.1 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.535/4.750/5.996/0.425 ms

I checked ifconfig:

em1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN (wan)
options=4e507bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
ether 00:1f:x:x:x:x
inet 82.x.x.x netmask 0xfffffc00 broadcast 82.x.x.x
inet 192.168.100.2 netmask 0xffffff00 broadcast 192.168.100.255
inet6 fe80::x:x:x:ec81%em1 prefixlen 64 scopeid 0x2
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

Then I added the outbound NAT:

But I am still unable to ping 192.168.100.1 from a machine on LAN or access the web UI. So I guess this is a firewall problem?

@Bob.Dig When port 4 of the modem is connected to OPNsense's WAN port, it shows my public IP, but if I unplug it (after setting up the VIP) it shows 192.168.100.2