22.1 Legacy Series / Re: request for help with: single public IP, a bridge, two opensense-fw VM > VMs
« on: February 12, 2022, 03:50:27 pm »
I don't understand why you're using a bridge at all. So this is just guesswork.
Maybe the problem is here: [ public IP #1 ]-[ eth0 ] -> [bridge]-[public IP #2] -> [ opnsenseVM]
Your Eth0 is the physical interface attached to opnsense VMS.
There is no need to use any routed interface on your VM host since your opnsense firewall/VM is the network default gateway.
Maybe you're using the bridge interface for VM host management... but:
It would be best if you were controlling/filtering all of your traffic by using your Firewall -> This is a security best practice and also a global collaboration for the interwebz hygiene:)
Configure your firewall to filter it all, and use some VPN (Wireguard is your friend) for more secure/controlled management access.
In guesswork mode, I would exec the configuration this way:
1 - Configure dedicated VM host interwebz interface as WAN on opnsense VMs with RFC 1918 IPs ( 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ) - Don't forget to go to Opnsense GUI and deselect the box that blocks private networks, because you're using them for your setup with CARP to work
2 - Go to Opnsense GUI -> Interfaces -> Settings -> Virtual IPs and Configure a CARP Interface with your first Public IP.
3 - Go to Opnsense GUI -> Interfaces -> Settings -> Virtual IPs and Configure your second Public IP as an IP Alias of your WAN Interface and select your WAN interface CARP VHID
4 - Configure your LAN/Opt interfaces
5 - Run a tcpdump on your WAN/Lan interfaces to confirm traffic is flowing
6 - Setup a Wireguard VPN for VMHost Management
7 - Create your Aliases/PortForward/NAT/Firewall Rules to redirect services to the correct LAN Hosts/Targets
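An added example, not from the post or from OPNsense itself: a small Python check of the address plan that steps 1 to 3 describe (RFC 1918 address on WAN with "Block private networks" deselected, public IP #1 as a CARP VIP, public IP #2 as an IP alias bound to that CARP VHID). The plan dictionary, its field names and all addresses are constructed for illustration; the first run flags the box left ticked, the corrected plan passes.

```python
import copy
import ipaddress

# Constructed sample plan mirroring the post's layout. Field names and
# addresses are assumptions for this example, not OPNsense's own schema.
PLAN = {
    "interfaces": {
        # WAN carries an RFC 1918 address, but the "block private" box is still ticked
        "wan": {"address": "10.0.0.2/24", "block_private": True},
        "lan": {"address": "192.168.1.1/24", "block_private": False},
    },
    "virtual_ips": [
        # public IP #1 as the CARP VIP on WAN
        {"mode": "carp", "interface": "wan", "address": "203.0.113.10/32", "vhid": 1},
        # public IP #2 as an IP alias following the same CARP VHID
        {"mode": "ipalias", "interface": "wan", "address": "203.0.113.11/32", "vhid": 1},
    ],
}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan follows steps 1 to 3."""
    findings = []
    # Step 1: a private WAN address only works if private networks are not blocked
    for name, cfg in plan["interfaces"].items():
        addr = ipaddress.ip_interface(cfg["address"]).ip
        if addr.is_private and cfg["block_private"]:
            findings.append(f"{name}: RFC 1918 address {addr} but 'Block private networks' is enabled")
    # Step 2: collect CARP VIPs per interface; a VHID must be unique on its interface
    carp = {}
    for vip in plan["virtual_ips"]:
        if vip["mode"] == "carp":
            key = (vip["interface"], vip["vhid"])
            if key in carp:
                findings.append(f"duplicate CARP VHID {vip['vhid']} on {vip['interface']}")
            carp[key] = vip["address"]
    # Step 3: every IP alias must point at a CARP VHID that exists on its interface
    for vip in plan["virtual_ips"]:
        if vip["mode"] == "ipalias" and (vip["interface"], vip.get("vhid")) not in carp:
            findings.append(f"IP alias {vip['address']} on {vip['interface']} has no matching CARP VHID")
    return findings


def fixed_plan(plan):
    """Return a copy with the 'Block private networks' box deselected on WAN, as step 1 asks."""
    fixed = copy.deepcopy(plan)
    fixed["interfaces"]["wan"]["block_private"] = False
    return fixed


if __name__ == "__main__":
    print(check_plan(PLAN))
    print(check_plan(fixed_plan(PLAN)))
```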