Messages - cmonty14

#1
Hello,
I have a network setup with 2 routers.
OPNsense is the secondary router.
Its WAN interface is connected to the primary router's downstream interface.

Now I want to use a single LAN interface for administration, meaning the primary router's LAN and the secondary router's LAN are the same subnet.

Here's an overview of the IP addresses:
Primary router:
  WAN: <public IPv4>
  LAN: 172.16.1.1/24
  NET: 172.16.0.1/29
Secondary router:
  WAN: 172.16.0.2/29
  LAN: 172.16.1.2/24

In my understanding any traffic on subnet 172.16.1.0/24 (LAN) must be routed to primary router only.

How can I ensure that OPNsense is not routing LAN traffic over its WAN interface?

THX
#2
Hello,
Based on this tutorial I started the setup of a router cascade w/o double NAT.

This means the primary router is set up with NAT disabled and additional routing rules.
The visualization would look like this:
clients ↔ OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

Actually the clients are represented in a LAN subnet (172.16.1.0/24) and DMZ subnet (172.16.11.0/24).

This works as expected.

Now I want to connect a secondary router to a free NIC of the primary router. This secondary router provides multiple subnets, e.g. Office, Guest, IoT.

The visualization would look like this:
clients ↔ OPNsense router (no NAT) ↔ routing rules ↔ OpenWRT router (no NAT) ↔ routing rules ↔ ISP router with NAT ↔ Internet

The secondary router's LAN subnet is identical to the primary router's LAN: 172.16.1.0/24.
This subnet is only for router access (SSH and HTTPS).

As a result the following IPs are assigned:
primary router:
LAN: 172.16.1.1/24
DMZ: 172.16.11.1/24
eth1: 172.16.0.1/30
WAN: 192.168.1.2/24
secondary router:
LAN: 172.16.1.2/24
Office: 172.21.10.1/24 (VLAN)
Guest: 172.21.20.1/24 (VLAN)
WAN: 172.16.0.2/30

The current issue is:
No internet access from the secondary router, meaning I cannot upgrade software packages.
The error message is this:
[thomas@lou ~]$ sudo pkg update
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/meta.txz: Connection refused
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:13:amd64/22.1/latest/packagesite.txz: Connection refused
Unable to update repository OPNsense
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Connection refused
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Connection refused
Unable to update repository mimugmail
Error updating repositories!

DNS on secondary router is (obviously) working, though.

I wonder which route the secondary router should take when accessing the internet.
Executing traceroute shows this:
[thomas@lou ~]$ sudo traceroute openwrt.org
traceroute to openwrt.org (139.59.209.225), 64 hops max, 40 byte packets
1 172.16.0.1 (172.16.0.1) 0.538 ms 0.433 ms 0.355 ms
2 172.16.0.1 (172.16.0.1) 0.355 ms 0.443 ms 0.392 ms


This means the secondary router is not using the default route of the primary router. This is the routing table of the primary router:
root@eddie:~# ip route
default via 192.168.1.1 dev wan src 192.168.1.2
172.16.0.0/30 dev lan5 scope link src 172.16.0.1
172.16.1.0/24 dev lan2 scope link src 172.16.1.1
172.16.11.0/24 dev lan4 scope link src 172.16.11.1
172.21.0.0/16 via 172.16.0.2 dev lan5 onlink
192.168.1.0/24 dev wan scope link src 192.168.1.2


I don't understand how network traffic on this subnet would be routed to the WAN interface of the primary router.
Can you please advise how to troubleshoot this issue?
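As an added illustration (not from the post or the OPNsense project), the following Python resolves destinations against the primary router's `ip route` output pasted above using longest-prefix match, the rule a router applies when several routes cover an address. It also answers the earlier question about the shared 172.16.1.0/24 subnet: a connected route on lan2 is always more specific than the default route, so that traffic is never sent towards the WAN.

```python
import ipaddress

# Routing table of the primary router as pasted in the post (constructed copy).
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev wan src 192.168.1.2
172.16.0.0/30 dev lan5 scope link src 172.16.0.1
172.16.1.0/24 dev lan2 scope link src 172.16.1.1
172.16.11.0/24 dev lan4 scope link src 172.16.11.1
172.21.0.0/16 via 172.16.0.2 dev lan5 onlink
192.168.1.0/24 dev wan scope link src 192.168.1.2
"""


def parse_ip_route(text):
    """Parse Linux `ip route` lines into (network, gateway, device) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific covering route wins, default last."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def next_hop(routes, dst):
    """Return the gateway used for dst, or 'direct:<dev>' for a connected subnet."""
    match = lookup(routes, dst)
    if match is None:
        return None
    net, gw, dev = match
    return gw if gw else f"direct:{dev}"


if __name__ == "__main__":
    table = parse_ip_route(IP_ROUTE_OUTPUT)
    for host in ("139.59.209.225", "172.16.1.50", "172.21.10.7", "172.16.0.2"):
        print(host, "->", next_hop(table, host))
```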
#3
Hello,
I want to install package inxi.
This package is supplied by the sysutils port.

According to documentation I have executed the following steps:

  • opnsense-code ports tools
  • cd /usr/ports/sysutils/inxi
  • make install

Make install has now been running for 12+ hours, and I don't understand why it takes so much time to compile a package of a few kB.

Please advise the correct procedure for installation of package inxi.

THX
#4
Hello,

I have configured multiple interfaces:
WAN, LAN, DMZ, PROXY

Each interface is configured with a dedicated network (network segmentation), meaning
LAN: 172.16.1.0/24
PROXY: 172.30.1.0/24

Then I added a virtual IP from PROXY network: 172.30.1.9

After this I installed a service that is listening on this virtual IP.
root@clancy:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     AdGuardHom 97269 11 tcp4   172.30.1.9:80         *:*
root     AdGuardHom 97269 13 udp4   172.30.1.9:53         *:*
root     AdGuardHom 97269 20 tcp4   172.30.1.9:53         *:*


Question:
How can I access this service listening on 172.30.1.9:80 from LAN?

THX
#5
Hi,
I completed setup of Web Filtering following the documentation.

However, after clicking "Download ACLs" there are no categories to select in the relevant field for any of the configured lists, in my case UT1 web filter (ftp://ftp.ut-capitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz) and shallalist.de web filter (http://shallalist.de/Downloads/shallalist.tar.gz).

Can you please advise how to troubleshoot this issue?

THX
#6
Actually I could set up a transparent firewall with a bridge on interfaces DMZ and WAN.
#7
Hello,

can you please advise how to create an anti-lockout rule for the MGMT interface, i.e. a duplicate of the automatically generated anti-lockout rule for LAN?

THX
#8
Hello,

my ISP offers me 1 static public IP (not more).
I want to use this static public IP with multiple services, e.g. private cloud, mail-server, etc.

In a traditional setup I would configure a DMZ for these services. In addition there's a forward proxy in this DMZ to "route" traffic for cloud.mydomain.com, mail.mydomain.com, etc. to the relevant server.

Question:
Is the setup of a Transparent Firewall working for these conditions / restrictions?

THX
#9
Thanks for your reply.

With regards to VLAN1...
The issue is that the Fritzbox cannot do VLANs; this function is not implemented.

Considering this, is it still reasonable to define a VLAN for the Fritzbox LAN network?
If yes, what is the setting for the relevant port of the managed switch?
Access tagged VLAN<ID> or
Access untagged VLAN<ID> or
Access admit all or
anything else?
#10
Thanks for your reply.

Is my understanding correct that the Managed Switch port connected with OPNsense LAN interface must be defined as 802.1Q VLAN mode trunk?

I reviewed my VLAN settings and decided to go with VLAN1 for the Fritzbox LAN; this should reduce the risk of complications.

But then I need to define a VLAN ID for OPNsense LAN interface to avoid collision with Fritzbox LAN (e.g. VLAN20).

If this is correct, how should I proceed with OPNsense interface configuration?
Would this mean that I create interface LAN w/o enabling it and add all VLANs to this interface, including VLAN20?

THX
#11
Hello,

I assumed that the OPNsense LAN port is a switch as there are multiple VLANs assigned to the same port.
And the difference between VLAN10 and VLAN179 is that there are 2 different connections to the Fritzbox router providing the relevant networks (Fritzbox LAN and Fritzbox Guest LAN). I have defined DHCP for both VLANs because the Fritzbox is offering DHCP service.

THX
#12
Hello,

my ISP (Vodafone cable) provides two internet access points:
- standard (like any ISP offers)
- static IP

The router (here: AVM Fritz!Box 6490 cable) basically works like any other Fritz!Box with only one exception:
1 port is configured for using the static IP.
I guess one could call this passthrough.

Anyway, this means that I have the following port configuration with this Fritz!Box:
Port 1 - LAN
Port 2 - LAN
Port 3 - static IP passthrough
Port 4 - Guest LAN

The other network device is a managed switch (here: D-Link DGS-1100).

The use case for OPNsense is this.
On a Proxmox VE I set up a VM with OPNsense as router and firewall.
Having 5 ethernet ports on the Proxmox VE host, the OPNsense VM will use 2 ports with PCI passthrough: eth0 for WAN (= static IP) and eth1 for LAN.

In addition I want to set up different VLANs, e.g. for a Smarthome network, DMZ and PVE Guest network.
I also consider a VLAN for Fritzbox LAN and Fritzbox Guest LAN.

As a result the following interface configuration is available in OPNsense:
[screenshot: interfaces]
1 - Default
2 - Management network
10 - Fritzbox LAN
179 - Fritzbox Guest LAN
161 - DMZ
162 - Smarthome network
100 - PVE Guest network
110 - PVE Migration network
120 - PVE Corosync network

In my understanding the OPNsense LAN interface is untagged, because I don't know how to tag it when creating the interface.
All other interfaces are VLANs and this means they are tagged.
Should the OPNsense LAN interface be tagged, too?
In order to avoid collisions with the Fritzbox LAN?
Or is it recommended to have any LAN be untagged?

And how to configure the VLAN on the managed switch?
I mean, what VLAN should be used?
My current understanding is that 802.1Q is the preferred mode when using multiple VLANs on a single port.
And with 802.1Q there are different VLAN modes: Access Port, Trunk Port and Hybrid Port.

In my understanding the OPNsense LAN interface is logically a switch.
If this is true, the VLAN mode of the connected managed switch port must be trunk.
But then the untagged LAN won't work, right?

Can you please advise what is the recommended configuration on the managed switch, in particular the recommended VLAN mode?
What should be tagged? What should be untagged?

THX
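The tagged/untagged and trunk/access questions in this post and the two above it come down to one mechanism: how a switch port classifies a frame on ingress (untagged frames get the port's PVID, tagged frames are accepted only if the VLAN is a member) and whether it strips or keeps the tag on egress. The following Python is an added, simplified model of that behaviour (not from the post, OPNsense or the D-Link switch); the port layout and VLAN memberships are assumed for illustration, using the VLAN IDs from the interface list above.

```python
from dataclasses import dataclass
from typing import Optional

# VLAN IDs from the OPNsense interface list in the post.
FRITZBOX_LAN, FRITZBOX_GUEST, DMZ = 10, 179, 161


@dataclass(frozen=True)
class Frame:
    src: str
    vlan: Optional[int]  # None = untagged frame on the wire


def ingress(port, frame):
    """Assign an arriving frame to a VLAN, or return None if the port drops it.

    port: {'mode': 'access'|'trunk', 'pvid': untagged/native VLAN or absent,
           'tagged': set of VLANs accepted with an 802.1Q tag (trunk only)}
    """
    if frame.vlan is None:                       # untagged on the wire
        return port.get("pvid")                  # PVID, or None if no native VLAN
    if port["mode"] == "access":
        return None                              # access ports discard tagged frames
    return frame.vlan if frame.vlan in port["tagged"] else None


def egress(port, vlan):
    """How a frame of this VLAN leaves the port: 'untagged', 'tagged' or None."""
    if vlan == port.get("pvid"):
        return "untagged"                        # tag stripped for the native/PVID VLAN
    if port["mode"] == "trunk" and vlan in port["tagged"]:
        return "tagged"                          # 802.1Q tag kept on a trunk
    return None                                  # VLAN not present on this port


def forward(in_port, out_port, frame):
    """Frame enters on in_port and leaves on out_port: (vlan, how) or None if dropped."""
    vlan = ingress(in_port, frame)
    if vlan is None:
        return None
    how = egress(out_port, vlan)
    return None if how is None else (vlan, how)


# Constructed ports modelling the post's setup (assumed, not the real switch config):
# the Fritz!Box cannot tag, so its port is access/untagged in VLAN 10; the OPNsense
# LAN port is a trunk carrying VLAN 1 untagged and the other VLANs tagged.
FRITZBOX_PORT = {"mode": "access", "pvid": FRITZBOX_LAN}
OPNSENSE_PORT = {"mode": "trunk", "pvid": 1,
                 "tagged": {FRITZBOX_LAN, FRITZBOX_GUEST, DMZ}}
```

Running `forward(FRITZBOX_PORT, OPNSENSE_PORT, Frame("fritzbox", None))` shows an untagged Fritz!Box frame reaching OPNsense tagged as VLAN 10, which is why the OPNsense side needs a VLAN interface for it while the Fritz!Box side stays untagged.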
#13
Option 2 is not possible because the FB does not allow bridge mode.

So the OPNsense WAN would go to the ISP's static IP, and the OPNsense WAN2 to the FB's LAN, i.e. 192.168.1.0/24.

All PCs and mobile devices (or smartphones) are also located in the FB's LAN (192.168.1.0/24).

How would one then proceed if firewall rules for the FB's LAN are defined and set up on OPNsense?

Actually it would make sense for the OPNsense LAN to be the same as the FB's LAN, i.e. 192.168.1.0/24.
Then of course there is no WAN2, but I could do without that.
But the question arises:
Can I use the same for the OPNsense LAN as for the FB's LAN?

#14
[quote]You'll find everything important about this under "MultiWAN" in the documentation[/quote]

I know where to find information; I linked the article myself.
But I don't know whether this can also work with the FritzBox.
#15
Now that it is clear that the switch handles the communication with VLANs, a new question arises.
This question relates to the 2 separate internet connections.
One could also say there are 2 ISPs.

OPNsense offers the Gateway groups / Multi WAN functionality.
As I understand it, I could then set up a failover that works as follows:
- In normal operation the static IP is used for internet access
- If this connection fails, internet access via the FritzBox is used

If this assumption is correct, what does the configuration in OPNsense need to look like?

THX