Messages - monkeydelufy

#1
General Discussion / Re: Public ip to Virtual server
March 18, 2025, 04:52:38 AM
Quote from: Patrick M. Hausen on March 17, 2025, 06:17:33 PM
Why bridging? How are you going to filter now? Your ISP needs to route so the traffic passes through the firewall.

I tried using a route but it's not working. The ISP cannot route the other /28 to the /30 because it's a different subnet; I don't understand this. I also tried creating a route for the /28 routed via the /30 in OPNsense, which is also not working. Any idea for this?

For the bridge, I can still filter with firewall rules on interface br0. It's really hard dealing with multiple public IPs using OPNsense. Maybe I will buy a MikroTik for managing IPs and use OPNsense only for the firewall. A couple of days of just configuring this has given me a headache.
#2
General Discussion / Re: Public ip to Virtual server
March 17, 2025, 05:59:26 PM
Quote from: Patrick M. Hausen on March 17, 2025, 03:19:09 PM
Exactly. E.g.

LAN: 1.2.3.1/28
Server: 1.2.3.2/28

Set .1 as default gateway and disable NAT.

Assuming WAN is 4.5.6.1/30 (ISP) and 4.5.6.2/30 (OPNsense) the ISP must route 1.2.3.0/28 to 4.5.6.2.

Hi Patrick,

Thanks for your help. I created a bridge port and put WAN and LAN in it, and it's working perfectly.
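
The routed layout from the quoted reply, worked through as an added example (not part of the forum posts and not OPNsense code). It uses the reply's example addresses; the function names and returned field names are hypothetical.

```python
import ipaddress

# Added illustration; function and field names are hypothetical.
# Addresses in the demo are the example values from the quoted reply.

def routed_subnet_plan(transit_cidr, fw_wan_ip, routed_cidr):
    """Address plan for a public block routed through the firewall (no NAT)."""
    transit = ipaddress.ip_network(transit_cidr)   # WAN network shared with the ISP
    routed = ipaddress.ip_network(routed_cidr)     # extra public block for the LAN side
    next_hop = ipaddress.ip_address(fw_wan_ip)     # firewall's own WAN address

    if next_hop not in list(transit.hosts()):
        raise ValueError("firewall WAN address is not a host in the transit network")
    if transit.overlaps(routed):
        raise ValueError("routed block overlaps the transit network")

    hosts = list(routed.hosts())
    gateway, servers = hosts[0], hosts[1:]
    return {
        "isp_static_route": f"{routed} via {next_hop}",
        "lan_interface": f"{gateway}/{routed.prefixlen}",
        "server_gateway": str(gateway),
        "server_addresses": [f"{ip}/{routed.prefixlen}" for ip in servers],
    }


def check_server(routed_cidr, server_if, server_gw):
    """Return a list of problems with one server's static configuration."""
    routed = ipaddress.ip_network(routed_cidr)
    iface = ipaddress.ip_interface(server_if)
    gw = ipaddress.ip_address(server_gw)
    fw_lan = next(iter(routed.hosts()))            # first usable address of the block
    problems = []
    if iface.network != routed:
        problems.append("server prefix does not match the routed block")
    if gw != fw_lan:
        problems.append("default gateway is not the firewall LAN address")
    if iface.ip == fw_lan:
        problems.append("server reuses the firewall LAN address")
    return problems


if __name__ == "__main__":
    plan = routed_subnet_plan("4.5.6.0/30", "4.5.6.2", "1.2.3.0/28")
    for key, value in plan.items():
        print(key, "=", value)
    print(check_server("1.2.3.0/28", "1.2.3.2/28", "1.2.3.1"))
    print(check_server("1.2.3.0/28", "1.2.3.2/28", "4.5.6.1"))
```
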
#3
General Discussion / Re: Public ip to Virtual server
March 17, 2025, 03:04:09 PM
Quote from: Patrick M. Hausen on March 17, 2025, 02:33:23 PM
Configure first IP address of that /28 statically on OPNsense LAN. Have the server use that as the default gateway. Have the ISP route the /28 to your WAN address. Disable outbound NAT. Create firewall rules as necessary.

So I just create a static IP on the LAN interface, then use that static IP from the LAN interface as the gateway for my server?
#4
General Discussion / Re: Public ip to Virtual server
March 17, 2025, 02:29:57 PM
Quote from: Patrick M. Hausen on March 17, 2025, 02:27:47 PM
Can your ISP route the purchased addresses (how many exactly? a subnet? /29?) to your firewall?

Hi Patrick, we have a /30 for the WAN interface, and the LAN interface is connected to the server directly. I purchased another /28 for my server, but until now I cannot assign this /28 directly to my server. I am so confused and really need help here. How do I assign this /28 to the LAN interface so my virtual server can use the IPs?
#5
General Discussion / Re: Public ip to Virtual server
March 17, 2025, 01:54:27 PM
Quote from: viragomann on March 16, 2025, 07:59:03 PM
Quote from: monkeydelufy on March 13, 2025, 05:52:44 PM
103.x.x.x/30 is on ether1 of OPNsense, and ether2 is connected directly to the KVM server. I also got another static IP, 103.x.x.x/28
Your setup is not really clear to me.
OpenVPN runs on top of KVM and both NICs are connected to it?

Is the 103.x.x.x/28 subnet routed to the primary IP by the ISP?

Quote from: monkeydelufy on March 13, 2025, 05:52:44 PM
My goal is to put this public IP address 103.x.x.x/28 directly on the cloud KVM server without one-to-one NAT or port forwarding
Why don't you want to NAT the traffic?

Sorry for the unclear information. My goal is to deliver the public IPs purchased from our ISP directly to our virtual server, without a virtual IP or 1:1 NAT.
So how do I achieve this goal, and what is the best configuration for this?
#6
General Discussion / Re: Public ip to Virtual server
March 15, 2025, 02:56:39 PM
I am using a virtual IP and created a VLAN attached to WAN. It's working, but I cannot protect it; it's like the public IP is attached directly to the VM. I cannot even block ICMP.

What am I supposed to do? I need advice and help.
#7
General Discussion / Public ip to Virtual server
March 13, 2025, 05:52:44 PM
Hi guys, I am really facing an issue with my configuration and need advice on the best solution for this. Here is my topology:
ISP----> opnsense ethernet1 static ip .....> cloud server kvm based

103.x.x.x/30 is on ether1 of OPNsense, and ether2 is connected directly to the KVM server. I also got another static IP, 103.x.x.x/28.
My goal is to put this public IP address 103.x.x.x/28 directly on the cloud KVM server without one-to-one NAT or port forwarding.

I have tried everything and it is still not working. Please, I need advice for my situation.

Thanks
#8
I will try using VLANs then.
By the way, thanks guys for the feedback and advice.
#9
Quote from: Patrick M. Hausen on February 25, 2025, 11:35:16 AM
Create VLAN on OPNsense and on the connected host. No switch needed. Now how to do that on the host depends on the product you are using.

Ohh I see, so I create a VLAN for each VM. It makes sense, but it's more difficult if you have a lot of VMs.
But still not secure enough.
#10
Quote from: Patrick M. Hausen on February 25, 2025, 11:22:38 AM
Then create one VLAN per VM ...

Create a VLAN without a switch? Still confusing to me, need advice.
#11
Quote from: Patrick M. Hausen on February 25, 2025, 11:13:13 AM
Quote from: bimbar on February 25, 2025, 11:08:45 AM
Or you can check out things like private VLANs or port isolation.

Which again needs a more than "dumb" switch supporting these features. But valid point, of course.

BTW: @monkeydelufy if it's wireless devices you are thinking of, many APs support something called "client isolation". So possibly you would not even need a new device.

My network right now is like this:
2 ether,
1 WAN port
1 LAN port; all devices are directly connected to ether2 (LAN), and this LAN is not connected to a switch, it connects directly to the server that hosts the virtualization.
My goal is just to isolate each VM for protection. Huft..
#12
So there is no solution for this? All my devices are connected through OPNsense and also get their IPs from OPNsense. Still no clue for this?
#13
Hi guys,

Newbie here, trying to figure out whether it is possible to block traffic within the same network. For example,
IP 192.168.1.10 cannot reach IP 192.168.1.11. I am trying to isolate them from each other. Is that possible?

Thanks
#14
Virtual private networks / Re: Wireguard Split tunnel
September 04, 2024, 03:51:36 PM
Quote from: Patrick M. Hausen on September 04, 2024, 03:21:55 PM
On the client side put only the remote network in "Allowed IPs". Done.

Thanks a lot for the reply, it's working now, but I have one server I cannot access and I don't know why this happens. Only this server can access and ping. Any idea why this happens?
#15
Virtual private networks / Wireguard Split tunnel
September 04, 2024, 03:21:09 PM
Hi guys, newbie here,

I already searched regarding this issue but still have no clue about it. My question is: how do we split the connection so the client only accesses the local network? Now it's working fine, but my goal is for the client to still use his own internet access, and I don't know how to do it. My client already connects to the local network and it works perfectly, but he cannot use his own internet access. How do I do it, guys? Need help.