Messages - FLguy

1
General Discussion / Re: Possible to have an IP range using a different wan port?
« on: June 25, 2024, 05:08:10 pm »
https://docs.opnsense.org/manual/multiwan.html
https://docs.opnsense.org/manual/how-tos/multiwan.html

Hello, have you read the opnsense manual on the topic?

2
General Discussion / Re: DNS not working via LAN
« on: June 25, 2024, 05:01:51 pm »
There is minimal context to support this question. 
Is the LAN subnet 10.0.0.0/x?  Is the LAN interface 10.0.0.1? 
Unbound DNS using "Default settings" works most of the time.  So, what settings did you change? 
Is unbound DNS running (Got a green Play button on the top right)? 
Services: Unbound DNS: General > Network Interfaces set to All (recommended)?
Services: Unbound DNS: Statistics > Do you see Queries increasing?

3
General Discussion / Re: advices and suggestion on creating an company network
« on: June 19, 2024, 02:08:08 am »
Hello nirr. 

Do you have an opnsense question for this opnsense forum?  Your whole post is intended for something like Reddit or Discord. Folks are here to support the opnsense community on Opnsense-related topics.


4
General Discussion / Re: OPNSense just stops working as soon as a new interface is made
« on: June 19, 2024, 02:01:50 am »
Quote from: domidam on June 18, 2024, 06:22:12 pm
That being said, there could just totally be one setting or something that I am missing. Any other suggestions?

After you make this change, nothing is broken.  The system you are using to configure the firewall needs to be in the same subnet as the NEW mgmt network, in this case, 192.168.2.x/24. 

Quote from: FLguy on June 18, 2024, 07:03:13 am
For example, is the new management interface the same physical interface you use to configure the firewall? If it's getting a new IP, you will have to request a new IP from DHCP or assign your PC to a new static address for management.

Brother, I have already mentioned this to you.  If your mgmt interface is now 192.168.2.1, then statically assign your computer to:

IP: 192.168.2.10
Subnet mask: 255.255.255.0

Now connect to your firewall again and configure DHCP on the MGMT network.  Then, set your computer back to DHCP, and you should be good to continue from there. 

domidam, please read the replies thoroughly.  Patrick was very clear in his first reply. 

Take care!

5
General Discussion / Re: OPNSense just stops working as soon as a new interface is made
« on: June 18, 2024, 07:03:13 am »
Quote from: domidam on June 18, 2024, 05:20:05 am
I then had the idea to make an MGMT interface and connect through that, so whenever I make changes to the WAN/LAN bridge I should still be connected. However, for whatever reason, as soon as I apply the changes that create and enable a new MGMT interface I lose access to the GUI.

Hi domidam,

As I read your post, I thought, yeah, these are growing pains of learning a new firewall.  Been through it many times in my career.   I, too, incorrectly disabled BOGON Networks by mistake once. 

Regarding your problem, you don't mention any details about the new management interface.  Is it getting a whole new IP subnet? Are you setting DHCP? What physical interface is being configured? For example, is the new management interface the same physical interface you use to configure the firewall? If it's getting a new IP, you will have to request a new IP from DHCP or assign your PC to a new static address for management.

Regarding your desires, I suggest still using a transparent configuration.  First, get a solid management connection to your firewall and then set up transparent settings.


6
General Discussion / Re: How to setup OPNsense for my needs?
« on: June 18, 2024, 06:39:08 am »
Quote from: Fibea on June 17, 2024, 06:19:18 pm
How would I go about initially setting  it up? If I manually assign ETH0 as WAN and ETH1 as LAN, it says I can reach the web GUI via 192.168.1.1 (the new network I want to use for my Homeserver and NAS). Obviously, my Homeserver is connected to the ETH1 port so my PC cannot reach its web interface.

Hi Fibea,

Please ignore my last post, which was directed to meyergru.  With that aside, this issue you are raising is for sure something you will have to deal with moving forward with your diagram.  No big deal, add a rule to the WAN interface allowing HTTPS to "this firewall".  You will then use the WAN IP to manage the firewall from your PC, or any system on the WAN side will be able to manage the opnsense firewall.

By default, the LAN is set to 192.168.1.1, but you have to be on the LAN side of the firewall to set the initial configuration.  My suggestion is to connect a laptop or temporarily your PC to the LAN side of the firewall to set the initial configuration.  One of those items will be the rule mentioned above.  ;)  Once the firewall is configured, cable it up to your diagram.

If you want both your NAS and Homeserver in the same subnet and connect them to different ports on the opnsense firewall, you will have to go with a bridge configuration.  I sent a link for this already.  Here is a video, https://youtu.be/q1Rv4gB8fkI?si=VgPnQgBHdGYG0q_Z&t=160, the guy is a bit chatty. 

Before setting up the end-state bridge, I would either configure the WAN rule above, allowing you to manage opnsense from the WAN, or use two different ports than ETH1.  So Eth0 (WAN), Eth1 (LAN), and Eth2 and 3 could be the new bridge.  So if the bridge doesn't work after the initial configuration, you don't lose admin access to opnsense. 

7
General Discussion / Re: How to setup OPNsense for my needs?
« on: June 18, 2024, 06:17:18 am »
Quote from: meyergru on June 17, 2024, 09:59:27 am
Quote from: FLguy on June 17, 2024, 07:31:29 am
You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

Considering the diagram above: protection against what?

I always ask myself what people try to achieve with these kinds of setups. For starters, the PC in that diagram is logically connected to the WAN side of the "protected" network, so it must be configured on the firewall.

Usually, you would use OpnSense as a central instance to be able to filter traffic in any direction. For that, you would have a WAN which connects solely to the ISP modem or router and multiple internal (V)LANs.

Sorry, meyergru, I disagree with your assertions.  I’m taking the original post into consideration when I replied.  If there were a comment about “how I should do it better” or “how it should be done”,  I would completely suggest something similar to what you just mentioned.  I would not suggest using VLANs right off the bat.  That opens a whole new can of worms to discuss.  I took the information, his request, and the diagram and gave the options to look at.

He took the time to make this diagram where the PC is on the WAN side of opnsense.  Why would I assume he wants to protect that with opnsense as well?  You also stated using vlans, but yet he doesn't have a switch that can do vlans; it's unmanaged.

I gave him three use cases that match very similar to what he was requesting in the original post. Putting assumptions and assertions is something I don't do, but you are welcome to. 

Quote from: meyergru on June 18, 2024, 12:30:16 am
And there you have it: Your (trustworthy) PC is on the wrong side of the setup. It must be trustworthy if you want to configure your firewall from it.

That is what I meant: You are about to design a non-standard setup and now the problems turn up one by one...

Brother, he's asking questions about initially setting up opnsense, nothing about end-state configuration.


8
General Discussion / Re: How to setup OPNsense for my needs?
« on: June 17, 2024, 07:31:29 am »
Suppose you don't mind your home server and NAS being on different IP networks. In that case, there isn't anything extraordinary here other than installing the Firewall and connecting your home server and NAS to the firewall.  You must create three networks, including the existing IP (opnsense WAN) that's live off FRITZ!Box router, one for your home server, and one for your NAS.

If you want your home server and NAS to be in the same network but connected to different interfaces on opnsense then you may want to look at configuring a bridge.  In this case, it is just two networks, the existing network and the new network behind opnsense for the home server/NAS.

https://docs.opnsense.org/manual/how-tos/lan_bridge.html

You might consider setting up a transparent firewall with opnsense.   This allows your home server and NAS to be on the same network as everything else and ensures their protection behind the opnsense firewall. 

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

9
General Discussion / Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 17, 2024, 07:04:42 am »
Sorry, man, your issue is a bit unclear to me.  At any rate, I would suggest using 1:1 BINAT for your OpenVPN server.  This will make the NAT bidirectional.  Port forwarding translations aren't bidirectional by nature, as traffic only flows in one direction (from source to destination or from Client to Server).  This means the server will never "initiate" traffic over the port forward nat.  If you want Server to client traffic to use the VIP, use 1:1 BINAT.

The part I don't understand for you is the OpenVPN server behind the firewall.  You say it's working, and you can ping some hosts, but then you say you can't ping other hosts.  Either your masquerading isn't configured correctly, or something else is happening.  Your "client VPN" traffic should exit the OpenVPN server towards the LAN hosts and return traffic to the OpenVPN when the LAN replies. From there, it should be tunneled back to your VPN client (or site2site), and the opnsense firewall should never see this traffic (LAN replies) as it should be tunneled.

You know opnsense can be the OpenVPN server for the network, right?  ;) 

Another possible issue is outbound NAT (aka PAT).  For IPSec VPNs, PATs have to be considered.  It's really not the case for OpenVPN deployments, but honestly, having used OpenVPN for years.


10
General Discussion / Re: Please Make a Donation to OPNsense
« on: June 17, 2024, 06:30:38 am »
opnsense has Discord now!?!?!?  Are there any firewall projects or vendors out there that have an active discord?!?!?  Killer.  I had to donate my $50...

What I need/want to do is get back to updating online documentation.  I started updating the install doc but got jacked up with GIT again. 

Thanks to the opnsense family/community!! 

11
General Discussion / Re: Port Forward NAT Weird Behavior when using WAN Address
« on: June 17, 2024, 04:39:38 am »
We can ignore this post.  :)  I was just informed via Discord that the WAN address alias/object refers to all addresses associated with the WAN interface, including Virtual IPs (VIPs).

That answers the question!  +1 for discord.

12
General Discussion / Port Forward NAT Weird Behavior when using WAN Address
« on: June 17, 2024, 12:41:34 am »
Hello all,

I'm not sure if this is a bug, or why opnSense is behaving this way.  But if I have this Port Forward NAT rule that uses the "WAN Address" object and Port Forwards SSH higher in the list, all other Virtual IP SSH NATs will go to the "Dell_Host", regardless of the Virtual IP I'm trying to use, like popos_NAT (192.168.169.7) or pmox_nat (192.168.169.210).  I will also get a new SSH fingerprint message.  The WAN address is 192.168.169.20.




If I move this WAN Address rule to the bottom of the list, it works.  I can also change the forwarding port to something like TCP 2222 and 2223 for both of these rules, which will work. 




Why am I having this issue with the WAN Address object? 

Thank you
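
A simplified first-match model of the behaviour described in this thread (the "WAN address" alias covering the interface's Virtual IPs as well), added here as an illustration and not part of the original posts or OPNsense's own code. The forwarding targets `popos` and `pmox` and all helper names are assumptions; the addresses are the ones quoted in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Addresses quoted in the post.
WAN_IP = ip_address("192.168.169.20")
VIPS = {"popos_NAT": ip_address("192.168.169.7"),
        "pmox_nat": ip_address("192.168.169.210")}

@dataclass
class Rule:
    dest: str    # "WAN address" or the name of a Virtual IP
    port: int
    target: str  # internal host label (popos/pmox are hypothetical)

def expand(dest):
    """Resolve a rule destination to the set of addresses it matches."""
    if dest == "WAN address":
        # Per the thread: the alias covers every address on the WAN
        # interface, Virtual IPs included.
        return {WAN_IP, *VIPS.values()}
    return {VIPS[dest]}

def forward(rules, dst_ip, dst_port):
    """Return the target of the first matching rule, or None."""
    for rule in rules:
        if rule.port == dst_port and ip_address(dst_ip) in expand(rule.dest):
            return rule.target
    return None

def shadowed(rules):
    """List (earlier, later) pairs where the earlier rule already matches
    every packet the later rule would, so the later one never fires."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.port == later.port
                    and expand(later.dest) <= expand(earlier.dest)):
                found.append((earlier.dest, later.dest))
                break
    return found

# Rule order from the post: WAN address rule above the VIP rules.
WAN_FIRST = [Rule("WAN address", 22, "Dell_Host"),
             Rule("popos_NAT", 22, "popos"),
             Rule("pmox_nat", 22, "pmox")]
# Order that worked: WAN address rule moved to the bottom.
WAN_LAST = WAN_FIRST[1:] + WAN_FIRST[:1]

if __name__ == "__main__":
    print(forward(WAN_FIRST, "192.168.169.7", 22), shadowed(WAN_FIRST))
    print(forward(WAN_LAST, "192.168.169.7", 22), shadowed(WAN_LAST))
```

Running `shadowed` over a rule list before applying it flags a VIP forward that would land on the wrong host, which is also what the unexpected SSH fingerprint prompt was signalling.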

13
General Discussion / Re: Difference Between Virtual IP and 1:1 NAT and Best Practices
« on: June 16, 2024, 07:00:23 am »
Hello Prez,

 1:1 NAT and virtual IP are not distinct entities, but rather, they work in tandem. To utilize a 1:1 NAT (or any NAT type) for an IP address not assigned to the WAN interface, it's crucial to use virtual IPs for all those addresses. 

E.g.
192.168.0.0/29

Say your ISP gateway is 192.168.0.1
Your WAN address is 192.168.0.2
Then you will need to create Virtual IPs for 192.168.0.3, 192.168.0.4, and so on to .6

Once you have those Virtual IPs configured, you can create 1:1 NATs, port forwarding NATs, etc. This is because of a concept called Proxy ARP, which is why virtual IPs exist.

 
Thanks,
Nick

14
General Discussion / Re: Opnsense inside Proxmox
« on: June 16, 2024, 06:33:36 am »
Your first question makes me think you're new to IP addressing. But you're good; you're using two different subnets, 192.168.0.0/24 (WAN) and 192.168.1.0/24 (LAN).  As long as they're different, you're good to go.  Yes, 100%, your ISP’s router is also a DHCP server.  192.168.x.x is a very common subnet used on SOHO hardware.

Regarding your concern about the dashboard showing 10G versus 2.5G, you should be fine as long as it works.  You'll have to remember you're using virtualization, and opnsense is not seeing the hardware.  It’s seeing a virtualized version of it.  I, too, have opnsense on Proxmox; mine shows “Ethernet autoselect” in the dashboard.

15
General Discussion / Re: Double NAT, gateways and internet access
« on: June 16, 2024, 06:19:13 am »
Sorry mogster, I'm not 100% sure if I'm tracking exactly what you're trying to do. But I would suggest looking at NAT reflections. 

The other suggestion is Disabling reply-to on WAN rules (Firewall > Settings > Advanced). 

