Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - 4fred

Pages: [1]

General Discussion / Re: double nat design considerations?

« on: December 20, 2023, 02:20:34 pm »

"Add associated rule" - I tried with and witout it (creating rule manually), no matter - still no dice.
Is the NAT rule correctly created?
To be very clear. What I'm doing now is just a TEST. I picked port 80 and a website cuz it's simple to test.

The much much longer plan is something like this and probably is subject to change.
What I have now is a problem. Walking trough the place looking at all kinds of shit I do not trust. A chinese made vacuumcleaner. Internet connected lights I have no idea where they are made. Some tablets made god knows where runnig god knows what. And these are just a few of the things - and yes, all this shit really need to work. They cast they share links and they do what they do.. not just "them" also wife and extended family.
So to keep the "shit" running and connected while I do something like this.
Let's call shit ISP-LAN, the only LAN I have now.
Move one step back from ISP-LAN and firewall a new LAN. Place what I want to protect from ISP-LAN here and make it accessable (if needed). How I publish things between the networks I'm not certain of yet, maybe NGINX or something like that - no matter HOW, I will need to open ports, and that is the only question I have right now - and I cannot get that to work.

In the the longer term probably give opnsense more legs and capabilities. WiFi, Guest Network, multiple LANs, device isolation? VPN, Proxy, filtering? And so on. And move device after device to make sure they work as expected to keep ppl from pancaing me while I'm doing it. What then is left of ISP-LAN is just IOT shit that everyone can access but it cannot access anything but other IOT shit - if I do not isolate these in another way... if...

So. What I have is a bad situation, most ppl probably have this and dont care, sadly I do and I really have no idea how I ended up here...

General Discussion / Re: double nat design considerations?

« on: December 19, 2023, 10:20:25 pm »

Here ya go

General Discussion / Re: double nat design considerations?

« on: December 19, 2023, 09:40:47 pm »

"Yes I called it a problem" ...
In #6 in this thread I described what I had done to try to open the port just like you describe for me how to do and it does not work. I know that opnsense by default blocks everything from WAN, that is why I'm setting it up.

Step one is to protecte/remove the things -I- care about protecting from the family's stuff. Not just buy anything and walk over to the router and connect to network. Cheap trinkets made in wherever probably crap leaking god knows what... THESE are the "experimental devices".

General Discussion / Re: double nat design considerations?

« on: December 18, 2023, 03:35:18 pm »

192.168.1.10 --> 192.168.3.101 on port 80 does not work.
192.168.3.101 --> 192.168.1.10 on port 80 do work.

From my ISP I got a router. This router is mostly locked for me and I cannot do much with it. It gets a DHCP address on its WAN and it shares out DHCP addresses on its LAN. Family uses this and connects EVERYTHING to it. If I touch this network and breaks it my life is over and done, the rest of the house would turn me into pancakes dough.
Let's call this ISP-LAN and it uses 192.168.1.0/24 and all addresses is handed-out by ISP router and it sits on 192.168.1.1.

Onto opnsense.
I take a box and attach a switch to it's LAN port. I attach two PCs to it. On the box I install opnsense using yes-next-finish type installation. WAN is NOT! connected during install. I then change opnsense LAN IP to 192.168.3.1 and reboot it. Now the two connected PCs gets DHCP addresses from opnsense and they are on the 192.168.3.0/24 network. I UNCHECK the Block Private Networks on the WAN interface, all good everything works but not connection anywhere. I can from the two PCs talk to opnsense and they can talk to it, nice.
Now I connect the opnsensebox WAN port to the ISPs router on the LAN port, and opnsense now get's a WAN-IP on the 192.168.0.1/24 network and have internet access, the two connected PCs also get internet access, all good.

Now the problem:
192.168.3.101 --> 192.168.1.10 on port 80 do work.
192.168.1.10 --> 192.168.3.101 on port 80 does not work.
FROM the ISP-LAN I cannot access anything on the opnsense LAN, 192.168.3.0/24.
FROM the opnsense LAN, 192.168.3.0/24 I can access everything on the ISP-LAN, 192.168.1.0/24.

Let's say I wanna move a webserver from ISP-LAN 192.168.1.0/24 to the opnsense LAN 192.168.3.0/24 - what do I have to do?

General Discussion / Re: double nat design considerations?

« on: December 17, 2023, 11:43:05 pm »

I did the setup with wan/lan, so two nics.
One is considered WAN the other is LAN.
So how is this not considered allowing an external network when it's coming from the wan interface?

Please explain cuz I do not understand.
And could you please explain how to do it?

General Discussion / Re: double nat design considerations?

« on: December 17, 2023, 04:35:28 pm »

There is something funny.
I set up opnsense with wan/lan, did just some basic stuff and like dns/dhcp range and set lan ip to 192.168.3.1 and the dhcp network just followed automatically.
In settings changed the webport to 5858 and disabled redirection.
Behind the FW I set up two clients and everything worked as expected. Access stuff on the internetz and access to resources on the other LAN (192.168.1.0/24) worked as expected.

Now to the problem.
My plan is to move some stuff from the old lan (192.168.1.0/24) to the new lan (192.168.3.0/24), like my NAS and some other things. These things are used by devices that will still be on the old lan, TV's tablets and things. So to test that this would work I setup a webserver on one of the clients on the new lan and tried to open the port between the two and that does not work. If I test the webserver from the client that are on the same network it works but if I try from the old lan that must go trough opnsense that does not work.
Firewall/NAT/Port forward.
Interface: WAN
TCP Version: IPv4
Protocol: TCP
Source: (didn't change anything so any/any)
Destination: WAN Address
Destination port range from to: HTTP/HTTP
Redirect target IP: Single host or network, IP of the webserver: 192.168.3.101
Redirect target port: HTTP
Enabled logging and let it allow the filter rule by itself, also tested to manually create FW rule but no diffarance).
Basically just save and test, no dice.

I figured that this may be a problem with HTTP so I tried to allow RDP access trought the FW but that dont work.
I went in to logging live view and entered: dst contain: 192.168.3.101 up comes the green and nice things saying opnsense allowing the traffic and nothing is blocked, still it does not work.
So... routing?

Something is "funny" and I dont really know where to beging to look for what's wrong.
Anyone?

General Discussion / Re: double nat design considerations?

« on: December 14, 2023, 12:28:45 pm »

Thanks!
I'll give it a go and let's see if/how it works.

General Discussion / Re: double nat design considerations?

« on: December 13, 2023, 12:59:41 pm »

I do not publish anything to the internet from my home. If the need comes up I can go with a cloudflare application tunnel or something creative like that.

I can somewhat change network stuff but not a lot

DHCP range and DNS server and just some very basic things.

So setting up an opnsense with wan/lan leaving wan on dhcp and setting lan to 192.168.3.0/24 would work just fine?

General Discussion / double nat design considerations?

« on: December 12, 2023, 11:21:11 pm »

So today at home I have one network running on the router supplied by my ISP. The only thing I have done is add a pi hole dns and that's it. The family runs lots of stuff on the network and I kind of do not trust it. Vacuum cleaner, phones and tablets, streaming boxes TV's and all kinds of trinkets. And if you EVER do something to make that network go down, well I guess you know what happens...
So my thought is to make another network inside this one where I run my stuff and can play how ever much I like. Maybe gradually move devices (that I trust) to my network and leave ISP's network just for streaming devices and things I do not trust. If I'm sucessful maybe also replace the pi-hole with opnsense's unbound DNS. So I would have access from the new network to the internet trough my ISP's supplied network and also maybe grant some access to some things on "my" network.

So I would run a opnsense and behind that connect my devices to the newly built network. I've read up some on double nat and from what I understand it would work as long as you do not "Block private networks". Are there any more considerations I should be aware of?

The network supplied by my isp's router is 192.168.1.0/24 and I'd prefer not to change that.
So I was thinking of attaching WAN to this network and a new LAN inside of it, maybe 192.168.3.0/24?
Is this a good or a bad idea... ?
Not a network engineer but I'm trying to learn.

Virtual private networks / Re: Wireguard client to ovpn.com

« on: November 18, 2022, 03:19:56 pm »

View post from sanshinron just before mine...

Virtual private networks / Re: Wireguard client to ovpn.com

« on: November 17, 2022, 10:03:28 pm »

Hmmm so I tried this.
Cron Enabled
Minutes */1
Hours *
Days *
Months *
Weekdays *
Command Renew DNS for WireGuard

Reboot OPNsense and Wireguard is not connected, waited a while and still not connected...?
Entered shell and ran: wg-quick up wgconfigfile and Wireguard connects and everything is fine...

Sooo, help?

Virtual private networks / Re: Wireguard client to ovpn.com

« on: November 16, 2022, 01:22:43 pm »

That was nice, thank you!
Question - just use all the defaults or do I need to set anything in the cron?

Virtual private networks / Wireguard client to ovpn.com

« on: November 16, 2022, 11:44:39 am »

Dear all, I’m trying to do Wireguard to my VPN supplier and I’m having some problems, I start with what I have and add some more background further down in the post.

My provider (ovpn.com) basically provides a file with the settings for a Wireguard client to be stored in /usr/local/etc/wireguard/wgconfigfile.conf and the tunnel to be started by wg-quick up wgconfigfile.conf and then Enable interface and do the outbound nat, that kind of works but the tunnel does not start after a reboot and there are no settings visible in the GUI. I tried to translate what I have in the .config file and do the settings in the GUI but here I’m a bit lost, anyone can help me translate settings from the file to what it’s called in the GUI (config file pasted below)?

If I can get this basic initial config working, I will venture out and do some more advanced stuff like use the alias to have just those clients use the tunnel and after that create another wg client and have a gateways group so I failover if my primary WG tunnel fails.

I may well be in over my head here but I’m willing to learn and I try to understand. I had a physical fw that finally broke, replacing it got to be a hassel. I have a physical host where I run some VM’s (Openmediavault, dockers, portainer and so on) where I had space and nics to use so I went with OPNsense and WOW it runs well! I have followed guides and done DNS setup, some aliases and port forwarding GEOIP Dynamic DNS and all this cool stuff. It's been running for about two weeks now without any issue. It have far many more features than my old FW had and I have moved off containers and what not to OPNsense and it just work

(replaced all addresses in config)

Code: [Select]

[Interface]
PrivateKey = (ReplacedPrivateKey)
Address = 172.16.12.132/32, very-long-ipv6/128
DNS = 46.47.57.67, 192.165.198.158, very-long-ipv6, very-long-ipv6

[Peer]
PublicKey = (ReplacedPublicKey)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = server.stuff.location.ovpn.com:1234

Pages: [1]