Messages - EasyGoing1

#1
Once you enable it by enabling both the Control Agent and the Kea DHCPv4 services and apply / save etc., when you reboot the firewall, does the service not start on reboot? Also, make sure that the ISC DHCP service is NOT enabled, since you cannot have two DHCP servers running on the same network; if the old DHCP server is not disabled, Kea would see it running and intentionally not start because it would be a conflict.
#2
Have you checked with your VPN provider to see if they have any setup instructions for their service in an OPNsense environment?

This document from NordVPN is one I've used before and it works well. If your VPN provider doesn't have a setup doc for OPNsense, you might be able to utilize this one, replacing the Nord-specific info with the info from your VPN provider:

https://support.nordvpn.com/hc/en-us/articles/20397569418129-OPNsense-21-setup-with-NordVPN
#3
Quote from: sbecker on March 25, 2024, 06:20:41 PM
switching from isc to kea worked fine for me.
- as reported I could not continue using isc and kea in combination (I have different vlans)


Quote from: Azmodes on February 06, 2024, 05:43:20 PM
Quote from: MiRei on February 04, 2024, 01:01:51 PM

In ISC DHCP it was possible to activate "Deny unknown Clients".
I'd imported all my subnets, settings and reservations, was about to make the switch when I noticed that this option was missing. Are there any plans to add it in the near future?
-the easiest way for me to solve: leave subnet / pools empty

I didn't know this was an option ... I assumed that subnets were mandatory for Kea so that it knows which IP pools to draw from when an inbound request for an address happens: it gets a request for an IP address, looks at the subnet that it came from, matches that subnet to one that is defined in Kea, then pulls an IP address from one of those pools. Are you saying that it will still do that correctly for multiple subnets without defining the subnet specifically within Kea?
#4
Tutorials and FAQs / Re: Xbox One and NAT
March 24, 2024, 04:02:45 PM
This is how I set mine up, and I have OPEN NAT status on my Xbox all the time, including Call of Duty.

I highly recommend that you use wired networking with an Xbox and NOT WiFi.

Get some Info from the Xbox and select an Alternate port

  • On your Xbox go into Settings / Network Settings / Advanced Settings
  • Write down the MAC address - Use wired if possible, otherwise write down the wireless address
  • Alternate port selection
  • Select an Alternate port and write that number down

Go into OPNsense

Create static IP address for Xbox

  • Services / DHCP
  • Create a new static IP address
      The only relevant thing you need to make sure of is that you use the
      MAC address that you wrote down earlier and that you type in an IP
      address that works on that subnet that is not part of your DHCP pool.
  • Save
  • Apply

Create Aliases - This is optional but it does make things a bit easier

  • Firewall / Aliases
  • Hit the plus to add an Alias
  • Give the alias a name like Xbox_One
  • Type: host(s)
  • Content: The IP address you just created for the Xbox
  • Save
  • Hit the plus to create a new alias
  • Name: Xbox_Live_Port
  • Type: Port(s)
  • Content: Alternate port you selected in step 3 at the top
  • Save

Create Inbound NAT Mapping
  • Firewall / NAT / Port forward
  • Hit the Plus to create a new port map
  • Interface: WAN
  • Protocol: TCP / UDP
  • Destination: WAN Address
  • Destination Port Range
    from: Xbox_Live_Port(number)
    to: Xbox_Live_Port(number)

  • Redirected Target: Xbox_One
  • Redirected Target Port: Xbox_Live_Port(number)
  • Save

The reason why the port range is labeled as a "Destination" is because you have to think about the packet entering in from the Internet and arriving at the WAN port on the firewall ... so its destination is the WAN interface, and from that point it will end up being redirected to the Redirected Target.

Reboot your Xbox (a warm reboot will be fine) so that it picks up the static IP address.

When you go back into Networking, it should show your NAT status as OPEN. If not, give it some time like 5 minutes and check it again.
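A small model of the subnet and pool selection described in post #3, together with post #4's rule that a static address must sit outside the dynamic pool, as an added example (it is not code from either post, nor from Kea or ISC themselves). It assumes the standard DHCP behaviour that a relayed request is matched on the relay's giaddr and a directly received one on the receiving interface's address; the subnets, pool ranges and the MAC address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Subnet:
    """One DHCP subnet as a server defines it: a dynamic pool plus MAC-keyed reservations."""
    network: ipaddress.IPv4Network
    pool: tuple                      # (first, last) address of the dynamic pool
    reservations: dict = field(default_factory=dict)   # "aa:bb:..." -> "10.10.11.50"
    deny_unknown: bool = False       # the ISC "deny unknown clients" behaviour

def pool_bounds(sub):
    return tuple(ipaddress.IPv4Address(a) for a in sub.pool)

def check_static_mapping(sub, ip):
    """A static address must be a host address inside the subnet and outside the dynamic pool."""
    ip = ipaddress.IPv4Address(ip)
    first, last = pool_bounds(sub)
    if ip not in sub.network or ip in (sub.network.network_address, sub.network.broadcast_address):
        return False
    return not (first <= ip <= last)

def select_subnet(subnets, giaddr, iface_addr):
    """Relayed requests carry the relay's giaddr; direct ones are matched on the receiving interface."""
    key = ipaddress.IPv4Address(iface_addr if giaddr == "0.0.0.0" else giaddr)
    return next((s for s in subnets if key in s.network), None)

def offer(subnets, mac, giaddr, iface_addr, leased=frozenset()):
    """Return the address the server would offer, or None when it should stay silent."""
    sub = select_subnet(subnets, giaddr, iface_addr)
    if sub is None:
        return None                  # no matching subnet: the request is ignored
    if mac in sub.reservations:
        return sub.reservations[mac]  # reservations win regardless of the pool
    if sub.deny_unknown:
        return None                  # unknown MAC on a subnet that only serves reservations
    first, last = pool_bounds(sub)
    cur = first
    while cur <= last:
        if str(cur) not in leased:
            return str(cur)          # first free address of the dynamic pool
        cur += 1
    return None                      # pool exhausted

# Constructed sample: the two networks from post #12 and an Xbox reservation outside the LAN pool.
XBOX_MAC = "00:11:22:33:44:55"       # placeholder MAC, not a real device
LAN = Subnet(ipaddress.IPv4Network("10.10.11.0/24"), ("10.10.11.100", "10.10.11.200"),
             {XBOX_MAC: "10.10.11.50"})
BRIDGE = Subnet(ipaddress.IPv4Network("10.10.10.0/24"), ("10.10.10.100", "10.10.10.200"),
                deny_unknown=True)
SUBNETS = [LAN, BRIDGE]
```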
#5
Updated this tool so that you no longer have to edit any text files. It takes your backup config, and simply inserts the Kea mappings in the correct spot and saves it to a new file that you just re-import into OPNsense and done!

https://github.com/EasyG0ing1/Migration
#6
Quote from: Patrick M. Hausen on January 30, 2024, 10:02:30 PM
I was about to make the switch in my home lab when I found you cannot even serve the domain name to clients. Sorry, that is not going to fly.

You assign the domain name to the subnet in the Kea service, though you are correct you cannot assign a domain name that is different for each static mapping. Though I'm not sure why anyone would want different domain names for IP addys that are on the same subnet...?

Also, check this out for migrating your statics

https://github.com/EasyG0ing1/Migration
#7
Quote from: tessus on January 29, 2024, 06:58:40 AM
Quote from: newsense on January 20, 2024, 04:11:35 AM
There were no plans for migrating the existing DHCP data to Kea as far as I know.

This certainly is a deal breaker. I do have more than 50 DHCP Static Mappings on about 20 VLANs. I am not really inclined to recreate all of them manually.

https://github.com/EasyG0ing1/Migration
#8
Quote from: chemlud on January 19, 2024, 03:17:30 PM
Hi and thanks for clarifications. If I use, let's say, MAC-reserved IPs for different IPs and not much more, what will the process of transition to KEA look like?

Install the new KEA plugin (?) and move (manually? automagically?) my current DHCP config to the new plugin?

Many thanks in advance.

I wrote a utility to make that migration painless.

https://github.com/EasyG0ing1/Migration

Mike
#9
I created a tool that migrates your DHCP static reservations from the ISC DHCP server to the new Kea DHCP server. If you have a lot of static assignments, this tool can save you a lot of time.

It can be found here https://github.com/EasyG0ing1/Migration and it is fully documented.
#10
Intrusion Detection and Prevention / DMZ Question(s)
January 16, 2024, 09:28:09 PM
Hello,

Given a setup where OPNSense is running in a virtual machine on an ESXi box, I want to create a VM for off-lan use that I would want to be segregated into its own DMZ.

I've read discussions about this; some have recommended using two firewalls while others think one is fine, etc. And given the flexibility of having OPNSense in a VM, where adding NICs is not an issue or even installing another OPNSense VM, what would be the best implementation for a DMZ setup?

My thinking on it is that if I use an additional virtual NIC on a new subnet, then punch the port through to the device on that network, while establishing rules that would prevent that device from accessing any ports on the firewall that could be used to compromise it, then make sure that the only destination it can reach is the Internet ... it should be safe enough.

I'm looking for thoughts about that or any experience anyone has had with DMZs and OPNSense.

I realize it would be safer to set up a VPN endpoint in the firewall, but for this use case, that isn't a desired option, so I'm exploring the DMZ scenario.

Thank you,

Mike
#11
General Discussion / Re: IP helper address
February 13, 2023, 01:20:22 AM
Quote from: hbc on August 25, 2019, 12:09:45 PM
As soon as any DHCP server in opnsense is enabled, no matter which interface, DHCP relay won't work. Maybe this (s|c)ould be fixed sometimes.

But in which way does ip-helper make any difference to dhcp server? The result is the same. DHCP server provides ip and options, ip-helper just relays request to DHCP server that provides ip and options.

The only difference is that if your DHCP server is not connected directly via interface to your subnets/VLANs, an ip-helper on a layer 3 routing devices relays/forwards the requests between clients and server.

In your case, OPNsense is the DHCP server and connected to every layer 3 network directly.

ip-helper is essential when you have a DHCP server and you have VLANs because the ip-helper component in the DHCP relay server tags the DHCP requests with VLAN Ids so that the DHCP server knows which IP pool to assign an address from. IP-Helper is an option in a DHCP relay service but is not always necessary.
#12
Hello, thanks for reading this post.

I have OPNSense set up with four NICs, but two are in a bridge.

0 - WAN
1 - LAN - 10.10.11.0/24
3 - BRIDGE - 10.10.10.0/24

I had the Bridge and the LAN talking just fine then I set up a Nord VPN interface by following the instructions on their site. And the VPN tunnel is working fine. I even added a rule to the firewall so that my laptop goes out the WAN DHCP gateway and not the tunnel (this is how I want it configured).

But now when I try to ping between the LAN and the BRIDGE, packets won't cross over.

Here are screenshots of the firewall rule summary for each of the interfaces. At this point I'm at a loss ... I'm fairly new to OPNSense and don't quite have the feel of it yet.

Thank you,

Mike
#13
Quote from: pmhausen on January 04, 2023, 12:30:46 PM
There is no such thing as a free lunch :) Maybe your project is a bit too ambitious.

One can hope ... thought it was the perfect solution ... got the hardware that has four 2.5G NICs, with the N5105 Intel processor, then I added a 1TB NVMe drive and 32 gigs of RAM ... all that at my door for just under $300. THAT would have been ambitious even two years ago.

In theory I had the right idea ... just didn't have a clue as to how I was going to bridge those three NICs ... just assumed it would somehow be possible.

Quote from: pmhausen on January 04, 2023, 12:30:46 PM
You could try to switch from VMXNET3 to E1000 if you have not done that already.

I have not tried that yet and I definitely will. But failing that, a different hypervisor might work, though I'm getting a bit burned out on this setup for the time being.

#14
Quote from: pmhausen on January 04, 2023, 12:06:13 PM
A passed through NIC is exclusive to that VM. The hardware ends up "inside" the VM. You cannot connect a vSwitch.

But why do you need three interfaces for LAN in a virtualised context? For your VMs it's all vSwitches, anyway.

Well, the idea was to essentially have a SOHO router that also hosted VMs and have three of the four NICs just get lumped together under one LAN side of the "router" with VMs being able to also use that LAN interface.

That would kind of ... mimic a traditional SOHO firewall with the added bonus of hosting virtual machines.

The bridge works of course with passthru ... but that begs the question of why OPNSense can't build bridges with virtual NICs. That doesn't make a lot of sense to me ... though now that I think about it, I THINK bridging happens at layer 2 and layer 2 would get managed within each NIC ... so if that is the case, then it does make sense.

So then it looks like my only option is to buy an external 2.5G switch (more than I wanted to spend on this setup) or just use those ports under vSwitches and assign a different subnet to each port ... which isn't all that bad but just not ideal.
#15
Quote from: pmhausen on January 04, 2023, 11:33:39 AM
You can assign one PCIe device to exactly one VM with passthrough. That's the point. The VM gets full access to the hardware. That's recommended for a firewall, anyway.

You can designate a single interface and e.g. use VLANs for other VMs.

Can those other VMs share those NICs that are passed thru? I guess my only issue would be if I passthru three out of four NICs and that 4th one is dedicated to my Internet connection, then I'll lose the ability to have other VMs using the LAN interface of the firewall... the idea was to have one NIC dedicated to WAN and the other three dedicated to LAN with VMs also accessing LAN.