Messages - m8mu25

#1
23.7 Legacy Series / Help: Can't connect to ISP router
January 19, 2024, 08:59:50 PM

Synopsis: I can't connect my OPNsense box to my ISP's router.  I need my ISP's router for TV services.

Equipment:
1. VZN (ISP's router)
  - Hardware: Verizon CR1000A
  - Ports: 4; WAN, 10Gb LAN, LAN 1, LAN 2
  - Firmware: 3.2.0.14 (latest)
2. OPN (OPNsense box)
  - Hardware: Protectli Vault FW2B
  - Ports: 2, WAN and LAN
  - OS: OPNsense 23.7 commit b35678139 (no minor updates, yet)
3. Switch (Managed switch)
4. WAP (Wireless access point)
5. RPi (Raspberry Pi for management)
Note that WAP is mentioned for completeness but is irrelevant.

Topology: ONT/Modem --- VZN --- OPN (and RPi) --- Switch --- WAP (and RPi)

OPNsense interfaces:
- [WAN] assigned to OPN's WAN port
- [LAN] assigned to OPN's LAN port
  - [LAN] is the parent of all VLANs and is not used directly.
- [VLAN30] for management
- [VLAN40] for users to connect to the Internet over Wi-Fi (irrelevant)

Networks:
10. 10.10.10.0/24 (Verizon)
  - VZN: 10.10.10.1
  - OPN [WAN]: 10.10.10.2
  - RPi: 10.10.10.10
  - Set-top boxes
20. 10.10.20.0/24 (Not used directly)
  - OPN [LAN]: 10.10.20.1
30. 10.10.30.0/24 (Management)
  - OPN [VLAN30]: 10.10.30.1
  - Switch: 10.10.30.2
  - WAP: 10.10.30.3
  - RPi: 10.10.30.10
40. 10.10.40.0/24 (Wi-Fi)
  - OPN [VLAN40]: 10.10.40.1
  - Future user devices

Bad behaviors:
1. I CANNOT access Verizon's web GUI (https://10.10.10.1) from RPi (10.10.30.10) connected to Switch.
2. Verizon's web GUI does NOT show OPN (10.10.10.2) under Devices.

Good behaviors:
3. I can connect RPi (10.10.30.10) to Switch and access the OPNsense web GUI (https://10.10.30.1).
4. I can connect RPi directly to OPN LAN port and access the OPNsense web GUI (when System > Settings > Administration > Web GUI > Listening Interfaces includes [LAN]).
5. I can connect RPi (10.10.10.10) directly to a VZN LAN port and access Verizon's web GUI (https://10.10.10.1).
6. Verizon's web GUI shows RPi under Devices.
7. Verizon web GUI shows that the VZN LAN ports used for OPN and RPi are connected.
8. The LEDs on the back of VZN, OPN, and RPi all seem to indicate connections:
  - LAN ports (to both OPN and RPi) on VZN are solid white on the right for a few minutes and then turn off.
  - WAN (to VZN) and LAN (to Switch) ports on OPN are solid green on the left and blinking orange on the right.
  - RPi port (to VZN or Switch) is solid green on left and blinking orange on right.

OPNsense settings of note?:
- All 4 interfaces (LAN, WAN, VLAN30, and VLAN40) are enabled.
- `Block private networks` and `Block bogon networks` are unchecked for all interfaces.
- `IPv4 Configuration Type` is set to `Static IPv4` for all interfaces.
- IP addresses and masks:
  - [WAN]: 10.10.10.2/24
  - [LAN]: 10.10.20.1/24
  - [VLAN30]: 10.10.30.1/24
  - [VLAN40]: 10.10.40.1/24
- Services > DHCPv4 is only enabled for [VLAN40].
- DNS servers are only given in Services > UnboundDNS > DNS over TLS.
- System > Settings > General > Networking > Allow DNS server list to be overridden by DHCP/PPP on WAN is unchecked.
(My goal is to redirect all traffic on port 53 to the local UnboundDNS service and resolve DNS requests with the given external servers.)

OPNsense firewall rules:
- No NAT rules are manually set.
- No firewall rules are manually set under Floating, [Loopback], [LAN], nor [WAN].
- [VLAN40] has rules analogous to [VLAN30] minus the rules to allow RPi to access the web GUIs (rules 3, 4 and 5).
- [VLAN30] rules, where PrivateNetworks is an alias for private networks (e.g. 10.0.0.0/8), loopback (i.e. 127.0.0.0/8), bogons, etc.:
1. UDP, VLAN30 net -> VLAN30 address:DNS
2. UDP, VLAN30 net:NTP -> VLAN30 address:NTP
3. TCP, 10.10.30.10 -> VLAN30 address:HTTPS
4. TCP, 10.10.30.10 -> VLAN30 address:HTTP
5. TCP, 10.10.30.10 -> 10.10.10.1:HTTPS
6. Block, IPv4+IPv6, VLAN30 net -> PrivateNetworks
7. TCP, VLAN30 net -> !PrivateNetworks:HTTPS
8. TCP, VLAN30 net -> !PrivateNetworks:HTTP

References:
1. https://homenetworkguy.com/how-to/set-up-a-fully-functioning-home-network-using-opnsense/
2. https://homenetworkguy.com/how-to/use-opnsense-router-behind-another-router/
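
An added check, not part of the original post and not OPNsense code: a small Python model of pf's first-match evaluation ("quick" is the OPNsense default for rules) over the eight [VLAN30] rules listed above, so one can see which rule a given flow lands on before digging into states or NAT. Assumptions: the PrivateNetworks alias is reduced to the RFC 1918 ranges plus loopback (the bogon part is omitted), the port numbers and sample flows are constructed, and state tracking, NAT, IPv6 and the interface a rule is bound to are not modelled; only the packet arriving inbound on VLAN30 is classified.

```python
"""Added example: first-match (quick) evaluation of the [VLAN30] rule list
from the post. Not the poster's configuration export and not OPNsense code.
PrivateNetworks is assumed to be RFC 1918 + loopback; bogons are omitted.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network

# Objects named in the post's rule list.
VLAN30_NET = IPv4Net("10.10.30.0/24")
VLAN30_ADDRESS = IPv4Addr("10.10.30.1")
RPI = IPv4Addr("10.10.30.10")
VZN = IPv4Addr("10.10.10.1")
PRIVATE_NETWORKS = [IPv4Net(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NOT_PRIVATE = ("not", PRIVATE_NETWORKS)   # the "!PrivateNetworks" form

DNS, NTP, HTTP, HTTPS = 53, 123, 80, 443   # assumed alias-to-port mapping


@dataclass
class Rule:
    number: int
    action: str              # "pass" or "block"
    proto: Optional[str]     # "tcp", "udp", or None for "IPv4+IPv6" (any)
    src: object              # address, network, list, ("not", spec) or "any"
    sport: Optional[int]     # None = any source port
    dst: object
    dport: Optional[int]     # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Addr
    sport: int
    dst: IPv4Addr
    dport: int


def flow(proto: str, src: str, sport: int, dst: str, dport: int) -> Packet:
    """Build a Packet from plain strings (constructed sample flows)."""
    return Packet(proto, IPv4Addr(src), sport, IPv4Addr(dst), dport)


def addr_in(addr: IPv4Addr, spec: object) -> bool:
    """True when addr is covered by spec: "any", a negation, a list, a network or a host."""
    if isinstance(spec, str):        # "any"
        return True
    if isinstance(spec, tuple):      # ("not", inner) -> the "!" alias form
        return not addr_in(addr, spec[1])
    if isinstance(spec, list):
        return any(addr_in(addr, s) for s in spec)
    if isinstance(spec, IPv4Net):
        return addr in spec
    return addr == spec


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return addr_in(pkt.src, rule.src) and addr_in(pkt.dst, rule.dst)


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[int]]:
    """First matching rule decides; no match is pf's implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.number
    return "block", None


# The eight [VLAN30] rules in the order the post lists them.
VLAN30_RULES = [
    Rule(1, "pass",  "udp", VLAN30_NET, None, VLAN30_ADDRESS,   DNS),
    Rule(2, "pass",  "udp", VLAN30_NET, NTP,  VLAN30_ADDRESS,   NTP),
    Rule(3, "pass",  "tcp", RPI,        None, VLAN30_ADDRESS,   HTTPS),
    Rule(4, "pass",  "tcp", RPI,        None, VLAN30_ADDRESS,   HTTP),
    Rule(5, "pass",  "tcp", RPI,        None, VZN,              HTTPS),
    Rule(6, "block", None,  VLAN30_NET, None, PRIVATE_NETWORKS, None),
    Rule(7, "pass",  "tcp", VLAN30_NET, None, NOT_PRIVATE,      HTTPS),
    Rule(8, "pass",  "tcp", VLAN30_NET, None, NOT_PRIVATE,      HTTP),
]

if __name__ == "__main__":
    samples = [
        flow("tcp", "10.10.30.10", 51000, "10.10.10.1", 443),  # RPi -> VZN web GUI
        flow("tcp", "10.10.30.3",  51001, "10.10.10.1", 443),  # WAP -> VZN web GUI
        flow("udp", "10.10.30.10", 40000, "10.10.30.1", 123),  # NTP from ephemeral port
        flow("udp", "10.10.30.10", 40001, "9.9.9.9",    53),   # DNS bypassing Unbound
    ]
    for p in samples:
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: "
              f"{evaluate(VLAN30_RULES, p)}")
```

Running it shows the RPi's HTTPS flow to 10.10.10.1 landing on rule 5 (pass) before the rule 6 block, as the ordering intends, so as far as rule order goes that block is not what stops the connection and the next places to look are the state table, outbound NAT on [WAN] and the return path from 10.10.10.1. It also surfaces two side effects of the list as written: NTP sent from an ephemeral source port (what most clients do) misses rule 2, which requires source port 123, and falls through to the rule 6 block; and UDP/53 to an external resolver is dropped by the default deny, since rules 7 and 8 are TCP-only.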
#2
Topology and systems:

- Protectli Vault FW2B (router) to Raspberry Pi 4 (management) over Ethernet
- OPNsense 23.7; vga; no minor updates
- Raspberry Pi OS 64-bit (latest)

I am setting up my first OPNsense network.  I successfully installed OPNsense, logged into the web GUI (via LAN), and logged into the console.  I found that after changing certain settings under Interfaces > [LAN] and clicking [Apply changes]...

1. I can no longer reach the web GUI (Firefox and Chromium time out).
2. I can no longer log in as my admins user via console ("This account is currently not available.").

Settings include...

- Prevent interface removal > True
- Block bogon networks > True
- MAC Address > {randomly generated}

I initially tried these settings in combination with others.  I have since reinstalled OPNsense multiple times, minimizing changes to try each of these settings independently.  (I also rolled back any related settings in RPi OS, such as rules in /etc/nftables.conf.)  Sometimes, the browser hangs immediately after applying one; other times, I must reboot my Vault to find I can't reach the web GUI.

To fix this, I have tried...

- Closing each browser and deleting their user settings.
- Reconnecting the Ethernet cable between my RPi and Vault.
- Running `dhclient -rv`.
- Reconnecting and creating new connections via `nmcli` and the NetworkManager GUI.
- Rebooting my RPi and Vault.
- Logging into the console as root and resetting the LAN interface via option 2.
- Speaking with the (excellent) tech support at Protectli.

My only thought left is to avoid changing the LAN interface settings.  Any new ideas are greatly appreciated.