Messages - StarsAndBars

#1
Understood, I know the pitfalls of publicly exposed IPs. The devices that would be used are definitely going to be hardened.

So, where do I start? I seriously don't know where to begin here. My connection is up and running fairly well. I just want to know what specific configuration steps I need to take and where to start. For example:

Behind my OPNSense box, I use 2 switches. One is a surplus Brocade ICX-6610 that is used for any 10-gig clients and almost all of my other typical 1-gig clients. I also have a more modern QNAP switch that has 2.5 gig ports for the LAN devices capable.

When I go to implement this, would I do VLANs and use the ports on the switches, or would I be better off with a top of the rack "dumb" 10 gig switch (or disable the management) to bring the XGS-PON transceiver from ATT into and then just manually assign the statics to the devices that will have public IPs?
#2
Thanks again! I really appreciate the assist here.

So, starting literally from scratch here, what should my first steps be? I have 5 copper ports on the firewall itself, but am I to understand I can't really use those without incurring some compromises (literally and figuratively)?

Ideally, I'd love to just assign each of the static IPs to each of the copper ports to keep the physical side of things easier and much more straightforward.

If so, how do I go about doing that? Can I literally just assign the public/static IP to one of those ports and away I go?

If not, what is the next best approach, particularly from a security perspective? The other thought I entertained would be to use a "top of rack" switch where I brought the ATT Fiber into that switch first, instead of the OPNSense box. Ideally, I would use a "dumb" switch so there is no exposed management interface to be hacked into, but...

If the third (and only) option is to use virtual IPs on the OPNSense, that is where I need the most help in configuring the firewall and NAT rules, as well as the virtual IPs, etc. That is where my experience and skills are admittedly the weakest, but I am willing to learn from someone patient enough to step me through it!

Thanks again!
#3
Thanks! That was a good read. Would you be willing to give me a little guidance on how to set up the statics in my environment?
#4
Greetings All!

I am in need of assistance in utilizing a /29 (5 usable) pack of static IPs from ATT on my OPNSense instance (running latest public version).

My hardware topology looks like this:

ATT Fiber into the building --> FS XGSPON Transceiver ---> Generic white-box Xeon (with 2 SFP & 5 Copper) ---> 48 port switch

ix0 (WAN): SFP cage 1 contains the FS Transceiver
ix1 (LAN): SFP cage 2 contains the DAC connecting to the backplane of the 48 port switch.

Normally, this circuit would use the 320 Gateway provided by ATT. I have eliminated it completely for various reasons. Their fiber goes straight into my customized XGS-PON Transceiver, which then goes into my OPNSense firewall box.

The connection in this manner is up and running well. Very fast, very stable. With the symmetrical 2gig plan I have from ATT, I also purchased a 5-pack of public/static IPs. I want to use these IPs on other devices outside of the LAN behind the OPNSense instance in a sort of DMZ, if not completely separate configuration. Ideally, I would like to assign those statics to the 5 copper ports on the OPNSense box, but I am hearing that isn't really feasible, as that would effectively invoke bridge mode, which would bring along some overhead and performance penalties I don't want, but this is a Xeon box with 16GB of RAM, so...

In any event, if for practical or performance purposes, using the copper ports isn't advised, exactly how would I go about making use of the static IPs?

The WAN IP is a "sticky" address delivered via DHCP.

I am gathering I would use virtual IPs assigned to the various other hardware devices I want to use the static addresses with, and then they would be connected to my 48 port switch? Not my preferred approach, but if there is no other way...

If someone could please give me a tutorial on how to do this with specific configuration examples for OPNSense, I would REALLY appreciate it.

Thanks in Advance!
#5
I was looking to assign a static IP directly to each of the available copper ports.

Then, I would most likely use a different firewall or router device in each of those ports. At the moment, I can't think of any single, stand-alone device that I would assign a static IP to, other than the aforementioned firewall/router.
#6
Thank you, and could you please point me to the documentation on how to achieve this?

I have several unused copper ports on my hardware, and I would just like to add each of the static IPs from my block assigned to me to each one of those copper ports.

I appreciate the pointers, and I am eager to learn more. Thanks again!
#7
Greetings All!

I have AT&T Residential Fiber and I purchased a pack of static IPs and have those addresses as given to me.

I have OPNSense running on a generic white-box Xeon system that has several copper ports and 2 10gig SFP+ ports. Right now I have the incoming fiber directly connected to the OPNSense firewall through a custom SFP module from FS that can act as XGS-PON, so I no longer need the AT&T 320 gateway and it is completely disconnected and out of the loop here.

My question is how I leverage the static IPs I want to use. I have to set the OPNSense to DHCP on the WAN side to get a connection, and the IP address assigned via DHCP is NOT in the block of static IPs that I have.

Do I just create additional interfaces on the copper ports and assign the static IPs to each of them? If that is the case, does anyone have details on how to achieve this? If there is a write-up or a tutorial somewhere that addresses this, please point me to it.

Thanks!
#8
Thanks to all who took the time to chime in on this. Here is an update...

On a hunch, I went and downloaded the 23.7 installer and put that on this box. Guess what? It worked instantly after running through the wizard. Both the firewall and LAN clients worked flawlessly. Therefore, I can say with confidence that this is definitely an issue with the 24.x installer currently available.

As an anecdote, I was able to then upgrade in place from a perfectly functional 23.7 environment to 24.x and that also worked.

So, for anyone else having this issue, revert back to a 23.7 installer and verify it works (it did for me) and then upgrade to 24.x after you are first up and running in 23.7.

I really wish the OPNSense team would do more testing and validation.
#9
Thanks for the reply. The physical layout is really simple, which is why I am so confused and frustrated. I agree, it "should just work" as other installations of OPNSense have worked just fine for me on other hardware. Just a few minutes ago, I wiped this box and re-installed pfSense and boom, it "just works" without further setting changes.

Therefore, it MUST be something that OPNSense is doing differently on this box. Nothing different but the change in OS installed results in a working internet connection for the client on igb1.

As far as the complete picture, here it is...

The hardware in question is a generic, "white box" Intel i3 unit with a total of 6 copper ports. No SFP or other networking ports. There is nothing else involved in the equation here. No other DNS servers, nothing. The first copper port from left to right is igb0 and that is what the WAN address (statically assigned) is connected to (ISP modem). The second copper port from the left is igb1 and it is LAN. Again, the OPNSense instance itself has internet access, because I can go to 'firmware' and run an update and it will go out and grab available update packages without issue when I perform an update check.

When I say no internet access, what I mean is that any client connected to the LAN interface when the box is running OPNSense does not have an internet connection, despite getting a DHCP assignment correctly from the OPNSense instance. As I mentioned above, this only applies to the LAN connection. The WAN connection definitely has a working connection because OPNSense itself can go out and download updates without issue. I don't think it is a DNS issue on the LAN side either, because when I manually assign public DNS servers to the client connected to the LAN, it still cannot reach the internet.

Again, if I leave the identical physical connections and WAN IP address settings the same, and wipe OPNSense and install pfSense, not only does the pfSense OS have internet access, but the client connected to LAN (igb1) has internet access as well.

#10
I do only have two of the 6 available copper ports assigned. Bare metal install of 24.1 so there is no virtualization here. igb0 is assigned to WAN, and igb1 is assigned to LAN. That corresponds to the physical connections made. I am not even using a separate switch right now. igb0 is connected to the ISP device and is definitely the WAN connection as I have one of my available static IPs assigned to it. As I mentioned earlier, this installation of 24.1 has internet access as I am able to update the packages directly from that WAN connection. The only device connected to igb1 is a computer I am using a browser with to access the web interface of this 24.1 instance. This computer is properly assigned an IP address when using DHCP, and I tested it also using a manually assigned address. This instance of 24.1 is running unbound for DNS and I have even tried manually assigned public DNS servers to the client, such as 8.8.8.8 and 1.1.1.1 and still do not have internet access. I am really confused and stumped right now. As a sanity check, I wiped this hardware and installed pfSense, and it just works using the same two physical connections, so this is definitely some sort of configuration issue specific to OPNSense and I just don't understand what I am obviously missing here. Thanks for your responses and I look forward to further assistance on what to do next.
#11
Greetings All!

I have an issue where 24.1 itself has internet access and can download updates, new repositories, etc. However, clients connected to this instance on the LAN interface do not have internet access. I have double and triple checked the settings on the clients, and neither DHCP nor compatible manual settings for the LAN will restore internet access for the clients. This has me thinking I need to check Firewall Rules and/or NAT settings, but I am relatively new to OPNSense and I am not quite sure where to start in diagnosing this. It was a fresh install of 24.1 and I just used the wizard to try and get up and running quickly. What and where should I be looking? I would have thought by default all LAN clients would have internet access, and I certainly have not tinkered with any settings in that regard. Any/all assistance here would really be appreciated! THANKS IN ADVANCE!
#12
24.1, 24.4 Legacy Series / Internet Access from LAN issue
February 21, 2024, 04:19:27 PM
Good Day All!

I am making the switch from pfSense to OPNsense, but I am off to a rocky start with 24.1.

I have a business-class cable modem connection with static IPs assigned to me. It is a /29, so I have 5 usable IPs. I know the connection between my location and the ISP is good, as I have another router assigned to one of the other static addresses in my block and it is working perfectly, as was this white box hardware (SuperMicro Xeon) when it was running pfSense. This SuperMicro board has 6 copper ports (Intel) and 2 SFP slots (ix0 and ix1).

At this moment, I can successfully reach the web interface of OPNsense on the LAN interface (ix0 with a copper transceiver). So the LAN side is configured correctly and working, allowing me to make changes, etc. The OPNSense unit itself can reach the internet for updates, etc., so I am thinking this is a NAT/Rules issue. I used the Wizard to set it up, so I thought it would automatically create the necessary configuration, but apparently it does not?

However, the WAN side is a completely different story. I have tried assigning the desired static IP address (68.188.10.xx) to both ix1 and igb1, as well as providing the correct gateway (68.188.10.xx) and cannot get out to the internet. I have physical connectivity as I see activity lights and I made sure I didn't have a bad cable, etc. This leads me to believe I obviously am missing something with my configuration. I provided valid public DNS servers to the wizard during setup, so I am fairly confident I have all my values correct.

Therefore, I can only conclude I have some sort of NAT or rule configuration I am missing or overlooking. I have installed other instances of OPNsense with dynamic connections on other circuits and it worked just fine with no additional config necessary, so I have a feeling I am missing an additional setup setting for this particular setup with a static IP.

Could someone please offer some assistance as to what I might be missing or need to look further into? I'm stumped right now. THANKS IN ADVANCE!