Messages - Strator

#1
General Discussion / Re: Single NIC Setup
July 26, 2025, 02:47:28 AM
Quote from: Patrick M. Hausen on July 26, 2025, 01:32:40 AMWhat's unorthodox about a router on a stick?

Nothing, but I don't think that's about a router-on-a-stick. My understanding is that the OP wants to use just a single NIC for both WAN and LAN.
#2
General Discussion / Re: Single NIC Setup
July 25, 2025, 09:23:14 PM
You are trying to implement a very unorthodox solution so no wonder you haven't received any reply so far.

I think it can be done, but that's really a dead-end solution to me and, if I ever try to do that, it would be for a learning experience only.

So, the LAN side would be pretty standard. It is the WAN side that needs to be treated uniquely. That's because you want to feed it through a switch and on a single link.

I think you can make it work by making that link a trunk, but it is the "WAN" VLAN that I would make tagged on that link. But, that tag should be dropped in the link between your switch and the modem.

Well again, try to get it set up in a more orthodox way.

Good luck!
#3
You need a default gateway. It needs to be for your WAN interface. WAN is the OPNsense upstream interface, not LAN.

You need a gateway for your LAN interface. Its IP address needs to be the SVI address of the corresponding subnet. Do not mark it as an upstream interface. It is not an upstream interface as far as OPNsense is concerned. I also mark it as down and disable its monitoring to avoid any surprises. OPNsense is the kind of product that wants to be everything on your network, and some of its default settings, or their wording, are difficult to digest if you want to use it differently.

You need those static routes to your LAN subnets. All of them! Actually, to interface my routing switch with OPNsense, I use a subnet that is in a different IP range than my LAN network. This makes it possible to use just one summary static route with /16 instead of multiple /24.

Of course, you need to have adequate firewall rules. Start with allow ANY to ANY and, once you make it work, set them up according to your requirements.
#4
I have recently done a POC where I put OPNsense in front of my routing switch and I can confirm what was already said. Outbound NAT rules need to be created manually for VLAN subnets to enable Internet access. I have also made a couple of other changes, because I did not like how OPNsense sets up the default route with its default settings. First I made sure only WAN is marked as upstream and then I marked the LAN gateway as down. I think it is unfortunate that OPNsense uses the word "down" when the gateway is actually active, but it just cannot be selected as a default one.
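The two posts above (one summary static route to the switch SVI, only WAN marked upstream, manual outbound NAT for the VLAN subnets) describe a layout that is easy to get subtly wrong. The following is an added example, not code from the thread or from OPNsense, that checks such a layout and emits the corresponding route and NAT entries. The addresses, the VLAN list, the transit subnet and the interface name igb0 are constructed placeholders; the NAT line is written in pf style for illustration only, OPNsense renders its own syntax from the GUI.

```python
"""Added example, not from the forum thread or OPNsense itself: a sanity check
for the "routing switch behind OPNsense" layout described in the two posts above
(one summary static route, only WAN marked upstream, outbound NAT for the VLAN
subnets). All addresses, the VLAN list and the interface name igb0 are
constructed placeholders, not the poster's real network."""
import ipaddress

# Constructed sample topology (assumptions, not from the post)
TRANSIT_NET = "192.168.250.0/30"          # OPNsense LAN <-> switch SVI link
SWITCH_SVI = "192.168.250.2"              # next hop for every VLAN subnet
VLAN_SUBNETS = ["10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24", "10.10.200.0/24"]
WAN_IF = "igb0"
# interface -> (gateway IP, "upstream" flag as set in System > Gateways)
GATEWAYS = {"WAN": ("203.0.113.1", True), "LAN": (SWITCH_SVI, False)}


def summary_route(subnets):
    """Smallest single prefix covering every VLAN subnet (the post's /16)."""
    nets = sorted(ipaddress.ip_network(s) for s in subnets)
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


def static_routes(subnets, next_hop, summarize=True):
    """(prefix, next hop) pairs to enter under System > Routes: one summary
    route, or one route per VLAN if you prefer not to summarize."""
    if summarize:
        return [(summary_route(subnets), next_hop)]
    return [(str(ipaddress.ip_network(s)), next_hop) for s in subnets]


def outbound_nat_rule(source, wan_if):
    """pf-style outbound NAT line equivalent to the manual rule the post says
    is needed. Illustrative only; OPNsense generates its own pf syntax."""
    return f"nat on {wan_if} inet from {source} to any -> ({wan_if})"


def check_gateways(gateways, transit, summary):
    """Apply the post's rules and return a list of problems (empty = OK)."""
    transit_net = ipaddress.ip_network(transit)
    summary_net = ipaddress.ip_network(summary)
    problems = []
    upstream = [name for name, (_, up) in gateways.items() if up]
    if upstream != ["WAN"]:
        problems.append(f"only WAN may be upstream, got {upstream}")
    lan_ip = ipaddress.ip_address(gateways["LAN"][0])
    if lan_ip not in transit_net:
        problems.append("LAN gateway must be the switch SVI on the transit subnet")
    wan_ip = ipaddress.ip_address(gateways["WAN"][0])
    if wan_ip in summary_net or wan_ip in transit_net:
        problems.append("WAN gateway must not sit on an internal subnet")
    if transit_net.subnet_of(summary_net):
        problems.append("transit subnet lies inside the summary route; keep it "
                        "in a separate range as the post suggests")
    return problems


if __name__ == "__main__":
    summary = summary_route(VLAN_SUBNETS)
    print("static route :", static_routes(VLAN_SUBNETS, SWITCH_SVI))
    print("outbound NAT :", outbound_nat_rule(summary, WAN_IF))
    print("problems     :", check_gateways(GATEWAYS, TRANSIT_NET, summary) or "none")
```

With the sample topology the summary comes out as 10.10.0.0/16 via 192.168.250.2, the transit link stays outside that prefix, and only WAN is upstream, so the check reports nothing. Moving the transit link into 10.10.0.0/16 or flagging the LAN gateway as upstream makes it complain, which is the configuration mistake the posts warn about.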
#5
Quote from: Tibor on October 25, 2024, 10:54:53 PM
Quote from: Strator on October 25, 2024, 04:46:49 PM
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.

Yes, I have NAT on it. Do you mean that without NAT it could perhaps work?

Well, there is also a firewall there. mDNS creates a lot of traffic. The repeater makes it even worse. mDNS traffic can be easily taken as a DoS attack by the firewall. Some other unexpected rules may not like it, either. If I were you, I would forget about this idea.
#6
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.
#7
@glen4cindy

OPNsense does work as a transparent firewall. That's how I use it.

The only IP address you should have there is on LAN for management. Set a static IP address for it. You can connect OPNsense LAN directly to some management PC or your switch. The latter is a more flexible setup.

You can put that transparent firewall between your modem and router or between your router and switch.

Forget the instructions found on Dave's Garage. They are inconsistent. Follow the instructions from Zenarmor. Just note that there "LAN" (uppercase) means a local network. They use lowercase for OPNsense interfaces (wan, lan and opt1).

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense
#8
Quote from: viragomann on October 22, 2024, 02:17:42 PM
Quote from: glen4cindy on October 14, 2024, 04:39:48 AM
After everything was configured and working, I moved LAN and WAN so it was between my modem and router.
Which subnet is this?
How is your router accessing the internet?

You said, you assigned an IP to the bridge interface, which? Which subnet?
Which IP has OPT1?

Do not bridge WAN with LAN. LAN is configured for management. Keep it that way. Instead, bridge WAN with OPT1.
#9
I have an OOB network, too, but I don't really use it since I have only 3 devices that can be connected to it. Instead, I use a protected VLAN for the management tasks and that's where my OPNsense management interface is connected to.

OOB means routing disabled and no connection to any other network so, if you connected your OPNsense management interface to it, you would not be able to access the Internet from it.
#10
As I said in my first message, you need to treat the OPNsense management interface like any other client device on your internal network. The management interface cannot access Internet through the bridge directly. It can access Internet only through the internal network which, of course, itself needs to have access to Internet.

I have modified one of the diagrams from that article hoping that it will help you. Take a look at the attachment.

#12
I'm not sure why you've provided this information. I was writing about subnets, not physical interfaces. The only thing I can add to my previous message is that you need to use the OPNsense LAN for your management interfaces. If you bridged the OPNsense WAN with LAN and used some OPT for the management interfaces, you need to change it. Bridge WAN with OPT and, again, use LAN for the management interface. Good luck.

#13
The OPNsense management side needs to have access to the Internet to receive updates. Your IP configuration doesn't look right.

If you configure OPNsense as a transparent firewall, you should have only one subnet on it. That subnet should be on your internal network and have access to Internet. The OPNsense management side should be treated just like any other endpoint device on that network. The OPNsense management interfaces should have an IP address on the subnet and the OPNsense gateway should be set to the IP address of the gateway in the subnet.
#14
The OPNsense parent interface is your untagged VLAN on the switch, i.e. the native VLAN of the trunk. Child interfaces will be your tagged VLANs.
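The parent/child split above is decided per frame by the presence of an 802.1Q tag. The following is an added example, not code from the thread or from OPNsense, that builds a few frames and classifies them the way that split works: an untagged frame belongs to the parent (the trunk's native VLAN), a tagged frame belongs to the child interface for its VID. The interface name igb1, the VID list, the child naming scheme and the sample frames are all constructed here. Frames with two stacked tags are reported on their own rather than mapped to an interface, because stacked tags are what the classic native-VLAN double-tagging trick relies on and a firewall's trunk port has no legitimate reason to see them.

```python
"""Added example, not from the forum thread: classify raw Ethernet frames the way
the parent/child interface split described above works. Untagged frames belong
to the parent interface (the trunk's native VLAN); 802.1Q-tagged frames belong
to the child interface for their VID. Frames with two stacked tags are reported
separately. Interface names, VIDs and the sample frames are constructed."""
import struct

ETH_HDR = struct.Struct("!6s6sH")     # dst MAC, src MAC, EtherType or TPID
TPID_8021Q = 0x8100
TPID_QINQ = 0x88A8
ETHERTYPE_IPV4 = 0x0800

PARENT_IF = "igb1"                    # assumed trunk-facing OPNsense interface
CHILD_VIDS = (10, 20, 30)             # assumed tagged VLANs on that trunk


def build_frame(dst, src, ethertype, payload, vids=()):
    """Construct a frame; each VID in `vids` adds one tag, outermost first."""
    frame = bytearray(dst + src)
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI = 0
    frame += struct.pack("!H", ethertype)
    return bytes(frame) + payload


def classify_frame(frame):
    """Return (kind, vids, ethertype): kind is 'parent' (untagged),
    'child' (one tag) or 'double-tagged' (two or more stacked tags)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than an Ethernet header")
    _dst, _src, etype = ETH_HDR.unpack_from(frame)
    offset = ETH_HDR.size
    vids = []
    while etype in (TPID_8021Q, TPID_QINQ):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack_from("!HH", frame, offset)
        vids.append(tci & 0x0FFF)          # low 12 bits of the TCI are the VID
        offset += 4
    if not vids:
        return ("parent", [], etype)
    if len(vids) == 1:
        return ("child", vids, etype)
    return ("double-tagged", vids, etype)


def assign_interface(frame, parent=PARENT_IF, child_vids=CHILD_VIDS):
    """Name the OPNsense interface a frame lands on, or None if it is dropped.
    The child naming scheme is a placeholder, not OPNsense's exact naming."""
    kind, vids, _ = classify_frame(frame)
    if kind == "parent":
        return parent
    if kind == "child" and vids[0] in child_vids:
        return f"{parent}_vlan{vids[0]}"
    return None                             # unknown VID or stacked tags


# Constructed sample frames (no real capture)
DST = b"\x02\x00\x00\x00\x00\x02"
SRC = b"\x02\x00\x00\x00\x00\x01"
PAYLOAD = b"\x45" + b"\x00" * 19            # minimal stand-in for an IPv4 header
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_20 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(20,))
TAGGED_77 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(77,))
DOUBLE = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vids=(1, 20))

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("vid 20", TAGGED_20),
                        ("vid 77", TAGGED_77), ("1 over 20", DOUBLE)]:
        print(f"{name:10} -> {classify_frame(frame)} -> {assign_interface(frame)}")
```

The untagged frame lands on igb1, the VID 20 frame on its child interface, and both the unknown VID 77 and the stacked 1-over-20 frame are dropped. If the switch port towards OPNsense must carry a native VLAN at all, give it a VID that is used for nothing else, so that an attacker who can inject untagged frames does not end up in a VLAN that matters.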
#15
General Discussion / Re: Transparant Bridge mode
August 07, 2024, 12:08:27 AM
Quote from: ldanna1945 on August 05, 2024, 07:46:07 PM
Trying to access the OPNsense web GUI in transparent bridge mode. Connections are as follows.
WAN connection from modem to WAN connection on OPNsense 1x1. The LAN connection 1x0 on OPNsense to the WAN in on the router. LAN out from router to a switch. My computer connected to the switch. Access to internet works at this point, indicating the bridge is working.
I connected a third NIC on OPNsense 1x2 to the switch and configured the connection in OPNsense via serial CLI to be configured via DHCP.
OPNsense got an address of 192.168.1.168 from the router. My computer has an address of 192.168.1.166. Ping to internet is successful. Ping to 1x2 address 192.168.1.168 failed and I cannot access the web GUI.

So what am I doing wrong or is there another configuration I should try.

Thanks

Larry

Use the OPNsense LAN as the management interface, i.e. connect it to the switch. Connect the extra third NIC to the router WAN. Bridge the OPNsense WAN and the third NIC (OPT1). Do it exactly as described here.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-transparent-filtering-bridge-on-opnsense

It works.