Tutorials and FAQs / New to opnsense, questions regarding double NAT
« on: August 09, 2024, 06:19:13 pm »
We are behind a 5G modem at home. It's CGNAT, so I get a private IP (usually 10.* or 100.*) from the modem (which is set to bridge mode).
Directly behind the modem I'm now setting up opnsense. Not just for the firewalling, but for many of the other options, like ntopng (for which I have a license from work), unbound, adguard, ntp, and I'd like to run dhcp and dns all from this box, which will of course be our gateway to the internet.
My home network is old and pretty settled, so I have no intention of changing subnet or address space because there are too many services and devices using the same addressing. They all expect and use 192.168.1.1 for DHCP, DNS and gateway. So we're actually double NAT, since we want 192.168.1.0/24 behind opnsense.
Since it should be CGNAT+NAT, is there a way to at first allow all physical LAN-ports on this box to pass through firewalling, to have the gateway box function merely as a switch with NAT for internet? Thus far I have not found a way to have the LAN-ports see each other, even though I followed the manuals for it. There's a bridge0, which has all ports as members, and I have given the bridge0 the static IPv4 gateway address.
It also seems that there are blocking rules active by default. Is there a way to set them all to pass/allow at first and then start building up fw rules where needed?
To be honest, we had this double NAT setup for 5 years with a mikrotik box, and thus far not one port-scan or intrusion attempt has taken place on the outer/WAN end of that mikrotik. I'm replacing the mikrotik with this new opnsense box (just to illustrate why I'm not very worried about opening it all up at first...).
I must certainly not be the only one using opnsense behind a CGNAT with dual NAT, so can any of you point me to a basic setup tutorial with allowance for all bridged LAN-interfaces/ports to see each other *and* be online, so I can slowly find my way into using plugins and locking it down step by step locally, creating VLANs for IoT etc. I was trying already, but my homeys started complaining about the downtime, so I have to find a way to test and set it up better without using the WAN.
Thanks in advance!