Messages - TheFNGee

#1
Thanks a bunch!

TheFNGee
#2
I got my OPNSense/Protectli combination functioning as a transparent bridge. Since a doc from Zenarmor was very helpful in getting this going, I decided I'd check out Zenarmor Free. It's been running for a week or so, and I checked out the Zenarmor dashboard. It told me that out of over 400 detected possibly harmful activities, it blocked none of them. I was surprised and wondered if I'd misconfigured Zenarmor. I went to check out policies, and being the "Free" version, I could not add a policy beyond the default. 

I then subscribed to the "Home" version. It's cheap enough, and the more protection, the better. I went to the "Settings" page and saw that it was operating in Layer 3 mode. With my limited networking know-how, I wondered if I shouldn't be running in "Layer 2" mode since the whole thing is a bridge. When I tried to set it to "Layer 2" mode, it kept popping up an error.

Sorry, I'm not sure how to resolve this issue, if it even IS an issue. 

The whole page looks like this

Thanks,
TheFNGee

#3
I have a Checkpoint 750 NGFW that's nearing End-of-Life. In its time, it had all the latest features such as IDS/IPS, AV, Anti-Malware, Anti-Spam, blah, blah. While it served me and my household very well over the years, all of its protection features came at a significant cost in available bandwidth from my 1Gbit pipe coming in.

After finally getting this "Transparent Bridge" with Protectli/OPNSense set up effectively, the throughput has gotten much better, on the order of TWICE as high.

This combination of hardware/software cost me less than the renewal of the support contract on the Checkpoint. I've even turned off the Palo Alto PA-440 that I've left almost totally unconfigured because of its complexity. This TB was far easier for an IAM guy pretending to be a network guy like myself.

Thanks,
TheFNGee
#4
OK. I got it working, in a convoluted manner, but it's working. Thanks to all.  Now I just need to figure out how to get my home CA Authority's root cert key onto the OPNsense device, and I'm set.  :)

Thanks,
TheFNGee (Steve)
#5
You're going all out and I greatly appreciate it.

My internal network is already double-nat'd to 10.x.x.0/24 subnets, so I took another approach which I thought would be easier (famous last words).

I have an extra NIC on my desktop MB that I'm using for OutOfBand access to the MGMT interface on the OPNsense/Protectli 4-port device. In its config in Windows, the only box that's checked is an IP of 192.168.10.5/24 for me to directly access the MGMT interface sitting @ 192.168.10.1/24 (the Edgerouter 6P already occupies the 192.168.1.0 /24 network.)

Is this where I've screwed the pooch, so to speak?

Thanks,
Steve

#6
Thanks again, Strator. However, I spent a lot of time on this page as well, making my UI match this set of instructions as closely as possible. However, in a key area of the LANWANBridge setup, talking about a "gateway", the UI represented in Figures 14 and 15 does not match OPNsense 24.7.2 at all, so I'm having trouble finding how it's actually configured.

Thanks Again,

TheFNGee (Steve)
#7
Again, thanks for the input.  Please forgive my ignorance, but the instructions, guides - whatever, say to "Bridge" the LAN/WAN and make it a "Transparent Bridge", run all incoming traffic through it and have it protect with IPS/IDS, Antivirus, etc.  So truthfully, I would have no idea how to accomplish keeping the TB and using the LAN interface for MGMT.  However, using the LAN interface WAS how I initially configured the device, just to get the first round of updates, the Suricata config and downloading ClamAV/signatures.

Thanks anyway,
TheFNGee (Steve)
#8
Hi Strator - Thanks for the response. The first exposure I got to this idea was on "Dave's Garage" on YouTube. Though his instructions were explicit, he only mentioned the IN/OUT or WAN/LAN ports as a pair and never mentioned configuring the Management port.

The first area of config that I have included is the Edgerouter 6P.  This device has ports eth0-eth5, with eth0 being the Internet coming in from the cable modem. This is with the "transparent bridge" in line, showing that the DHCP request from the 6P's eth0 is indeed going through, unhindered, to the cable modem.

Eth2 is HVAC,
Eth3 is the Security Camera system,
Eth5 is going to the Checkpoint 750 for distribution separately to the wired devices and then to the Mesh wireless, an Orbi RBR850 router with three additional satellites.

This is what the configs look like:
#9
Hi folks - I'm not the most competent networking guy, never have been.  I've been in IAM since before it was called IAM. Way back then, it was called and still is Active Directory.

I liked the idea of a "transparent bridge" between the cable modem and Edgerouter a lot. I literally use an Ubiquiti Edgerouter-6P to get me more outputs from my single output cable modem.

I first bought the Protectli v1210 2-port device and set it up, and then realized I couldn't access the GUI by any means I knew enough about to try. (I truly wanted to see the protection going on before I turned off the Security software blades on my Checkpoint 750, soon going EOL), returned the v1210, and was treated very graciously by Protectli and purchased a v1410 4-port.

After many fits and starts, five hours ago, I finally figured out how to make a Management Port work properly. I can see all the goings-on within the UI and also the HDMI interface on a separate monitor.

After getting this working, I just realized that I cannot UPDATE OPNsense, or the ClamAV sigs, or IPS/IDS items, or it seems like I can't. On the dashboard, I click "check for updates" and the text in the GUI says effectively "host does not resolve", and I see the URLs for OPNsense with messages tailing the URL saying "No address found."

After thinking on it for quite a bit, I began to think that since the WAN interface doesn't really have an IP address of its own, and Software update servers (like Protectli's) need an IP address to connect to and receive updates.  I'm stuck.  When I disabled the security blades on the old checkpoint, the throughput absolutely doubled, and I was getting near 950 Mbps on speedtest, so I really have to fix this, but frankly don't know how to proceed.

Modem DHCPs class B DHCP right thru the Protectli to the eth0 interface on the 6P @ its 192.168.1.1.  One of those outputs goes to the Checkpoint, and it NATs to a 10.0.0.0/24 internal network.
I had to change the default IP on the OPNsense to 192.168.10.1 just to get it set up.  I finally figured out how to enable a MGMT port (igc2) and gave it an IP of 192.168.20.1.

I'm shocked but all this works seemingly.  I just can't get updated to the OPNsense itself.  Am I making sense?

Any ideas from more experienced users?

Thanks,
TheFNGee (Steve)