Messages - ironuckles

#1
I was able to get this working by changing the LAN to use 10.0.0.1/24. Thanks! I realize I was making some stupid newbie mistakes. I'm learning.

As for why I would want to use a VPN on the OPN device, I don't like having to run individual VPN applications on my devices at home. I like to use a home firewall to put my whole home network behind a VPN for privacy reasons. I also plan to eventually self-host services and run a VPN that I can use to connect into my home network.

Thank you for the guidance.
#2
> Your IP assignments as described are incorrect or else they are not as described.

Am I not reading this correctly?

```
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
              v6/DHCP6: [elided]
```


```
Model   WAN   LAN   OPT1   OPT2   OPT3   OPT4
FW4C   igc0   igc1   igc2   igc3   N/A   N/A
```

To respond to the rest of the comments:

Yes, sounds like I do need to define an IP range for the OPNsense firewall to use. Unfortunately it doesn't seem I can easily go to bridge mode on the ISP router since this would mean I have to disable their Wi-Fi (and thus incur the wrath of my household co-inhabitants). So I think I am okay with going to a double NAT solution, which I know is not ideal. Performance is not that important for my use case.

My plan is to have [ISP router] -> [OPNsense firewall] -> [OpenWrt access point]. I plan to then connect my personal devices to the OpenWrt AP Wi-Fi. My overall goal is to be able to put a VPN on the OPNsense firewall so I can protect anything that connects to the OpenWrt AP.

Would this be possible if I just set the OPNsense firewall LAN to use 10.0.0.0/24, for example? Then there would be no overlap with the ISP router's range? If I understand correctly, that would mean that, for example, a device connected to the OPNsense firewall's LAN would receive some 10.0.0.X address. Since this does not fall under the 192.168.0.0/24 range, the firewall would allow it to go out to the public internet? Or would I need some specific outbound NAT to make that work?

Thank you very much for your time and attention.
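The question above boils down to one check: does the prefix chosen for LAN overlap the subnet the ISP router leases to the OPNsense WAN? In the listing posted in this thread both sides sit in 192.168.1.0/24, so the firewall has two directly connected routes for the same prefix and cannot route between them cleanly. The script below is an added example, not code from the thread or from OPNsense: it parses a console interface listing in the format shown above, reports overlapping interface pairs, and filters a list of candidate LAN prefixes against the WAN subnet. The listing is a constructed copy of the one in the thread, and the regular expression and candidate prefixes are assumptions for illustration.

```python
"""Check an OPNsense console interface listing for overlapping WAN/LAN subnets."""
import ipaddress
import re

# Constructed sample input: the interface listing as it appears on the
# OPNsense console (copied from the thread). The IPv6 line is omitted.
CONSOLE_LISTING = """\
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
"""

# Assumed line format: "NAME (dev) -> v4: a.b.c.d/nn" or
# "NAME (dev) -> v4/DHCP4: a.b.c.d/nn"; unassigned ports match with addr=None.
_IFACE_LINE = re.compile(
    r"^(?P<name>\w+)\s+\((?P<dev>\w+)\)\s+->\s*"
    r"(?:v4(?:/DHCP4)?:\s*(?P<addr>\d+\.\d+\.\d+\.\d+/\d+))?"
)


def parse_listing(text):
    """Return {interface name: IPv4Interface or None} from the console listing."""
    interfaces = {}
    for line in text.splitlines():
        m = _IFACE_LINE.match(line)
        if not m:
            continue  # skips continuation lines such as an indented v6/DHCP6 entry
        addr = m.group("addr")
        interfaces[m.group("name")] = ipaddress.ip_interface(addr) if addr else None
    return interfaces


def overlapping_pairs(text):
    """Return sorted (name_a, name_b) pairs of interfaces whose IPv4 subnets overlap.

    Any pair returned is a misconfiguration: the firewall then holds two directly
    connected routes for the same prefix, so traffic meant for one side can be
    sent out the other interface.
    """
    ifaces = {n: i for n, i in parse_listing(text).items() if i is not None}
    names = sorted(ifaces)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if ifaces[a].network.overlaps(ifaces[b].network)
    ]


def usable_lan_ranges(text, candidates):
    """Return the candidate LAN prefixes that do not overlap the WAN subnet.

    Assumes the upstream router leases WAN its address; any candidate that
    overlaps that lease's subnet would recreate the problem in the thread.
    """
    wan = parse_listing(text)["WAN"]
    return [c for c in candidates if not ipaddress.ip_network(c).overlaps(wan.network)]


if __name__ == "__main__":
    print("overlapping:", overlapping_pairs(CONSOLE_LISTING))
    print("usable LAN ranges:",
          usable_lan_ranges(CONSOLE_LISTING,
                            ["192.168.1.0/24", "10.0.0.0/24", "192.168.2.0/24"]))
```

Run it with the listing copied from the console (option 8, shell, or the interface summary shown at login); it needs only the Python 3 standard library. With the thread's listing it reports the LAN/WAN pair as overlapping and keeps 10.0.0.0/24 and 192.168.2.0/24 as usable; after the LAN is moved to 10.0.0.1/24 the overlap list is empty.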
#3
Quote from: EricPerl on March 24, 2025, 08:43:13 PM
> There's no way OPN is getting an RFC1918 IP via DHCP for WAN from an ISP, especially something as common as 192.168.10/24, unless OPN was deployed behind an existing router, which is probably what's happening here.
> As is, a separate range should definitely be used on the LAN. Other settings should be changed as well (disable block private/bogons on WAN).
>
> An alternative is to remove the edge router or switch it into bridge mode.

Google claims their router cannot run the default wireless network and operate in bridge mode at the same time, so I don't think that will work for my use case. My intention here is to have this network live behind my ISP's router, not to replace the ISP equipment. I had the same setup work in a previous location with a different ISP and I don't remember ever having to mess around with the ISP's equipment to get it to work.

Would setting the LAN range to something that doesn't overlap with 192.168.1.0/24 work? Or will this have the same problem?
#4
Quote from: passeri on March 24, 2025, 06:00:27 AM
> Your IP ranges are not distinguished. They are in the same range, 192.168.1.0/24
>
> Did you choose specifically during configuration to set up WAN on igc0, LAN on igc1? By default they are the other way around.
>
> I suggest you leave everything else, such as NAT, as defaults until you resolve the above.

According to Protectli, the interface ending in zero is the WAN. I'm also able to connect to the web GUI through a connection on the LAN port so I think the assignments are correct.
#5
Hello,
I have installed and am setting up a new OPNsense router on Protectli FW4C hardware. My upstream ISP is Google Fiber.
Overall I can get through setup and installation and get to the point where I am in the GUI. However, this is where I am stuck. I cannot get the firewall to let traffic pass through no matter what I do. I have outbound NAT set to auto and have disabled DNSSEC. I am connecting via Ethernet cable from a desktop and can load the GUI portal just fine on 192.168.1.1.
Now if I boot into console and go to shell, I can ping 1.1.1.1 just fine. But from the LAN I cannot. Only 192.168.1.1 is pingable. The WAN blocks all outbound traffic from LAN.
Here is what the interfaces say from console:

```
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
              v6/DHCP6: [elided]
```

I know there must be an issue with the WAN outbound NAT but I am lost about how to debug this. I just have the auto setting for outbound NAT. I saw some posts on forums suggesting I should configure manual rules but I have no idea how to go about that or what they should point to. Any advice?