Messages - giuliopaci

#1
General Discussion / Re: Multihomed bridge
August 29, 2025, 10:19:03 AM
After contacting my ISP, I found that the multi-homed flat setup is their default setup on the modem they provided, but that I am allowed to bypass the modem completely with my router using a point-to-point link, so I am following that route now.

However I would like to share what I found during my experiments: most of the issues I was experiencing came from interaction between NAT and the bridge I created.

- For port-forwarded services on X that were not reachable from Y devices, the issue is that DNAT happens too early (i.e., before reaching the Y gateway, which has no route to the real destination). In order to make this work I should leave the packet untouched when it is going to the Y gateway and then NAT it only when it comes back from the Y gateway. However, I was not able to convince the router to apply this configuration;
- For LEGACY devices not being able to reach Y devices, I am still not sure what the real issue was. However, I was able to bypass the issue by applying a 1:1 NAT having the Y network as both destination and target (i.e., NATing the network to itself). I am unsure why this worked, but the result was effective. BTW, if you have an explanation of why this worked, I would be happy to learn. :-)
#2
General Discussion / Multihomed bridge
August 22, 2025, 06:11:56 PM
Hi all,
  I am new to OPNsense and I am trying to configure a small network with it.

The ISP CPE modem is multihomed (public network X, with X gateway, public network Y, with Y gateway, private network Z, with Z gateway).

I have an OPNsense router that I physically connected to the ISP CPE modem using one interface and to an internal switch using another interface. The ISP CPE modem is connected to the internet, and the X and Y networks are configured to be accessible from outside.

I would like to allow devices on VLAN 1000, attached to the switch, to use addresses from the Y network and be accessible from outside, and to use an address from the X network for the router. I also want to use port forwarding on the X router address.

I decided to create a bridge between VLAN 1000 and the ISP CPE modem, and assign WAN to it.

So:
  • I created PUBLIC (VLAN 1000, vlan0.1000) and MODEM (ISP CPE modem, igc0) interfaces
  • I created bridge0 bridge on top of PUBLIC and MODEM (I also disabled pfil_member and enabled pfil_bridge and set outbound NAT mode to hybrid)
  • I created WLAN (bridge0), I assigned IP from X and defined X gateway
  • I assigned some devices attached to VLAN 1000 IPs from Y and defined Y gateway as default
  • I created LEGACY (VLAN 100, vlan0.100) and assigned private network to it, with the opnsense router acting as a gateway
  • I defined some port-forwarding rules (with reflection), mapping some services from LEGACY network

Current situation is:
- I can access port-forwarded services and Y devices from internet;
- I can access port-forwarded services from LEGACY;
- I can access Y devices from the router itself;
- I cannot access Y devices from LEGACY: packets get SNATed to the X router address, but they do not reach the device;
- I cannot access port-forwarded services from Y devices: packets get DNATed to the internal address of the services, but they do not reach the service.

I spent several hours trying to understand and solve the issue, but I have not been able to find any solution yet.

What can be the issue?