Topics - mw88

#1
Hi everyone, I have a working existing setup, which I would like to get your feedback on, in terms of security and "best-practice".

In my home network, I am running a FritzBox (German router) in IP-Client mode behind my opnsense in VLAN30.
This way, the FB becomes just a regular network device, with the function of being the SIP gateway of my network.


[ opnsense ]====VLAN Trunk:30====[ managed L2 switch ]----UNTAGGED:30----[ SIP client ]
10.0.30.1/24                                                            10.0.30.2/32 (dhcp, static)


In order for ringing and voice communication to commence, I had (found by trial and error and a lot of snippets here and there) to create two NAT outbound rules:

Interface: VLAN30
TCP/IP Version: IPv4
Source address: Server_VOIP   (alias for 10.0.30.2)
Source port: any
Destination address: any
Destination port: any
Translation/target: Interface address
Static Port: yes

A second rule is in place for IPv6.

So far, this setup is working, but I do not understand it very well.

In particular, my questions are:

  • Is NAT Outbound the right thing to do here?
    I'm asking, because in other places, I do NAT outbound when routing between different VLANs and their subnets, because some stupid service requires the clients to live in the same /24 network, and I require the clients live in a different network from the service. So why (if at all) is it necessary that my SIP provider perceives all the connections coming from one common client with the interface address?
  • I feel this is not the ideal solution, and instead, port forwarding should be used. Is my feeling correct? And if so, why?
Any other comments and suggestions are also welcome.

#2
Hi. I'm quite new to networking with opnsense and I'm trying to set up WireGuard to access my home network remotely while working abroad.

As far as I'm concerned, this seems to be the official guide to follow.

However, after going through all the steps in the way detailed below, I cannot ping any of the services in my home network.

Can you help me debug this setup or point me to what is going wrong here?

Setup
Home location
opnsense 23.7.11-amd64 is running in a VM on proxmox with interfaces into different VLANs, e.g.
VLAN2: home, 10.0.2.0/24
VLAN9: WAN (I have to run everything on one physical NIC, so my cable modem is just on a tagged port of the main switch, while the opnsense VM is on a trunk port)
The WAN interface is assigned the public IPv4 a.b.c.d and an IPv6 aa:bb:cc::dd from my /60 subnet.
A firewall rule is in place (temporarily), such that I can ping my opnsense router from the remote location.

Remote location
Sadly, only ipv4 in remote location: 192.168.10.0/24.
I have little influence over this.

Wireguard
Following the guide, I have the following settings:

Step 1
os-wireguard 2.6

Step 2 - Instance

Name             : HomeWireGuard
Public key       : public-key-server=
Private key      : private-key-server=
Listen port      : 51820
Tunnel address   : 10.10.10.1/24
Peers            : mw88Test

* later I want to work with ipv6 as well, after ipv4 works

Step 3 - peer

Name        : mw88Test
Public key  : public-key-client=
Allowed IPs : 10.10.10.3/32

* no DNS server for now, I want to get it working based on IPs first

Step 4 - restart
done, is self-explanatory

Step 5 - interface
(a) I assigned interface opt4 to device wg2 as [HomeWireGuard]; no IP assignment is possible.
(b) I didn't create an outbound NAT rule.

Step 6 - firewall rules
I created the rules as described, as well as temporary floating ICMP rules from any source to any destination for protocol icmp (I verified these rules work).
(a) I created one normalization rule for ipv4+ipv6.

Step 7 - Client
I'm on Windows 11, using the official WG app on version 0.5.3.
My config looks like this:

Name: mw88Test
Public key: public-key-client=

[Interface]
PrivateKey = private-key-client=
Address = 10.10.10.3/24

[Peer]
PublicKey = public-key-server=
AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
Endpoint = a.b.c.d:51820


Problem

  • I can activate the tunnel on the client, and when starting a ping, I see Bytes sent, but do not receive any. How do I verify that the connection was successful?
  • Ping to the VLAN2 interface of opnsense, 10.0.2.1, just times out.

I'd be glad to receive any pointers.
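A small checker, added here as an example and not part of either post: it parses the client config exactly as posted, reports AllowedIPs entries written with host bits set (the 10.0.2.1/24 entry in its canonical 10.0.2.0/24 form), confirms that the ping target 10.0.2.1 is routed into the tunnel at all, and interprets one peer line of `wg show wg2 dump` to answer the "how do I verify the connection" question: a recent latest-handshake value means keys and endpoint agree on both sides, and tx without rx is the one-way symptom described. The dump line is constructed sample data, and the 180 s handshake threshold is an assumption (WireGuard rekeys roughly every two minutes).

```python
import ipaddress
# Client config from the post above (keys are the post's own placeholders).
CLIENT_CONF = """[Interface]
PrivateKey = private-key-client=
Address = 10.10.10.3/24

[Peer]
PublicKey = public-key-server=
AllowedIPs = 10.10.10.1/32, 10.0.2.1/24
Endpoint = a.b.c.d:51820
"""
# Constructed sample of one peer line from `wg show wg2 dump` (client side).
SAMPLE_DUMP = "public-key-server=\t(none)\ta.b.c.d:51820\t10.10.10.1/32,10.0.2.0/24\t1700000000\t0\t1480\toff"
def parse_wg_conf(text):
    # Minimal INI parser for wg(8)-style files: {section: {key: value}}.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def allowed_networks(conf):
    # AllowedIPs as network objects; strict=False masks off host bits.
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in conf["Peer"]["AllowedIPs"].split(",")]

def noncanonical_allowed_ips(conf):
    # Entries written with host bits set, e.g. 10.0.2.1/24 -> 10.0.2.0/24.
    entries = [e.strip() for e in conf["Peer"]["AllowedIPs"].split(",")]
    return [(e, str(n)) for e, n in zip(entries, allowed_networks(conf))
            if e != str(n)]

def destination_in_tunnel(conf, dst):
    # True if the client will route packets for dst into the tunnel.
    return any(ipaddress.ip_address(dst) in n for n in allowed_networks(conf))

def peer_state(dump_line, now):
    # One peer line of `wg show <if> dump` (tab-separated: pubkey, psk, endpoint,
    # allowed-ips, latest-handshake unix time, rx, tx, keepalive); now = unix time.
    f = dump_line.rstrip("\n").split("\t")
    handshake, rx, tx = int(f[4]), int(f[5]), int(f[6])
    return {"handshake_ok": handshake > 0 and now - handshake < 180,
            "rx": rx, "tx": tx, "one_way": tx > 0 and rx == 0}
```

On the client, `wg show wg2 dump` (or the "Latest handshake" line in the Windows app) gives the same fields; a handshake that never appears points at keys, endpoint or the WAN firewall rule, while a handshake with rx stuck at 0 points at the server-side firewall or NAT rules for the wg2 interface.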