Quote from: Forceflow on December 21, 2024, 01:04:06 PM
Hey quordle
It sounds like you've diagnosed the NAT issue correctly. Using static port mapping in OPNSense is a valid approach to replicate the Edgerouter's behavior without UPNP. While there is a potential risk of port collisions, if you've managed fine for years without issues, it should be okay. Just keep an eye on your network performance.
I'm trying to replace my old trusty Edgemax Edgerouter ERP-5 (because Unifi does not care about these Edgerouters any more, it seems) with a new shiny OPNSense device from Protectli. It's going well, but I've got one thing that puzzles me. First, my network topology:
(internet) -> ISP modem/router (192.168.0.1) -> OPNsense with static WAN IP (192.168.0.220) -> My LAN and all my devices (192.168.1.x)
- I'm stuck with that ISP modem/router that I cannot put into bridge mode. The only thing I can do is DMZ to a fixed IP (192.168.0.220). I've made my peace with this double NAT, it's the way it is - this is not the issue at hand. Don't worry, I've disabled the standard blocking of traffic from RFC1918 networks, otherwise the setup wouldn't work :)
- I've managed to replicate almost all functionality from the Edgerouter I want: static leases, port forwards, DNS redirect to Pihole, et cetera. Devices can contact the internet and each other.
There is just one thing that's bugging me: I'm an avid gamer, and when I use my Edgerouter, all my consoles / PC games report NAT type 2 (moderate). When I use my new OPNSense box, that reverts to NAT type 3 (strict).
The initial reaction would be: just start configuring UPNP, but here's the thing: on my Edgerouter I could get to NAT Type 2 without having to resort to UPNP (simply not configured), and I'd like to replicate that exact behavior. I want a baseline to start from that is identical to what I had :).
I figured out it probably has something to do with outbound NAT rules, and the port selection. OPNSense, by default, randomizes the outbound port during the translation, for security reasons, if I am correct. I think my Edgerouter, by default, uses static ports mapping for outbound NAT (no randomization) for EVERY LAN CLIENT, and that makes everything "just work" to get to NAT Type 2.
In order to replicate this behavior in OPNSense, I've set Outbound NAT to Hybrid mode, copied the default auto-generated outbound rule to this section and just enabled the static port setting. For all traffic and clients, because most of the clients on my network use some online game functionality (laptops, consoles, ...). This change does indeed result in all consoles and game PC's reporting NAT Type 2 / Moderate behavior. Hurray.
Here are my questions:
- Do you think I've diagnosed the problem correctly and that is indeed the default Edgerouter behavior, and that I replicated this correctly? I know UPNP is the "correct" way of solving this, but I don't want to get into more configuration hell, and I was fine with the way the Edgerouter did it.
- Is there any downside to doing this? I know theoretically I can have issues when ports collide, let's say two XBOXes on my network try to connect to the same game server using the exact same port, and it is unclear for who the returning packet is meant. I've got to stress that I did not encounter any of those issues in doing it like this for 5 years on that Edgerouter, so this might be a non-issue.
Thank you for reading this, and happy holidays to you all.
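To make the collision question in the post concrete, here is an added toy model of an outbound NAT state table (not OPNsense or pf code): it compares static port mapping with randomised source ports for two consoles that both use the same local port against one game server. The WAN address is the one from the post; the LAN addresses, the server address and port 3074 are constructed sample values.

```python
"""Toy outbound-NAT table contrasting static port mapping with randomised
source ports.  Added illustration for the questions above, not OPNsense or pf
code; the WAN address is the one from the post, everything else is constructed."""
import random

WAN_IP = "192.168.0.220"


class OutboundNat:
    """One state per flow, keyed by what a reply from the internet carries:
    (wan_ip, wan_port, remote_ip, remote_port)."""

    def __init__(self, static_port, seed=1):
        self.static_port = static_port
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.states = {}                    # reply key -> (lan_ip, lan_port)

    def translate(self, lan_ip, lan_port, dst_ip, dst_port):
        """Return the WAN source port used for this flow, or None when a
        static-port mapping would collide with an existing state."""
        if self.static_port:
            candidates = [lan_port]                       # keep the client's port
        else:
            candidates = self.rng.sample(range(49152, 65536), 32)  # ephemeral range
        for port in candidates:
            key = (WAN_IP, port, dst_ip, dst_port)
            if key not in self.states:
                self.states[key] = (lan_ip, lan_port)
                return port
        return None

    def reply_target(self, wan_port, src_ip, src_port):
        """Which LAN host:port receives a reply sent to WAN_IP:wan_port?"""
        return self.states.get((WAN_IP, wan_port, src_ip, src_port))


def two_consoles(static_port, same_server=True):
    """Two consoles both use local port 3074 (constructed example port).  The
    collision the post worries about needs the same remote address and port;
    a second server, or randomised ports, keeps the two flows apart."""
    nat = OutboundNat(static_port)
    first = nat.translate("192.168.1.50", 3074, "203.0.113.10", 3074)
    second_dst = "203.0.113.10" if same_server else "203.0.113.11"
    second = nat.translate("192.168.1.51", 3074, second_dst, 3074)
    return first, second, nat.reply_target(first, "203.0.113.10", 3074)
```

With static ports the second console's flow to the same server gets no usable state, while a different server or randomised ports never collides; that is the only situation the trade-off matters in.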
Quote from: bloodyNetworker on April 14, 2026, 09:58:53 PM
I'm guessing you mean the NIC on my homeserver?
I am talking about your OPNsense Router :
Quote
I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches with the incoming tagged packet).
OPNsense can handle Tagged traffic : That's not the issue here.
Quote
If you meant something else, please let me know.
See above : You can't do everything with just one NIC !!
Quote
I have no idea what you are talking about to be honest, but I just posted how you can keep your future Advanced Accesspoint in the IoT VLAN with its Management Interface : That's all!
Quote from: nero355 on April 14, 2026, 07:26:11 PM
By using Untagged/Tagged settings of the Switchport correctly :
As far as I understand it you want IOT devices to be untagged. That way they can only communicate if another untagged device within the "internal" VLAN of the switch is also connected to the same switch. Because this isn't happening in my household any untagged devices will be left alone, is that right?
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.
Quote
I know I'm constantly changing my mind, but I've now come to the conclusion that the IOT interface, as I've intended it, is a terrible idea:
Why do you think you need Mesh at all ?!
Simply because I fear that way I'll break the Mesh functionality.
Quote
Hence, I'll let them have complete LAN access and only let them contact their vendor cloud servers for firmware updates.
Your Printer can be connected to a Untagged Switchport or via WiFi and the Printer won't know how the rest of the network works like any other Client ;)
Let's not forget that I also have different IOT devices - like my printer - which require a WLAN connection and whose packets need to be mapped to the IOT VLAN tag as well.
Quote
I have no idea why you quoted that, but all in all I think you are overthinking everything : Just get some hardware you can afford and think looks reasonably good and start building and learning about your future network! :)
Quote from: nero355 on April 14, 2026, 07:26:11 PM
[You'd] have to configure the switch-software in a way that the specific trunk port [untags] packages with IOT
If I got your idea wrong, please let me know!
Quote from: nero355 on April 14, 2026, 07:26:11 PM
I'm guessing you mean the NIC on my homeserver? If that's the case: I only have one NIC and I'd like it to stay that way: This is the reason why I'm proposing that every packet has to arrive as tagged so that the firewall rules trigger as intended. It's what I've been wrapping my head around all the time whether OpnSense can react to tagged packets (and whether it does so automatically if an assigned VLAN tag in OpnSense matches with the incoming tagged packet).
Quote
I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through OPNsense, which controls VLAN access through the firewall rules, am I right?
It depends how you like to set up things :
Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.
But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.
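The untagged/access versus tagged/trunk distinction in the reply above, as an added toy model (not switch firmware or OPNsense code): a minimal 802.1Q parser plus the ingress rule a switch port applies, run against the access-point port nero355 describes. The VLAN IDs (20 for the IoT/management network, 10 and 30 for SSIDs, 99 as a disallowed tag) and the MAC addresses are constructed for the example.

```python
"""Toy model of 802.1Q tagging at a switch port.  Added illustration for the
thread above; simplified, not the switch's or OPNsense's implementation.
VLAN numbers and MAC addresses are constructed sample values."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAC_AP = bytes.fromhex("02aabbccdd01")   # locally administered, constructed
MAC_FW = bytes.fromhex("02aabbccdd02")


def make_frame(vlan_id=None, payload=b"\x45" + b"\x00" * 19):
    """Build a minimal Ethernet frame, inserting an 802.1Q tag when vlan_id is given."""
    header = MAC_FW + MAC_AP
    if vlan_id is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan_tag(frame):
    """Return the VLAN ID of a tagged frame, or None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF          # low 12 bits of the TCI are the VID


def classify_ingress(port, frame):
    """Return the VLAN a frame entering `port` is placed in, or None if dropped.
    port is a dict: mode 'access' or 'trunk', pvid (the untagged/native VLAN),
    and tagged (set of VLAN IDs accepted tagged on a trunk)."""
    vid = parse_vlan_tag(frame)
    if vid is None:                       # untagged: the port's native VLAN applies
        return port["pvid"]
    if port["mode"] == "access":          # access ports do not accept tagged frames
        return None
    return vid if vid in port["tagged"] else None


# Switch port facing the access point, as described above: the IoT VLAN untagged so
# the AP's management interface gets its address there, every SSID VLAN tagged.
AP_PORT = {"mode": "trunk", "pvid": 20, "tagged": {10, 30}}


def ap_port_results():
    """VLAN placement for: AP management (untagged), two SSIDs (tagged), bogus tag 99."""
    return [classify_ingress(AP_PORT, make_frame(v)) for v in (None, 10, 30, 99)]
```

The AP never sees a tag on its own management traffic, which is why it needs no VLAN configuration, while its SSID traffic keeps the tags the firewall's VLAN interfaces match on.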