Topic: Looking for help moving from Untangle to OPNSense (Read 2608 times)
sparticle (Full Member, Posts: 107, Karma: 1)
Posted on: June 13, 2020, 03:54:33 pm
Hello OPNSensers,
I have been a client of Untangle for 10 years. I like it; it works and is very intuitive. However, in the modern IPv6 world we are just moving to, it is sadly lacking, with no indication that anyone cares.
So it is time to find a new FW/IPS/IDS perimeter security and network services platform.
After looking around, OPNsense seemed like a good bet.
Maybe we have spent too many years thinking in the Untangle world. We configured a basic (or what we thought was a basic) system with two interfaces, LAN & WAN. Our architecture is as follows.
CISCO VDSL <-> em0 WAN OPNSENSE LAN em1 <-> MANAGED SWITCH <-> DEVICES
The CISCO VDSL device gets a /29 IPv4 block and takes one address for itself as the GW. em0 gets one as the WAN port; these two are directly connected. Nothing else is connected to the CISCO. We configured IP aliases for the rest of the usable IPv4 /29 block on the WAN interface, so it has 5 usable /29 addresses including itself.
The OPNsense em1 is connected to the MANAGED SWITCH on the LAN and is configured to provide DHCP for the LAN segment and dnsmasq services for DNS and PXE booting. Public upstream DNS servers are configured on the WAN interface and in dnsmasq. PXE booting works fine and serves the LAN from our internal PXE boot server.
We have a number of services on the LAN we expose publicly (web/email etc.).
When OPNsense boots, everything seems to come up fine. However, the dashboard shows WANGW as down. We cannot seem to get a connection through the OPNsense platform to the CISCO, or it appears that way.
We used port forward rules, as we do on the Untangle box, to provide tunnels through for the public services. These look a bit weird and we may have configured them wrong.
We are used to saying something like:
Connect from anywhere to WAN IP xxx.xxx.xxx.xxx on ports 143,993 using TCP; forward that to LAN IP XXX.XXX.XXX.XXX on ports 143,993.
When we configure the PF as above we get that in the PF dialog, but a rule in the FW on the WAN seems to show the internal IPs and ports and not the external destination address. Anyway, after bringing the network down for 30 mins by unplugging the connections into Untangle and replugging into the OPNsense box. We had also spoofed the MAC addresses to match the UT box to avoid any issues.
We could not get anything in or out of the OPNsense box. We could get DHCP served internally, and PXE boot worked perfectly. No DNS resolution. So we know the LAN side is working; the default allow-all inside-to-outside should have got us out, but maybe not the return. Surely if we established from inside, OPNsense would NAT that outside and we would get a return through, but nothing.
We could not see the CISCO, it seems. It thought all was well and the interface was up in the CISCO. In OPNsense the WANGW was still showing as down.
At that point, best laid plans gone to s**t, we had to replug the Untangle and life was restored in a few seconds.
What are we missing? Is this not configured OOTB to allow LAN out and block outside in? When we poked holes we expected to get traffic immediately through to the mail cloud and web servers, but nothing from outside via the 4G network. We certainly expected to be able to browse a website from the LAN.
We did a lot of reading before we took this leap.
Any help and guidance appreciated, as we really want to get off the old platform and move into the new IPv6 world. Please forgive any typos; this is a dump of what we found.
Cheers
Spart
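A practitioner's check for the WAN layout described in the post above, as an added example that is not part of the original post or of the OPNsense project. It is a POSIX sh script (it runs under FreeBSD's sh on the firewall, or under dash/bash elsewhere) that verifies the WAN address and the Cisco gateway really share the /29, lists which addresses of the block remain for Interfaces -> Virtual IPs once the router and the WAN interface have taken theirs, prints the pf rule pair a port forward expands to, and, on FreeBSD only, runs the live checks you would do when the gateway monitor shows WANGW down (default route, ARP entry, ICMP reply). The rule pair also explains the "internal IPs in the WAN rule" observation: pf applies the rdr translation before it evaluates filter rules, so the associated pass rule must match the already-translated LAN destination. All addresses (203.0.113.8/29 with the router on .14 and the WAN on .9, LAN host 192.168.1.25) and the interface name em0 are constructed for illustration. One caveat for the "WANGW down" symptom: the OPNsense gateway monitor (dpinger) decides up or down from ICMP echo replies, so a router that does not answer ping is reported down even when it forwards traffic; setting a different monitor IP on the gateway, or disabling monitoring for it, avoids that false negative.

```shell
#!/bin/sh
# wan_check.sh: sanity checks for a static /29 WAN behind a router.
# Added example; not from the forum thread or the OPNsense project.
# Sample addresses are RFC 5737 documentation space, constructed for this example.

# Dotted-quad IPv4 -> integer (runs in a subshell so changing IFS stays local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Integer -> dotted-quad IPv4.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer (relies on 64-bit shell
# arithmetic, which dash, bash and FreeBSD sh all provide).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet IP1 IP2 PREFIX: succeed if both addresses fall in the same subnet.
# A WAN address and a gateway that fail this check can never resolve each other via ARP.
same_subnet() {
    mask=$(prefix2mask "$3")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# usable_hosts NETWORK PREFIX: every host address in the block
# (network and broadcast addresses excluded), one per line.
usable_hosts() {
    mask=$(prefix2mask "$2")
    net=$(( $(ip2int "$1") & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    i=$(( net + 1 ))
    while [ "$i" -lt "$bcast" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

# vip_candidates NETWORK PREFIX GATEWAY WAN_IP: the addresses left over for
# Interfaces -> Virtual IPs once the router and the WAN interface have theirs.
vip_candidates() {
    usable_hosts "$1" "$2" | grep -Fvx -e "$3" -e "$4"
}

# gen_portforward WAN_IP LAN_IP "PORTS": the pf rule pair a port forward expands to.
# Translation (rdr) runs before filtering, so the pass rule has to name the
# LAN address and ports: that is what the auto-generated WAN rule shows.
gen_portforward() {
    echo "rdr on em0 inet proto tcp from any to $1 port { $3 } -> $2"
    echo "pass in quick on em0 inet proto tcp from any to $2 port { $3 } flags S/SA keep state"
}

# live_checks GATEWAY: what to look at on the box itself when WANGW shows down.
# Uses FreeBSD-specific commands, so it is skipped on other systems.
live_checks() {
    [ "$(uname)" = FreeBSD ] || { echo "live checks need FreeBSD (run this on the firewall)"; return 0; }
    echo "default gateway: $(route -n get default 2>/dev/null | sed -n 's/^ *gateway: //p')"
    echo "ARP entry:       $(arp -n "$1" 2>&1)"
    if ping -c 1 -t 2 "$1" >/dev/null 2>&1; then
        echo "$1 answers ICMP echo; dpinger should mark the gateway up"
    else
        echo "$1 does not answer ICMP echo; dpinger will report the gateway down"
    fi
}

# Demo with the constructed addresses: sh wan_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    net=203.0.113.8; prefix=29; gw=203.0.113.14; wan=203.0.113.9; lan=192.168.1.25
    same_subnet "$wan" "$gw" "$prefix" && echo "$wan and $gw share $net/$prefix"
    echo "addresses free for Virtual IPs:"; vip_candidates "$net" "$prefix" "$gw" "$wan"
    echo "port forward for IMAP/IMAPS:"; gen_portforward "$wan" "$lan" "143, 993"
    live_checks "$gw"
fi
```

With the constructed addresses the script reports four addresses free for Virtual IPs (.10 to .13), which matches the five usable addresses including the WAN itself that the post counts.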
marjohn56 (Hero Member, Posts: 1701, Karma: 179)
Reply #1 on: June 13, 2020, 06:52:57 pm
Similar to my /28.
OK, not an alias but Interfaces->Virtual IP for your extra addresses.
Is the Cisco handing out the WAN addresses? If so, and OPNsense is getting an address, then just check you have enabled the gateway monitor; it's disabled by default. Other than that it should just work out of the box.
Add your VIPs after you have got the basics working.
sparticle (Full Member, Posts: 107, Karma: 1)
Reply #2 on: June 13, 2020, 07:05:16 pm
@marjohn56
Many thanks for the reply.
The Cisco has a static IP config, /29 network. It takes the upper address as its GW address. It's not really handing out the addresses so much as it is part of, and is configured as, the GW for this /29 network.
The em0 OPNsense WAN interface is on the same /29 subnet, also takes one of the addresses, and uses the Cisco as its GW address.
All lights indicate all is well. The WANGW in the gateway monitor is showing down and we could not get the monitor to start. It's as if the /29 network is down. But all indications show it up at the Cisco etc.
Will have another attempt, but we have maybe been confused by the way the rules etc. work here.
We did think about reclaiming one of the used /29 addresses and bridging the em0 WAN interface to the Cisco. But that looked like we would lose all the functionality on the WAN interface and have to do that in the Cisco (hard work)!
Cheers
Spart
Last Edit: June 13, 2020, 07:07:33 pm by sparticle
firewall (Jr. Member, Posts: 98, Karma: 7)
Reply #3 on: June 17, 2020, 05:46:08 am
sparticle, welcome to the OPNsense community. As someone who clearly knows his networking, I can imagine this to be a frustrating experience for you thus far, but I hope you're able to move past it.
You have a somewhat complex setup... do I assume correctly that you're working with enterprise infrastructure, or even SMB? If so, this may present the first opportunity I've had to shill the business support services from Deciso (https://www.deciso.com/business-support/). The €299 may be money well spent for 2 hours of support just to move past your initial hurdle. If this ends up being a possibility, might I suggest you transact with them via email during initial correspondence so you can gather suggestions to try on your own & save the remote support to wrap everything up.
I'm a home user so I can't vouch for their support from experience. Just want to make sure you're aware of the option should it be appropriate!