IP Fixed for the WAN

[ipcancel]

Hi there,

First I apologize if I am mistaking few concepts I am very new into the networking game, lacking of knowledge obviously but I will try to fix it with time and also a ton of patience ...
So I recently bought a proctectli where I installed OPNsense on and as you may already guess I am facing a tiny problem, from my point of view it doesn't look like a big thing to solve but still I am walking in the fog here so I need your help guys.
What I want to do is to configure the WAN interface with a fixed address.
This is how I configured the fixed IP: Interfaces -> WAN ->  IPv4 Configuration Type -> Static IPv4
The problem with a fixed IP PC_1 doesn't have access to internet and I can't find what I am missing, I looked over few options in the OPNsense GUI but I don't want to brick every thing ... and I already played enough with plug/unplugged the monitor/keyboard into protectli during various installations ^_^


As a draw is always better than a long speech this is the topology (everything is wired, no wifi):
_ ISP_Modem has dhcp enable for a range 20-100 on subnet 192.168.1.0.
_ Laptop_1 gets its IP through ISP_Modem dhcp.
_ PC_1 uses an IP fixed


=============================
ISP_Modem ----------------------------------------  Protectli_FW  ---------------------- switch_(dumb one) ------------- PC_1
192.168.1.1(dhcp_enable)         WAN:192.168.1.50(dhcp)   LAN:192.168.1.254                               192.168.1.200(fixed)       
     |
     |
     --------------------------- Laptop_1 
                                192.168.1.30(dhcp) 
=============================
This works, this the default installation.
Laptop_1, nmap finds both protectli_FW and PC_1.
ISP_Modem shows Protectli_FW and Laptop_1.



=============================
ISP_Modem ----------------------------------------  Protectli_FW  ---------------------- switch_(dumb one) ------------- PC_1
192.168.1.1(dhcp_enable)          WAN:192.168.1.253(fixed)  LAN:192.168.1.254                              192.168.1.200(fixed)       
     |
     |
     --------------------------- Laptop 
                               192.168.1.30(dhcp) 
=============================
This doesn't work.
Attempt with WAN using an IP fixed doesn't work.
ISP_Modem shows Laptop_1 but not Protecli_FW.
Laptop_1, nmap still finds both protectcli_FW and PC_1.


If you need other info please ask me.
I hope someone can help me with this, thank you in advance

[marjohn56]

First thing, you cannot have both the LAN and WAN of the Opnsense instance using the same range. Set the LAN to 192.168.2.*, then try it.

[ipcancel]

Hi,

Thank you for your reply.
Well to be honest that's what I tried to do when installing OPNsense at first because from I saw before it was the right thing to do, but for some reason every times I tried the install went wrong and it ended not as intended so I gave up on this idea thinking I was doing it the wrong way and may be OPNsense was different, and finally the install succeed only when both WAN and LAN were on the same subnet, don't ask me why because I don't know >_<

So I follow your advice and from the webGUI it's okay ... well sort of ^^
I still can't reach internet, it looks like DNS are not available because after ping to google.com I get a response "Temporary failure in name resolution".

In case I mistype the manual configuration with a fixed IP on my OS(Ubuntu21.10 using netplan) I decided to turned on the OPNsense's DHCP service for the LAN only like this:
Service --> DHCPv4 --> LAN
range ................ 192.168.2.100---192.168.2.200
DNS servers ..... 9.9.9.9
                            8.8.8.8
Gateway  .......... 192.168.2.254


I also remove the blocked private IP:
Interfaces --> WAN/LAN --> 'Block private/bogon networks' --> not enable

ISP_Modem ----------------------------  Protecli_FW  ---------------------- switch_(dumb one) ------------- PC_1
192.168.1.1(dhcp_enable)     WAN:192.168.1.254(fixed)                    |                                          192.168.2.101(dhcp)
                                               LAN:192.168.2.254(fixed)                     |             
                                                                                                             | -----------------------------------  Laptop_1 
                                                                                                                                                        192.168.2.100(dhcp)
 
PC_1 ........ can ping ..... Laptop_1
PC_1 ........ can ping ..... Protectli_FW LAN interface
PC_1 ........ can ping ..... Protectli_FW WAN interface
PC_1 ........ can not ping ..... ISP_Modem
PC_1 ........ can not ping ..... google.com
PC_1 ........ can not ping ..... 8.8.8.8


Laptop_1 ........ can ping ..... PC_1
Laptop_1 ........ can ping ..... Protectli_FW LAN interface
Laptop_1 ........ can ping ..... Protectli_FW WAN interface
Laptop_1 ........ can not ping ..... ISP_Modem
Laptop_1 ........ can not ping ..... google.com
Laptop_1 ........ can not ping ..... 8.8.8.8
                                                                                       
Just in case I added a rule to the LAN interface to allow the traffic from the DNS into the LAN (took the idea on the blog homenetworkguy.com)
Action ................... Pass
protocol ................ TCP/UDP
Source .................. any
Source port ........... any
Destination ............ LAN address
Destination port ..... 53


From PC_1
~ : sudo ip route
default via 192.168.2.254 dev enp5s0 proto dhcp src 192.168.2.101 metric 100
192.168.2.0/24 dev enp5s0 proto kernel scope link src 192.168.2.101
192.168.2.254 dev enp5s0 proto dhcp scope link src 192.168.2.101 metric 100


~ : route -ne
Kernel IP routing table
Destination     Gateway              Genmask             Flags   MSS    Window   irtt Iface
0.0.0.0              192.168.2.254   0.0.0.0                   UG      0 0          0           enp5s0
192.168.2.0      0.0.0.0               255.255.255.0       U         0 0          0           enp5s0
192.168.2.254  0.0.0.0              255.255.255.255    UH       0 0         0           enp5s0

Now I am running out of idea, but I hope you see what I am doing wrong.
Thank you.

[marjohn56]

Reset opnsense to factory defaults, connect your configuring PC/laptop to the LAN of Opnsense, leave that PC on dhcp. On Opnsense, Leave WAN as DHCP, disable the block private Networks on the WAN inteface. Set your LAN to a 10.1.1.254. Set the dhcp server to a range 10.1.1.100 to 10.1.1.199. You should be good to go.

[ipcancel]

Leave WAN as DHCP

I do not understand this part, why a dhcp (client I guess ?) should be used here, sorry it may be me not thinking right or the lack of knowledge.
Does it mean that everybody do that, is it the recommended method to use OPNsense behind a Modem ? So having a IP fixed is not possible for the WAN ?

[marjohn56]

No, but in the first instance connect via dhcp, then you can see what Opnsense is doing and have a working system; you can then replicate gateways etc in static form. There is no benefit really in using statics anyway where you are double natting anyway, unless you wish to run servers inside the Opnsense LAN, even then you'll have issues because of the double NAT.

[ipcancel]

Humm I think I get what you meant I can now see the logic behind it.
I will probably need some help anyway to analyse "what Opnsense is doing", but why not, it is a way to get through it I will try that this week end hopefully and will give you some feedback after.
Thank you for your help.