1 LAN. 1 Router. 1 FW. 1 Switch. 1 AP. Easiest possible setup. Full stop.

[cookiemonster]

If yuo're determined to keep the "other router", it looks like you don't need OPN. As others have said in your case of not being a large enterprise with loads of public ips, ports, protocols to protect, there is no purpose a second would realistically have. Each will only get in the other's way and overcomplicate your setup, which by the way, since it sounds like you not be clear what router and firewalls do and how, I imagine there will be loads of follow up questions and "it's not working" sort of scenarios.

[lilsense]

I will need PoE. Which is on the Router. So I am keeping the Router. I also have a network inventory via Ubiquiti UNMS that I use on the Router,  with the Switch, not sure that can be done in OPNSense.

Just so that everyone here understands, Aircube from Ui comes with a Power Supply. And even if it's placed on a location where a plug is unavailable, you clearly stated your switch is a Layer3 which does routing anyway.

As Patrick has stated, what's the purpose of the router in the middle?

The only thing I would use the EdgeMax for is OSPF/BGP combo for various Routing scenarios with Edgeswitch, but Then again the EdgeMax would sit on the side and a Trunk between OPNsense and Edgeswitch would be established. Even still, you can install FRR on the OPNsense to do the same unless you are in to MPLS/ISP class stuff that OPNsense is having some issues with...

[Patrick M. Hausen]

Also, there is a Unifi Controller plugin for OPNsense in the community repository.

Of course you can keep the EdgeMax for UNMS and PoE but the just

- connect OPNsense directly to switch
- connect one port of the router to switch
- configure router to "switch mode" - my EdgeRouter X can do that, your's too, probably
- run DHCP server on OPNsense or router as you see fit
- consider that DHCP and DNS are integrated on OPNsense so you might want to run either both on the router or both on the firewall

But please forget this "firewall in fron of router" nonsense. Which it is.

[DragD]

I'm a newbie with OPNsense and I don't have enough experience with networking. This is what I've got working:

- the ISP provides an WAN UTP cable into the apartment, i.e. no DSL modem or other device
- DEC750:
  - the default WAN interface assigned to the default port 2, get IP from the ISP DHCP. The WAN UTP cable into port 2 
  - the default LAN interface assigned to the default port 1, leases IPs through DHCP
- D-LINK DGS-1100-08V2 switch:
  - factory defaults, only set to get dynamic from DHCP
  - UTP connected to DEC750 port 1, gets IP from LAN
- Asus RT-AC87U Router
  - set to Access Point mode
  - set to get dynamic from DHCP
  - UTP connected to the D-LINK switch, gets IP from LAN
- Wireless devices connect to the Asus RT-AC87U AP and get IPs from LAN
- Wired devices connect to the D-LINK switch and get IPs from LAN

@pmhausen Please, let me know if the above setup is wrong, why and how to set it up right. Thank you!

But please forget this "firewall in fron of router" nonsense. Which it is.

[Patrick M. Hausen]

@DragD please start a new thread. This one is kind of burned ... anyone starting to read from the top will probably not even make it to your post.

[SecCon]

Turned out to be a more tricky than I thought.

As in the previously posted image, of course, but when you are actually holding the cables and trying to figure out what goes where it is a bit of a challenge for me as a newbie when it comes to actual network configuration with firewall.

The ISP WAN cable goes into igb0 on the OPNSense machine. Then after that I have at least two options. Either I connect the LAN igb1 to the Routers WAN port, or, as Herr Pmhausen might suggest I connect it to the switch port1. Or even to the Routers eth1 port. Since the Router has POE ports and I need those, I am, for the n'th time, keeping it.

What happens when reconfiguring the OPNSense interfaces I am questioned about LAGG ( https://docs.opnsense.org/manual/other-interfaces.html?highlight=lagg#lagg ) and that is a very good question. I have no clue. I manage to give the OPNSense WAN and external IP, but after that it seems I am not able to connect it to the LAN.

There must be a default order to do this. And a default working configuration. I refuse to believe no one has done it.

As it is now I just feel I need to talk this through with someone since posting here with people that are not solution-oriented answering, is not very constructive.

[Patrick M. Hausen]

The ISP WAN cable goes into igb0 on the OPNSense machine. Then after that I have at least two options. Either I connect the LAN igb1 to the Routers WAN port, or, as Herr Pmhausen might suggest I connect it to the switch port1.

Not quite.

igb0 is LAN and goes into your router or your switch. igb1 is WAN and goes into your ISP connection. At least that's the factory configuration of a freshly installed OPNsense firewall.

HTH,
Patrick

[SecCon]

You are right. I forgot about that. I think I changed that in the firewall, since its a running configuration I also tried a few things on. Maybe I just have to do  a reset for that to get that right.

Yeah, interface igb0 is on Lan.

[SecCon]

Coming to think of it, I could demote the Router, removing dhcp from it and use it only as switch leaving the routing and DHCP to OPNSense.

That would be going a bit off my original plan, but would allow me to keep the PoE and have the EdgeMax6P as a backup router should the OPNSense machine fail somehow.

[warhawk8080]

If you leave NAT enabled on the ISP router, you will have to have a different subnet between the ISP and OPNsense, then more or less port forward thru both routers (referred to double NATing)

Code: [Select]

        ISP ROUTER                           |                         OPNsense                    |                        NETWORK
WAN       ->    |NAT|        LAN            ->            WAN       ->  |NAT|        LAN           ->            SWITCH   ->   COMPUTERS
75.32.53.67     |NAT|     192.168.0.1        |       192.168.0.2        |NAT|     192.168.1.1       ->                   DHCP
https://helpdeskgeek.com/networking/what-is-double-nat-and-how-to-fix-it-on-a-network/

[SecCon]

Not sure what you are saying here cause I can't access the configuration of the ISP box. It's handled by the ISP company only. If you by that are referring to the Router that is currently connected to the ISP box, well that's a different thing.