[solved] Reconfiguring WAN Interface (and staying secure)

Started by schnipp, August 11, 2023, 12:20:12 PM

In the past my OPNsense was connected to the Internet over DSL using PPPoE. Now, time has gone and my ISP has changed. From now on, my Internet connection uses a cable router (CGNAT for IPv4 and native IPv6). So, I have to reconfigure the WAN interface by switching from a virtual PPPoE interface to a native ethernet interface (IPv4 over CGNAT and native IPv6). Double/triple NAT doesn't matter here and will be adjusted in the future.

I am not really sure how OPNsense identifies the WAN interface. In the past I used the console, but configuring the WAN interface this way drops the whole network configuration.

I guess that generally all network interfaces are equal, regardless of whether they are used as WAN or LAN. So, I did the following steps for reconfiguration and would like to get your comments on whether I did everything right, with regard to practical OPNsense behaviour, to stay secure with my adjusted firewall setup.


  • Disabling the PPPoE interface
  • Configuring the native ethernet interface (formerly the parent of the PPPoE interface) to DHCP
  • Reconfiguring the default gateway (System -> Gateways -> Single) to the new public interface
  • Adjusting inbound and outbound NAT to the new public interface
  • Moving firewall rules from the PPPoE to the new WAN interface

OPNsense 24.7.11_2-amd64

Can any of the developers make a statement on this? The documentation is not really clear in this aspect.

Thanks.
OPNsense 24.7.11_2-amd64

If you are not limited by the number of ethernet interfaces your OPNsense hardware or VM has, you can easily create an interface called "WAN2" and prepare it with all the configuration, firewall and NAT rules that you need. Once you want to switch over, you can change the priority of its gateway from 255 to 245 and all devices on your network will then start to use the WAN2.
Hardware:
DEC740

Quote from: Monviech on August 14, 2023, 05:22:43 PM
If you are not limited...

Thanks. But this does not answer my question. I wanted to know whether all interfaces (LAN, WAN, ...) are treated equally from the technical perspective of the implementation and whether my approach does not introduce any security issues.
OPNsense 24.7.11_2-amd64

If you switch the connectivity type of WAN, e.g. from PPPoE to DHCP, nothing will change regarding your inbound firewall policy, because the rules use the symbolic names, not the underlying interface.

If you never created any special "allow" rules for your WAN, then after switching the policy will be "deny all" just as it is now. If you did, you need to inspect these rules and possibly adjust.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
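
The point about symbolic names can be checked offline against an exported configuration backup. The following is an added example, not part of the thread and not OPNsense code: it lists which filter, port-forward and outbound NAT rules are bound to a given symbolic interface name. The XML layout, the sample configuration and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout of config.xml is assumed, not taken from the thread.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>pppoe0</if><descr>DSL</descr><ipaddr>pppoe</ipaddr></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>opt1</interface><descr>HTTPS to DMZ</descr></rule>
    <rule><type>pass</type><interface>lan</interface><descr>LAN out</descr></rule>
    <rule><type>block</type><interface>wan</interface><descr>Drop bogons</descr></rule>
  </filter>
  <nat>
    <rule><interface>opt1</interface><descr>Forward 443</descr></rule>
    <outbound><rule><interface>wan</interface><descr>LAN to WAN</descr></rule></outbound>
  </nat>
</opnsense>"""

# Rule sections to audit, as paths relative to the document root (assumed layout).
SECTIONS = {"filter": "filter/rule", "port forward": "nat/rule",
            "outbound NAT": "nat/outbound/rule"}

def device_of(xml_text, if_key):
    """Map a symbolic name (wan, lan, opt1, ...) to its underlying device."""
    return ET.fromstring(xml_text).findtext(f"interfaces/{if_key}/if")

def rules_bound_to(xml_text, if_key):
    """Return (section, type, description) for each rule bound to if_key."""
    root = ET.fromstring(xml_text)
    hits = []
    for section, path in SECTIONS.items():
        for rule in root.findall(path):
            # One rule may name several comma-separated interfaces (assumption).
            names = [n.strip() for n in (rule.findtext("interface") or "").split(",")]
            if if_key in names:
                hits.append((section, rule.findtext("type") or "-",
                             rule.findtext("descr") or ""))
    return hits

def pass_rules(xml_text, if_key):
    """Inbound 'pass' filter rules on if_key: the ones to inspect after a switch."""
    return [r for r in rules_bound_to(xml_text, if_key)
            if r[0] == "filter" and r[1] == "pass"]

if __name__ == "__main__":
    for key in ("opt1", "wan"):
        print(key, "->", device_of(SAMPLE_CONFIG, key))
        for hit in rules_bound_to(SAMPLE_CONFIG, key):
            print("   ", hit)
```

In the constructed sample the pass rule and the port forward stay attached to `opt1` (the old PPPoE interface), so they would not apply on `wan` until moved, while rules already bound to `wan` are unaffected by a change of its underlying device.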

August 14, 2023, 09:24:39 PM #5 Last Edit: August 14, 2023, 09:26:20 PM by schnipp
Thanks for the information. Then I wasn't entirely wrong with my guess.
OPNsense 24.7.11_2-amd64

Quote from: Patrick M. Hausen on August 14, 2023, 07:12:36 PM
If you switch the connectivity type of WAN, e.g. from PPPoE to DHCP, nothing will change regarding your inbound firewall policy, because the rules use the symbolic names, not the underlying interface.

I'd recommend this as it retains all changes to the WAN interface. Some rules may have to be manually fixed, but normally on PPPoE and DHCP you don't set explicit static ranges anyway.


Cheers,
Franco

Thanks, reconfiguration went fine  :)
OPNsense 24.7.11_2-amd64

Well, I guess this thread answers my question as to whether or not you were still seeing PPPoE instability - as you were back in 18.x/19.x, I came across the loop bug report - but you're not using PPPoE any more :)

... although I assume you weren't, up until the migration to DHCP WAN?