Can I test OpnSense behind an existing router / modem?

Started by NetGobbler, August 16, 2021, 03:21:09 AM

Hello,

I suspect this might be a dumb question, sorry!

I have an existing, standard VDSL modem / router / switch / ap combo, as a normal home internet user.
Since I'm extremely new to OpnSense, is it possible for me to run my intended OpnSense machine 'behind' this modem / router and configure it beforehand?

I could assign it a fixed IP address on my current router, then configure the WAN port on that address, right?

This would allow me to set up DHCP, time zones, get fluent with the user interface, and god knows what else I need to learn.
Would this work? I don't want to be 'fiddling' with my internet connection too much, lest my wife kill me.

(When it's in 'production' I at least need Netflix working ASAP!)

Yes, this will work.

The alternative is to directly connect a computer on the LAN port so that the computer NIC gets a LAN IP assigned by OPNsense and you can connect directly to 192.168.1.1. Essentially an offline setup (you won't be able to connect to the internet in this setup). I set my box up this way (VLANs, FW rules etc.) and then just switched it into my network.

Hi,

Thanks, that was my intention: router in front, a PC behind it (that can still use the internet).
Let's say my existing modem / router is
192.168.0.254
The new OpnSense box is
192.168.0.1

Can the PC behind OpnSense be 192.168.0.2 and still be capable of seeing the web interface for the modem? Or is it blocked off from that network?

August 17, 2021, 12:56:08 AM #3 Last Edit: August 17, 2021, 05:16:12 AM by Greelan
You won't get an IP from the router on the PC NIC that is connected to the OPNsense LAN port. That NIC will get an IP in the OPNsense LAN subnet (192.168.1.1/24). You can probably switch to wifi on the PC to access the router subnet as needed. Or you might be able to get direct access if the routing allows it.

Note that by default the WAN interface blocks private IPs, so in this interim setup you may not get an IP from the router until you disable that (re-enable it after OPNsense is deployed).

I've hit a stumbling block, unfortunately.

I did some testing. With the unit not connected to my network, it successfully hands out 192.168.1.x IPs on the LAN port for me. (I've actually hooked up the LAN port to a wireless AP so I can remotely administer it and put it elsewhere in the house.)

This appeared to work at first: I could access the web interface and configure OpnSense remotely, great.
At this point NOTHING was connected to the WAN port (set to DHCP).

I then moved the unit to the desired testing location and plugged a cable from my router (handing out DHCP addresses) into the WAN port of the OpnSense box (again, set to DHCP).


I can access the internet fine, I have the desired 192.168.1.x IP address, but I can no longer see the OpnSense administration web page on 192.168.1.1 despite being able to ping it?

Is there some kind of firewall or management LAN rule where clients will be unable to see the WebUI once the internet is up?

Actually, by default there is an anti-lockout rule on LAN which will continue to allow access to the webgui. Also by default the webgui listens on all interfaces.

To clarify - your WAN gets an IP in 192.168.0.0/24, your LAN gets 192.168.1.1, and the PC you are using to configure gets an IP in 192.168.1.0/24?

Quote from: Greelan on August 17, 2021, 05:34:28 AM
Actually, by default there is an anti-lockout rule on LAN which will continue to allow access to the webgui. Also by default the webgui listens on all interfaces.

To clarify - your WAN gets an IP in 192.168.0.0/24, your LAN gets 192.168.1.1, and the PC you are using to configure gets an IP in 192.168.1.0/24?

Yes, you're correct.

The WAN port is set to DHCP, collecting from my modem / router.
I can even confirm the WAN port was allocated 192.168.0.135 on the 'real' side of my network.

My laptop, connecting to the OpnSense AP, has got 192.168.1.7 (as per the scope on OpnSense).

I can ping the internet.
I can ping my devices on the other side of OpnSense (I find this surprising!), like my 'real' router on 192.168.0.254.
I can ping OpnSense on 192.168.1.1.

I just can't see a WebUI on 192.168.1.1 (behind OpnSense), nor can I see it on 192.168.0.135 on the 'other side' of the network.

ERR_SSL_PROTOCOL_ERROR

Well, I don't know what to say, I'm a bit confused.


I unplugged it, 3rd time today.
Moved it back here.

Enabled SSH because I assumed I broke the web cert somehow.
(Second post here)

https://forum.opnsense.org/index.php?topic=21189.0


Shut it back down, moved it back and plugged it in. Great, I'll SSH in, fix this cert and start testing!
Web UI worked straight away anyhow?

Baffled but happy.

Great you got it sorted. Certificate errors would be expected given the cert is self-signed and as a result of the redirect from http to https, but you should still be able to click through on most browsers.

Hello,

I'm back!
So it's been working for a few days, with only a handful of machines using it, while the rest of the network is untouched.


The WAN port is still 192.168.0.142 (my own 'normal' network).
The LAN port is handing out 192.168.1.x.

I would like to start creating DHCP reservations on it, for when it's my main router / DHCP server.
Can I still create 192.168.0.x reservations? It seems kind of extremely unlikely I can have 192.168.0.x 'twice', so to speak.

Obviously no devices will be attached to both networks, as it's impossible. Once I take a device off wifi (normal modem) and add it to the new wifi network (different device), the first network shouldn't be able to see it; I'm ok with that during testing.