OPNsense Forum » English Forums » General Discussion
Topic: 3rd party routers with respective sub-networks behind opnsense. (Read 1227 times)
guest31649 (Guest)
3rd party routers with respective sub-networks behind opnsense.
« on: March 09, 2022, 01:34:22 am »
Hi,
First off, sorry if this is in the wrong section.
I am trying to work out how best to integrate an OPNsense firewall into a 'weird' network (at least I think it is).
The network is a self-contained system with a single static WAN IP to the outside world (the WAN IP is provided from a much bigger network, i.e. a network port on the wall; for all intents and purposes it's a static, publicly accessible WAN connection).
The network contains several 'managed devices' that are operated by 3rd party companies that offer services needed by us. These devices have their OWN router-type device that is used by them to dial back to their respective homes and initiate connections into their devices. EDIT: clarification - their devices are servers with multiple Ethernet interfaces, so one interface connects to their network and router to facilitate the service, and the other Ethernet interface is connected to our LAN to then allow data to move from the server to our LAN devices. The 3rd party stuff is to facilitate digital delivery of large files.
Still with me?
I need to work out the best way to connect all these systems together.... Double NAT is a real risk, and I want to make it such that, should a 'future' 3rd party device be needed, adding it in is simple and not the bit of a mess that it currently would be.
The issue I have is that these 3rd party routers (one is a DrayTek Vigor, the other an EdgeRouter X) all want to use the default OpenVPN port, and I've been trying to find a way to connect everything via our single WAN such that they work together....
It is possible I could get more static WANs assigned, but knowing how to use OPNsense to route these is also hard for me to understand (I'm lacking the knowledge of the right terminology to use to find the right documentation).
So far I have connected things using a 'basic DMZ' principle following this tutorial:
https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/
using the logical network approach (i.e. VLANs).
/-> edgerouter X
/-> vlan-tagged-dmz-network-with-dhcp -> netgear gsm7352sv2 -> draytek
WAN -> Opnsense -> non-vlan-tagged-lan -> netgear gsm7352sv2 switch -> lan VLANS
Sorry if that's formatted badly; I'll try to work out a better way to draw it. TL;DR: there is a tagged VLAN and an untagged LAN on the switch. There is a single 10G SFP+ link between OPNsense and the switch. From the switch, the tagged VLAN has the WAN connections of the DrayTek and EdgeRouter X connected (these are assigned IPs via DHCP inside OPNsense), and on the untagged side is the rest of our LAN equipment.
I suppose what I'm asking for is a rough idea of what approach I need to take to allow this to work... Do I need to go down the route of multiple WAN IPs and virtual IPs? Is there a way to deal with double NAT? I'm trying to understand the 'right' terminology to use to allow me to then ask the 'right' questions...
I would add that the 3rd party devices do need the ability for WAN access (the DrayTek device has multiple port forwarding rules internal to its configuration to allow for remote web GUI access etc.).
If I can understand the path I need to take and the questions/terminology I should be asking and using, I can then better understand what documentation I need to read etc.
Hope that makes sense?
Owen.
guest31649 (Guest)
Re: 3rd party routers with respective sub-networks behind opnsense.
« Reply #1 on: March 13, 2022, 03:11:25 am »
Just a self-answer, I suppose.
Even then it's still likely wrong, but without anyone telling me otherwise it's hard to know...
I have at least 2x public WAN IPs, so one is set for the OPNsense firewall device, and I set the other as a static WAN within one 3rd party router (i.e. they did). I then configured a VLAN interface, and a bridge between WAN and the VLAN network.
This does seem to work, although I am aware that bridges create a CPU overhead, but it doesn't seem to have caused an issue yet (day 2 of this setup).
I'm not sure if that actually IS the way to do things properly, and I have an issue with getting the 3rd party devices properly set up with static IPs, as they need access to set the IP, but cannot get access because without the static IP there is none...... I was hoping for a way that made this sort of configuration easier.
I'm still interested in people's opinions as to the best way to do this, as I'm not sure if a bridge is the best way, albeit the only way I have found via experimentation.
Owen.