double nat design considerations?

Started by 4fred, December 12, 2023, 11:21:11 PM

Thank you. I take it that "Add associated rule" is on at the bottom, out of shot.

However, before continuing with any tracing, I am sorry that I am still puzzled by this statement which, however well understood by you, remains a little ambiguous for me.
Quote from: 4fred on December 19, 2023, 09:40:47 PM
Step one is to protect/remove the things -I- care about protecting from the family's stuff. Not just buy anything and walk over to the router and connect to network. Cheap trinkets made in wherever probably crap leaking god knows what... THESE are the "experimental devices".

Is it your primary aim that experimental devices have no access to family devices, in case of buggy, dangerous or malicious code on experimental devices in the lab?

Our present route is the opposite, that family devices are unprotected internally, while family devices are to be given limited access to a web server among the experimental. Is this the correct route?
Deciso DEC697
+crowdsec +wireguard

"Add associated rule" - I tried with and without it (creating rule manually), no matter - still no dice.
Is the NAT rule correctly created?
To be very clear. What I'm doing now is just a TEST. I picked port 80 and a website cuz it's simple to test.

The much much longer plan is something like this and probably is subject to change.
What I have now is a problem. Walking through the place looking at all kinds of shit I do not trust. A Chinese made vacuum cleaner. Internet connected lights I have no idea where they are made. Some tablets made god knows where running god knows what. And these are just a few of the things - and yes, all this shit really needs to work. They cast, they share links and they do what they do.. not just "them" also wife and extended family.
So to keep the "shit" running and connected while I do something like this.
Let's call shit ISP-LAN, the only LAN I have now.
Move one step back from ISP-LAN and firewall a new LAN. Place what I want to protect from ISP-LAN here and make it accessible (if needed). How I publish things between the networks I'm not certain of yet, maybe NGINX or something like that - no matter HOW, I will need to open ports, and that is the only question I have right now - and I cannot get that to work.

In the longer term probably give opnsense more legs and capabilities. WiFi, Guest Network, multiple LANs, device isolation? VPN, Proxy, filtering? And so on. And move device after device to make sure they work as expected to keep ppl from panicking me while I'm doing it. What then is left of ISP-LAN is just IOT shit that everyone can access but it cannot access anything but other IOT shit - if I do not isolate these in another way... if...

So. What I have is a bad situation, most ppl probably have this and don't care, sadly I do and I really have no idea how I ended up here...

Thanks, I did not see an error in the NAT rule so we need to test it. In 'Firewall->NAT->Port Forward' it should look like this:
<-->   WAN   TCP   *   *   WAN address   80 (HTTP)   192.168.1.10   80 (HTTP)

Regarding your aim, we are on the correct route. I see what you are setting out to do. My own network is configured into multiple zones including one for an internet-facing server and one for a completely locked down NVR (I call that zone Prison) accessible only from a management zone directly or by VPN. The NVR runs off an internal router with NAT for access from the Management zone, a separate function from NAT on the perimeter to the server. So, while I have edge NAT and internal NAT, I do not have double NAT; nor do you at present.

Your need is not complex (despite our hitting two pages). This is something I have done without difficulty despite not being a network expert, so let us continue and I will call out to actual experts if I hit a wall. I read that the Opnsense WAN address, by DHCP from your ISP router, is 192.168.1.10 (if it is not, we are doing the wrong tests).

Depending on what tools you have to hand, please run either one of the following commands from an ISP-zone PC:
nc -vz 192.168.1.10 80 or nmap -Pn -p80 192.168.1.10
We are simply testing whether the port is open at the Opnsense address. Ping does not cut it here.

For surety, please also verify that all subnets are set to /24, or 255.255.255.0. This is to exclude one potential routing error.
Deciso DEC697
+crowdsec +wireguard
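The two checks in the post above (is the port open at the OPNsense WAN address, and are the subnet masks what you think they are) can be scripted so they are repeatable while the port forward is being debugged. The script below is an added example and not code from the thread or from OPNsense; it uses the thread's WAN address 192.168.1.10/24 and a constructed inner LAN of 192.168.10.0/24. It goes one step beyond the post: besides converting prefixes to masks it checks that the ISP-side WAN subnet and the inner LAN subnet do not overlap, which is the addressing mistake that silently breaks a double-NAT layout (traffic for the inner LAN never leaves the ISP LAN). The port probe uses `nc -z -w 3`, which works with the OpenBSD, GNU and Nmap netcat variants.

```shell
#!/bin/sh
# Added example (not from the thread): addressing and reachability checks for
# an OPNsense box whose WAN sits behind an ISP router (double NAT).

# prefix_to_mask <prefix> : 24 -> 255.255.255.0
prefix_to_mask() {
    pl=$1
    m=$(( (4294967295 << (32 - pl)) & 4294967295 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# ip_to_int <dotted-ip> : 192.168.1.10 -> 3232235786
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip <integer> : inverse of ip_to_int
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of <ip> <prefix> : the network address, e.g. 192.168.1.10 24 -> 192.168.1.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$(prefix_to_mask "$2")") ))
}

# subnets_overlap <ip1> <prefix1> <ip2> <prefix2> : exit 0 if the two networks
# share any address. Two networks overlap iff they agree on the shorter prefix.
subnets_overlap() {
    short=$2
    [ "$4" -lt "$short" ] && short=$4
    [ "$(network_of "$1" "$short")" = "$(network_of "$3" "$short")" ]
}

# check_double_nat_addressing <wan_ip> <wan_prefix> <lan_ip> <lan_prefix>
# The OPNsense WAN lives on the ISP LAN; the inner LAN must be a different subnet.
check_double_nat_addressing() {
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "CONFLICT: WAN $1/$2 and LAN $3/$4 overlap; forwards and return routes will break"
        return 1
    fi
    echo "OK: WAN $1/$2 (mask $(prefix_to_mask "$2")) and LAN $3/$4 (mask $(prefix_to_mask "$4")) are distinct"
    return 0
}

# port_open <host> <port> : the thread's 'nc -vz' test with a 3 s connect
# timeout so a dropped packet does not hang the check. Exit 0 if the port answers.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

demo() {
    # WAN 192.168.1.10/24 is from the thread; LAN 192.168.10.0/24 is a constructed value.
    check_double_nat_addressing 192.168.1.10 24 192.168.10.1 24
    # The common mistake: inner LAN left on the same 192.168.1.0/24 as the ISP LAN.
    check_double_nat_addressing 192.168.1.10 24 192.168.1.1 24 || true
    # Run the reachability probe only when asked, since it needs a live network.
    if [ "${PROBE:-0}" = 1 ]; then
        if port_open 192.168.1.10 80; then
            echo "port 80 open at 192.168.1.10"
        else
            echo "port 80 NOT reachable at 192.168.1.10 (forward, firewall rule, or mask)"
        fi
    fi
}

demo
```

Run it as-is for the addressing check; set `PROBE=1` on a PC in the ISP zone to also run the port test. If the probe fails but the addressing check is fine, the problem is in the port-forward or its associated firewall rule rather than in routing.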