Tutorial 2023-11 Bridge Modem access - using VIPs

Started by bucky2780, November 11, 2023, 11:14:57 AM

Quote from: meyergru on October 14, 2025, 05:44:27 PM
First try to ping the device from OpnSense CLI itself.

Gotcha, of course it doesn't work :D no route to host

Quote
If that works - without the possibility to add a back route from the modem - you need a working NAT rule. How that must be done depends largely on your WAN setup (i.e. DHCP / VLAN / PPPoE), but essentially has to be done via a manual NAT rule that is prioritized higher than automatic rules from the LAN network on the interface that the modem is connected to and with exactly the VIP address.

I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?

Quote
This rule potentially does not use the WAN link, but its underlying interface, e.g. in the case of PPPoE.

Is that an automatic thing or do I need to create something like a MODEM interface on igc1 and use that instead?

October 14, 2025, 09:26:36 PM #16 Last Edit: October 14, 2025, 09:33:35 PM by meyergru
Quote from: cottec on October 14, 2025, 08:17:59 PM
Gotcha, of course it doesn't work :D no route to host

So, there is no route (as expected), but no correct NAT, either.

Quote from: cottec on October 14, 2025, 08:17:59 PM
I use PPPoE and the Vigor 167 modem is in bridge mode.
Does that mean I can't use the hybrid rules and instead have to set up the automatic rules manually but then order them under the new one for that modem access?
Anything that could be set up in the modem to make my life easier?

Is that an automatic thing or do I need to create something like a MODEM interface on igc1 and use that instead?

You need a MODEM interface. You can even give that an IP directly, because normally, it does not have one - no need for a VIP. In fact, remove it, wherever you have put that. Do not forget to disable "block RFC1918 IPs" on the MODEM interface.

After having created this, you should be able to ping the modem IP from OpnSense CLI.

Afterward, you need a NAT rule from your LAN. Use hybrid rules, with "manual rules before automatic rules", and create one rule for the MODEM interface.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Argh, sorry, made a really dumb mistake here...
My WireGuard was configured to x.x.10.x as well ...


I now put the modem into another one and it just worked.... :)

Should I switch back to the VIP configuration or doesn't it matter at all?

You only need a VIP if the interface itself needs other IP ranges for WAN connectivity. With PPPoE, the underlying physical interface normally needs no IP, so you can just configure it directly on the interface. With a pure static or DHCP connection on WAN without any VLAN, you must use a VIP, because in that case, the WAN IP plus the modem access IP will be needed.
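The setup meyergru describes above, written out as the pf rules that OPNsense's GUI settings correspond to (an added illustration, not something posted in the thread). Assumed and constructed: igc0 is LAN (192.168.1.0/24), igc1 is the physical NIC under the PPPoE session, the modem answers on 192.168.10.1/30, the MODEM interface gets 192.168.10.2, and the workstation is 192.168.1.50.

```pf
# Constructed example addresses; pppoe0 (not shown) carries the public WAN IP.
lan_if        = "igc0"
modem_if      = "igc1"             # physical NIC the bridged modem hangs off
lan_net       = "192.168.1.0/24"
workstation   = "192.168.1.50"
modem_ip      = "192.168.10.1"     # modem management address (constructed)
modem_if_addr = "192.168.10.2"     # address assigned directly to the MODEM interface

# Outbound NAT (Firewall > NAT > Outbound, hybrid mode, manual rule ordered first).
# Bound to igc1, not pppoe0: the modem is reached on the physical link.
# The bridged modem has no route back to the LAN, so LAN sources are rewritten
# to the interface's own address on the modem subnet.
nat on $modem_if inet from $lan_net to $modem_ip -> $modem_if_addr

# Static or DHCP WAN without PPPoE: igc1 already carries the WAN address, so the
# modem-subnet address is added as a Virtual IP alias and used as the translation
# target instead. The rule shape stays the same, only the right-hand side changes.
# nat on $modem_if inet from $lan_net to $modem_ip -> 192.168.10.2   # VIP alias

# "Block private networks" must stay OFF on the MODEM interface, otherwise the
# auto-generated block rule for RFC1918 space on igc1 covers the modem's own subnet.

# LAN-side pass rule. The default LAN "allow any" rule already matches this traffic,
# so no floating rule is needed; restricting it to one host and the modem's HTTPS
# port (as fastboot did) is the least-privilege variant.
pass in quick on $lan_if inet proto tcp from $workstation to $modem_ip port 443 keep state
```

Check the result from the OPNsense shell with `pfctl -sn` (NAT rules) and `pfctl -sr` (filter rules) to confirm the manual NAT entry is listed before the automatic LAN rules.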

Understood, thanks!
Is it advisable to disable the Interface and only activate it if there's something to check on the modem?

No.

I have a strange behavior that makes me really wonder....


So..... I tried to use the physical interface and gave it a mgmt IP, like meyergru mentioned.

1. VIP removed
2. physical interface = UP. BLOCK bogon & private networks = enabled.
3. set IP x.x.x.2/30
4. have the NAT rule outbound. Limited to tcp 443 and only the .1 from my Workstation
5. Disabled the floating rule out of curiosity
=> I still can reach the Modem from my Workstation. My assumption is, as LAN can go everywhere, I do not need the floating rule at all.

Note: The Workstation is in my LAN. LAN is trusted zone and everything outgoing is allowed.


Ideas?

@meyergru

October 25, 2025, 02:24:26 PM #22 Last Edit: October 25, 2025, 02:27:08 PM by meyergru
Quote from: fastboot on October 25, 2025, 02:18:49 PM
2. physical interface = UP. BLOCK bogon & private networks = enabled.

???

As for your question: Was a connection running when you disabled the rule? Then the states may still be cached to allow it. And yes, there normally is a default "allow any" rule for the first LAN.

Hi,


I just verified it. In my case the floating rule is not needed, as the LAN rule will cover it. Tbh I was wondering why the floating rule is recommended; since the flow from the origin is allowed on the GW itself, it will pass through the FW.

Q: Why is the floating rule in this case recommended?