ISP router behind opnsense / opnsense in front of ISP router

Started by neerajgs, August 12, 2024, 02:46:56 PM

Hello All:

I am absolutely new to OpnSense and need help.

My ISP has given an internet connection through a router (given by them) that has Fibre Optic at termination point. The internet connection type is PPPoE.
The router also has WiFi and 2 RJ45 ports and I plugged in a Cat 6 cable from one of the RJ45s in to an unmanaged network switch. IP addresses are allotted from this router to other devices over wired and WiFi and the internet works just fine.

Enter my OpnSense system, which unfortunately does not have a fibre optic port, but 2 RJ45s, so I am forced to use the aforesaid router.

I connected a cable from one RJ45 port of the router to one of the RJ45 ports of the OpnSense device (it got a class 3 IP from the router and I managed to update OpnSense, but that's it!). Just couldn't set it up to get internet through it to other computers, let alone get the firewall working.

Can't figure out how to set it up.

Please help.

Thanks & Regards
Neeraj

Not an easy setup for a newbie. As you have discovered, ISP routers normally bridge all their ports, so it essentially becomes a router and switch in one. You plug anything into it, and it will connect with everything else and they'll be NATed out to the outside world.
That is exactly what happened when OPN was plugged in. It was treated as a client device, not one that will route packets between interfaces, and it won't behave as a switch either.
Are you sure the router is accepting fiber from the ONT? Can you check if the WAN port in the ISP-provided router is using RJ45? In other words, is the fiber definitively not going to an ONT before going to the router?

Hi and thank you for the response.

I am positive that the router takes in only optic fibre for internet connection. There are just 3 ports. The Fibre Optic and 2 RJ45 LANs.

Regards
Neeraj

OK then. I suggest investigating whether their router can be put in bridge mode. If it can, then do so and all it'll do is convert the optical to electrical signal and OPN can attempt to establish the PPPoE connection.
What do you want to achieve by the way?

Most "ISP routers" have an option in their settings to bridge the entire device, they're all different but normally this would mean that any device plugged in on any LAN port would get an "external" IP directly, and depending on the ISP you either have one external IP assigned, or multiple. If you only have one, plugging in multiple devices would then lead to either the new one "taking over" the IP, or a new IP, or the new one being unable to connect since there is a DHCP lease for the single external IP available.

The reason I'm mentioning this is that it can become really annoying to troubleshoot if you involve multiple devices behind the bridge and your ISP only allows one IP, so if possible, try not to involve any laptops or other devices when testing out the "bridge" mode of your router, as it may hog the lease and lead to much confusion when opnsense does not get an IP ("it just worked on the laptop" etc). I.e. when bridge mode has been enabled and it restarts (usually), make sure nothing, then your opnsense router, is the only thing plugged in ASAP.

Regardless, if you can bridge your "ISP router", you should be able to have a cable go from one of the LAN ports on that device to the WAN port on your opnsense router, then set it up as normal.

@cookiemonster Yes, the ISP's router can be put in bridge mode.


@audun thank you for the response.



I am afraid I don't know what "normal" is (since this is my first time). I watched an online video and bridged the LAN and WAN on OpnSense, but that didn't work either.

Could you explain in a bit more detail?

After bridging on the router, does the cable from the LAN port of the router go into the WAN of OpnSense? And another cable from the other RJ45 port of OpnSense to the network switch? If so, does the OpnSense WAN get IP via DHCP of the fibre optic router or should I put a static? On the same subnet 192.168.1.2 (192.16.1.1 being the router). And is the LAN required to be put on a separate subnet?

Thanks
Neeraj

Quote: I watched an online video and bridged the LAN and WAN on OpnSense, but that didn't work either.

Why would you want to bridge WAN and LAN in opnsense? If you want it to be a router, you certainly do not want those interfaces to be "one interface", you want them to be separate because WAN is where "the internet" comes in, and LAN is where your local network will talk to opnsense that normally runs a DHCP server to assign them internal IP addresses.

If I don't misremember, the creation of a LAN port and a WAN port is done out of the box in opnsense, and I believe it also runs a DHCP server so you shouldn't have to do anything except connect "the internet" to the WAN port and "the local network" to LAN. If you didn't try that before making configuration changes, maybe try that first.

I have a bridge in my setup, but that's because I have more than two ethernet ports, so I bridge multiple LAN ports together so they all can be used to connect devices "behind" the router.

Quote: After bridging on the router, does the cable from the LAN port of the router go into the WAN of OpnSense?
Yes.

Quote: And another cable from the other RJ45 port of OpnSense to the network switch?
Yes.

Quote: If so, does the OpnSense WAN get IP via DHCP of the fibre optic router or should I put a static?
Impossible to answer because it depends on your ISP, but almost all ISPs give out IP via DHCP, not static.

Quote: And is the LAN required to be put on a separate subnet?
The IP you get from your ISP will very likely be an external IP address, or if you're unlucky a CGNAT address. Regardless of which it is, your LAN should have its own subnet (like 192.168.1.1/24) that opnsense will give out IP addresses in to your local devices via its built-in DHCP server.

The CGNAT point is a very valid one but putting it aside for now.
You put your ISP's router in bridge mode. What that does is disable the router services required to create an internal network, like DNS recursion, DHCP server, and more, so it acts more like a modem, but in your case you're also using it to terminate a fiber connection and convert it into an ethernet one.
You MUST find out from your ISP or their forums or tech support what the required credentials are for establishing the PPPoE connection. That means once the equipment is able to talk to each other, the ISP needs to authenticate and authorise the connection. Each customer will have different credentials.

Then in OPN it is a matter of plugging the ethernet cable that is coming out of your ISP router in bridge mode into the WAN port of OPN.
Then the LAN port of the OPN device is where you connect your clients and is your LAN interface by default. You might need to reinitialise the interface assignments. You normally put a switch there however. This is a LAN interface, meant to connect all your clients into.

Once you have the WAN connection established, then just follow the docs.

@audun @cookiemonster. Thank you so much for all the time you are putting in.

@audun I followed your instructions. Just a bit of clarification required here. The fibre optic router gets its external IP from the ISP as you rightly said. Its DHCP service allocates IP addresses on the 192.168.1.x series. In the OpnSense hardware, should the LAN and WAN both get their IPs from the router in the 192.168.1.x series? And what should their gateways & DNS be?

I figure on the OpnSense, the WAN's IP should be on the 192.168.1.x series (static) but (should have its gateway and DNS as the router's LAN IP 192.168.1.1) and LAN's IP should be on the WAN's IP and its gateway and DNS as the WAN's IP.

Do I get that right? Please advise / correct me.

Thank you
Neeraj

Quote from: neerajgs on August 14, 2024, 11:13:27 AM
@audun I followed your instructions. Just a bit of clarification required here. The fibre optic router gets its external IP from the ISP as you rightly said. Its DHCP service allocates IP addresses on the 192.168.1.x series.
If you put the router in bridge mode, it does not do that any more. That's the point of bridge mode.

You connect OPNsense WAN to one of the LAN ports of that router (in bridge mode) and OPNsense gets its external IP address via DHCP from your ISP and serves private IP addresses like 192.168.1.x to your clients connected to the LAN port of OPNsense.

I - as probably the other people who offered advice here - assume that is the end result you want to achieve. Replacing the router with OPNsense for all routing, NATing and firewalling services.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: neerajgs on August 14, 2024, 11:13:27 AM
I figure on the OpnSense, the WAN's IP should be on the 192.168.1.x series
No. The WAN port is facing your ISP. It should not be using a local IP. Since you mentioned in your first post that this is a PPPoE connection, the "IPv4 Configuration type" for WAN should probably be set to PPPoE.

The WAN port is where you should expect to see an external "internet" IP in your opnsense GUI. You should not have to set up gateway, IP or anything else manually, but since this is PPPoE you probably need some assistance from your ISP regarding authentication, so ask them.

Quote from: neerajgs on August 14, 2024, 11:13:27 AM
LAN's IP should be on the WAN's IP
I have no idea what this means, but if you mean that they should have the same range then the answer is no, and they should certainly not be bridged.


                       
    192.168.1.1/24     
        ▲             
        │             
      LAN port         
        ▲ DHCP service 
   ┌────┼────┐         
   │opnsense │         
   └────┬────┘         
        ▼             
      WAN port (example: 93.184.215.14)         
        │ PPPoE - DHCP IP from your ISP (probably)       
        ▼             
    ┌─────────┐         
    │ISProuter| (BRIDGED / PASS-THROUGH)
    └───┬─────┘         
        ▼             
      Internet         
                       


First make sure you succeed in getting an external IP on a non-bridged WAN-interface. At that point, I believe with default configs you should be able to access the internet from your LAN net, but if not troubleshoot from there.

No local IP -> Is DHCP service running?
No Internet access -> Does the firewall allow it?

etc.
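
The checks discussed in this thread (does the WAN hold an external address, a CGNAT address, or a private one handed out by a router that is not really bridged, and is the LAN on its own subnet) can be scripted. This is an added example, not part of any post above; the function names and result codes are hypothetical, and the sample addresses are the ones from the diagram plus constructed ones.

```python
import ipaddress

# Address blocks that indicate the WAN is not holding an externally routable address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(wan_ip):
    """Return 'private', 'cgnat', 'public' or 'other' for the WAN address."""
    ip = ipaddress.ip_address(wan_ip)
    if any(ip in net for net in RFC1918):
        return "private"   # upstream router is still doing NAT/DHCP (not bridged)
    if ip in CGNAT:
        return "cgnat"     # ISP carrier-grade NAT
    return "public" if ip.is_global else "other"


def check_setup(wan_ip, lan_cidr):
    """Hypothetical helper: list problems with a WAN address / LAN subnet pair."""
    findings = []
    lan = ipaddress.ip_interface(lan_cidr).network
    kind = classify_wan(wan_ip)
    if kind == "private":
        findings.append("WAN_PRIVATE")
    elif kind == "cgnat":
        findings.append("WAN_CGNAT")
    elif kind == "other":
        findings.append("WAN_NOT_ROUTABLE")
    # WAN and LAN must not share a range, otherwise routing between them breaks.
    if ipaddress.ip_address(wan_ip) in lan:
        findings.append("WAN_LAN_OVERLAP")
    return findings


if __name__ == "__main__":
    # Constructed samples: (WAN address, LAN interface address/prefix).
    samples = [
        ("93.184.215.14", "192.168.1.1/24"),  # layout from the diagram
        ("192.168.1.2", "192.168.1.1/24"),    # ISP router not bridged
        ("100.64.3.7", "192.168.1.1/24"),     # CGNAT
    ]
    for wan, lan in samples:
        print(wan, lan, classify_wan(wan), check_setup(wan, lan))
```

A `WAN_PRIVATE` result means the firewall is sitting behind another NAT device, so port forwards and inbound rules on OPNsense only take effect if the ISP router also forwards to it.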