Configuration & Use of Static IPs (ATT Fiber)

Started by StarsAndBars, January 13, 2025, 08:03:46 PM

Greetings All!

I am in need of assistance in utilizing a /29 (5 usable) pack of static IPs from ATT on my OPNSense instance (running latest public version).

My hardware topology looks like this:

ATT Fiber into the building --> FS XGSPON Transceiver ---> Generic white-box Xeon (2 SFP & 5 Copper) ---> 48 port switch

ix0 (WAN): SFP cage 1 contains the FS Transceiver
ix1 (LAN): SFP cage 2 contains the DAC connecting to the backplane of the 48 port switch.

Normally, this circuit would use the 320 Gateway provided by ATT. I have eliminated it completely for various reasons. Their fiber goes straight into my customized XGS-PON Transceiver, which then goes into my OPNSense firewall box.

The connection in this manner is up and running well. Very fast, very stable. With the symmetrical 2gig plan I have from ATT, I also purchased a 5-pack of public/static IPs. I want to use these IPs on other devices outside of the LAN behind the OPNSense instance in a sort of DMZ, if not completely separate configuration. Ideally, I would like to assign those statics to the 5 copper ports on the OPNSense box, but I am hearing that isn't really feasible, as that would effectively invoke bridge mode, which would bring alone some overhead and performance penalties I don't want, but this is a Xeon box with 16GB of RAM, so...

In any event, if for practical or performance purposes, using the copper ports isn't advised, exactly how would I go about making use of the static IPs?

The WAN IP is a "sticky" address delivered via DHCP.

I am gathering I would use virtual IPs assigned to the various other hardware devices I want to use the static addresses with, and then they would be connected to my 48 port switch? Not my preferred approach, but if there is no other way...

If someone could please give me a tutorial on how to do this with specific configuration examples for OPNSense, I would REALLY appreciate it.

Thanks in Advance!

Normally you assign public IPs as virtual IPs to your WAN and then use NAT port forwarding (inbound) and outbound NAT rules to use them with whatever ports/services on internal devices you want. Internal meaning one of as many as you like non-WAN interfaces with private addresses.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
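The virtual-IP plus NAT approach described in this reply, written out as a FreeBSD pf fragment. This is an added example, not the poster's configuration or OPNsense's own output (OPNsense builds its rules from the GUI); the interface names follow the thread, the addresses and the internal DMZ host are constructed.

```pf
# Illustrative FreeBSD pf rules for the "VIP on WAN + port forward + outbound NAT"
# design. Constructed addresses from RFC 5737 documentation space; the VIP itself
# is assumed to be added as an IP alias on the WAN interface so the box answers
# ARP for it (in OPNsense: Interfaces > Virtual IPs).

wan_if  = "ix0"
lan_if  = "ix1"
vip_web = "203.0.113.11"   # one of the 5 statics, used as a virtual IP on ix0
web_srv = "10.20.0.10"     # constructed internal server with a private address

# Inbound: translate only the service port(s) you mean to expose on that VIP
# (everything else aimed at the VIP is never translated and is dropped below).
rdr on $wan_if inet proto tcp from any to $vip_web port 443 -> $web_srv port 443

# Outbound: the same host leaves with its VIP rather than the WAN DHCP address,
# so the public address is consistent in both directions.
nat on $wan_if inet from $web_srv to any -> $vip_web

# Translation does not imply permission: the forwarded flow must still pass the
# filter, and pf evaluates filter rules against the post-translation destination.
pass in quick on $wan_if inet proto tcp from any to $web_srv port 443 keep state

# Anything else arriving from the Internet for the VIP or the WAN address is dropped.
# ($wan_if) in parentheses tracks the interface's dynamically assigned address.
block in log quick on $wan_if inet from any to { $vip_web, ($wan_if) }
```

In OPNsense the equivalent is one Virtual IP, one Firewall > NAT > Port Forward entry with its auto-created pass rule, and one Outbound NAT mapping for the internal host.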

Personally, I don't NAT my statics. One of my posts on this:

Adventures in bridging: US consumer Internet with static IPs

That WAN DHCP assignment is a bit odd. Having your WAN bridge IP vanish when the link drops could be inconvenient. (I wonder who designed that? Probably New Jersey. Heh.)

Note that my workstation (NAT'd) and a new server (not) are sitting behind my test firewall with my old Fortigate still firewalling my old servers. I've only speed tested the thing on the Internet thus far (as I have only the one 10Gb machine live at the moment, and it's got a bare OS), but speed does not seem to be an issue... for me.

Thanks! That was a good read. Would you be willing to give me a little guidance on how to set up the statics in my environment?

Quote from: StarsAndBars on January 14, 2025, 04:34:56 PM
Thanks! That was a good read. Would you be willing to give me a little guidance on how to set up the statics in my environment?

Sure. I'd recommend testing the config a bit if you have the opportunity, to see if it works at all for you. Frontier and Verizon FiOS and the old TWC cable are/were all straight bridged (at least after the ONT or modem), so a DHCP client was unnecessary - which is why I'm able to attach a bunch of devices directly to the Internet link. You'll be tied behind your one DHCP client, which means it has to work (unless I'm mistaken about the behavior of the GigaPow... er, Fiber link). At least you shouldn't have to worry about an ARP proxy on your link.

You have... some interesting choices on the inside. You may want to start with one bridge, ix0 and ix1 as members, no NAT, and work up from there. (Me, I just go straight to my final design and fight it out, but I hate life in general.)

Thanks again! I really appreciate the assist here.

So, starting literally from scratch here, what should my first steps be? I have 5 copper ports on the firewall itself, but am I to understand I can't really use those without incurring some compromises (literally and figuratively)?

Ideally, I'd love to just assign each of the static IPs to each of the copper ports to keep the physical side of things easier and much more straightforward.

If so, how do I go about doing that? Can I literally just assign the public/static IP to one of those ports and away I go?

If not, what is the next best approach, particularly from a security perspective? The other thought I entertained would be to use a "top of rack" switch where I brought the ATT Fiber into that switch first, instead of the OPNSense box. Ideally, I would use a "dumb" switch so there is no exposed management interface to be hacked into, but...

If the third (and only) option is to use virtual IPs on the OPNSense, that is where I need the most help in configuring the firewall and NAT rules, as well as the virtual IPs, etc. That is where my experience and skills are admittedly the weakest, but I am willing to learn from someone patient enough to step me through it!

Thanks again!

Quote
So, starting literally from scratch here, what should my first steps be? I have 5 copper ports on the firewall itself, but am I to understand I can't really use those without incurring some compromises (literally and figuratively)?

Hm. For paranoia's sake, I'd verify the functionality of the link if you have not done so already. Specifically, plug two computers (one could be the firewall, they could be VMs if you have two ports... whatever) into a switch, one set up as a DHCP client and one with a static IP. Connect the switch to your Internet link, and verify connectivity on both machines (I'm assuming you'll have to configure a static gateway on the static machine, which you may have to look up on the DHCP client). That just verifies that you have a bridged service. Assuming that works, I'd kill the DHCP client and see if the static machine still works... just as a data point. (If you can't conveniently do this, just go to the next step.)

Once verified, set up a bridge: LAN Bridge. The guide works. You may wish to alter some of the steps to suit your desired interface assignments.

5 ports? Excellent. Before you set up a bridge, set up a routed interface (IPv4 Configuration Type of Static IPv4) with private addresses and configure pass rules (like the default on LAN) so you have a back door to the firewall (and verify it). You may wish to set up DHCP service on it as well. After setting up the bridge, you can also add zero or more (other) interfaces to it.

Quote
Ideally, I'd love to just assign each of the static IPs to each of the copper ports to keep the physical side of things easier and much more straightforward.

Nope! The bridge will have (assuming I understand your AT&T service) your DHCP client (IPv4 configuration Type of DHCP), and member interfaces should have IPv4/6 Configuration Type of None. You assign those expensive static IPs to your devices and plug them into the bridge member interfaces, just like you'd plug them into a switch (i.e. an ASIC-based bridge). As always, I'd start simple and set up two member interfaces, one for your WAN link and one for a test computer. (Depending on your test computer you may not wish to plug it into the bridge until you set up a ruleset.) I don't know if you have a static gateway, so I'd just use the firewall as a gateway, as it should get one from DHCP. Uh, you probably shouldn't plug another DHCP server into the bridge... ever.

Caveat to the WAN bridge: You kinda throw out the concept of "inside" and "outside", as both are plugged into the same bridge. As with any OPNsense ruleset, you want input rules only, and you use source address to differentiate between your equipment and the Internet. I set up an explicit alias with only my 5 statics (not a /29*) and use it. Note that your firewall will be one of those - I always have a specific block rule for it, following my general pass rules (e.g. ping).

*Actually, my 5 statics do not lie within a /29, believe it or not. Sigh.

Quote
The other thought I entertained would be to use a "top of rack" switch where I brought the ATT Fiber into that switch first[...]

Actually, that should kinda work... you'd still (probably) need a DHCP client to establish the link, and use it as the gateway. But that places equipment outside of the firewall - useful, if you address the risks. Probably not what you're looking for...

As far as ports, you have a lot of choices with port setup. You could go flat - just plug a switch into a bridge member port on the firewall and you have more ports. I prefer to filter each port, so I use VLANs to isolate switch ports and connect them individually to VLAN interfaces on the firewall. You can get as detailed as you want (and your equipment will support).

You'll probably also want to run Outbound NAT, or have it available for devices that do not require a static IP. Plenty of choices with that setup, too...


By the way, in case you haven't looked at a firewall on the Internet before: You'll be probed immediately, and 5x+ as hard as a single IP. The firewall itself is pretty safe, but I prefer to change the administration ports, then filter them against the Internet. Any machine you assign statically should be hardened, especially if you expose it prior to setting up an effective ruleset.

On a WAN bridge, a basic client-only ruleset would be "pass any protocol from [static IP alias] to any" followed by "block any from any to any". I would not consider this good enough for a default Windows machine (where I'd recommend blocking all Windows services) or most appliances (that I do not trust) but should be tolerable for Linux, FreeBSD, etc.
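The WAN-bridge ruleset this reply describes (explicit alias of the 5 statics rather than a /29, general passes first, a specific block for the firewall's own address, then the client-only pass and a final block), written out as a FreeBSD pf fragment. This is an added example, not the poster's ruleset or anything OPNsense generates; the addresses, the relocated admin ports and the Windows host are constructed placeholders.

```pf
# Illustrative pf ruleset for a WAN bridge holding ix0 (WAN) and the member ports.
# Constructed addresses from RFC 5737 documentation space. Filtering on the bridge
# interface itself assumes the tunables from the OPNsense LAN Bridge guide
# (net.link.bridge.pfil_bridge=1, net.link.bridge.pfil_member=0).

bridge_if = "bridge0"
fw_self   = "203.0.113.10"          # the firewall's own DHCP "sticky" address
admin     = "{ 8443, 2222 }"        # placeholder: web UI and SSH moved off 443/22

# The 5 statics listed explicitly, not as a /29: the poster's own statics do not
# even lie inside one /29, and a /29 would also pass neighbours you do not own.
table <statics> { 203.0.113.11, 203.0.113.12, 203.0.113.13, 203.0.113.14, 203.0.113.15 }

# Inside and outside share one bridge, so only "in" rules are used and the source
# address is what distinguishes your equipment from the Internet.
set skip on lo0
block in log all                    # default deny; specific rules below use quick

# General pass rules first, e.g. ping to the statics and to the firewall itself.
pass in quick on $bridge_if inet proto icmp from any to { <statics>, $fw_self } icmp-type echoreq

# Specific block for the firewall, following the general passes: nothing that is
# not one of our statics may reach the administration ports.
block in log quick on $bridge_if inet proto tcp from ! <statics> to $fw_self port $admin

# A default Windows host among the statics: block its Windows services in both
# directions before the client-only pass, since that pass would otherwise let
# the host initiate them toward the Internet.
win_host = "203.0.113.12"
win_svcs = "{ 135, 137, 138, 139, 445 }"
block in log quick on $bridge_if proto { tcp, udp } from $win_host to any port $win_svcs
block in log quick on $bridge_if proto { tcp, udp } from any to $win_host port $win_svcs

# Client-only ruleset: anything sourced from our statics may go anywhere,
# with state so the replies come back...
pass in quick on $bridge_if inet from <statics> to any keep state

# ...and everything else arriving on the bridge is dropped.
block in log quick on $bridge_if all
```

In OPNsense the same shape is an alias holding the five addresses and a set of rules on the bridge interface in this order; the Windows block pair is the hardening the reply says a default Windows machine needs beyond the basic two rules.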