OPNSense Router behind ISP Router?

[Taunt9930]

Hi All,

I currently have an FTTP Setup in the UK that uses PPPoE (Unfortunately) with only 1 IPv4 Public IP Address available to me, and also IPv6 (Zen UK).

For some time I have been running as OPNSense <-----> ONT setup with my OPNSense appliance establishing/terminating the PPPoE connection directly on the WAN interface.

Due to niggles with BSD not being amazing at PPPoE on some devices (need some grunt) once you start doing packet inspection etc, I started to investigate the option of putting something in front of my OPNSense router to handle/terminate the PPPoE connection and present it to the OPNSense device - effectively 'offloading' PPPoE to the more efficient device. I concluded the only way this would be possible, is to have a device able to 'half-bridge' - e.g terminate the PPPoE and present the WAN IP to the secondary device transparently. Sadly this does not seem possible on any equipment I have access to, as far as I can tell.

Question - is there another way of doing it using a DMZ on the ISP Router, and some kind of static route, or something? Would this mess with NAT rules I have got set-up to allow 2 xboxes on the network to work? I also have multiple VLANs on the internal network, so presumably this also needs to be considered. I always thought the WAN IP had to be presented to the OPNSense box but now I am not so sure!

I would appreciate if there is a sensible way, if someone could describe how to convert my Single OPNSense device setup to one sat behind an ISP router doing the PPPoE encapsulation. Be gentle, I am mostly clueless..

If it's not possible, then happy to be told that as well!

Thanks.

[Patrick M. Hausen]

What's your uplink speed? I can easily serve 1 Gbit/s fiber with PPPoE and a Deciso 600 line appliance.

[Taunt9930]

I guess this isn't possible, then!?

[Patrick M. Hausen]

The device that does PPPoE also gets the IP connection and the external address(es). There is no way around that.

[9axqe]

If you can find something that support PPPoE and can be put in "bridge mode" as it is often referred to, it could work.

But bridge mode would mean the box handling the PPPoE is not reachable over IP anymore for troubleshooting, it behaves like dumb pipe, so it really has to be rock solid or you will be pulling your hairs out. If you're super lucky you find something that support Bridge Mode and has an additional interface for admin access.

I know such boxes exist for DOCSIS, but for PPPoE over fiber, I don't know.

[Patrick M. Hausen]

How would PPPoE and bridge mode work? IPCP is part of PPP. I don't know any piece of equipment that "slices PPP" in two halves. And how would the device behind that bridge do only the IPCP part?

I guess the bridge would need to do some crazy conversion from PPP to routed Ethernet similar to proxy ARP, but then on the PPP link frequently both endpoints are /32 and not even in the same subnet.

[Taunt9930]

If you can find something that support PPPoE and can be put in "bridge mode" as it is often referred to, it could work.

But bridge mode would mean the box handling the PPPoE is not reachable over IP anymore for troubleshooting, it behaves like dumb pipe, so it really has to be rock solid or you will be pulling your hairs out. If you're super lucky you find something that support Bridge Mode and has an additional interface for admin access.

I know such boxes exist for DOCSIS, but for PPPoE over fiber, I don't know.

Thanks, Yeah this is what I'd seen - 'half-bridge' or 'transparent bridge' referred to a number of times that effectively passes the WAN address straight through, but I cannot find a device that can actually do it. Sadly Openwrt isn't capable of doing it on PPPoE (can do PPPoA), but many data sources on the web suggest there are devices that can. I'm not worried about admin access to the 'modem', with FTTP I feel I will have little need for it.

I guess I'll just put up with the current setup.

[phoenix]

I don't know why you're considering this as OPNsense works fine directly connected to the ONT, I use it myself as I'm also a customer of ZEN. I only have a 500Mb connection but it should have no problem with the higher speeds available assuming your OPNsense hardware can cope.

You can actually do that with a FritzBox, you bridge the connection and configure and use an "exposed host" which would be your OPNsense router. There are instructions on the internet that will give you details of how to bridge the FritzBox connection and configure the firewall to accept the connection.