How to configure a home router behind OPNsense without NAT?

Started by Josh, November 03, 2019, 04:52:09 PM

I have an ASUS BRT-AC828 as my home router, and I have segmented my LAN into a few VLANs (e.g. IoT devices / Guests / Home network).

I'm currently trying to add an OPNsense firewall between my ASUS router and the internet, and I'd like to get visibility to my LAN nodes from the OPNsense. For example, I have an alarm clock that has WiFi capability, but I'd like to allow only NTP protocol for that device to pass to internet and block everything else.

It seems to me that I'm lacking some basic knowledge on how to configure the OPNsense correctly. Obviously I will want to disable NAT in my ASUS router, but what are the correct steps to configure OPNsense so that I can reach the internet from behind the ASUS router?

The network configuration is as follows:

Internet <--> OPNSense <---> ASUS BRT-AC828 <--> VLAN1: 10.11.1.1 <--> PC 10.11.1.2
              10.1.1.1       10.1.1.2            VLAN2: 10.12.1.1 <--> alarm clock 10.12.1.2

Any help would be greatly appreciated!


No, but now I have read it. Thank you for your suggestion!

Well, at first glance it would seem to me that that would make my OPNsense a transparent bridge, but that's not what I want (I guess...).

I want the OPNsense to do NAT between my LAN and the internet, and I'd rather like my ASUS router to be kind of "transparent" - in the sense that I would be able to control the network traffic individually for my PCs and other HW behind the ASUS router.

So, I would like to be able to create separate firewall rules in OPNsense for e.g. to my home PC and to my WiFi capable alarm clock that are both behind the ASUS router.

And the ASUS router must operate in the router mode (i.e. not as an access point) since that's the only way to keep the VLANs in ASUS working.

I tried switching off NAT in my ASUS, but then I was not able to reach internet from my LAN.

Quote from: Josh on November 03, 2019, 08:32:08 PM
I tried switching off NAT in my ASUS, but then I was not able to reach internet from my LAN.

Hi Josh, your packets likely made it out to the internet, but the return packets didn't get beyond OPNsense because it likely didn't have a route back for them via the ASUS.

You can move your NAT to OPNsense but you need to set static routes for the internal subnets of your VLANs. Start with adding the ASUS as a router. System -> Gateways -> Single, click Add. Do not make it an upstream gateway.

Then add your routes to System -> Routes -> Configuration, click +

Ping 8.8.8.8 and google.com to test connectivity and DNS. Packet trace on OPNsense if things don't work out the way you think they should.

Good luck!

Bart...
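The return-path problem Bart describes, walked through as an added example (not code from the thread or from OPNsense): a longest-prefix-match lookup over OPNsense's routing table using the addresses from this thread. The WAN gateway 198.51.100.1 is a constructed placeholder.

```python
"""Model of OPNsense's route selection for the topology in this thread.

Addresses from the thread: OPNsense LAN 10.1.1.1, ASUS WAN 10.1.1.2,
VLAN1 10.11.1.0/24, VLAN2 10.12.1.0/24, physical LAN 10.1.2.0/24.
The upstream gateway 198.51.100.1 is a constructed placeholder.
"""
import ipaddress


def lookup(routes, dst):
    """Return (next_hop, interface) for dst using longest-prefix match."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


# Routes OPNsense has before any manual configuration (constructed):
# a default route to the ISP and the directly connected transit net to the ASUS.
BASE_ROUTES = [
    ("0.0.0.0/0", "198.51.100.1", "wan"),   # upstream gateway (placeholder)
    ("10.1.1.0/24", None, "lan"),           # directly connected, no next hop
]

# The static routes Bart's reply adds: internal subnets via the ASUS (10.1.1.2).
STATIC_ROUTES = [
    ("10.11.1.0/24", "10.1.1.2", "lan"),
    ("10.12.1.0/24", "10.1.1.2", "lan"),
    ("10.1.2.0/24", "10.1.1.2", "lan"),
]


def return_path(dst, with_static_routes):
    """Where OPNsense sends a reply destined for an internal host."""
    routes = BASE_ROUTES + (STATIC_ROUTES if with_static_routes else [])
    return lookup(routes, dst)


def missing_return_routes(routes, internal_subnets):
    """Subnets whose replies would leave via the WAN instead of going to the ASUS."""
    return [s for s in internal_subnets
            if lookup(routes, str(ipaddress.ip_network(s)[1]))[1] != "lan"]
```

Without the static routes the reply to the alarm clock (10.12.1.2) matches only the default route and is sent out the WAN, which is exactly the symptom of NAT switched off on the ASUS; with them it goes back to the ASUS on the LAN side.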

Thank you for your reply again, Bart!

I should have realized that I was missing the route definitions in OPNsense, but unfortunately there seems to remain some other (also likely obvious) impediment that still prevents my network traffic...

I decided to forget my VLANs for now and first get the physical LAN to work. The physical LAN network behind my ASUS is 10.1.2.0/24, the ASUS itself being 10.1.2.1. So I created a new Single Gateway "LAN2_GW" in OPNsense as 10.1.1.2 and configured a route to network 10.1.2.0/24 via "LAN2_GW".

Now I can ping both WAN and LAN interfaces of my ASUS from OPNsense and vice versa, but I can neither ping 8.8.8.8 from ASUS nor any PC in my LAN2 network from OPNsense. :-\

I think it must be something very simple and obvious that I'm still missing...

(BTW how does one do packet tracing in OPNsense?)

Routing is but one potential issue, the other usual suspects are firewall rules and DNS.

Interfaces -> Diagnostics -> Packet capture

You can download the capture file and open it in Wireshark although you may not need to drill down to the last byte.

Bart...