A one-legged OPNsense dilemma...

Started by benyamin, November 07, 2021, 01:50:25 PM

Was wondering if anyone had set up OPNsense with a single leg on LAN only. If so, any gotchas...?

I was thinking it might become necessary to spin up FreeRADIUS as a temporary PoC to get some answers for this topic.

Just wanted to know if it was possible...  :-\

TIA,
Ben

Perfectly possible. What is the supposed dilemma here? I am running that as a VPN server.

  • Bootstrap a fresh installation
  • Remove the WAN interface keeping the "allow all" rule on LAN
  • Disable the "anti lockout" NAT rule - Firewall > Settings > Advanced
  • Add the default gateway unless you set the LAN interface to DHCP
  • Probably disable Unbound and set the nameserver in System > Settings > General
  • Probably disable the DHCP server on LAN
  • Optionally disable the firewall entirely in Firewall > Settings > Advanced
Now you have an open host with a single connection.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you @pmhausen. That's a very helpful list.

The only dilemma is whether I should spend my time on it...

Some questions are better left unanswered - or answered by others...  ;)

I have a dev opnsense running with one leg. Not a problem.

Possibly also useful as mail gateway or reverse proxy or VPN concentrator or any number of things.

November 08, 2021, 08:50:56 AM #4 Last Edit: November 08, 2021, 08:54:51 AM by franco
Typically that is a WAN-only setup since that automatically uses DHCP to get an address and sets anti-lockout rules correctly.

It's a neat type of setup for special services to provide (mostly via VM using a plugin or some core feature) and you have a firewall for the service as well... :)


Cheers,
Franco

Quote from: franco on November 08, 2021, 08:50:56 AM
Typically that is a WAN-only setup...

Good points, Franco. Thanks for that.

So pmhausen's list becomes:

  • Bootstrap a fresh installation
  • Add the default gateway unless your WAN interface gets one via DHCP (default)
  • Disable Unbound and set the nameserver in System > Settings > General OR accept DHCP nameservers
  • Optionally disable the firewall entirely in Firewall > Settings > Advanced
Anything else to add...? Did I drop too much / too little...?

Thank you all.
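A post-install sanity check for the one-legged host that pmhausen's list and the trimmed version above describe, as an added example that is not from this thread or the OPNsense project. It assumes FreeBSD `netstat -rn` and `ifconfig` output, `/etc/resolv.conf`, and OPNsense's `pluginctl -s <service> status` reporting "is running"; each check reads its input from stdin so it can be exercised against captured output.

```shell
#!/bin/sh
# Sanity check for a single-interface ("one-legged") OPNsense box.
# Assumptions (not from the thread): FreeBSD netstat/ifconfig formats,
# /etc/resolv.conf, and `pluginctl -s <svc> status` printing "is running".

# Exit 0 when the routing table on stdin (netstat -rn) has a default route.
has_default_route() {
    awk '$1 == "default" { found = 1 } END { exit !found }'
}

# Exit 0 when resolv.conf text on stdin names at least one nameserver.
has_nameserver() {
    awk '$1 == "nameserver" && $2 != "" { found = 1 } END { exit !found }'
}

# Print the number of non-loopback interfaces carrying an IPv4 address in
# ifconfig output on stdin; a one-legged host should report exactly 1.
count_addressed_ifaces() {
    awk '/^[a-z].*: flags=/ { iface = $1 }
         /^[ \t]+inet / && iface !~ /^lo/ { seen[iface] = 1 }
         END { n = 0; for (i in seen) n++; print n }'
}

# Run the checks against the live system; non-zero if a hard requirement
# (gateway, resolver) is missing. Service findings are advisory only.
run_live_audit() {
    rc=0
    netstat -rn | has_default_route || { echo "MISSING: default gateway"; rc=1; }
    has_nameserver < /etc/resolv.conf || { echo "MISSING: nameserver in resolv.conf"; rc=1; }
    n=$(ifconfig | count_addressed_ifaces)
    [ "$n" -eq 1 ] || echo "NOTE: $n addressed interfaces, expected 1 for a one-legged host"
    # Services the thread suggests disabling when the box is LAN-only.
    for svc in unbound dhcpd; do
        if pluginctl -s "$svc" status 2>/dev/null | grep -q 'is running'; then
            echo "NOTE: $svc is running; the thread suggests disabling it"
        fi
    done
    return $rc
}

# Only touch the live system when explicitly asked: ./audit.sh --live
case "${1:-}" in
    --live) run_live_audit ;;
esac
```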