OPNsense via Fritzbox not allowing access to WAN/LAN

Started by OPNonsense, August 12, 2023, 12:58:45 PM

Hi there,


I have been trying to get OPNsense to work for a number of months now, with long breaks in-between.

The main thing I struggle with is to connect to the internet.

NOOB ALERT: I am relatively new to it all and whilst I understand some basic concepts of networking, there are some aspects that seem to elude me and leave me quite confused.


Here's my set-up, what I am trying to do, and what goes wrong:

*MY SETUP*
- Current router is Fritz!Box 7530, which lives on 192.168.178.1/24 and acts as my gateway;
- OPNsense version is:
OPNsense 23.7-amd64
FreeBSD 13.2-RELEASE-p1
OpenSSL 1.1.1u 30 May 2023
- OPNsense is on a dedicated bare metal host with two NICs, and lives at 192.168.178.12
- Switch is at 192.168.178.11
- My pihole instance (bare metal) is at 192.168.178.101 and also acts as my DHCP server (at time of writing, I have turned this off)

*WHAT I AM TRYING TO DO*
- I am running a cable from LAN1 on the Fritz!Box to the NIC I have selected as my WAN interface in OPNsense when I installed it
- I am running a cable from the LAN port on my OPNsense box to my switch
- I put Fritz!Box in bridging mode, essentially demoting it to an IP device
- Despite restarting everything, I am unable to get access to the wider internet at all and cannot even ping the Fritz!Box at all -- ping to 192.168.178.1 returns nothing, and when I arp on my main machine running Fedora 38, I can see a device at 192.168.178.1 but without a MAC address, and no other new devices

*There are a couple of things I am confused by*

1. When I put my Fritz!Box in bridging mode, it asks me what the new gateway would be. What do I set there?
2. Should I configure separate static IPs for WAN and LAN interfaces on the OPNsense box? I have done this, assigning 192.168.178.12 for LAN and 192.168.178.13 for WAN and even 192.168.178.14 for Fritz!Box, but nothing. (Also at various points made sure DNS and DHCP were handled by the OPNsense box, and briefly opened up what I could on the firewall to eliminate that as a trouble source.)
3. Regarding subnets: the million dollar question for me is whether WAN and LAN devices should be on the same subnet? Initial subnet when configuring says to go to 192.168.1.1, which does not load up for me. With OPNsense installed, can I just set a new independent subnet?

I would be insanely grateful to anyone who can help me resolve this as I think I am just not getting it and slowly losing the will to do the same things over and over again that don't work... I have other stuff to be getting on with, haha...

PLEASE help or point me to documentation that's better than the "now draw the rest of the owl"-style official documentation.

Thank you!

August 12, 2023, 01:48:54 PM #1 Last Edit: August 12, 2023, 02:01:27 PM by meyergru
Alas, your post shows that you do not have an understanding of basic networking concepts.

Obviously, you want to use OpnSense as it was intended, namely as a firewall. However, a firewall is a router in the first place which connects separate networks. Therefore, you cannot have the same network on both sides of the router (that would make a bridge). Despite that, you tried to set the same network segment (192.168.178.0/24) on both WAN and LAN. That will not work, you have to choose a different network for the LAN, like 192.168.1.0/24.

Also, if another router (like your fritzbox) is involved, it usually is configured to only route its own LAN network (192.168.178.0/24) to the internet via NAT. So, even if you have 192.168.1.0/24 for the "real" LAN behind your OpnSense, the Fritzbox would not route those IPs. Thus, you would have to configure a 2nd NAT layer on your OpnSense such that it "hides" all the 192.168.1.0/24 addresses behind its WAN address (192.168.178.x). This is known as double NAT. In order to have this working, you will usually have the OpnSense WAN IP as "exposed host" on the Fritzbox.

This all is a bit easier when OpnSense itself is the only router, although there is quite some debate around this.

I think there are three ways to get around this:

1. You can learn some basic networking skills (starting with subnetting and routing) and go from there. I can recommend NetworkChuck's youtube videos for this (https://www.youtube.com/watch?v=S7MNX_UD7vY&list=PLIhvC56v63IJVXv0GJcl9vO5Z6znCVb1P&index=1).
2. You could follow existing guides (there are plenty) for combining Fritzbox and Opnsense (beware of the two separate ways you can do this, e.g. "exposed host" or "Fritzbox as a modem" - these are very much different concepts and if you find any guides, you cannot combine both concepts).
3. Since you said you have other things to do, you can skip all of this and use a typical end-user appliance, which the Fritzbox already is, saving you the hassle to go through this.

Both 1 and 2 will take time and after you have managed to get internet access from your LAN, you will only find yourself at the beginning of a journey (like exposing services, setting up a VPN or just getting VoIP to work). To learn these things can both be quite satisfactory and challenging. It is not the right thing to do if you do not have the time for it.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Tough, but accurate. Thanks for taking the time to read all that and write such a detailed reply.

So I understand that what I am doing wrong is linking the Fritz!Box to the switch at 192.168.178.12 while also having the LAN on the same subnet. So just set something random for LAN? And configure the WAN part statically, perhaps to remain on 192.168.178.x?

Yeah, I obviously need to learn about routing as there are a tonne of things that I find extremely confusing here. Might read up on the basics first and foremost.

Option 3 does not work for me as I am not going to abandon this (again) without actually having learnt this.

Thanks!

August 13, 2023, 08:25:05 AM #3 Last Edit: August 13, 2023, 08:33:03 AM by bluescreen154
Hi,

- I am running a cable from LAN1 on the Fritz!Box to the NIC I have selected as my WAN interface in OPNsense when I installed it

No. Put the Fritzbox LAN1 on your switch. It can be in the same subnet as the OPNsense. That way you can still use WLAN or telephony from your FB.

- I put Fritz!Box in bridging mode, essentially demoting it to an IP device

After you set your FB in bridging mode, make sure you use the port you chose for bridging to connect to the WAN NIC of your OPNsense device. Set the WAN interface to DHCP, DHCPv6. You will get your own public IP on your WAN interface then. See attached screenshot. In that case LAN 4 goes to your WAN NIC on your OPNsense.

Set the OPNsense LAN port to the same network as your FB, pihole and so on and connect it to your switch.

Voila, you're done.

What ISP are you using? The Fritzbox needs to be in bridge mode with the correct WAN settings in OPNsense.

Are you a zen user?


Hey, I am a Zen user indeed. And I put it in bridge mode.

I have been thinking about the 'you don't understand routing' comment above and watched some stuff on it as advised, but I guess the thing that I didn't truly understand was why the WAN and LAN have to be on different subnets.

Why?

Because whilst I understand that a router forwards packets between different networks or network segments, a conventional commercial router would also only have one WAN and one LAN interface -- namely, the public IP that gets translated to the local IP. In this case, there is a public IP that gets translated to a WAN IP, which in turn gets translated to a LAN IP. Is this to aid segmentation and security?

August 14, 2023, 09:25:25 AM #6 Last Edit: August 14, 2023, 09:30:42 AM by Patrick M. Hausen
This is to make routing possible in the first place. A router needs to know which device is connected to which interface. It does this by looking at the IP address. So if WAN is e.g. - to match the Fritzbox default - 192.168.178.100/24 and LAN is e.g. 192.168.1.1/24, the router knows that all devices with 192.168.178.x addresses are on the WAN interface and all devices with 192.168.1.x addresses are on the LAN interface.

This is what routing is.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
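The two explanations above (meyergru's point in reply #1 that a router cannot have the same network on both sides and must source-NAT the LAN behind its WAN address, and Patrick's point that the router decides the outgoing interface purely from the destination address) can be made concrete with a small model. The following Python script is an added illustration written for this page, not code from OPNsense or from anyone in the thread. It builds a two-interface router from the addresses used in the thread, does a longest-prefix-match lookup, rejects the original overlapping layout (both interfaces on 192.168.178.0/24), and applies one source-NAT step when a packet leaves via WAN. The interface names, the Fritz!Box as next hop at 192.168.178.1, the WAN address 192.168.178.15 and the LAN client 192.168.1.50 are constructed assumptions taken from or modelled on the thread.

```python
"""Constructed illustration of why WAN and LAN must sit on different subnets.

Models a two-interface router (the OPNsense box) with a longest-prefix-match
routing table and a source-NAT step, using the addresses from the thread.
"""
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def overlapping_interfaces(interfaces):
    """Return pairs of interface names whose connected networks overlap.

    interfaces: dict name -> "a.b.c.d/prefix" (the interface's own address).
    A router derives one connected route per interface from these; if two
    interfaces claim the same network, the table is ambiguous.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_routes(interfaces, default_via):
    """Connected routes from the interface table plus one default route.

    default_via: (interface name, next-hop address). For the thread's setup this
    is the OPNsense WAN with the Fritz!Box at 192.168.178.1 as next hop.
    Raises ValueError when the interface networks overlap.
    """
    clash = overlapping_interfaces(interfaces)
    if clash:
        raise ValueError(f"overlapping interface networks: {clash}")
    routes = [(ipaddress.ip_interface(addr).network, name, None)
              for name, addr in interfaces.items()]
    iface, gw = default_via
    routes.append((DEFAULT_ROUTE, iface, ipaddress.ip_address(gw)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins."""
    dst = ipaddress.ip_address(dst)
    net, iface, gw = max((r for r in routes if dst in r[0]),
                         key=lambda r: r[0].prefixlen)
    return iface, ("direct" if gw is None else str(gw))


def source_nat(packet, wan_addr):
    """Hide a LAN source behind the router's WAN address (one NAT layer)."""
    return {**packet, "src": wan_addr}


def forward(routes, interfaces, packet, wan_iface="WAN"):
    """Route a packet and apply SNAT when it leaves via the WAN interface."""
    iface, next_hop = lookup(routes, packet["dst"])
    if iface == wan_iface:
        wan_ip = str(ipaddress.ip_interface(interfaces[wan_iface]).ip)
        packet = source_nat(packet, wan_ip)
    return iface, next_hop, packet


# Constructed scenario 1: the original post, both interfaces on 192.168.178.0/24.
BROKEN = {"WAN": "192.168.178.13/24", "LAN": "192.168.178.12/24"}

# Constructed scenario 2: the later working layout, LAN moved to 192.168.1.0/24,
# WAN as exposed host behind the Fritz!Box at 192.168.178.1.
WORKING = {"WAN": "192.168.178.15/24", "LAN": "192.168.1.1/24"}
FRITZBOX = "192.168.178.1"


def demo():
    """Run both scenarios and return the routing/NAT decisions."""
    results = {"broken_overlap": overlapping_interfaces(BROKEN)}
    routes = build_routes(WORKING, ("WAN", FRITZBOX))
    # LAN client (constructed address) talking to a public resolver.
    pkt = {"src": "192.168.1.50", "dst": "1.1.1.1"}
    iface, hop, out = forward(routes, WORKING, pkt)
    results["internet"] = (iface, hop, out["src"])
    # Same client reaching the Fritz!Box web UI: on-link via WAN, no next hop.
    results["fritzbox"] = forward(routes, WORKING,
                                  {"src": "192.168.1.50", "dst": FRITZBOX})[:2]
    results["lan"] = lookup(routes, "192.168.1.7")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the first layout rejected outright, while in the second layout a LAN packet to 1.1.1.1 leaves via WAN towards 192.168.178.1 with its source rewritten to 192.168.178.15 (the Fritz!Box then performs the second NAT to the public address, which is the double NAT meyergru describes), and a packet to 192.168.1.7 stays on LAN.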

Thank you for getting back. I guess I am just confused by the fact that consumer-grade routers don't seem to have this split, i.e. my Fritzbox will just turn the public IP into 192.168.178.x. Is this for security? And shouldn't by extension the "WAN interface" just be a public IP on the OPNsense side?

August 14, 2023, 09:43:17 AM #8 Last Edit: August 14, 2023, 09:50:27 AM by meyergru
Quote from: OPNonsense on August 14, 2023, 09:27:45 AM
Thank you for getting back. I guess I am just confused by the fact that consumer-grade routers don't seem to have this split, i.e. my Fritzbox will just turn the public IP into 192.168.178.x. Is this for security?

Partly. Yes, because RFC1918 IPs are not routed on the Internet, this will keep your LAN separated from the Internet, effectively giving you access to the outside, but not letting the outside in (unless you have port forwarding). But also because of routing, in order that the router can decide which side the packets should go to.

Quote from: OPNonsense on August 14, 2023, 09:27:45 AM
And shouldn't by extension the "WAN interface" just be a public IP on the OPNsense side?

It could, but then the Fritzbox must be a "real" bridge, i.e. a modem or NT. The so-called "bridging mode" of modern Fritzboxen is not a real bridge, but a kind of router. This is used in order to have one of its clients (the OpnSense) as an "exposed host", to which all ports are forwarded. That is to give the OpnSense the possibility to have port-forwarding to certain clients behind itself.

There used to be a "bridge-only" mode for Fritzboxen which has been abandoned because it rendered all but the modem functions useless.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Right, I see what you mean. That makes a bit more sense. Thank you.

August 14, 2023, 12:16:34 PM #10 Last Edit: August 14, 2023, 02:26:19 PM by OPNonsense
Right.

Gave this another go.

Set LAN interface IP to 192.168.1.1 and changed switch's IP and computer's IP accordingly. This works and I am now on a different subnet.

Set up the WAN interface at 192.168.178.15 as an exposed host on the Fritzbox (at 192.168.178.1).

Ensured I set DNS to Unbound to avoid conflicting with my Pihole.

Despite this, no internet. Multiple reboots.

Tried to set up a bunch of firewall rules to allow everything just to eliminate that as a bottleneck.

Any ideas? I have also 'lost' my modem and switch, as I cannot reach my switch despite it being active, and as a result cannot reach the router. I will keep on working on this, but any advice is appreciated.

EDIT: I did 'find' my Fritz!Box again, but I seem to really have lost the GUI for the Netgear Switch despite my best efforts. My main problem is that whatever I did, I could not get a link to the WAN. I am not feeling well today (and the perennial disappointment in myself from failing to set this up isn't helping), so will take a bit of a break from it for now and may be back at some point. Thanks.