OPNsense newbie, is this possible?

Started by bnorris, September 23, 2023, 08:50:06 PM

Hi all,

I'm building a server rack and thinking about using OPNsense as firewall in front of the servers (looking at a DEC2750)

I've attached a simplified diagram of the setup (there's more servers and a LAN but that's not important for what I'm asking).

What I want to achieve:
- firewall (filtering) functionality for all traffic
- public IPs on the servers for Internet access (no NAT)
- a private subnet for the servers' iDRAC/iLO interfaces and access them via a Wireguard endpoint on the OPNsense machine. NAT for access to firmware updates and stuff

I have a /27 from the ISP.

Can this be done? Thank you in advance for any replies.

Yes, that's possible. You could e.g. configure igc0 (WAN) with x.x.x.130/30 and igc1 (LAN_public) with x.x.x.145/28 (or x.x.x.131/27 if you need more than 13 public server IPs).
You may have to configure proxy ARP for the public server IPs, depending on how your ISP routes the /27.

Private iDRAC subnet with NAT and WireGuard access are no-brainers.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thanks, I'll try it this way. NATing the iDRAC subnet is straightforward, yes. I wasn't sure it's possible to have NAT on igc2 without having it on igc1, too.

Note: I can't use 130 and 131, the ISP uses those for gateway VRRP.

Yes, you can set outbound NAT to manual mode and then only create rules for the subnets / interfaces you actually want to NAT.

I see, but splitting the /27 into two subnets for WAN and LAN_public still works.
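As an added illustration (not code from the thread or from OPNsense), the following script uses Python's standard ipaddress module to carve a routed /27 into the WAN transit subnet and LAN_public subnet described above, with the constraint that the ISP's gateway/VRRP addresses must stay on the WAN side. The block 203.0.113.128/27 and the reserved addresses .129/.130/.131 are constructed placeholders, not the poster's real allocation.

```python
import ipaddress

# Constructed values, not from the thread: RFC 5737 documentation space stands
# in for the ISP-assigned /27. .129 is assumed to be the ISP gateway VIP and
# .130/.131 the two VRRP router addresses the original poster said are taken.
ISP_BLOCK = "203.0.113.128/27"
ISP_RESERVED = ["203.0.113.129", "203.0.113.130", "203.0.113.131"]


def plan_split(block, reserved):
    """Split one routed block into a WAN transit subnet (holding the ISP
    gateway addresses) and a LAN_public subnet (firewall address + servers).
    Returns a dict; raises ValueError if no split fits."""
    block = ipaddress.ip_network(block, strict=True)
    reserved = {ipaddress.ip_address(r) for r in reserved}
    if not all(r in block for r in reserved):
        raise ValueError("reserved addresses must lie inside the ISP block")

    # Smallest WAN subnet whose *host* range (not network/broadcast) covers
    # every ISP address. A /30 cannot hold .130 and .131 together (.131 is its
    # broadcast), so the search widens to /29 in that case.
    wan = None
    for prefix in range(30, block.prefixlen, -1):
        for candidate in block.subnets(new_prefix=prefix):
            if reserved <= set(candidate.hosts()):
                wan = candidate
                break
        if wan is not None:
            break
    if wan is None:
        raise ValueError("ISP addresses do not fit in any transit subnet")
    wan_fw = next(h for h in wan.hosts() if h not in reserved)

    # LAN_public: the largest aligned subnet left after carving out the WAN;
    # its first host goes to the firewall, the rest are public server IPs.
    remainder = list(block.address_exclude(wan))
    lan = max(remainder, key=lambda n: (n.num_addresses, -int(n.network_address)))
    lan_hosts = list(lan.hosts())
    return {
        "wan": wan, "wan_firewall": wan_fw,
        "lan_public": lan, "lan_firewall": lan_hosts[0],
        "server_ips": lan_hosts[1:],
        "unused": [n for n in remainder if n != lan],
    }


if __name__ == "__main__":
    for key, value in plan_split(ISP_BLOCK, ISP_RESERVED).items():
        print(f"{key:13} {value}")
```

With only the gateway VIP reserved the planner reproduces the x.x.x.130/30 + x.x.x.145/28 layout from the first reply (13 server IPs); with .130 and .131 also taken it widens the WAN side to a /29 and leaves a spare /29, which is the "still works" case.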

Maybe still be cautious with wireguard and rather favor ipsec or openvpn for some more time:

https://forum.opnsense.org/index.php?topic=35513.0
Hardware:
DEC740

Thank you for the warning. I've been using Wireguard on Linux for about 2 years with zero issues (several endpoints and lots of peers). I did read online about the... problematic background of its FreeBSD implementation, but I wasn't aware of the crashes. I see you mention it also causes HA/CARP issues, which makes it worse because the plan was to eventually have an OPNsense HA pair.

Quote from: Maurice on September 23, 2023, 10:28:50 PM
Yes, you can set outbound NAT to manual mode and then only create rules for the subnets / interfaces you actually want to NAT.

I see, but splitting the /27 into two subnets for WAN and LAN_public still works.

Gotcha, thanks for the clarification!

Quote from: Maurice on September 23, 2023, 10:28:50 PM
[...] splitting the /27 into two subnets for WAN and LAN_public still works.
Or ask your ISP for an additional /30 for the uplink. It's not unreasonable.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


September 24, 2023, 07:18:17 AM #9 Last Edit: September 24, 2023, 09:52:35 AM by Monviech
You mitigate "most" HA problems if you configure both master and backup opnsense to be only a responder for wireguard, and not initiator. There are also community scripts to track vhid status and stop the wireguard service on the backup firewall. The developers also work to add this functionality to the next big release of the community edition. Since the business edition lags behind for being more stable, the official carp vhid tracking support might still take a while to come. If you want true HA VPN with state sync and seamless failover, IPsec is the way with its very well made strongswan and swanctl implementation.
https://opnsense.org/about/road-map/