OPNSense Homelab Setup Question

Started by Ghostwire, October 29, 2023, 07:05:04 PM

Hello OPNSense Community,

First of all, I am a complete newbie regarding networking in general, so please excuse me if anything of the following does not make any sense to you.

I currently have a Fritzbox Cable 6660 as my default router provided by my ISP and I am currently tinkering with some HomeLab setup stuff.

At the moment all my clients are connected via LAN or Wifi with the FritzBox to connect to the internet.

I now got a Fujitsu S920 which I upgraded with a HP NC360T Intel PRO/1000PT Dual Port Server Adapter. I just successfully installed OPNSense on it.

I also have a spare TL-SG105 | 5-Port 10/100/1000Mbit/s Desktop Switch which I want to use in the setup I am trying to achieve.

The goal is to set up everything as shown in the attached image so that all traffic that comes from Clients 4-6, which are connected to the OPNSense via the TL-SG105 switch, gets OpenVPN encrypted by the OPNSense firewall via policy based routing. I would also like to configure a killswitch in the OPNSense Firewall for that interface so that no traffic from those boxes leaves the HomeLab unencrypted.



1. Question: Is something like that possible?
2. Question: If so, would it be possible to connect a Wireless AP to the switch to also make it possible to route all traffic of clients connected via Wifi through a VPN?
3. Question: Right now I have set the onboard Ethernet port of the Fujitsu S920 to WAN and configured em0 of the HP NC360T to LAN and em1 to OPT1. The OPNSense firewall successfully received an IP via DHCP from my Fritzbox Router and I was able to access the webui. Am I correct that in this network setup I can completely ignore the configured WAN port on my OPNSense firewall, as it is just relevant if the OPNSense Box is directly connected to the Internet?


Thank you all so much in advance for your time and effort.
Best regards



Quote: Am I correct that in this network setup I can completely ignore the configured WAN port on my OPNSense firewall as it is just relevant if the OPNSense Box is directly connected to the Internet?

You can't "ignore it", as it's still being used as OPNsense "WAN" (default gateway).
But it will auto-configure itself to use the Fritz, just as any other PC on the Fritz "LAN".

If my posts helped you remember to applaud

Experienced Newbie

1. Yes.
2. Yes.
3. Yes / no / maybe. In OPNsense, LAN / WAN / OPTx are essentially just names. But for the sake of simplicity, I'd recommend assigning WAN to the port connected to your upstream router (Fritzbox) and LAN to the port connected to the switch.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thank you guys so much for your super fast replies.

So when I first assigned WAN to my upstream port, the FritzBox DHCP successfully assigned an IP address to my OPNSense box. Sadly, I was not able to ping the OPNSense box nor access the WebUI via its DHCP assigned IP from any of the clients that are directly connected to the FritzBox.

After I assigned LAN to the upstream port, I was able to reach the WebUI from any of my directly connected FritzBox clients.

Is there a reason for this behavior?

Best regards

October 29, 2023, 07:39:58 PM #4 Last Edit: October 29, 2023, 07:50:23 PM by Mega32
Quote from: Ghostwire on October 29, 2023, 07:32:18 PM
Thank you guys so much for your super fast replies.

Quote: So when I first assigned WAN to my upstream port the FritzBox DHCP successfully assigned an IP address to my OPNSense box.
WAN is usually connected as close to the Internet as possible ... here, the FB(ox).

Quote: Sadly I was not able to ping the OPNSense box nor access the WebUI via its DHCP assigned IP from any of the clients that are directly connected to the fritzbox.
That is expected - you have a firewall, that won't allow anything "inbound" without being instructed to do so.
The OPNsense sees the FB as coming from WAN (Internet), and will (by default) protect against all inbound packets.

Quote: After I assigned LAN to the upstream port I was able to reach the WebUI from any of my directly connected FritzBox clients.

Is there a reason for this behavior?
Yes - LAN is normally allowing "any packets in", as it is usually where the PCs would be connected.

It would not be "Best Practice" to connect the FB Lan to OPNsense Lan.
You would effectively "bypass" the firewall function, and not set it up as on the drawing.
On the drawing WAN would be connected to the FB Lan.


So this would mean I would have to connect a client either directly to the OPNSense Box, or connect a client to the switch that is connected to the OPNSense Box, in order to access the WebUI, right?

Is there a way to somehow enable access to the WebUI of OPNSense from clients that are connected directly to the FritzBox?

This should not be a security concern, since the OPNSense Box is not exposed directly to the Internet as it's behind the FritzBox, correct?

Best regards

Quote from: Ghostwire on October 29, 2023, 07:48:54 PM
So this would mean I would have to connect a client either directly to the OPNSense Box or connect a client to the switch that is connected to the OPNSense Box in order to access the WebUI, right?
As it's set up right now ... yes.

Quote: Is there a way to somehow enable access to the WebUI of OPNSense from clients that are connected directly to the FritzBox?
Yes ...

You would have to do two things.
1: Disable blocking of RFC1918 nets on the WAN interface.
2: Make a firewall rule on the WAN interface allowing FB LAN to "This Firewall" on port TCP/443 (HTTPS/WebUI port).

Quote: This should not be a security concern since the OPNSense Box is not exposed directly to the Internet since its behind the FritzBox, correct?
Depends on if you feel your FB LAN is "safe". If yes ... then you have answered your own question.


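The two prerequisites Mega32 lists (RFC1918 blocking off on WAN, plus a pass rule from the Fritzbox LAN to "This Firewall" on TCP/443) can be checked against an exported OPNsense config.xml backup. The script below is an added example, not from the thread or the OPNsense project; it assumes the element names typically seen in such backups (`<blockpriv>1</blockpriv>` under `<wan>`, `<filter><rule>` entries, `(self)` for "This Firewall") and uses a constructed sample with 192.168.178.0/24 as the Fritzbox LAN.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the layout of an OPNsense config.xml backup.
# Element names are assumptions from typical backups, not taken from the thread.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em0</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><ipprotocol>inet</ipprotocol>
      <protocol>tcp</protocol>
      <source><address>192.168.178.0/24</address></source>
      <destination><network>(self)</network><port>443</port></destination>
      <descr>Allow Fritzbox LAN to WebUI</descr>
    </rule>
  </filter>
</opnsense>
"""

def check_webui_access(config_xml: str, fb_lan: str = "192.168.178.0/24") -> dict:
    """Report which of the two prerequisites for reaching the WebUI from the
    upstream (Fritzbox) LAN through the WAN interface are satisfied."""
    root = ET.fromstring(config_xml)
    wan = root.find("interfaces/wan")
    # "Block private networks" is stored as <blockpriv>1</blockpriv>; absent means off.
    blockpriv = wan is not None and wan.findtext("blockpriv") == "1"
    rule_ok = False
    for rule in root.iterfind("filter/rule"):
        if rule.findtext("interface") != "wan" or rule.findtext("type") != "pass":
            continue
        if rule.findtext("protocol") not in ("tcp", "tcp/udp"):
            continue
        src, dst = rule.find("source"), rule.find("destination")
        if src is None or dst is None:
            continue
        # Source may be stored as an explicit address or a named network alias.
        src_ok = fb_lan in (src.findtext("address"), src.findtext("network"))
        dst_ok = dst.findtext("network") == "(self)" and dst.findtext("port") == "443"
        if src_ok and dst_ok:
            rule_ok = True
            break
    return {"rfc1918_block_disabled": not blockpriv, "webui_rule_present": rule_ok,
            "webui_reachable_from_fb_lan": (not blockpriv) and rule_ok}
```

Run it against your own backup with `check_webui_access(open("config.xml").read(), "<your FB LAN>")`; a result with either flag False points at the step that is still missing.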

Thank you. I will continue on this tomorrow and will respond back regarding my progress. I think I now know which steps to take from where I am at the moment :)

Best regards