Can't Update OPNSense after successful "transparent bridge" set up.

Started by TheFNGee, August 25, 2024, 05:18:55 AM

Hi folks - I'm not the most competent networking guy, never have been.  I've been in IAM since before it was called IAM. Way back then, it was called and still is Active Directory.

I liked the idea of a "transparent bridge" between the cable modem and Edgerouter a lot. I literally use an Ubiquiti Edgerouter-6P to get me more outputs from my single-output cable modem.

I first bought the Protectli v1210 2-port device and set it up, and then realized I couldn't access the GUI by any means I knew enough about to try. (I truly wanted to see the protection going on before I turned off the security software blades on my Checkpoint 750, soon going EOL.) I returned the v1210, was treated very graciously by Protectli, and purchased a v1410 4-port.

After many fits and starts, five hours ago, I finally figured out how to make a Management Port work properly. I can see all the goings-on within the UI and also the HDMI interface on a separate monitor.

After getting this working, I just realized that I cannot UPDATE OPNsense, or the ClamAV sigs, or IPS/IDS items, or it seems like I can't. On the dashboard, I click "check for updates" and the text in the GUI says effectively "host does not resolve", and I see the URLs for OPNsense with messages trailing the URL saying "No address found."

After thinking on it for quite a bit, I began to think that since the WAN interface doesn't really have an IP address of its own, and Software update servers (like Protectli's) need an IP address to connect to and receive updates.  I'm stuck.  When I disabled the security blades on the old checkpoint, the throughput absolutely doubled, and I was getting near 950 Mbps on speedtest, so I really have to fix this, but frankly don't know how to proceed.

Modem DHCPs class B DHCP right thru the Protectli to the eth0 interface on the 6P @ its 192.168.1.1.  One of those outputs goes to the Checkpoint, and it NATs to a 10.0.0.0/24 internal network.
I had to change the default IP on the OPNsense to 192.168.10.1 just to get it set up.  I finally figured out how to enable a MGMT port (igc2) and gave it an IP of 192.168.20.1.

I'm shocked but all this works seemingly.  I just can't get updated to the OPNsense itself.  Am I making sense?

Any ideas from more experienced users?

Thanks,
TheFNGee (Steve)

The OPNsense management side needs to have access to the Internet to receive updates. Your IP configuration doesn't look right.

If you configure OPNsense as a transparent firewall, you should have only one subnet on it. That subnet should be on your internal network and have access to Internet. The OPNsense management side should be treated just like any other endpoint device on that network. The OPNsense management interfaces should have an IP address on the subnet and the OPNsense gateway should be set to the IP address of the gateway in the subnet.

Hi Strator - Thanks for the response. The first exposure I got to this idea was on "Dave's Garage" on YouTube. Though his instructions were explicit, he only mentioned the IN/OUT or WAN/LAN ports as a pair and never mentioned configuring the Management port.

The first area of config that I have included is the Edgerouter 6P.  This device has ports eth0-eth5, with eth0 being the Internet coming in from the cable modem. This is with the "transparent bridge" in line, showing that the DHCP request from the 6P's eth0 is indeed going through, unhindered, to the cable modem.

Eth2 is HVAC,
Eth3 is the Security Camera system,
Eth5 is going to the Checkpoint 750 for distribution separately to the wired devices and then to the Mesh wireless, an Orbi RBR850 router with three additional satellites.

This is what the configs look like:

I'm not sure why you've provided this information. I was writing about subnets, not physical interfaces. The only thing I can add to my previous message is that you need to use the OPNsense LAN for your management interfaces. If you bridged the OPNsense WAN with LAN and used some OPT for the management interfaces, you need to change it. Bridge WAN with OPT and, again, use LAN for the management interface. Good luck.


Again, thanks for the input.  Please forgive my ignorance, but the instructions, guides - whatever, say to "Bridge" the LAN/WAN and make it a "Transparent Bridge", run all incoming traffic through it and have it protect with IPS/IDS, Antivirus, etc.  So truthfully, I would have no idea how to accomplish keeping the TB and using the LAN interface for MGMT.  However, using the LAN interface WAS how I initially configured the device, just to get the first round of updates, the Suricata config and downloading ClamAV/signatures.

Thanks anyway,
TheFNGee (Steve)


Thanks again, Strator. However, I spent a lot of time on this page as well, making my UI match this set of instructions as closely as possible. However, in a key area of the LANWANBridge setup, talking about a "gateway", the UI represented in Figures 14 and 15 does not match OPNsense 24.7.2 at all, so I'm having trouble finding how it's actually configured.

Thanks Again,

TheFNGee (Steve)

As I said in my first message, you need to treat the OPNsense management interface like any other client device on your internal network. The management interface cannot access Internet through the bridge directly. It can access Internet only through the internal network which, of course, itself needs to have access to Internet.

I have modified one of the diagrams from that article hoping that it will help you. Take a look at the attachment.


You're going all out and I greatly appreciate it.

My internal network is already double-nat'd to 10.x.x.0/24 subnets, so I took another approach which I thought would be easier (famous last words).

I have an extra NIC on my desktop MB that I'm using for OutOfBand access to the MGMT interface on the OPNsense/Protectli 4-port device. In its config in Windows, the only box that's checked is an IP of 192.168.10.5/24 for me to directly access the MGMT interface sitting @ 192.168.10.1/24 (the Edgerouter 6P already occupies the 192.168.1.0 /24 network.)

Is this where I've screwed the pooch, so to speak?

Thanks,
Steve


Yes. The OPNsense management interface needs to be part of a network with Internet access, not isolated/OOB. Updates require Internet.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have an OOB network, too, but I don't really use it since I have only 3 devices that can be connected to it. Instead, I use a protected VLAN for the management tasks and that's where my OPNsense management interface is connected to.

OOB means routing disabled and no connection to any other network so, if you connected your OPNsense management interface to it, you would not be able to access the Internet from it.
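The rule Strator states in both replies (management NIC on a routed internal subnet, holding an address in that subnet, default gateway set to that subnet's router, and never itself a bridge member) can be written down as a small checker. The script below is an added example, not part of the thread or of OPNsense; the two layouts it checks are constructed from the addresses given above (igc2 at 192.168.10.1/24 reachable only from the desktop at 192.168.10.5, versus the Edgerouter at 192.168.1.1), and the fixed address 192.168.1.20 is an assumed example value.

```python
"""Sanity checks for the management-interface layout that a transparent
OPNsense bridge needs before it can reach update servers.

Added example; the interface names and addresses are constructed from the
forum thread, and 192.168.1.20 is an assumed value for the corrected layout.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class MgmtLayout:
    mgmt_if: str                        # NIC used for management, e.g. "igc2"
    mgmt_cidr: str                      # address/prefix assigned to that NIC
    gateway: Optional[str]              # default gateway configured on OPNsense
    bridge_members: Tuple[str, ...]     # NICs joined into the transparent bridge
    # Constructed picture of what answers on the management link: a host-only
    # cable to the desktop holds one PC, a real LAN holds the router.
    reachable_hosts: FrozenSet[str] = field(default_factory=frozenset)


def check_mgmt_layout(layout: MgmtLayout) -> List[str]:
    """Return the list of problems found; an empty list means updates can work."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(layout.mgmt_cidr)

    # A bridge member carries no address of its own; management must be separate.
    if layout.mgmt_if in layout.bridge_members:
        problems.append(
            f"{layout.mgmt_if} is a bridge member; use a separate NIC for management")

    # Without a default gateway the firewall has no route to pkg.opnsense.org.
    if layout.gateway is None:
        problems.append("no default gateway set; the firewall cannot reach update servers")
        return problems

    gw = ipaddress.ip_address(layout.gateway)
    if gw == iface.ip:
        problems.append(f"gateway {gw} is the firewall's own address; it must be the subnet's router")
    elif gw not in iface.network:
        problems.append(f"gateway {gw} is outside the management subnet {iface.network}")
    elif layout.gateway not in layout.reachable_hosts:
        problems.append(
            f"gateway {gw} is in {iface.network} but nothing at that address answers on the link")
    return problems


# Layout as posted: igc2 on an out-of-band cable to the desktop, no router present.
AS_POSTED = MgmtLayout(
    mgmt_if="igc2",
    mgmt_cidr="192.168.10.1/24",
    gateway=None,
    bridge_members=("igc0", "igc1"),
    reachable_hosts=frozenset({"192.168.10.5"}),
)

# Same idea but with the Edgerouter's LAN address typed in as gateway: still
# broken, because 192.168.1.1 is not on the 192.168.10.0/24 link.
WRONG_GATEWAY = MgmtLayout(
    mgmt_if="igc2",
    mgmt_cidr="192.168.10.1/24",
    gateway="192.168.1.1",
    bridge_members=("igc0", "igc1"),
    reachable_hosts=frozenset({"192.168.10.5"}),
)

# Corrected layout: igc2 plugged into the internal LAN behind the Edgerouter,
# holding an address there and pointing at the router as its gateway.
FIXED = MgmtLayout(
    mgmt_if="igc2",
    mgmt_cidr="192.168.1.20/24",   # assumed free address on the internal LAN
    gateway="192.168.1.1",
    bridge_members=("igc0", "igc1"),
    reachable_hosts=frozenset({"192.168.1.1", "192.168.1.50"}),
)

if __name__ == "__main__":
    for name, layout in (("as posted", AS_POSTED),
                         ("wrong gateway", WRONG_GATEWAY),
                         ("fixed", FIXED)):
        print(f"{name}: {check_mgmt_layout(layout) or ['ok']}")
```

The checker deliberately stops at the missing gateway, since every later test presupposes one; on a real box the same three facts can be read from `ifconfig igc2`, `netstat -rn` and the interface assignment page, and once all three are in order the dashboard's "check for updates" stops reporting "host does not resolve".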

OK. I got it working, in a convoluted manner, but it's working. Thanks to all.  Now I just need to figure out how to get my home CA Authority's root cert key onto the OPNsense device, and I'm set.  :)

Thanks,
TheFNGee (Steve)



I have a Checkpoint 750 NGFW that's nearing End-of-Life. In its time, it had all the latest features such as IDS/IPS, AV, Anti-Malware, Anti-Spam, blah, blah. While it served me and my household very well over the years, all of its protection features came at a significant cost in available bandwidth from my 1Gbit pipe coming in.

After finally getting this "Transparent Bridge" with Protectli/OPNsense set up effectively, the throughput has gotten much better, on the order of TWICE as high.

This combination of hardware/software cost me less than the renewal of the support contract on the Checkpoint. I've even turned off the Palo Alto PA-440 that I've left almost totally unconfigured because of its complexity. This TB was far easier for an IAM guy pretending to be a network guy like myself.

Thanks,
TheFNGee