Gotchas nobody mentions

Started by coffeecup25, March 11, 2025, 02:39:44 PM

March 11, 2025, 02:39:44 PM Last Edit: March 12, 2025, 12:10:26 PM by coffeecup25
I just ordered more RAM and a larger M.2 SSD for my laptop so I can build a Hyper-V VM with OPNsense. I want to build a functional router with the intention of saving off the configuration. Then installing OPNsense and the saved config on my current 2.5G 4-port router / PC. I'll probably plug in the laptop for a little while just to see how my experiment works overall. The laptop has 1 RJ45 port.

I'm sure there are a few gotchas in there so I am asking in advance what they might be. I plan to set up a few static addresses, an adblocker (either the adguard home add-on or whatever is built into OPNsense that can use blocklists), a VPN, and whatever else looks useful.

There are enough guides on the internet to show me how to do these things in the VM. Plus, figuring it all out is most of the fun.

I have no doubt there will be a few problems to deal with that aren't normally described. Can anyone provide a few pointers so I don't get to a place where I think I'm done but it doesn't work in the router / PC because of that thing nobody ever mentions?

Thank You.

Hyper-V does not appear to be the easiest host OS for OPN based on threads I've seen.

1 NIC setups are not the easiest way to learn either.
I hope you have a managed switch to handle the VLAN management aspect of it.

I've done a little write-up when I tried for myself a little while back:
https://forum.opnsense.org/index.php?topic=45437.msg227451#msg227451
You might find interesting bits of info there.

Before transferring the config over (or importing it during install), you'll have to find/replace interface names.
To facilitate this, you might want to do the VLAN management on the host so it's transparent on the guest (as it will be in your final config).


March 12, 2025, 08:56:17 PM #2 Last Edit: March 12, 2025, 09:00:33 PM by coffeecup25
@EricPerl,

Thanks for the caution about Hyper-V. I'm most familiar with it but also VirtualBox somewhat. Not so much the others. I've seen tutorials for OPNsense and pfSense in Hyper-V but haven't looked them over in detail yet. I'll be sure to visualize the whole process of virtual switch building and install of OPNsense before doing it. I assume the pfSense instructions will work for OPNsense.

I decided to make the test easy on myself. I will double NAT and add a couple of downstream PCs. The main network will be the 'ISP', WAN. It should apply well enough. No VLAN needed, I think, as the VM instructions I mentioned didn't mention one.

The interface names are a good call. I see the problem you are referring to.

For the final install, eventually, I will swap out the SSD in the current router / PC and install OPNsense on a different one. If I mess it up I can always put the old one back.

If the whole thing goes belly up, I might use a different spare laptop with an RJ45 port and a USB LAN dongle to figure it all out. Only temp, as the USB dongle is supposed to be unstable.

I will look at your write-up. Thanks again.

One gotcha that I learned was that I could not restore a config saved from one installation, to another installation. I probably asked about that here but got nowhere.

If the systems have different HW, the physical devices will have different names and the configuration won't carry over seamlessly.
It's one of the reasons why I use OPN under proxmox and now use the bridges (versus passthrough). The vtnetX can be used on both systems.
This said, moving the config only requires a find/replace otherwise. I did that when I moved from passthrough to bridges.

Using WAN on a private network requires a couple of tweaks (bogons & reply-to).

If you only have 1 NIC, VLANs seem unavoidable.
The USB NIC might be sufficient for an experiment to work around that aspect. I never used one with a router...
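The find/replace of physical device names that EricPerl describes above (and in his first reply) can be scripted against the exported config.xml. The block below is an added example written for this thread; it is not code from the forum posts or from OPNsense itself. It rewrites every `<if>` element listed in a mapping and then reports any old name that still appears anywhere else in the file, which is the check you want before importing on the new box. The sample config, the Hyper-V device names (hn0, hn1) and the target names (igc0, igc1) are constructed for the example; read the real names off the new install's console or assignment menu and compare the layout against your own export before trusting the result.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OPNsense config.xml export. Only the
# parts that carry device names are included. Hyper-V's synthetic NIC shows up
# in FreeBSD as hn0/hn1; a 2.5G Intel port on the target box is assumed to be
# igc0/igc1 (assumption for the example, verify on your hardware).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan>
      <enable>1</enable>
      <if>hn0</if>
      <descr>WAN</descr>
      <ipaddr>dhcp</ipaddr>
    </wan>
    <lan>
      <enable>1</enable>
      <if>hn1</if>
      <descr>LAN</descr>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <opt1>
      <enable>1</enable>
      <if>vlan0.10</if>
      <descr>IOT</descr>
    </opt1>
  </interfaces>
  <vlans>
    <vlan>
      <if>hn1</if>
      <tag>10</tag>
      <vlanif>vlan0.10</vlanif>
    </vlan>
  </vlans>
</opnsense>
"""

# Old (VM) device name -> new (physical box) device name. Constructed values.
IFACE_MAP = {"hn0": "igc0", "hn1": "igc1"}


def rewrite_interface_names(config_xml: str, mapping: dict):
    """Return (rewritten_xml, changed_count, leftovers).

    Every <if> element whose text is exactly an old device name gets the new
    name. VLAN children such as vlan0.10 are logical names derived from the
    parent <if> inside <vlans>, so they are left untouched. `leftovers` lists
    old names that still occur anywhere in the output (lagg members, notes,
    anything this script does not know about) so they can be inspected by hand.
    """
    root = ET.fromstring(config_xml)
    changed = 0
    for node in root.iter("if"):
        if node.text in mapping:
            node.text = mapping[node.text]
            changed += 1
    out = ET.tostring(root, encoding="unicode")
    # Match whole device names only: "hn1" must not match inside "vlan0.10"
    # or similar, so letters, digits, "_" and "." are treated as word chars.
    leftovers = sorted(
        old for old in mapping
        if re.search(r"(?<![\w.])" + re.escape(old) + r"(?![\w.])", out)
    )
    return out, changed, leftovers


def rewrite_file(src_path: str, dst_path: str, mapping: dict):
    """Rewrite a config.xml on disk; never overwrite the original export."""
    with open(src_path, encoding="utf-8") as fh:
        out, changed, leftovers = rewrite_interface_names(fh.read(), mapping)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + out)
    return changed, leftovers


if __name__ == "__main__":
    new_xml, n, left = rewrite_interface_names(SAMPLE_CONFIG, IFACE_MAP)
    print(f"renamed {n} <if> elements; unhandled old names: {left or 'none'}")
    print(new_xml)
```

Run it against a copy of the export, then look at every name in `leftovers` before importing: a non-empty list means the file references a device somewhere other than an `<if>` element and that spot needs a manual edit.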


Quote from: verfluchten on March 13, 2025, 12:00:11 AM
One gotcha that I learned was that I could not restore a config saved from one installation, to another installation. I probably asked about that here but got nowhere.

Big thanks. I will definitely look into that. That's one of those little things that can stop the entire project.

March 13, 2025, 01:14:53 PM #6 Last Edit: March 13, 2025, 01:17:58 PM by coffeecup25
Quote from: EricPerl on March 13, 2025, 02:56:03 AM
If the systems have different HW, the physical devices will have different names and the configuration won't carry over seamlessly.
It's one of the reasons why I use OPN under proxmox and now use the bridges (versus passthrough). The vtnetX can be used on both systems.
This said, moving the config only requires a find/replace otherwise. I did that when I moved from passthrough to bridges.

Using WAN on a private network requires a couple of tweaks (bogons & reply-to).

If you only have 1 NIC, VLANs seem unavoidable.
The USB NIC might be sufficient for an experiment to work around that aspect. I never used one with a router...



Thanks. If I go the laptop route, the 2x NAT and USB RJ45 will only be for testing. The final install will look very normal.

Today's project will be to see if anyone has migrated a VM install to actual hardware and not had showstopper issues reloading a backed up config.

Also, I saw a pfSense VM install into Hyper-V documented and it claims to use 2 virtual switches. Taking a closer look at that is another project before I start.

I transitioned from a prosumer router to OPN last fall. I had a bunch of VLANs already.
I merely added OPN on my existing network and migrated the VLANs one by one until only my core network was left on the old router.
I made the final switch on a morning when I was the only user. I don't even know if I had 10 minutes of downtime.

You can get a dual NIC mini-PC for $150 nowadays...

March 14, 2025, 03:41:44 PM #8 Last Edit: March 15, 2025, 02:12:41 PM by coffeecup25
Quote from: EricPerl on March 13, 2025, 08:33:55 PM
I transitioned from a prosumer router to OPN last fall. I had a bunch of VLANs already.
I merely added OPN on my existing network and migrated the VLANs one by one until only my core network was left on the old router.
I made the final switch on a morning when I was the only user. I don't even know if I had 10 minutes of downtime.

You can get a dual NIC mini-PC for $150 nowadays...

Thank you.

VLANs over-complicate a simple situation. Hyper-V Virtual Switches should do the job. It's only temporary and also only a hobby fun project, after all. A full laptop install on a spare laptop is my fallback. Also simpler.

I'll be using a different subnet for the 2xNAT. Which reminds me that all my static IPs will need to be reset after I install the config into my 5-port PC / router. I hope OPNsense makes it easy.

Since that router gives me 3 ports I'm not currently using, my next project may be to set one up with a different subnet. Easier than a VLAN and all in one device. I can tie a different Access Point into the 2nd subnet.

Edit: After writing about address reservations, I realized a gotcha. If I change the subnet range before the final install, it either won't let me since reservations are there or it will wipe out all the reservations, making me re-enter them again. Years ago on pfSense I accidentally changed the LAN subnet on the console screen and doing that cleared all my reservations. I had to enter them again.

The solution: Create a 2x wide subnet range that's 1 off from my existing one. It will hold a max of 512 devices rather than 256. Enter the new ones in the one-off range. After testing, change all the reservations to the correct number. After no devices exist in that one-off range, then close the range back to the proper one or simply leave it alone since the excess numbers can be easily ignored. An online subnet calculator can give me the details I will need.

Using a new subnet range is a possibility but that means I will have to change some nightly backups that depend on LAN IP numbers to know where to go.
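The "2x wide, 1 off" range from the post above, worked through as an added example (not from the thread and not OPNsense's own tooling) with Python's standard ipaddress module; the LAN and the reservations are constructed values. It shows the detail an online calculator would give you: the /23 that contains a /24 is fixed by alignment, so for 192.168.1.0/24 the extra half is 192.168.0.0/24 and not 192.168.2.0/24, while for 192.168.0.0/24 it is 192.168.1.0/24. The `stragglers` check is the test to run before narrowing the range back to the proper /24.

```python
import ipaddress

# Constructed example values: the current LAN and a few reserved addresses.
EXISTING_LAN = "192.168.1.0/24"
RESERVATIONS = {
    "nas": "192.168.1.10",
    "printer": "192.168.1.20",
    "ap": "192.168.1.30",
}


def widened_plan(lan, reservations):
    """Return (supernet, spare_half, temporary_map).

    supernet: the range one bit wider than `lan` (512 addresses for a /24).
    spare_half: the neighbouring half of that supernet that holds no current
                devices, i.e. the "one-off" range for the test install.
    temporary_map: each reservation moved to the same host offset in the
                   spare half, so .10 stays .10 and only the third octet moves.
    """
    lan = ipaddress.ip_network(lan)
    supernet = lan.supernet(prefixlen_diff=1)
    halves = list(supernet.subnets(prefixlen_diff=1))
    spare = halves[1] if halves[0] == lan else halves[0]
    temp = {}
    for name, addr in reservations.items():
        addr = ipaddress.ip_address(addr)
        if addr not in lan:
            raise ValueError(f"{name}: {addr} is not inside {lan}")
        offset = int(addr) - int(lan.network_address)
        temp[name] = spare.network_address + offset
    return supernet, spare, temp


def stragglers(lan, addresses):
    """Addresses that would fall outside `lan`: must be empty before the
    range is narrowed back, otherwise those devices lose their reservation."""
    lan = ipaddress.ip_network(lan)
    return sorted(a for a in map(ipaddress.ip_address, addresses) if a not in lan)


if __name__ == "__main__":
    supernet, spare, temp = widened_plan(EXISTING_LAN, RESERVATIONS)
    print(f"wide range: {supernet}  (spare half: {spare})")
    for name, addr in temp.items():
        print(f"  temporary reservation for {name}: {addr}")
    left = stragglers(EXISTING_LAN, temp.values())
    print(f"still outside {EXISTING_LAN}: {[str(a) for a in left]}")
```

The offset-preserving move keeps the final step mechanical: once testing is done, each reservation goes back to its original address and `stragglers` returning an empty list confirms the /24 can be restored without losing anything.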

Additional LANs or VLANs are not that different. As long as you can throw HW at the problem, physical isolation is fine.
For example, with a 4-port router, that's 3 LANs max.

It just was not possible for me. The physical wiring of my house is way too constraining.
My only HW requirement was VLAN aware switches and AP.

Quote from: EricPerl on March 15, 2025, 02:03:28 AM
Additional LANs or VLANs are not that different. As long as you can throw HW at the problem, physical isolation is fine.
For example, with a 4-port router, that's 3 LANs max.

It just was not possible for me. The physical wiring of my house is way too constraining.
My only HW requirement was VLAN aware switches and AP.

I understand completely. A VLAN is a great thing when you need one. It can solve a lot of problems quickly.