Having trouble with setup

Started by ironuckles, March 24, 2025, 04:18:45 AM

Hello,
I have installed and am setting up a new OPNsense router on Protectli FW4C hardware. My upstream ISP is Google Fiber.
Overall I can get through setup and installation and get to a point where I am on the GUI. However, here is where I am stuck. I cannot get the firewall to let me pass through no matter what I do. I have outbound NAT set to auto and disabled DNSSEC. I am connecting via ethernet cable to a desktop and can load the GUI portal just fine on 192.168.1.1.
Now if I boot into console and go to shell, I can ping 1.1.1.1 just fine. But from the LAN I cannot. Only 192.168.1.1 is pingable. The WAN blocks all outbound traffic from LAN.
Here is what the interfaces say from console:

```
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
              v6/DHCP6: [elided]
```

I know there must be an issue with the WAN outbound NAT but I am lost about how to debug this. I just have the auto setting for outbound NAT. I saw some posts on forums suggesting I should configure manual rules but I have no idea how to go about that or what they should point to. Any advice?

March 24, 2025, 06:00:27 AM #1 Last Edit: March 24, 2025, 06:02:29 AM by passeri
Your IP ranges are not distinguished. They are in the same range, 192.168.1.0/24

Did you choose specifically during configuration to set up WAN on igc0, LAN on igc1? By default they are the other way around.

I suggest you leave everything else, such as NAT, as defaults until you resolve the above.
Deciso DEC697
+crowdsec +wireguard

There's no way OPN is getting an RFC1918 IP via DHCP for WAN from an ISP, especially something as common as 192.168.10/24, unless OPN was deployed behind an existing router, which is probably what's happening here.
As is, a separate range should definitely be used on the LAN. Other settings should be changed as well (disable block private/bogons on WAN).

An alternative is to remove the edge router or switch it into bridge mode.

Tangential to the above posts: I was bored enough to look at GFiber Self-Install Kits - most utilize a Google-supplied router. One ("Use Your Own Router") indicates a direct option via a "Google Fiber Jack". Heh. The connectivity instructions? Plug your router's Ethernet into the "fiber jack" and "Follow the router manufacturer's instructions to get set up." How helpful. A service description so concise it eliminates all technical detail. And they pay folks to write this stuff.

So for an OPNsense setup, I'd get the "use my own router so gimme a fiber jack" setup. Then I'd (as necessary) 1) Try DHCP; 2) search the Internet for an actual service description; 3) call Google. But all of that's up to the user, of course. Actual users of Google Fiber should be more helpful, I imagine.

Quote from: passeri on March 24, 2025, 06:00:27 AM
Your IP ranges are not distinguished. They are in the same range, 192.168.1.0/24

Did you choose specifically during configuration to set up WAN on igc0, LAN on igc1? By default they are the other way around.

I suggest you leave everything else, such as NAT, as defaults until you resolve the above.

According to Protectli, the interface ending in zero is the WAN. I'm also able to connect to the web GUI through a connection on the LAN port so I think the assignments are correct.

Quote from: EricPerl on March 24, 2025, 08:43:13 PM
There's no way OPN is getting an RFC1918 IP via DHCP for WAN from an ISP, especially something as common as 192.168.10/24, unless OPN was deployed behind an existing router, which is probably what's happening here.
As is, a separate range should definitely be used on the LAN. Other settings should be changed as well (disable block private/bogons on WAN).

An alternative is to remove the edge router or switch it into bridge mode.

Google claims their router cannot run the default wireless network and operate in bridge mode at the same time, so I don't think that will work for my use case. My intention here is to have this network live behind my ISP's router, not to replace the ISP equipment. I had the same setup work in a previous location with a different ISP and I don't remember ever having to mess around with the ISP's equipment to get it to work.

Would setting the LAN range to something that doesn't overlap with 192.168.1.0/24 work? Or will this have the same problem?

Quote from: ironuckles on March 26, 2025, 03:19:04 AM
According to Protectli, the interface ending in zero is the WAN. I'm also able to connect to the web GUI through a connection on the LAN port so I think the assignments are correct.
Your IP assignments as described are incorrect or else they are not as described.

Your final sentence to EricPerl touches on this. If your ISP router is distributing 192.168.1.1/24 then change your LAN IP range away from that. Bridging the ISP router might be better but that is not a current problem. Your described IP ranges are.

The LAN subnet is yours to configure (best to stick with RFC1918 ranges) on either router.
But they can NOT overlap.

If you intend to use Wi-Fi on the edge router and need machines on the internal router LAN to access these Wi-Fi devices, then you'll need to disable Reply-to in OPN.
You realize that you're adding a 2nd level of NAT with that setup, right?
As long as you only deal with outbound traffic, that's only a small performance hit.

If the goal is to reuse the Wi-Fi of the ISP router, the other option is to use OPN at the edge and convert the ISP router into a pure Wi-Fi access point.

Quote:
Your IP assignments as described are incorrect or else they are not as described.

Am I not reading this correctly?

```
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
              v6/DHCP6: [elided]
```


```
Model   WAN   LAN   OPT1   OPT2   OPT3   OPT4
FW4C   igc0   igc1   igc2   igc3   N/A   N/A
```

Responding to the rest of the comments:

Yes, sounds like I do need to define an IP range for the OPNsense firewall to use. Unfortunately it doesn't seem I can easily go to bridge mode on the ISP router since this would mean I have to disable their Wi-Fi (and thus incur the wrath of my household co-inhabitants). So I think I am okay with going to a double NAT solution, which I know is not ideal. Performance is not that important for my use case.

My plan is to have [ISP router] -> [OPNsense firewall] -> [openWRT access point]. I plan to then connect my personal devices to the openWRT AP wi-fi. My overall goal is to be able to put a VPN on the OPNsense firewall so I can protect anything that connects to the openWRT AP.

Would this be possible if I just set the OPNsense firewall LAN to use 10.0.0.0/24 for example? Then there would be no overlap with the ISP router's range? If I understand correctly, then that would mean that for example, a device connected to the OPNsense firewall's LAN would receive some 10.0.0.X address. Since this does not fall under 192.168.0.0/24 range, the firewall would allow it to go out to public internet? Or would I need some specific outbound NAT to make that work?

Thank you very much for your time and attention.

There are subnet calculators out there, even though it's pretty simple in your case.
/24 CIDR is equivalent to 255.255.255.0 subnet mask.
You can clearly see that both LAN and WAN end up with a common address 192.168.1.0/24 (same range). Both interfaces would end up with the same route.

192.168.2.0/24 is sufficient. Any 10. subnet will obviously work too.

I'm not sure what kind of protection you expect to get out of a VPN on OPN.
And the perf impact of double NAT will be the least of your concern at that point.

Explaining slightly differently, any address A.B.C.x/24 falls in the same subnet regardless of the value of x. Simply changing the value of C, as suggested, will suffice as will changing A as you propose, staying within RFC1918. Playing with a couple of the different subnet calculators on the web, with different presentations, is quite useful for understanding IPv4 addressing. 
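The overlap the replies above keep pointing at (passeri's first reply and the subnet explanation just before this) is mechanical to check. The following is an added example, not code from the thread or from OPNsense: it parses console interface lines in the format the original post shows, reports any two interfaces whose networks overlap (the LAN/WAN collision that left the WAN with the same route as the LAN), and proposes the first RFC1918 /24 that does not collide with the upstream router's subnet. The console text is the constructed sample from the post (IPv6 elided); the line regex, the function names and the "prefer 10.0.0.0/8 first" ordering are assumptions of this example, not OPNsense behaviour.

```python
"""
Added example (not part of the OPNsense forum thread or the OPNsense project):
detect LAN/WAN subnet overlap from console-style interface lines and pick a
non-overlapping RFC1918 LAN subnet. Line format and function names are assumed.
"""
import ipaddress
import re

# Constructed sample: the interface summary from the original post (v6 line elided).
CONSOLE_OUTPUT = """\
LAN (igc1) -> v4: 192.168.1.144/24
OPT1 (igc2) ->
OPT2 (igc3) ->
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
"""

# Constructed sample: the same box after moving the LAN to 10.0.0.1/24.
CONSOLE_OUTPUT_FIXED = """\
LAN (igc1) -> v4: 10.0.0.1/24
WAN (igc0) -> v4/DHCP4: 192.168.1.169/24
"""

# Assumed line shape: "<NAME> (<dev>) -> v4[/DHCP4]: <addr>/<prefix>"; interfaces
# with no v4 address (OPT1, OPT2 above) match with an empty 'cidr' group.
_LINE_RE = re.compile(
    r"^(?P<name>\w+)\s+\((?P<dev>\w+)\)\s+->\s*"
    r"(?:v4(?:/DHCP4)?:\s*(?P<cidr>[\d.]+/\d+))?"
)

# Private ranges from RFC 1918; order decides which candidate is offered first.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_interfaces(text):
    """Return {name: IPv4Interface} for every interface line carrying a v4 address."""
    result = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m and m.group("cidr"):
            result[m.group("name")] = ipaddress.ip_interface(m.group("cidr"))
    return result


def overlapping_pairs(ifaces):
    """Sorted name pairs whose networks overlap; any hit means two interfaces
    claim the same route, which is exactly the LAN/WAN situation in the thread."""
    names = sorted(ifaces)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                pairs.append((a, b))
    return pairs


def pick_lan_subnet(taken, prefix=24):
    """First RFC1918 /prefix that overlaps none of the networks in `taken`
    (strings or ip_network objects). Returns None if every candidate is used."""
    taken = [ipaddress.ip_network(t) for t in taken]
    for block in RFC1918:
        for cand in block.subnets(new_prefix=prefix):
            if not any(cand.overlaps(t) for t in taken):
                return cand
    return None


def plan(text):
    """(conflicts, lan_network): keep the current LAN if it is clean, otherwise
    propose a LAN subnet that stays clear of every WAN-side network."""
    ifaces = parse_interfaces(text)
    conflicts = overlapping_pairs(ifaces)
    if not conflicts:
        return conflicts, ifaces["LAN"].network
    upstream = [ifaces[n].network for n in ifaces if n != "LAN"]
    return conflicts, pick_lan_subnet(upstream)


if __name__ == "__main__":
    for sample in (CONSOLE_OUTPUT, CONSOLE_OUTPUT_FIXED):
        conflicts, lan = plan(sample)
        print("conflicts:", conflicts or "none", "| LAN should be:", lan)
```

Run it with the box's actual console output pasted into `CONSOLE_OUTPUT`; a non-empty `conflicts` list is the signal that no amount of outbound NAT tuning will help until the LAN is renumbered. The proposal comes out of 10.0.0.0/8 first only because of the `RFC1918` ordering; 192.168.2.0/24, as suggested in the thread, would pass the same overlap test.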

I was able to get this working by changing the LAN to use 10.0.0.1/24. Thanks! I realize I was making some stupid newbie mistakes. I'm learning.

As for why I would want to use a VPN on the OPN device, I don't like having to run individual VPN applications on my devices at home. I like to use a home firewall to put all my home network behind VPN for privacy reasons. I also plan to eventually self-host services and run a VPN that I can use to connect into my home network.

Thank you for the guidance.

I guess you trust your VPN provider more than your ISP...

Running a VPN server on your internal router will still work. You will have to port forward from the edge router.