NOOB - OPNS on Protectli with modem in bridge mode not working

Started by sisu888, May 25, 2025, 04:33:22 AM

I truly have tried to research this but cannot figure out what the steps are to proceed.

I have a router/modem from the provider that they set into bridge mode.

The vault/OpnSense is in a default configuration except I set the WAN interface to allow private network traffic. But plugged directly into the LAN port on the vault I cannot see anything other than the vault.

Rather than a long text description I have attached a network diagram and a PDF file that has configuration screen shots for the modem and for the OPNSENSE config.

Any help would be greatly appreciated. I have a 2nd PDF file with additional configs from OpnSense but the attachment limit won't let me upload them. I suspect I can in response to a reply.

According to your diagram you get an IP from 192.168.1.0/24 from the Huawei modem on igc1 (WAN). And you set igc0 to 192.168.1.2/24 (LAN?). But the DHCP range is 192.168._2_.10-192.168._2_.245?

In general, you can't have the same subnet on WAN as on LAN. The router doesn't know where to send the traffic, WAN or LAN since they are the same.

On the other hand: the Huawei is in bridge mode you write, which would mean OPNsense gets a public IP.

Do you get a WAN IP at all (WAN IPv4 gateway -> *defunct*)? How are you supposed to get a WAN IP from your provider? Using PPPoE or directly?
Deciso DEC740

@patient0 is right, see this, point 1.

Your LAN interface should be using 192.168.2.1/24, the DHCP range would already fit that. Your WAN is set correctly to DHCP mode.

If you want to access the GUI of your modem, you can add a VIP of 192.168.1.2/24 to your WAN, not 192.168.1.1, because presumably, the latter is your modem's IP. You can then access this from your OpnSense, but for access from your LAN, you will need a specific outbound NAT rule.
That being said, I find 192.168.18.100 on the internet as the default address for these Huawei modems, so YMMV.

There is also a guide on this topic.

I urge you noobies to sift through the tutorial sections more often.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

@patient0 / @meyergru - Thank you for your replies.

1. Sincere apologies - Typo on my network diagram. The DHCP was set to subnet 192.168.1

@patient0 - Your points are well taken. I need to check how the modem is really functioning. Issue is that I am in Thailand and the technicians don't speak much English and I have been unable to figure out how to set up the bridge mode myself. My Thai is very basic but I am going to get them out here to work on it and try to figure out what is going on.

@meyergru - I did look but I did not see that specific guide. I am going through it now. Thank you for that. I will try to implement the VIP solution that you mention. I am also trying to find a manual for it but from Huawei it appears to be locked unless you have an account they recognize as being from a carrier. Anyway ... thank you ... let me try this stuff and I will get back to you.

Here are the other configs that I pulled from screen shots of the modem GUI (when I connect directly to the modem)

Your new network diagram still shows the same network on two different interfaces, namely 192.168.1.x/24. It won't work. If the modem's IP was 192.168.18.100, it might work with 192.168.18.1 as VIP on the WAN interface. If it is 192.168.1.1, you will have to renumber your LAN to another network.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
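
The addressing rules raised in the replies above (no shared subnet between WAN and LAN, a DHCP pool inside the LAN subnet, a WAN VIP in the modem's network but not on the modem's own address) can be checked mechanically. This is an added example, not part of any post in the thread; the function name, the 192.168.1.50 WAN lease and the 203.0.113.10 WAN address are constructed for illustration.

```python
import ipaddress

def check_plan(wan, lan, dhcp_pool, modem_ip=None, vip=None):
    """Return a list of problems found in a WAN/LAN addressing plan."""
    problems = []
    wan_if = ipaddress.ip_interface(wan)
    lan_if = ipaddress.ip_interface(lan)

    # Two connected routes for the same prefix: the firewall cannot tell
    # whether a destination lives on the WAN or the LAN side.
    if wan_if.network.overlaps(lan_if.network):
        problems.append(f"WAN {wan_if.network} overlaps LAN {lan_if.network}")

    # The DHCP pool must sit inside the LAN subnet and skip the LAN address.
    start, end = (ipaddress.ip_address(a) for a in dhcp_pool)
    if start not in lan_if.network or end not in lan_if.network:
        problems.append(f"DHCP pool {start}-{end} is outside LAN {lan_if.network}")
    elif start <= lan_if.ip <= end:
        problems.append(f"DHCP pool contains the LAN address {lan_if.ip}")

    # Optional WAN virtual IP used to reach the modem's GUI (needs modem_ip).
    if vip is not None:
        vip_if = ipaddress.ip_interface(vip)
        modem = ipaddress.ip_address(modem_ip)
        if modem not in vip_if.network:
            problems.append(f"VIP network {vip_if.network} does not contain modem {modem}")
        if vip_if.ip == modem:
            problems.append(f"VIP {vip_if.ip} collides with the modem address")
        if vip_if.network.overlaps(lan_if.network):
            problems.append(f"VIP network {vip_if.network} overlaps LAN {lan_if.network}")
    return problems

# Plan as first posted; the .50 WAN lease is a constructed sample value.
POSTED = dict(wan="192.168.1.50/24", lan="192.168.1.2/24",
              dhcp_pool=("192.168.2.10", "192.168.2.245"))
# Plan as suggested in the replies; the 203.0.113.10 WAN address is constructed.
SUGGESTED = dict(wan="203.0.113.10/24", lan="192.168.2.1/24",
                 dhcp_pool=("192.168.2.10", "192.168.2.245"),
                 modem_ip="192.168.1.1", vip="192.168.1.2/24")

if __name__ == "__main__":
    for name, plan in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(name, check_plan(**plan) or "ok")
```
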

Quote from: sisu888 on May 26, 2025, 02:13:04 AM
Here are the other configs that I pulled from screen shots of the modem GUI (when I connect directly to the modem)
I don't think your modem is in bridge mode. Bridge mode usually disables all router functionality, and in the screenshot in the PDF (attached below) Wifi seems enabled.

Additionally a VLAN seems needed to connect to WAN, VLAN 10 (TR069 or VLAN 33). I don't know what TR069 is, your provider should be able to clarify that.

Deciso DEC740

Just an update. Sorry for long delay I was very ill.

In the end, I hired someone on FIVERR and he talked me through and got it working by taking the modem out of Bridge mode and just using CLASS A private for the internal network and the default Class C private network on the modem. The fiber modems here are not great. They are old and the firmware isn't that easy to figure out and although I can get by in Thai, my ability is not to where I can have a troubleshooting dialog with a technician :-).

Thank you for your time and interest - it was helpful and pointed me in the right direction.

Out of curiosity - is there any particular advantage one way or the other to using bridge mode vs. router mode for the modems? My use cases have no super high bandwidth or latency requirements.

My next step is failover and load balancing. I will look through the tutorial section first.

Thanks to both patient0 and meyergru.

Anthony


Quote from: sisu888 on Today at 03:13:17 AM
Out of curiosity - is there any particular advantage one way or the other to using bridge mode vs. router mode for the modems

In router mode you get double NAT, the modem/router does NAT and OPNsense does NAT again.
The biggest drawback of that is you can't configure dynamic DNS if you want the OPNsense to be accessible from the outside. And for port forwarding (e.g. you want to host a public webpage on your own LAN) you have to configure it on the router/modem and the OPNsense, more complicated.

Using Tailscale/Netbird and similar you can work around some of that.

TL;DR: for simple everyday use, you making connections from your LAN to the world, it will work just fine.
Deciso DEC740

Just watch out, don't want to worry you unnecessarily but something to keep in mind in the future. If the modem allows, download and save your config.
I notice there is some TR69 reference in the screenshots. I worked a long time in Telecoms and can tell you what that is. It is a protocol used to standardise a way for ISPs to push firmware and configs to their customers' devices. The problem is when a badly configured push wipes out the configs and resets to factory/defaults.
So it might never materialise but won't hurt to have your settings saved if you need to reapply.