Question about setting up OPNsense with double nat

Started by diyordie, January 13, 2026, 12:32:09 PM

January 13, 2026, 12:32:09 PM Last Edit: January 13, 2026, 12:42:10 PM by diyordie
Hello opnsense users,

I'm quite new to networking and I want to get into self-hosting, so I read up on a few articles about it. As I want to expose open ports to the internet (primarily a static website, a mail server, and a VPN to access my network from outside) as well as secure the rest of the network when practicing pen testing with VulnHub boxes, for example, I decided to buy a NUC for a dedicated firewall, and after hearing about the pfSense drama I decided to go for OPNsense.

The issue is that I'm living in a houseshare with 4 other people and we share the same internet, so basically I don't want a huge downtime while setting up the needed hardware, and I want to provide them easy Wi-Fi access (at the moment guest Wi-Fi for their devices), so I am considering taking the double NAT route.

Considering the trouble which can come up, I have a few questions; for a visual map of the current network please see the diagram below.

At the moment the network behaves like this:

                  (192.168.2.x)
ISP -> ComboRouter (from ISP, with DHCP) -> Guest Wifi (for their devices and smartphones)
            /                    \
   UnmanagedSwitch            My laptop
     /       |        \
  MyPC   2+ ports   git/backup server (with wake on LAN)


My primary idea is to place the NUC between the combo router and my switch and enable port forwarding for the services mentioned above; the rest of the stack (i.e. git server/cloud/whatever) I want to access after logging into the VPN (if this is achievable with this setup).

So the questions are:

  • Will I be able to set up a VPN gate with double NAT? I am considering buying a domain, but I am also open to the Cloudflare tunnel option.
  • Am I okay with double NAT if I map the subnet from OPNsense / behind OPNsense to 192.168.0.x (or 192.168.1.x)?
  • As I don't want to spend money on another WAP for my laptop connection, I would log in from the guest Wi-Fi into the VPN to access the rest of the network (rsync/cloud, remote development, grabbing compiled packages, etc.), or is there another way around it?
  • Are there any other "noob traps" to watch out for when installing this setup?

If you want, I can provide more info about the ISP or the NIC I am considering buying (I'm not sure if this is flagged as advertisement and breaks the rules).

I'm happy to hear your considerations about this and hope I find a suitable solution with you, as I didn't find much information about double NAT and VPN access.

I say thank you in advance and happy coding!

p.s.
If the formatting of the thread is wrong please let me know, I'm not really used to posting on forums ^^
- tinker all day - achieve nothing -  no regrets after -

January 13, 2026, 02:29:22 PM #1 by mooh
If the ISP's combo router provides a way for the customer to add routes, you don't have to do double NAT. Define the networks your OPNsense should handle, add the OPNsense as router for these networks to the combo router's routing table. Then, add the necessary firewall rules to the WAN of your OPNsense and turn off NAT on it. Now, only the ISP router does NAT.

IPv6 doesn't need NAT. Just make sure the ISP router can delegate a prefix to OPNsense.

Today at 12:00:03 PM #2 by ludarkstar99
Hi diyordie, welcome to the OPNsense user forum.
I hope you have a great experience with OPNsense.

If the ISP-provided combo router does not allow the configuration of static routes, double NAT is not necessarily an issue. In this case, you can configure the DMZ on the ISP router to point to the firewall's WAN IP address. With this setup, all inbound traffic initiated from the Internet to your public IP will be forwarded to the firewall, while other devices connected directly to the ISP router (for example, via Wi-Fi) will remain outside the firewall's management.
- nothing broken, nothing missing;

Today at 12:01:40 PM #3 Last Edit: Today at 12:51:49 PM by diyordie
Quote from: mooh on January 13, 2026, 02:29:22 PM
If the ISP's combo router provides a way for the customer to add routes, you don't have to do double NAT. Define the networks your OPNsense should handle, add the OPNsense as router for these networks to the combo router's routing table.

No, unfortunately I am not able to do that. The only routing option I found in the manual is to force a connection to use DSL instead of 5G, even though the option isn't listed in the admin panel itself (I wonder why, though).

So I am pretty sure I have to take the double NAT way.
- tinker all day - achieve nothing -  no regrets after -

Quote from: ludarkstar99 on Today at 12:00:03 PM
Hi diyordie, welcome to the OPNsense user forum.
I hope you have a great experience with OPNsense.

If the ISP-provided combo router does not allow the configuration of static routes, double NAT is not necessarily an issue. In this case, you can configure the DMZ on the ISP router to point to the firewall's WAN IP address. With this setup, all inbound traffic initiated from the Internet to your public IP will be forwarded to the firewall, while other devices connected directly to the ISP router (for example, via Wi-Fi) will remain outside the firewall's management.

Within the admin panel there is no option/header called DMZ, but there is an option to do a so-called "port activation"/redirection. With this I am able to reroute a specific port/port range to another device's port/port range. As far as I understand it, I will need to do this for every service I want to be accessible from outside (in my case: webpage, VPN, and email in the future). Is my assumption correct?


I haven't tried out OPNsense yet, as I first want to do the research before buying equipment which would just lie around if not needed.
Worst case I'm gonna buy WAPs for the rest of the house, even though I don't see any need for their devices to be on "my network" (I would do an own VLAN for them anyway if I take the WAPs), as I think the firewall on the routers + a firewall on their devices should be enough?
- tinker all day - achieve nothing -  no regrets after -

Today at 12:28:34 PM #5 Last Edit: Today at 12:32:04 PM by ludarkstar99
Will I be able to set up a VPN gateway with double NAT?
Yes. As long as the ISP-provided combo router allows you to configure a DMZ or perform port forwarding to your firewall, this will work. OpenVPN, in particular, works very well in this type of setup and is usually the easiest option.

Am I okay with double NAT if my OPNsense LAN uses something like 192.168.0.x or 192.168.1.x?
Yes.


Since I don't want to buy an additional access point, I plan to connect my laptop to the ISP router's guest Wi-Fi and then use the VPN to access the rest of the network (rsync, cloud access, remote development, pulling compiled packages, etc.). Is this fine, or is there a better approach?
That's a perfectly valid and straightforward approach. The VPN will give you access to internal hosts and services without requiring complex port-forwarding rules.

-----
Regarding individual port forwarding: the behavior is exactly as you described. Port forwards expose only specific services, while the DMZ forwards all unsolicited inbound traffic to a single internal address (your firewall?).

Personally, I tend to use the DMZ approach. It allows the firewall to block unwanted connections centrally and provides data for my SIEM. That said, forwarding only specific ports is also perfectly fine and will work as expected.
- nothing broken, nothing missing;

So after digging a bit more into my/our specific router type (a Speedport Smart 4 [a terrible kind for networking, as I just found out]), I wonder if it's possible to use the router's IP as the default gateway within the OPNsense config and use port forwarding to redirect the ports I want to expose? In some other forum I read to just forward all ports to the firewall (to kind of imitate a DMZ), but then I think all the other devices connecting to the Internet will have a hard time (especially one housemate, as she likes online gaming). Is this correct?
- tinker all day - achieve nothing -  no regrets after -
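As an added illustration of the two replies above (port forwards versus a DMZ host on the ISP router, and the subnet question), here is a small Python model of the double-NAT chain. It is example code written for this page, not code from the thread, from OPNsense or from the Speedport firmware, and it only models the decision each hop makes for unsolicited inbound packets. All addresses are assumed for illustration: public IP 203.0.113.5, ISP router LAN 192.168.2.0/24, OPNsense WAN 192.168.2.10, OPNsense LAN 192.168.1.0/24 with a web server at 192.168.1.20 and OpenVPN on udp/1194 on the firewall itself.

```python
"""Trace unsolicited inbound packets through an ISP combo router and an OPNsense
box behind it (double NAT), in 'port forward' mode and in 'DMZ host' mode.
Added example; addresses and services are assumptions, not from the thread."""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Set, Tuple

Key = Tuple[str, int]  # (protocol, destination port)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Forward:
    proto: str
    port: int
    target_ip: str
    target_port: int


@dataclass
class IspRouter:
    """Consumer router: an explicit port forward wins, otherwise the DMZ host gets
    the packet, otherwise it is dropped. Reply traffic for connections the housemates
    opened themselves matches the router's NAT state table before any of this,
    so neither mode touches their outbound sessions."""
    public_ip: str
    forwards: List[Forward] = field(default_factory=list)
    dmz_host: Optional[str] = None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_ip != self.public_ip:
            return None
        for f in self.forwards:
            if (f.proto, f.port) == (pkt.proto, pkt.dst_port):
                return Packet(pkt.proto, f.target_ip, f.target_port)
        if self.dmz_host is not None:
            return Packet(pkt.proto, self.dmz_host, pkt.dst_port)
        return None


@dataclass
class Opnsense:
    """OPNsense: a NAT port forward (with its auto-generated pass rule) sends the
    packet to a LAN host; a WAN pass rule lets a local service such as OpenVPN
    answer; anything else is blocked and logged on WAN (that log is the SIEM feed)."""
    wan_ip: str
    wan_pass: Set[Key] = field(default_factory=set)
    local_services: Set[Key] = field(default_factory=set)
    forwards: List[Forward] = field(default_factory=list)

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.dst_port)
        if pkt.dst_ip != self.wan_ip:
            return "dropped at OPNsense WAN (not addressed to the WAN IP)"
        for f in self.forwards:
            if (f.proto, f.port) == key:
                return f"delivered to {f.target_ip}:{f.target_port}"
        if key in self.local_services and key in self.wan_pass:
            return f"delivered to OPNsense service {pkt.proto}/{pkt.dst_port}"
        return "blocked and logged at OPNsense WAN (no matching rule)"


def trace(isp: IspRouter, fw: Opnsense, pkt: Packet) -> str:
    """Follow one packet from the Internet through both hops."""
    hop = isp.inbound(pkt)
    if hop is None:
        return "dropped at ISP router (no port forward, no DMZ host)"
    return fw.inbound(hop)


def lan_subnets_ok(isp_lan: str, opnsense_lan: str) -> bool:
    """Noob-trap check: the OPNsense LAN must not overlap the ISP router's LAN,
    because that LAN is OPNsense's WAN side."""
    return not ip_network(isp_lan).overlaps(ip_network(opnsense_lan))


def build(mode: str) -> Tuple[IspRouter, Opnsense]:
    """'forward': per-service forwards on the ISP router ("port activation");
    'dmz': every unsolicited packet is handed to OPNsense's WAN IP."""
    fw = Opnsense(
        wan_ip="192.168.2.10",
        wan_pass={("udp", 1194)},        # WAN rule allowing OpenVPN
        local_services={("udp", 1194)},  # OpenVPN runs on the firewall itself
        forwards=[Forward("tcp", 443, "192.168.1.20", 443)],  # web server on LAN
    )
    if mode == "forward":
        isp = IspRouter("203.0.113.5", forwards=[
            Forward("tcp", 443, fw.wan_ip, 443),
            Forward("udp", 1194, fw.wan_ip, 1194),
        ])
    elif mode == "dmz":
        isp = IspRouter("203.0.113.5", dmz_host=fw.wan_ip)
    else:
        raise ValueError(mode)
    return isp, fw


if __name__ == "__main__":
    for mode in ("forward", "dmz"):
        isp, fw = build(mode)
        for pkt in (Packet("tcp", "203.0.113.5", 443),
                    Packet("udp", "203.0.113.5", 1194),
                    Packet("tcp", "203.0.113.5", 22)):
            print(f"{mode:8s} {pkt.proto}/{pkt.dst_port}: {trace(isp, fw, pkt)}")
    print("subnets ok:", lan_subnets_ok("192.168.2.0/24", "192.168.1.0/24"))
```

Running it shows the practical difference: with per-port forwards, a probe to tcp/22 dies silently at the ISP router, while with the DMZ host the same probe reaches OPNsense and is blocked and logged there, which is the central-logging argument made above. In both modes tcp/443 still lands on the LAN web server and udp/1194 on the firewall's own OpenVPN, and housemates' own outbound connections (including games) are unaffected because the ISP router matches their NAT state before consulting forwards or the DMZ host. The subnet check is the one configuration mistake that breaks everything regardless of mode.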

Today at 12:37:58 PM #7 Last Edit: Today at 12:49:37 PM by diyordie
Quote from: ludarkstar99 on Today at 12:28:34 PM
Will I be able to set up a VPN gateway with double NAT?
Yes. As long as the ISP-provided combo router allows you to configure a DMZ or perform port forwarding to your firewall, this will work. OpenVPN, in particular, works very well in this type of setup and is usually the easiest option.

Am I okay with double NAT if my OPNsense LAN uses something like 192.168.0.x or 192.168.1.x?
Yes.


Since I don't want to buy an additional access point, I plan to connect my laptop to the ISP router's guest Wi-Fi and then use the VPN to access the rest of the network (rsync, cloud access, remote development, pulling compiled packages, etc.). Is this fine, or is there a better approach?
That's a perfectly valid and straightforward approach. The VPN will give you access to internal hosts and services without requiring complex port-forwarding rules.

-----
Regarding individual port forwarding: the behavior is exactly as you described. Port forwards expose only specific services, while the DMZ forwards all unsolicited inbound traffic to a single internal address (your firewall?).

Personally, I tend to use the DMZ approach. It allows the firewall to block unwanted connections centrally and provides data for my SIEM. That said, forwarding only specific ports is also perfectly fine and will work as expected.

First of all, thank you for your answers and your time :)
With those answers I'll happily take the next steps and order a NUC (I'm planning to go N100, as I heard the N150 is not really worth it). I guess now it'll be time for tinkering, even though I will leave this thread unsolved for a couple of days in case any other opinions come in! ':D

- tinker all day - achieve nothing -  no regrets after -