NEED HELP WITH OPNSENSE CONFIG (Modem > OPNsense firewall > managed switch > OpenWrt AP)

Started by iwanttolearn, January 17, 2026, 04:19:06 PM

Hi everyone.

I'm trying to install an OPNsense firewall for about 1 and a half years now without success. I have wasted countless hours trying and watching all YT content without success. Both HomeNetworkGuy's 2025 and old guides, Sheridan Computers videos, you name it. I don't even know why and what I'm doing wrong. Last year at New Year's Eve I finally had an IP lease but I noticed it after restarting the firewall appliance. The setup goes like this: modem > (Protectli) OPNsense firewall > (Zyxel) managed switch > OpenWrt AP. I don't know if I'm doing it wrong on the OPNsense firewall, the Zyxel managed switch or on the OpenWrt AP I'm configuring.

Can someone help me out with this task since I tried by myself for about a year now and can't pull it off. I'm using the GUI (NO COMMAND LINE) to do it.

How is your Internet uplink supposed to work? DHCP? PPPoE? That information can come from your ISP only. Or from examining a working device if you have access to its admin UI.

You must know this upfront or no YT video is going to help you. There are settings very specific to your ISP and the "Internet" product you rented alone.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have PPPoE if I'm not wrong. On the site it said:

Annex: A
Mode: PPPoE.

Side question.
Is it a must to be connected to the internet to configure OPNsense and get an IP lease?

What do you mean by "connected to the Internet"? To make OPNsense your Internet router and firewall of course you need to connect OPNsense's WAN port to the modem. Then you connect your switch to OPNsense's LAN port and your PC to the switch.

Your PC should get an IP address from OPNsense's default LAN range 192.168.1.x. You should be able to connect to the OPNsense UI at address 192.168.1.1 with your browser and login.

Then you follow the well documented procedure to set up a PPPoE link, using the username and password and potentially other information (VLAN?) you got from your ISP.

The documentation is here:

https://docs.opnsense.org/manual/how-tos/pppoe_isp_setup.html

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi Patrick

First of all thank you so much for the response. I hope you understand that it's all a bit new to me.

What I meant is that I walked through all/as many of the steps of configuring the firewall as possible without having the modem installed yet or having it connected to the internet (keeping it offline), since cutting off internet at home for too long of a period might cause an uprising, heavy resistance and protest from kids and wife.

I followed this guide step by step: https://www.youtube.com/watch?v=fPP4UE6IuRc&pp=ygUXaG9tZW5ldHdvcmtndXkgb3Buc2Vuc2U%3D

And for the zyxel managed switch this guide: https://www.youtube.com/watch?v=2VHgZg5jFiM&pp=ygUsenl4ZWwgbWFuYWdlZCBzd2l0Y2ggZ3MgMTIwMC04IGNvbmZpZ3VyYXRpb24%3D

I followed it step by step; the only part I did not do from the start is the PPPoE and ISP credentials part. My thought was that I could do this part last so that I would not lose wifi connection from the ISP router I am connected to now. But this shouldn't be necessary for a valid IP lease from the OpenWrt AP, right?

Also what I still don't get is if the switch and AP should be in the same IP range as the modem and OPNsense firewall. Meaning if the modem's IP address is let's say 192.168.1.1 and the firewall is 192.168.1.2, should the switch and AP also be at 192.168.1.3 and 192.168.1.4 or a different 192.168.1. IP?
I did it this way just to not complicate things more than they already are, but the switch recognizes the VLAN tags, not the IP addresses, right?

For starters, you have got a few problems here:

a. That video of the HomeNetworkGuy handles an internet connection with DHCP only, not with PPPoE - so, you cannot follow this from the very start. That is the problem with many of these video guides: They show one specific setup - in reality, every setup is different and you will have to know what you are doing.

b. Speaking of this, the question you ask about IPs clearly shows that you have little to no networking skills. Different networks (like WAN with the modem and LAN with your switch and/or AP) not only have different IPs, but even different IP ranges. So, you cannot have 192.168.1.1 for the modem, 192.168.1.2 for OPNsense WAN and also 192.168.1.x for anything that connects to your LAN (like the switch and AP). Besides that, OPNsense has an IP for every interface, say 192.168.2.1 for LAN.

c. If you aim to learn while your regular network does not get interrupted, you should consider using OPNsense behind your ISP router first. That way, you can try out these things. However, that is what is called a "router-behind-router" scenario, which in some ways is even harder to understand than a normal setup.

You could start with this post for hints and the official OPNsense docs, I do not recommend YT videos or AI to learn this. YT videos cannot cover every variant, like you see, and AI is wrong most of the time.

However, you will find that it may take you serious time to learn the skills to master this. OPNsense is a professional tool, not your average consumer appliance.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
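
The addressing rule from point b above, as an added example (not part of any post in this thread and not OPNsense code): a small checker that flags overlapping interface subnets and devices whose address falls outside the network they are plugged into. The LAN interface address 192.168.1.5 in the flat plan and the static WAN subnet toward the modem are constructed assumptions for illustration; on a PPPoE link the WAN address is assigned by the ISP.

```python
import ipaddress

def check_plan(interfaces, hosts):
    """interfaces: {name: "address/prefix"} for each firewall interface.
    hosts: {device: (interface_name, "address")} for attached devices.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    ifs = {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}

    # Rule 1: no two firewall interfaces may sit in overlapping IP ranges,
    # otherwise the firewall cannot decide which side a destination is on.
    names = sorted(ifs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifs[a].network.overlaps(ifs[b].network):
                problems.append(f"{a} {ifs[a].network} overlaps {b} {ifs[b].network}")

    # Rule 2: every device must be inside the subnet of the interface it is
    # connected to, and no address may be used twice.
    used = {iface.ip: f"{name} interface" for name, iface in ifs.items()}
    for host, (segment, addr) in hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in ifs[segment].network:
            problems.append(f"{host} {ip} is outside {segment} {ifs[segment].network}")
        if ip in used:
            problems.append(f"{host} {ip} duplicates {used[ip]}")
        used[ip] = host
    return problems

# Constructed sample: the flat plan from the question (everything in 192.168.1.x).
FLAT = check_plan(
    {"WAN": "192.168.1.2/24", "LAN": "192.168.1.5/24"},
    {"modem": ("WAN", "192.168.1.1"),
     "switch": ("LAN", "192.168.1.3"), "ap": ("LAN", "192.168.1.4")})

# Constructed sample: separate ranges, using 192.168.2.1 for LAN as in point b.
SPLIT = check_plan(
    {"WAN": "192.168.1.2/24", "LAN": "192.168.2.1/24"},
    {"modem": ("WAN", "192.168.1.1"),
     "switch": ("LAN", "192.168.2.3"), "ap": ("LAN", "192.168.2.4")})

if __name__ == "__main__":
    print("flat plan:", FLAT or "ok")
    print("split plan:", SPLIT or "ok")
```

The second rule also catches a switch or AP left on a static address from an old range after the LAN range changed, which is one reason to leave those devices on DHCP.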

Adding to @meyergru - first and foremost, do you *have* the information from your ISP at all?

- username
- password
- VLAN if applicable

You need this. There is no way to configure a working Internet connection without this information.

Apart from that: your AP as well as your switch should get their IP addresses via DHCP and be connected to the OPNsense LAN interface. Switch to OPNsense LAN, AP and all wired PCs to switch. The AP must be configured in "AP" or "bridge" mode. If the AP is in itself a router and firewall with NAT you won't have much fun. The general idea is for OPNsense to control all aspects of the network.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi meyergru

Thank you so much for the clarity! Now I at least know that I was going in the wrong direction and trying to do the impossible. Also for the tips. I really appreciate it. I'll try and follow the guides you and Patrick posted instead of the videos and AI. Too bad for me because the videos made everything so much more simple and easy.

As I already confessed from the beginning I'm kind of new to this all (especially OPNsense) and well aware it's for pros, but I really want to learn my way around it so I can replace what I have now. Besides, I have too many hours invested already to just quit and give up now.

Do you have any more tips or references to good resources I should check out that could help me on this journey?


Hi Patrick

Yes, I have the following information from my ISP:

- Annex
- Mode: PPPoE
- VLAN
- PPP authentication
- username
- password

Your AP as well as your switch should get their IP addresses via DHCP and be connected to the OPNsense LAN interface: Yes, correct, I have this configured. I meant the local IP address to get to the login portal.

The AP must be configured in "AP" or "bridge" mode: This also I'm well aware of and was a real pain in the ass to get my head around on OpenWrt since I'm accustomed to DD-WRT and in OpenWrt it's kind of different since they want you to construct/configure the whole bridge from scratch by yourself.

The general idea is for OPNsense to control all aspects of the network: Yes, this is what drew my attention and why I want to learn how to use it. I have always been accustomed to doing this all in the router itself.

Quote from: iwanttolearn on January 18, 2026, 10:27:26 PM
Yes, correct, I have this configured. I meant the local IP address to get to the login portal.

The local IP address of OPNsense is 192.168.1.1 and you should leave it at that at least first. Or do you mean any other login portal? Also this is simply the OPNsense configuration UI. Users of the network do not need to login to any portal. At least in the default setup. A captive portal *can* be added if you think you need one.

OPNsense is 192.168.1.1

All other devices should be set to DHCP configuration. They will then receive an IP address that matches OPNsense so all devices can communicate.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Understood.

Is there any specific reason why I should leave it at 192.168.1.1?

And if I already changed it to something else, should I leave it, do a reset or put it back to 192.168.1.1?

All other devices should be set to DHCP configuration: Isn't this what the HomeNetworkGuy also talks about in this video? Is that part and the part where he creates the firewall rules valid or should I disregard the whole video?

If you change the IP address of OPNsense you also need to change a whole lot of other advanced stuff like the configuration of the DHCP service. And possibly connect your PC manually without DHCP before you can adjust it. Which implies that you know how all of this works.

I am not wasting my time watching youtube videos, sorry. Everything one needs to know is in the documentation and help about network fundamentals can be got from this forum.

- start with a fresh default installation
- connect a PC to LAN
- make sure you can reach the UI at 192.168.1.1
- connect WAN
- configure WAN via the UI

--> if you did the last step correctly, your PC and your OPNsense now have Internet access, everything runs on secure defaults, you are essentially done.

*Then* disconnect your PC, connect a switch to LAN, connect PC and all wired devices to switch --> boom, all wired devices now have Internet in a secure manner.

*Then* connect an AP in bridge with a reasonably secure WPA3 password --> boom, all wireless devices now have Internet in a secure manner.

You do not need to change *any* IP address, *any* firewall rules, *anything* but the root password and the WAN configuration for your ISP.

Nothing, niente, nada. Whatever these youtubers are recommending must be a whole lot of BS - a "factory new" OPNsense needs exactly the WAN setup and nothing else.

I hope that clears it up - not your fault.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Wait. So you want to tell me that the OPNsense firewall comes secure out of the box? Are you sure about that? No need to segment/isolate VLANs etc. like they show in the videos? I mean even on the router I have now I have some firewall rule settings and other stuff changed to make it (for what that is worth) more secure.

Or are you just giving me the basis of how to make my setup work so I can start building from there?

I am giving you the basics of a secure setup with a single LAN network. Why would that be insecure? OPNsense comes like this out of the box.

If you have devices that you want to isolate from your trusted LAN - ok. But that comes *after* establishing the fundamentals work.

There are millions of households all over Europe (mainly Germany) with a single LAN behind a product called "Fritzbox" connected to a DSL, cable or fibre uplink. They work, they are secure, because while being a consumer router this product comes with sane defaults and very (and I mean *very*) long term support and security updates.

A factory default OPNsense is essentially the same - you get to pick the hardware and you get way more features you can explore after you get the fundamentals working. But out of the box it's simply a perfectly secure device for a single network and a single uplink.

So, what makes you think you need VLANs? You said yourself you don't have much knowledge in networks, you are struggling to make even a basic setup work - why would you need anything but a single network? How many devices do you have? Of which kind? Again: why do you want this if you (so far) cannot even get "Internet" working? There's nothing wrong with a handful of laptops, phones, tablets, a set-top box and a printer all connected to the same network. Far from it.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I understand.
Thanks for the info and the patience while explaining everything, Patrick. I don't know nor pretend to know everything but I can only imagine the great annoyance I cause you and those who do. (;

If you are really interested or curious about the why:
I wanted to install a NAS and started to watch and read what it would take to implement this in the household and ended up reading about having to put it on its own network etc. From there on, after some reading, I came to the conclusion that OPNsense would be best for the job and that's how I ended up here.

I am going to read the links posted in the comments and follow the instructions you gave me to see if I can get this all working. I'll let you know if I manage to set it up.