If you are just getting started with OPNsense, or this is your first time with a static block, this post is for you! When I was trying to figure this out, a lot of forum posts said it couldn't be done this way and to use 1:1 NAT instead; so maybe even those who have been around the block a few times will benefit.
This post is a somewhat how-to for setting up a static block with routing on OPNsense over PPPoE, with the modem in transparent bridge mode (VDSL2 and CenturyLink). It assumes you want to end up with a NATed DHCP private LAN and a DHCP public IPv4 routed LAN. Buckle in!
This site is actually served over the configuration I will discuss below. OPNsense is running as a virtual machine and the web server lives in the same physical box. Believe it or not, you pulled this page over my 80/40 VDSL2 connection. I'm going to cover what I'm actually running this on, as it's an oddball and one of the more complex setups I've done, which was necessitated by a lack of hardware. Odd how you can own something but not touch it... but we won't go into that :D.
First, let's define the desired end result and what's needed to follow along:
Maybe my Google-fu is subpar these days, but when I first set out to do this every post/result I found was wrong or said "I've never seen that work". I've had it working in a few permutations now. Due to a lot of drama I'm working with minimal hardware available at the moment, and my configuration reflects that... It might just be easier to describe that first:
Call support, or snoop at what's running in the modem?
Request your PPP/PPPoE credentials.
Preface: when I got the right person on the phone, they immediately, no questions asked, gave me the credentials. I was calling for another reason, having already snooped my modem (and at my last retail job, in double NAT, having done the same, lol). That said, I wanted to know if they would give the info out, so I asked on an unrelated call. YMMV, but I was given the creds on first ask with the right department.
I'm decently impressed with the actual service from CL... as in the performance of the pipe.
That said, CL is kind of like if Ma Bell was hacked into pieces and kids grew from her severed limbs, then were hacked apart again, and multiple Frankensteins were created and decimated in the name of service... or, er, something like that, but franado frankinstido. This monopoly Ma Bell has Alzheimer's, at least with customer service.
What do I mean? With the different mergers and splits, CL has ended up with DHCP in some regions and PPPoE in others. Talking with different customer service reps and/or sales, I've gleaned there are several different billing systems, possibly from different decades, as well. With a business account they literally will not give you access to everything you pay for without scheduling an "onboarding call", and none of the support short of this will know why your MyCenturyLink login doesn't work if you do as I did and blow this off.
In short, some of the reps you will encounter are great and knowledgeable people. Don't count on ever talking to the same one again. One night I ended up talking to support in an office in Poland; other times it's been in the Midwest and once in Arizona. In shorter... IMHO, calling CenturyLink for anything is like pulling teeth over the course of 6 hrs per tooth without Novocain.
That said: you will need the PPPoE username (in the form firstname.lastname@example.org) and password that your modem is currently using to get you online. One route to obtain this is calling CenturyLink's (or your provider's) customer service.
Tell them you are putting your modem in bridge mode and need the PPPoE user and pass. Be ready to write it down or type it somewhere other than the credentials field in OPNsense... I recommend Google Keep or Docs, or maybe an actual sticky note.
There is an alternative route to obtain these creds for most of you. This is shortened and adapted from a tutorial at Inaudible Discussion. It was written with a Zyxel C1000Z in mind, but I found that swapping telnet for ssh and the Zyxel for my Actiontec C3000A worked just fine.
Long and short is you need 3 interfaces. This can be one physical NIC and 3 VLANs, 3 physical NICs, or mix and match.
You need the appearance/function of a NIC for:
If the modem can be set to do PPPoE on a VLAN you might even reuse its switch ports (I did until just today). My C3000A has a quirk where it only does the 2xx VLAN when set to not connect on a VLAN; you might have to play with yours. AKA don't trust CenturyLink firmware to do what it says.
From this point I'm assuming you set up your 3 interfaces/VLANs/combo thereof via ssh and the "assign interfaces" option while doing the setup. If not, log back in via ssh; it's easy to do again.
Now you should have a notepad with your modem credentials and NIC assignments (or a better memory than I do... what were we talking about?)
Assuming you went with the normal settings, your box can be reached via browser at 192.168.1.1. Log in and:
From the “Interfaces -> Assignments” screen:
First we will get rid of the auto rules and then replace them with the same rules plus two more. Feel free to harden this config later; this is just a basic wide-open config that will work as presented.
Switch to manual outbound:
Now we need rules:
This just replaced what went away when we switched to manual. Now we need to exclude the public LAN from NAT.
Make sure each interface has at least one rule in each direction; with 0 rules it's effectively disabled.
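To make the manual-outbound-NAT steps above concrete, here is an added example in pf syntax (the style OPNsense writes to /tmp/rules.debug when it loads the GUI rules). It is not the author's config and not copied from OPNsense; the interface names, the 192.168.1.0/24 private LAN and the 203.0.113.0/29 public block (the TEST-NET-3 documentation range) are placeholders I assumed, so substitute your own.

```pf
# Added example (placeholders assumed): pppoe0 = WAN, igb1 = private LAN,
# igb2 = routed public LAN. Translation rules are first-match in pf, so the
# exclusion for the public block has to sit above the catch-all NAT rule.

# Do NOT translate traffic sourced from the routed public block; the ISP
# already routes 203.0.113.0/29 to the PPPoE address, so it goes out as-is.
no nat on pppoe0 inet from 203.0.113.0/29 to any

# The private LAN is still masqueraded behind the PPPoE interface address
# (what the automatic rule did before switching to manual outbound).
nat on pppoe0 inet from 192.168.1.0/24 to any -> (pppoe0) port 1024:65535

# Filter rules: an interface with zero pass rules passes nothing, so both
# LANs need at least one rule in each direction they are expected to use.
pass in quick on igb1 inet from 192.168.1.0/24 to any keep state
pass in quick on igb2 inet from 203.0.113.0/29 to any keep state
pass out quick on pppoe0 inet from any to any keep state
```

If you want to confirm what actually got loaded after saving in the GUI, `pfctl -s nat` on the OPNsense shell lists the active translation rules in their evaluated order; the `no nat` line for the public block should appear before the `nat` line for the private LAN, and a host in the public block should then show its own address (not the PPPoE address) when it reaches anything on the Internet.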
ill make this look pretty and finish this part soon
I was eventually able to get the CenturyLink modem to provide PPPoE and act as a switch. This simplified things quite a bit and boosted speeds. As seen above, half of the X540 is connected to the 100 megabit switch on the cheap Linksys. When I was able to make the C3000A play switch, this Linksys just became a Wi-Fi AP. I couldn't get Wi-Fi to reliably stay on in bridge mode. I am sure I can get it on via the GUI, or more surely via ssh, but I haven't tried very hard to be honest... this was just quicker.