Enabling OPT interface on SG-1100
-
Hi.
My LAN is working fine on my new SG-1100. Now I am trying to enable the OPT interface with an IP of 10.0.0.1 /24 with its own DHCP. My LAN is 192.168.1.1 /24. Is that even possible?
Eventually I want my OPT to not have any outbound permissions, but LAN to be able to go into OPT. However, to start with I just want to be able to connect a device to internet through OPT. Why is it not working? Here are my detailed settings:
Interface OPT
- Enable interface
- Static IPV4
- IPV6 none
- Switch port: Port 1
- Everything else blank (default)
DHCP Server OPT
- Enable DHCP server on OPT interface
- Subnet 10.0.0.0
- Subnet Mask 255.255.255.0
- Everything else blank (default)
Firewall Rules OPT
- Protocol: IPV4*
- Source: OPT net
- Port *
- Destination *
- Port *
- Gateway *
- Queue none
- Schedule blank
-
Yes, that's certainly possible. What you have set there should work from what I can see.
The only reason I can think it might not is if that conflicts with another subnet, WAN perhaps?
Steve
-
My WAN is a public IP. My router before the SG-1100 was a Netgear that had the LAN IPs as 10.0.0.* (which is the reason why I am so keen on making that subnet work. Some of my PoE cameras have those static IPs, and I'll need to climb walls to change those if I can't make 10.0.0.* work).
If my WAN had some issues with 10.0.0.*, then my Netgear setup wouldn't have worked in the past, right?
-
Indeed it would have conflicted there too.
Just reading your other thread here it seems you had an issue trying to use that subnet as LAN too. Is it possible something else there is still handing out leases in that subnet?
If you connect a client directly to the OPT port does it get a DHCP lease?
Do you see that lease in the pfSense webgui in Status > DHCP leases?
Steve
-
Turns out it was an embarrassingly newbie mistake. I was working with a dead Ethernet cable. It's online now.
Second step, I want to make the rules more restrictive. My first attempt is to say OPT only allowed to go to the internet, but not LAN.
So I changed from "Allow OPT net to *" to "Allow OPT net to WAN net". That cut off my internet. What should I have said instead?
-
WAN net in that context is the immediate WAN subnet only, so you still need a pass rule with destination 'all' to allow access to any external IP.
Just put a block rule above it for destination LAN net. You might also want to block destination 'This firewall' so OPT devices cannot hit pfSense itself. If you do that though, you will probably want a pass rule above that allowing access to the OPT address for DNS only.
Steve
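To make the first-match logic in Steve's answer concrete, here is an added Python model of the OPT rule set (not pfSense code and not from the thread). The LAN and OPT subnets are the ones given in the thread; the WAN subnet, the firewall's own WAN address and the test destinations are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread: LAN 192.168.1.0/24, OPT 10.0.0.0/24 with OPT address 10.0.0.1.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT_ADDRESS = ipaddress.ip_address("10.0.0.1")
# Constructed placeholders (assumptions): the immediate WAN subnet and the
# firewall's own WAN address, taken from a documentation range.
WAN_NET = ipaddress.ip_network("198.51.100.0/24")
THIS_FIREWALL = {OPT_ADDRESS, ipaddress.ip_address("192.168.1.1"),
                 ipaddress.ip_address("198.51.100.2")}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str              # "pass" or "block"
    dst: object              # ip_network, or a set of addresses for 'This firewall'
    dport: Optional[int] = None   # None means any destination port


def matches(rule: Rule, dst_ip, dport: int) -> bool:
    """Source is implicitly 'OPT net' for every rule, as on the OPT tab."""
    if rule.dport is not None and rule.dport != dport:
        return False
    return dst_ip in rule.dst   # works for both ip_network and set membership


def evaluate(rules, dst_ip: str, dport: int) -> str:
    """pfSense interface rules: top-down, first match wins, no match = block."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if matches(rule, addr, dport):
            return rule.action
    return "block"


# The poster's second attempt: only "Allow OPT net to WAN net".
WAN_NET_ONLY = [Rule("pass", WAN_NET)]

# The order suggested in the reply: DNS to the OPT address, block the
# firewall itself, block LAN net, then pass everything else.
SUGGESTED = [
    Rule("pass", {OPT_ADDRESS}, dport=53),
    Rule("block", THIS_FIREWALL),
    Rule("block", LAN_NET),
    Rule("pass", ANY),
]
```

With WAN_NET_ONLY, an external address such as 203.0.113.5 falls through every rule and is blocked, which is exactly the symptom described; with SUGGESTED it passes while LAN and the firewall's other ports stay blocked.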
-
Thank you, that makes perfect sense. I've set it up like you suggested, and it works great.
I have a follow-up question. My OPT is now working fine with a 10.0.0.0 subnet. My PoE cameras and NVR devices show up the way I expect them to.
My PoE cameras have static IPs. When they come into OPT, the router respects their self-assigned IPs. That makes my current setup work fine.
But the pfSense DHCP lease list does not list those devices. Isn't that odd? (My Netgear showed them as DHCP-assigned IPs, even if they came in with a specific IP request. And then I was able to reserve a specific IP for each device, which I find a more elegant solution than relying on the device itself telling the router which IP it wants each time.) I fear that this setup can break someday.
What's a more elegant way to do that on SG-1100?
-
The DHCP lease list will not show them if they are statically assigned and do not request a lease.
The correct way to do this is to set the DHCP range on OPT so it does not include any of the fixed-IP devices. Then add a static DHCP lease for each of them manually in pfSense. They should never ask for that lease, but if one of them defaults to DHCP, pfSense will then give it to them. The static leases are listed on the DHCP status page, and they will show online if they have current ARP table entries.
Steve