I am not very experienced with networking and as I build out my services on prem I have come to this community for help and support.
I have done a lot of reading about subnets and masking and the like and I semi-understand how it works and what I want to do but I don’t know how to actually do it.
Thanks to this community I have a OPNSense Router that I installed on a desktop computer where I purchased a 2x1gb NIC to install. I’ve learned how to open ports and how to NAT/forward even with reflections for my https local services.
I just can’t figure this out. I drew my network topology and put it here: https://imgur.com/a/XY8V5Sl
My wired network is 192.168.1.0/24 meaning 255.255.255.0. My wireless is Google Nest Wifi which limits me a bit. It is using 192.168.86.0/24. The gateway for both networks is my opnsense router 192.168.1.1.
I want to create a route between 192.168.86.0/24 and 192.168.1.0/24. I believe one way to do it is to use 255.255.0.0 meaning /16 but I don’t know where to make that change and since the Google Wifi uses its own DHCP, i am not sure I can change that properly.
My preference is to leave Google Wifi alone (its a piece a shit, by the way, don’t buy it) and my expectation is that I can create a route in opnsense to ‘bridge’ the two different subnets.
Am i correct? If not, can you help me understand? If i am correct, can you guide me?
Couple of things:
First, the subnet router for your wireless network is not 192.168.1.1. Given that the subnet mask is /24 and the subnet is 192.168.86.0, I’d guess that the subnet router for the wireless network is 192.168.86.1. Of course, you’ll need to verify that within your OpnSense configuration.
Second, by creating the two networks on OpnSense, each one likely already has a ‘default route’. On a Linux command line, the would be a destination of 0.0.0.0 with a gateway of 192.168.x.1. This means anything not meant for the local subnet (192.168.x.0) will gets passed to the subnet router.
Third, the firewall on the OpnSense router has to allow the traffic between subnets. This is likely your sticking point. You’ll need to visit the firewall admin area of OpnSense and configure each subnet to be able to pass traffic to/from the other. I’m a pfSense user, so I don’t know the exact steps in OpnSense. But these general steps should still apply.
In opnsense they divide up the rule categories into Floating, LAN, Loopback, WAN. In LAN i have rule which is allow any to any, so as I understand it all devices on the LAN can talk to each other. Thanks for the reply.
Well in Interfaces -> LAN go to where you set your static IP for opnsense and change that to 192.168.1.1/16. That should get you running. But the google device would probably need to be told that it is 192.168.866.0/16 as well so it can see the 192.168.1.0 subnet.
However it would probably be better to disable DHCP on the google device, but I don’t know anything about them. (I read that on some you cannot disable it, so set the DHCP pool to 1 and then assign that IP to some mac address. Essentially stopping the google device from handing out that address).
If this is what you need to do, then on opnsense set up your DHCP pool to say 192.168.1.100-250. Then set the google device pool to 192.168.1.251-251 and then set a static lease in the google 192.168.251 to MAC: de:ad:be:ef:ca:fe.
(That wifi sounds like a shit device - maybe consider a tp-link or something more configurable)
It is a complete shit device, I had to buy smart switches to automatically reboot them every night one by one so they don’t randomly drop from the ‘mesh’ the next day. And they were expensive and I have 5 nodes which is why I am hoping to keep using the damn things. I hate them though.
As I understand it, the effect that you are suggesting is to move the Google Wifi IP Ranges to be the same as the wired, all 192.168.1.0.
I will think on that. Thanks
Well yes. Normally you would put opnsense on 192.168.1.1/24 and then the wifi device on say 192.168.1.10/24. Then you allow opnsense to do the DHCP and disable DHCP on the wifi (they like to offer these services which can be nice for really simple setups).
What you are realistically running into is a DHCP war, and google will probably win over opnsense for wifi devices.
If what you actually want is to separate the devices to different subnets, then you really need to create a LAN / WAN and WIFI interfaces. And plug the wifi devices in the the WIFI interface (another network port on your opnsense box).
Then doing this, you can create a firewall rule(s) that allows data LAN <-> WIFI etc however you please. (or not even, maybe only WIFI <-> WAN and not let wifi devices access your LAN net).
Alternatively if you have a smart enough switch you could isolate with VLANs. But for a simple network, this isnt really necessary.
Thank you!! Yes, it is a DHCP war. I just realized that I can talk to my hardwired devices but only by IP! Even though I specify my DNS server in google, its ignoring it for the browser. I wonder if that is DNS over HTTPS (DOH) in Chrome.
This is a different problem. But when you configure a competent DHCP server, you tell it to give out a bunch of information to the client, not just an IP address. It should tell it IP, subnet, gateway, DNS server IP and default domain name. (in opnsense most of this is default so you dont have to actually configure it - hit the (i) button and it will tell you. Example for domain name: “The default is to use the domain name of this system as the default domain name provided by DHCP. You may specify an alternate domain name here.”)
Then on top of that google devices are notorious for ignoring DNS (ahem chromecast, etc) and want to use 8.8.8.8. This is because google does all sorts of non-DNS buggery on those devices, for example checking and pushing updates). Chrome on you PC could well be doing this as well, but it shouldnt it should be honouring your NICs config. However I don’t for a second doubt that Chrome is preferring DoH to somewhere like 8.8.8.8 first.
You will need to create a rule to enforce your local DNS server and block all other outgoing attempts.
To do this create a NAT rule port forward -> set the interface to LAN ,set the destination to LAN net and INVERT. Then destination port to DNS. Finally redirect target to your DNS server (127.0.0.1 for your opnsense) and DNS port (53).
This NAT rule says any DNS NOT headed to the LAN network must be redirected to the DNS server in your LAN.
Holy crap. Burn it with fire and make the switch.
A few weeks ago, I purchased a TP-Link AX53 for $200 AUD. Not the absolute bleeding edge for speed, but its WIFI6 does WPA3, mobile devices typically get 1Gb/s. More than enough for most use cases (Yes, you can get much faster but expect $$$$$)
Are you using VLANs on your switch? Are you using the LAN or WAN port on the google device? As others have said, those two subnets do not overlap using /24 (255.255.255.0) so you would either need to use something like 192.168.0.0/17 that would cover both 192.168.1.0/24 and 192.168.86.0/24 but that is way overkill for most networks (192.168.0.0 - 192.168.127.255, 32766 hosts).
If you are having trouble understanding subnetting (or are like me and have a brain that refuses to learn any tricks to do it in your head) I highly recommend this really simple subnet calculator as it is very easy to see how you can divide subnets down from the RFC 1918 supernet (192.168.0.0/16) by clicking on “Divide” on the right side. In fact, that’s pretty much the only subnet tool I use anymore, super quick and easy.
It might be easier to just disable DHCP on the google side (or configure it as a DHCP relay if you can) and just use one subnet from OPNSense.
If you are not able to disable DHCP on the google side then I would set up a VLAN for the google wifi device and then create a VLAN interface in the 192.168.86.0/24 subnet that DHCP won’t use (like 192.168.86.2) and configure DHCP to use that for the gateway. This will then allow you to route between your two networks internally and to the internet (firewall permitting, obviously). If your switch does not allow VLANs then you could use another physical interface on the firewall and connect that to the LAN port on the google wifi device and do the same thing for the same result.
I hope all of that makes sense, please do ask for clarification if not, I do this kind of stuff every day and love teaching it so fire away.
This will fuck your plans but you should look at internal ipv6 routing, it’s confusing at first but for situations exactly like this it’s a gamechanger.
I disabled IP6 completely… it was completely confusing and looking at the damn thing I couldn’t understand it. I figured that I didn’t need it. I guess I am missing something then.
https://www.youtube.com/watch?v=oItwDXraK1M best quickstart, explains how DHCP and subnets become a thing of the past and how you can basically transfer network hardware between “master” networks without having to touch a host or waste time on routing ports & co. , the main reason ipv6 is so confusing is because the engineers went overkill on the futureproofing after suffering ages of ipv4 being a combination of “temporary” solutions and outdated networking philosophies, it’s a case of “never again”.