Help to setup opnsense for ATT static IP block

marcoi · Feb 8, 2024

I have moved away from pfsense onto opnsense. I have it virtualized and setup with two wans right now. One WAN is ATT fiber and the other verizon internet. The two WANs are working as expected. For ATT, i use wpa_supplication bypass mode with certs. I get DHCP address from ATT. My issue is i cannot get my ATT 8 block static IPs to work. I setup a new interface for ATT_EXT_IPs with the ip block I have. my block is 65.xx.xx.65/29. So i have 65.xx.xx.70 for the new interface. I also setup a new gateway with ip of 65.xx.xx.71. I am testing using DHCP for the free ip range (65 to 69). my machine gets ip from DHCP and sets the mask, gateway and dns server correctly.

It is configured as close to the setup I had in pfsense as far as I can tell, only difference is the opnsense has two wans. So I dont know if opnsense does things differently then pfsense or if because of the dual wan.

Any help to get it working would be appreciated.

zer0sum · Feb 8, 2024

What AT&T gateway device do you have?

What part of it isn't working?
Traffic isn't flowing over the AT&T link?

Did you setup a gateway in OPNsense? Or a gateway group?
Or you doing gateway monitoring?
Do you have firewall rules forcing the traffic out specific gateways?

Mine is a BGW320-500, so I don't do the whole supplicant bypass thing, and I let it handle the /29 and do static IP's on my OPNsense box.
DHCP assigned was also working just fine, and you can do reservations on the BGW320-500 as well.

BeTeP · Feb 8, 2024

for .64/29 routed block .71 is the broadcast address. Pick another address for the local gateway

marcoi · Feb 8, 2024

zer0sum said:
What AT&T gateway device do you have?

What part of it isn't working?
Traffic isn't flowing over the AT&T link?

Did you setup a gateway in OPNsense? Or a gateway group?
Or you doing gateway monitoring?
Do you have firewall rules forcing the traffic out specific gateways?

Mine is a BGW320-500, so I don't do the whole supplicant bypass thing, and I let it handle the /29 and do static IP's on my OPNsense box.
DHCP assigned was also working just fine, and you can do reservations on the BGW320-500 as well.

Device is BGW210, but I no longer use it.
Traffic isnt going out from static ip when using the gateway setup for static block. It will go out if do not use that gateway but then my whoami IP is still the DHCP and not the static ip address.
I have 3 gateways setup. ATT DHCP and VZW DHCP, they are in a group for failover. ATT is primary. Gateway monitoring is on for these two.
The 3rd gateway is static IP gateway and monitoring is disabled.
No i havent setup any rules on the ATT EXT interface other than access dns port 53 and internet access only blocking access to private lans.

I would need to ask for new GW device to setup like you, but I dont recall if the BGW320 has that limitation the BGW210 has.

marcoi · Feb 8, 2024

BeTeP said:
for .64/29 routed block .71 is the broadcast address. Pick another address for the local gateway

~~my address block starts at .65/29 so usable ports are .65 to .69, so I have the interface ip set to .70 and the gateway ip set to .71. That is how i had it setup in pfsense.~~

maybe i am wrong on the start, ill have to double check my notes.

zer0sum · Feb 8, 2024

BeTeP said:
for .64/29 routed block .71 is the broadcast address. Pick another address for the local gateway

Yeah, you definitely want to get that part of it correct

IP Address:	65.1.1.65
Network Address:	65.1.1.64
Usable Host IP Range:	65.1.1.65 - 65.1.1.70
Broadcast Address:	65.1.1.71
Total Number of Hosts:	8
Number of Usable Hosts:	6
Subnet Mask:	255.255.255.248

marcoi · Feb 8, 2024

doesnt seem to matter if i change the IPs still not working

Right now
Interface opt2 is called ATT_EXT_WAN_VL65. is using the LAN interface with VLAN of 65. IP is setup as 65.1.1.69 /29 and gateway points to 65.1.1.70

.

Jorge Perez · Feb 9, 2024

And you assigning those IP addresses to the WAN interface?

You either need to NAT them, or distribute them internally to another router.

ATT assigns private IPs using the DHCP IP as a transit address.

marcoi · Feb 9, 2024

Jorge Perez said:
And you assigning those IP addresses to the WAN interface?

You either need to NAT them, or distribute them internally to another router.

ATT assigns private IPs using the DHCP IP as a transit address.

I have them assigned to a vlan on the main lan out of opnsense. The plan is to assign individual boxes an external ip address to allow services etc.

Here is a diagram

ATT WAN comes in and is passthru NIC to the opnsense VM.
VWZ goes to switch where it is tagged as vlan 2, it sent to opnsense as virtual nic using virtual switch of vcenter
Opnsense has one Lan interface with three vlans
Vlan 9 - opnsense Lan
Vlan 10 - IOT network
Vlan 65 - External IP Block
All traffic is pass back to switch.
I use a secondary FW - Sophos FWOS for home network. It uses Vlan 9 LAN of opnsense for WAN and passes Lan to switch without any tags
Sophos Lan and Vlan 10 IOT also go to the Omada VM to AP for home network and IOT network wifi.
Final part is the external Ips on Vlan 65 will be assigned to individual VMs for providing services like website etc..

Hopefully that helps

marcoi · Feb 21, 2024

anyone know how to force vlan65 traffic out the ATT wan interface? vlan65 is setup on Lan out, not sure if my issue is due to have group of gatways in place.

Search

Help to setup opnsense for ATT static IP block

marcoi

Well-Known Member

zer0sum

Well-Known Member

BeTeP

Well-Known Member

marcoi

Well-Known Member

marcoi

Well-Known Member

zer0sum

Well-Known Member

marcoi

Well-Known Member

Jorge Perez

Active Member

marcoi

Well-Known Member

marcoi

Well-Known Member