Tech Discussions / Re: Use Static Routing to Second OPNsense Router with NAT Disabled for a Homelab
« on: April 21, 2022, 05:22:08 AM »
And now I'll open the more specific questions.
But I'll try to describe my home network first...
In my network there is
- router Fritz!Box 6490 provided by ISP
- router Mikrotik hEX S
- router gateprotect GPO 150
This ISP router has only some features that could be helpful, e.g. static routing table, open ports to WAN of specific clients connected to LAN.
Any router has multiple ethernet ports.
I'm planning to install OpenWRT on Mikrotik hEX S and OPNsense on gateprotect GPO 150.
Generally I was thinking about a setup like this:
Internet > ISP router (= modem & router)
ISP router > OpenWRT router
OpenWRT router > DMZ Switch
OpenWRT router > OPNsense router
OPNsense router > LAN Switch
This means the DMZ is in between the external and internal firewall. To my understanding this is a recommended setup to strengthen security.
What makes the setup a little more complicated: my ISP offers 2 WAN:
- static public IP
- and dynamic public IP
Luckily this ISP router provides bridge-mode for static public IP.
So consequently the OpenWRT router will have 2 WAN ports.
Now here are the questions:
Is it advisable to set up "NAT disabled for homelab" if the ISP router only offers static routing, but very limited firewall rules (specific ports can be opened for internal devices connected to this ISP router)?
Is it advisable to use the same subnet for managing any network device's WebUI? Or would this undermine all measures for strengthening security?
The ISP router can only provide 1 subnet (= LAN) that is used for administration.
And WANdynamic of OpenWRT router will be connected to this subnet.
I'm not sure if it makes sense to use this LAN for administration of all network devices then.
Certainly I could use ISP router LAN for administration of this router only and another network for administration of OpenWRT and OPNsense router.
THX