Use Static Routing to Second OPNsense Router with NAT Disabled for a Homelab

Started by cmonty14, April 21, 2022, 05:08:09 AM


Based on the tutorial Use Static Routing to Second OPNsense Router with NAT Disabled for a Homelab I would like to discuss some generic questions and some questions specific to my home network.

I'll start with the generic question:
I could connect the secondary router to a separate, unused interface on the primary router.
What do you mean when saying "unused interface"?



And now I'll open the more specific questions.

But I'll try to describe my home network first...

In my network there is

This ISP router has only some features that could be helpful, e.g. static routing table, open ports to WAN of specific clients connected to LAN.

Any router has multiple ethernet ports.
I'm planning to install OpenWRT on Mikrotik hEX S and OPNsense on gateprotect GPO 150.
Generally I was thinking about a setup like this:
Internet > ISP router (= modem & router)
ISP router > OpenWRT router
OpenWRT router > DMZ Switch
OpenWRT router > OPNsense router
OPNsense router > LAN Switch

This means the DMZ is in between external and internal firewall. To my understanding this is a recommended setup to strengthen security.

What makes setup a little more complicated: my ISP offers 2 WAN:

  • static public IP
  • and dynamic public IP

Luckily this ISP router provides bridge-mode for static public IP.
Consequently the OpenWRT router will have 2 WAN ports.

Now here are the questions:
Is it advisable to set up "NAT disabled for homelab" if the ISP router only offers static routing, but very limited firewall rules (specific ports can be opened for internal devices connected to this ISP router)?
Is it advisable to use the same subnet for managing any network device's WebUI? Or would this undermine all measures for strengthening security?

The ISP router can only provide 1 subnet (= LAN) that is used for administration.
And WANdynamic of OpenWRT router will be connected to this subnet.
I'm not sure if it makes sense to use this LAN for administration of all network devices then.
Certainly I could use ISP router LAN for administration of this router only and another network for administration of OpenWRT and OPNsense router.
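The chain described in the post (ISP router > OpenWRT > OPNsense) only works with NAT disabled if every upstream hop carries a static route for each downstream prefix, and the prefixes must not overlap. The following script, added here as an example and not part of the original post or of the linked tutorial, models that chain with constructed RFC 1918 prefixes (all addresses are assumptions) and derives the static routes each router needs, plus an overlap check on the addressing plan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Router:
    name: str
    # This router's WAN address on the upstream router's subnet (None for the ISP router).
    upstream_ip: Optional[ipaddress.IPv4Address]
    # Prefixes this router serves directly (LAN, DMZ, transit link to the next router).
    networks: List[ipaddress.IPv4Network]

# Constructed addressing plan for the topology in the post; every prefix here is an assumption.
CHAIN = [
    Router("isp-router", None,
           [ipaddress.ip_network("192.168.1.0/24")]),        # ISP router LAN (WANdynamic of OpenWRT sits here)
    Router("openwrt", ipaddress.ip_address("192.168.1.2"),
           [ipaddress.ip_network("192.168.10.0/24"),         # DMZ switch
            ipaddress.ip_network("192.168.20.0/24")]),       # transit link towards OPNsense
    Router("opnsense", ipaddress.ip_address("192.168.20.2"),
           [ipaddress.ip_network("192.168.30.0/24")]),       # internal LAN switch
]

def overlapping_networks(chain):
    """Return pairs of (router, prefix) entries whose prefixes overlap.

    With NAT disabled, an overlapping prefix anywhere in the chain makes the
    upstream static routes ambiguous, so the plan must come back empty here.
    """
    nets = [(r.name, n) for r in chain for n in r.networks]
    conflicts = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i][1].overlaps(nets[j][1]):
                conflicts.append((nets[i][0], str(nets[i][1]), nets[j][0], str(nets[j][1])))
    return conflicts

def upstream_routes(chain):
    """For each router, list the static routes (prefix, next hop) it needs.

    In a straight chain the next hop for every downstream prefix is the WAN
    address of the directly attached downstream router; routers further down
    are reached through it. The last router needs no static routes because its
    default route already points upstream.
    """
    routes = {}
    for i, router in enumerate(chain):
        entries = []
        if i + 1 < len(chain):
            next_hop = chain[i + 1].upstream_ip
            # The next hop must be on one of this router's directly connected prefixes.
            if not any(next_hop in n for n in router.networks):
                raise ValueError(f"{chain[i + 1].name} WAN {next_hop} is not on a {router.name} interface")
            for downstream in chain[i + 1:]:
                for net in downstream.networks:
                    entries.append((str(net), str(next_hop)))
        routes[router.name] = entries
    return routes

if __name__ == "__main__":
    conflicts = overlapping_networks(CHAIN)
    print("overlaps:", conflicts or "none")
    for name, entries in upstream_routes(CHAIN).items():
        print(f"{name}:")
        for prefix, via in entries:
            print(f"  {prefix} via {via}")
```

Running it prints three routes for the ISP router (DMZ, transit and internal LAN, all via the OpenWRT WAN address), one route on OpenWRT for the OPNsense LAN via the transit link, and none on OPNsense. Those ISP-router entries are exactly what the limited "static routing table" mentioned in the post has to hold; if the ISP router cannot take them, the NAT-disabled design stops at the OpenWRT hop.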