Context
I recently purchased an OPNsense appliance (https://shop.opnsense.com/dec700-series ... appliance/). The appliance is basically a dedicated computer/device running OPNsense (a fork of pfSense) and is HardenedBSD (a fork of FreeBSD) based.
I previously had a Netgear R7000 with DD-WRT as my main gateway from the ONT to the rest of my local network. After getting the OPNsense appliance, I swapped it in as the primary device connected to the ONT and made the Netgear (DD-WRT) an unmanaged switch + access point after the OPNsense appliance.
Before getting the new 10GB service I was using the Netgear router running DD-WRT with the 1GB service via AT&T, until Sonic recently hooked up their lines to our neighborhood. Got the 10GB service and was running that without issue on the Netgear for 2 weeks before getting the appliance and using that as the primary device attached to the ONT.
Issue
At first, everything was fine for a few days. Then after playing around with network topology and settings I seemed to have lost my public IP. Factory resetting both the OPNsense and Netgear router yielded no results in getting a public IPv4.
While on the phone with tech support, I found out the IP table was full (the ONT holds the 8 most recent IPs). A remote clear of the table instantly allowed the Netgear to get a public IPv4 via the ONT, and it showed up in the DD-WRT details (I had swapped the Netgear back to being directly connected to the ONT to simplify troubleshooting). After ending the call, I decided to try the new setup again with the OPNsense appliance connected to the ONT.
After about 6 hours, everything just dropped again. I just assumed it was the same thing as the first time, that the IP table was full again, and called support back. A few mins later, after giving some context and restarting the appliance, everything was up again.
On the call I did mention that the OPNsense has default firewall rules of ignoring incoming ICMP requests because when the Sonic rep tried to ping the currently connected device there was no response.
It was also mentioned that IPv6 addresses take up more space in the IP table. I opted to disable IPv6 DHCP requests on the OPNsense appliance just in case they were exhausting the 8 IP limit in memory (everything I read online says Sonic doesn't currently support native IPv6 on fiber... so not sure if IPv6 addresses are actually being requested through the ONT or not... :shrug:).
I added a rule to the firewall to allow incoming ICMP requests and allow responses. Ironically enough, it cut out while I was writing this post, but an appliance reboot seemed to fix it. I'm starting to wonder if there's just something weird about the defaults in the OPNsense appliance causing issues with Sonic DHCP services...
NOTE: No issues with LAN network at any point. Just WAN side public IP.
Questions
- Does anyone run an OPNsense instance between the ONT and the rest of their network?
- If so, has anyone specifically used the appliances you can get from opnsense.org partners?
- Would an ICMP deny firewall rule cause weird DHCP/ONT issues (in general and for Sonic specifically)?
- Any other hypothesis?
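One check worth having on hand for this kind of WAN drop, as an added example and not code from the post or from the OPNsense project: OPNsense's IPv4 WAN uses the FreeBSD dhclient, which records every lease it obtains in a lease file (the path /var/db/dhclient.leases.<interface> and the igb0 interface name are assumptions; the sample lease text is constructed). The script parses that file format and reports whether the newest lease is bound, renewing, rebinding or expired, so a lost public IP can be matched against lease timing instead of guessed at.

```python
import re
from datetime import datetime, timezone

# Constructed sample (not from the post) in ISC/FreeBSD dhclient lease-file format;
# dhclient appends a block for each lease it obtains, so the last block is the newest.
SAMPLE_LEASES = """\
lease {
  interface "igb0";
  fixed-address 198.51.100.23;
  renew 2 2024/05/07 10:30:00;
  rebind 2 2024/05/07 10:52:30;
  expire 2 2024/05/07 11:00:00;
}
lease {
  interface "igb0";
  fixed-address 198.51.100.23;
  renew 2 2024/05/07 11:30:00;
  rebind 2 2024/05/07 11:52:30;
  expire 2 2024/05/07 12:00:00;
}
"""
LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
def utc(s):
    """Parse 'YYYY/MM/DD HH:MM:SS'; dhclient records lease times in UTC."""
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
def _ts(body, key):
    # Lines read "renew <weekday> YYYY/MM/DD HH:MM:SS;" (likewise rebind/expire).
    m = re.search(rf"\b{key}\s+\d\s+(\d{{4}}/\d{{2}}/\d{{2}} \d{{2}}:\d{{2}}:\d{{2}});", body)
    return utc(m.group(1)) if m else None
def parse_leases(text, iface):
    """Return the lease blocks recorded for iface, oldest first."""
    leases = []
    for body in LEASE_RE.findall(text):
        if re.search(rf'interface\s+"{re.escape(iface)}"', body):
            addr = re.search(r"fixed-address\s+([\d.]+);", body)
            leases.append({"address": addr.group(1) if addr else None,
                           "renew": _ts(body, "renew"), "rebind": _ts(body, "rebind"),
                           "expire": _ts(body, "expire")})
    return leases
def wan_lease_state(text, iface, now):
    """Classify the newest lease for iface at UTC time `now`: bound, renewing (unicast to
    the original server), rebinding (broadcast to any server) or expired (no public IP)."""
    leases = parse_leases(text, iface)
    if not leases:
        return {"state": "no-lease", "address": None, "expire": None}
    cur = leases[-1]
    for state, key in (("expired", "expire"), ("rebinding", "rebind"), ("renewing", "renew")):
        if cur[key] is not None and now >= cur[key]:
            return {"state": state, "address": cur["address"], "expire": cur["expire"]}
    return {"state": "bound", "address": cur["address"], "expire": cur["expire"]}
```

On the appliance itself, read the real file instead of SAMPLE_LEASES and pass the current UTC time as `now`; a lease that shows as expired while the ONT table is full is the same symptom the support call described.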