I’ve been scouring the web for hours reading every post I could find… So if this has been asked before, and I missed the answer, I apologize in advance…

Long story short, I have a HP2920 that I am planning on using as the entry point to my network, before going to a redundant OPNSense configuration…

My main issue lies in that the ISP is only providing me one DHCP’d IP Address, and for CARP in OPNSense, I need 3 IPs.

My “Goal” is to take the incoming ISP Connection on Port A1 (VLAN 1 - IP Address set to DHCP), and Route it somehow (IP Routing, NAT, whatever) to my “Transfer” VLAN (VLAN 2 - 192.168.1.1/30 - Ports B1 & B2), which will go to my OPN1 (192.168.1.2) and OPN2 (192.168.1.3) which have a shared Virtual IP (192.168.1.4)

For reference, my Redundant OPNSense configuration will handle my LAN (192.168.10.x), with each OPN Box routing 4x 1gbps trunks to ports 37-40 and 41-44 on the 2920 (Ports 1-48 are VLAN 3), and each OPN Box also has a 10Gbps connection to my server and desktop directly… VLAN 3 is mostly just for management, and the ethernet spread through my house.

Is what I’m trying to do even possible? Any suggestions for how to resolve this that doesn’t involve introducing another SPoF? (the 2920 as a SPoF is acceptable to me for now, as I have extra PSU’s for it)

Appreciate any help that can be provided

3 Spice ups

Everything I’ve ever seen about this says you cannot have DHCP or PPPoE on the WAN side. You need a static subnet with a minimum of a /29 on the WAN subnet to make this work.

1 Spice up

If I was using direct WAN IPs, you would be correct. CARP on OPNSense needs 3 WAN IPs.

But it doesn’t necessarily care if its actual WAN, or a “fake” WAN (in my example, the 192.168.1.x “transfer” network). That subject has been firmly established on the OPNSense documentation.

Specifically the subject talks about using a router to NAT the single DHCP WAN to a small intermediary LAN network for CARP to use…

I’m just trying to accomplish this with a managed switch I already have, and was already planning on using, as my rack doesn’t have space for more equipment…

So it boils down to “is the 2920 capable of Translating a DHCP WAN IP to another subnet”

In theory, I 100% could (and have tested) doing this by IP Routing the existing IP from the WAN on my 2920… my only concern is the IP changing when the DHCP lease renews.

1 Spice up

The 2920 can route between VLANs, but in your case, you aren’t routing stuff from VLAN X (internal WAN) to VLAN Y (external WAN); you specifically want stuff in VLAN X to route to a specific IP in VLAN Y, so you’re going to have a default route that points to that IP. If that IP changed, you would have to update the route.

How often does your DHCP IP change? I don’t think mine has changed in years.

1 Spice up

I’d like to understand what problem you are trying to solve, you say you don’t want another single point of failure, but isn’t your ISP exactly that?

Is this purely for learning and understanding load-balancing, CARP and failover?

1 Spice up

Yeah, IP Routing is what I used in my test.
And I’m not sure, to be honest. I’ve had Dynamic DNS set up for a while with my existing configuration. Haven’t personally tracked the IP changes.

1 Spice up

Your switch cannot NAT. You would need NAT to convert the one public IP to a private IP (VIP for the CARP group).
Layer 3 switches rarely NAT - use a router instead.

The best solution is to ask the ISP for 5 usable IPs. Or use a different firewall that supports failover without requiring 3 IPs.

4 Spice ups

The problem is that I want to use an HA OPNSense setup, while only having one Dynamic IP from ISP.

So I’m trying to use my HP2920 to translate that Dynamic address to a static one on an intermediary LAN.

And eh, the ISP is a reliable enough source for me to not consider it a SPoF. Technically it is, you’re right, but I’m more concerned with my own equipment failing than the ISP’s lmao.

Could I abandon the HA OPNSense idea and just use a single OPNSense, and have everything probably work fine for years? Yeah, probably.

Could I abandon OPNSense entirely and just use my old Asus router for all of my firewall and DHCP stuff? Also sure.

But where’s the fun in that :wink:

Sure, my “problem” is a self-imposed one, and I just want to know if there’s a way to implement what I’m looking for on the equipment I have lmao

1 Spice up

Yeah, that’s basically the conclusion I had landed on myself :frowning: I was mostly just hoping I had missed something stupid.

1 Spice up

The question of why still remains, so based on what you’ve said, this is purely for your own understanding.

Then replace it with something more reliable - this would be the simpler, less complicated setup, and you’re right, “where’s the fun in that”, but it won’t be fun when your CARP is down and your family are complaining they’ve had no internet for days while you troubleshoot.

I’m all for helping you, but the KISS principle exists for a reason. Why burden yourself with it unless this is purely for learning?

What you have asked is technically possible, but you still need some type of NAT in front - another OPNsense box acting as the router/NAT server, a Raspberry Pi, or some other router.
Maybe your ISP’s existing router?

I’ve run a virtual pfSense box for over 10 years, moving between physical servers and different hypervisors without issue.

I like simple, but I like to learn too. I have nested labs for this reason, but it does add another layer that you may soon not want to troubleshoot.

2 Spice ups

I am not familiar with OPNSense and how it does HA, but you mention single public IP and 3 “WAN” IPs needed by OPNSense and a transit network. This is an issue for NAT, not just routing. The only way for multiple devices to use the same IP address is NAT.

L3 switches usually don’t do NAT because you can’t do that in hardware with TCAM tables. I have seen Cisco Catalyst 6500 series switches do things like NAT, but that is done by the supervisor engine which can also do things like GRE tunnels and IPSec termination that a regular L3 switch cannot do, and these things do not happen at wire speed.

Long story short, you need a router or firewall that can do NAT, or a different network architecture.

2 Spice ups
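As an added example (not from this thread or from OPNsense), this is the ruleset the "NAT box in front" suggested above would need on a small Linux router such as a Raspberry Pi, written for nftables. Interface names eth0/eth1 and the use of 192.168.1.0/29 are assumptions: the thread's /30 only has two host addresses, so .1 through .4 need a /29.

```nft
#!/usr/sbin/nft -f
# Constructed example for the thread's topology, not OPNsense's own config.
# Assumptions: ISP DHCP lease lands on eth0 (WAN); the "transfer" VLAN is on
# eth1 with this box at 192.168.1.1, OPN1 at .2, OPN2 at .3, CARP VIP at .4.
# 192.168.1.0/29 is used because a /30 cannot hold four hosts.
# Also required on the box: sysctl -w net.ipv4.ip_forward=1

flush ruleset

define wan          = "eth0"
define transfer     = "eth1"
define transfer_net = 192.168.1.0/29
define carp_vip     = 192.168.1.4

table ip nat_front {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # masquerade picks up whatever address eth0 holds when the packet
        # leaves, so a DHCP renewal that changes the WAN IP needs no rule
        # change (the concern raised about static IP routing on the 2920).
        oifname $wan ip saddr $transfer_net masquerade
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Example inbound service (port number is a placeholder): forward it to
        # the CARP VIP, so whichever OPNsense box is master receives it and a
        # failover needs no change on this router either.
        iifname $wan tcp dport 443 dnat to $carp_vip
    }
}

table ip filter_front {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only the transfer network may open outbound flows through the WAN.
        iifname $transfer oifname $wan ip saddr $transfer_net accept
        # Inbound from the WAN is allowed only for the flows DNAT'ed above.
        iifname $wan oifname $transfer ct status dnat ip daddr $carp_vip accept
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; the switch in the thread stays a pure layer 2 device for the WAN and transfer VLANs.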

Lol, it’s just me in the house. I have people using my Plex server remotely, but if that goes down, they can deal with it :joy:

As for keeping it simple… As an engineer, I don’t know the meaning lmao

In reality, I’m just having fun with my home network

It definitely seems like NAT would be needed, and apparently I just can’t do that on the 2920. It is what it is.

1 Spice up

And this is all I was looking for at the beginning - the purpose.

So other than experimenting, there isn’t one, which is fine, but knowing the reason often helps, sometimes leading to options you didn’t think about.

I’m sure there are other things you could have fun with that give you fewer headaches when they do go wrong, but either way, I wish you luck.

1 Spice up

Use CARP on the LAN side and then configure the WAN with the same MAC address on each, but only have 1 WAN up at a time. Add a static route to the other that’ll be low precedence than the ISP gateway when it’s up.

The HP2920 can’t do NAT but can be used to connect the OPNsense routers to the ISP at layer 2 with only one active at a time. Put the switch management interface on the LAN VLAN instead of the WAN VLAN. Don’t use the switch for routing, or only within the LAN.

If OPNsense is a VM, you could replicate between the 2 hosts.

Use Cron to update at night to avoid updating during the day.

3 Spice ups

Since this was already answered (and this is a home lab) it might not matter… but another way to go about this would be to use a LAN/WAN aggregator.