OPNSense on Protectli Vault 1610

Overview

A Cisco LRT224 Dual WAN router has been the cornerstone of my home network for over a decade: solid, easy to configure, above-average performance, VPN server, and other prosumer features beyond your typical home router. Its dual WAN capability has proved exceptionally helpful when DSL/fiber burps – sometimes for weeks – and traffic fails over to cable. It hasn’t disappointed.

The problem: the LRT224 was EOL’d in October 2020, has had no firmware updates since March 2021, and end-of-support is upcoming in October 2025. The writing has been on the wall for some time, so I knew I needed to start investigating possible replacements.

Network Overview

The LRT224 router WAN ports are directly connected to broadband modems with ethernet cables (no SFP ports). The modems are pass-through and therefore the WAN ports are assigned public IP addresses via DHCP.

The LAN ports are configured into separate subnets:

  • Family Users: Trusted users with unfettered access to internal network devices plus devices requiring Layer 2 discovery (Sonos, printer). VLAN 9, network 192.168.9.0/25.
  • Services: Backend services: Synology, TrueNAS, WiFi access point management, Navidrome streaming. VLAN 10, network 192.168.9.128/25.
  • Guest Users: Untrusted users such as house guests and the apartment tenant. Isolated from other internal subnets. VLAN 11, network 192.168.10.0/25.
  • Devices: Various hardware and internet-of-things devices: TiVo, smart plugs. Isolated from other internal subnets. VLAN 12, network 192.168.10.128/25.

Before you ask: no business reason for subdividing the last octet into smaller subnets other than a 255.255.255.128 subnet mask seemed cool!

Router Evaluation

My requirements for a new router platform include:

  • Dual WAN: In the ten months since I moved from DSL to fiber, I’ve discovered that the connection goes down – usually briefly – weekly, usually at an inopportune time.
  • Faster Ports: LRT224 ports are 1-gigabit, limiting fiber to 1 gigabit. 10-gigabit ports are overkill and too expensive, but 2.5-gigabit is a reasonable compromise. Faster ports = faster broadband = less congestion.
  • Multiple LAN ports: Tagged VLAN traffic allows multiple subnets to share LAN ports, but requires (somewhat) more effort to configure, administer, and debug. My strong preference is one subnet per LAN port.
  • Modern VPN Support: The LRT224 theoretically can be configured as a VPN server using OpenVPN, but it didn’t work for me: the connection terminated in VLAN 1, which is unused. I’d also require VPN client functionality to direct certain traffic through NordVPN.
  • Wired, Not WiFi: Most SOHO routers have built-in WiFi, which, for my setup, is unnecessary, extraneous, and distracts from the router’s main purpose: routing traffic. I desire a wired-only router if at all possible.
  • Non-Chinese: Too many stories of Chinese companies and/or Chinese-manufactured devices stealing data, phoning home, or otherwise behaving inappropriately. The EU and US are taking measures to limit exposure and protect themselves. No, I’m not that important, but friends are doing the same.

I regularly read various Best Dual WAN Router articles, which often arrive at similar results but often fall short of my requirements. Despite their limitations, I briefly purchased a Mikrotik hEX RB750Gr3 5-port Ethernet Gigabit Router and a Ubiquiti EdgeRouter 4, investigated their capabilities, and ultimately returned them.

Undiscovered, unbeknownst and unmentioned in any article is Protectli, who sell powerful hardware that can be used for networking (among other things). I purchased their Vault 1610 with OPNSense pre-installed and began configuring it. OPNSense is open source, allowing anyone to review and contribute to the codebase.

Getting Started

Out of the box, Port 1 is LAN (192.168.1.0/24) and Port 2 is WAN, with its address assigned by DHCP. By connecting Port 1 to my Mac Mini and Port 2 to my switch, I completely configured the router without disrupting my home network.

First Login

The default OPNSense credentials are Username root and Password opnsense; they are restored upon a factory reset.

Upon successful login, the OPNSense dashboard is displayed.

To change the default password – highly recommended – navigate to System: Access: Users and edit the user.

Firmware Update

Any device purchased with OPNSense preinstalled likely has out-of-date firmware: my Vault 1610 arrived with end-of-life’d version 24 firmware. The WebUI is the easiest way to update the firmware to the latest release.

Navigate to System: Firmware and press Check for updates.

When updated firmware is available, OPNSense displays details about the new, soon-to-be-installed version plus upgrade instructions, including calling out when the upgrade requires a reboot.

Press Upgrade to start the upgrade and monitor progress.

The upgrade is downloaded and prepared for install, and, in my case, I was notified that the device had rebooted.

Router Settings

Navigate to System: Settings: General to configure the base settings of the router.

My internal DNS maps Domain int.sosna.org and Hostname router to its assigned address.

Unless you’re comfortable with UTC/GMT, select your local Time zone from the drop-down list.

The only explanation I can see for specifying DNS Servers is for the router to resolve its NTP servers when synchronizing the device’s time; however, I’m not sure it’s necessary, since the firmware upgrade happened without DNS provided. If not provided, are they assigned based on the WAN DHCP request? Something to investigate in the future.

Press Save to save these changes.

LAN Setup

Each LAN port is configured with the same steps but different subnets. OPNSense does support Link Aggregation if required, but I did not need it.

Interface Assignment

Navigate to Interfaces: Assignments to list the assigned interfaces.

Interfaces are assigned at the bottom of the page, underneath the list of assigned interfaces. Select an unassigned interface from the Devices drop-down, provide the Description (name), and press Save.

Interface Configuration

Navigate to Interfaces and select the just-created interface [VLAN12].

Enabling Enable Interface shows the detailed options for the interface. I am only configuring IPv4, choosing Static IPv4 from the IPv4 Configuration Type list.

[For now, IPv4 is sufficient; I may subsequently configure IPv6 if I confirm my broadband providers support it.]

The IPv4 address and subnet mask must not overlap the address/subnet mask of any other interface (LAN or WAN). My subnets use a 255.255.255.128 mask, which is /25 in prefix notation (a 25-bit network mask).

Press Save to save the interface configuration.

After saving, OPNSense notifies you that the configuration changes must be applied before taking effect. Press Apply changes and wait.

DHCP

I typically enable DHCP on all subnets; even though all devices on my Backend subnet have static, hard-coded addresses, I will be converting them to DHCP-assigned addresses in the future.

The OPNSense router is not aware of the addresses assigned by the LRT224, so it’s possible to lease an IP address that is already in use to a second device. To avoid this, adjust your address Range to steer clear of potential conflicts.

A lease time of 86400 seconds is 24 hours, a reasonable choice for my network.

Press Save to start fulfilling client DHCP requests on this interface.
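As an added example (not from the original post), the two checks above – interface subnets must not overlap, and the DHCP range must avoid addresses the old router already leased – written against the four /25 subnets from the Network Overview. The interface address and the "in-use" addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The four /25 subnets from the Network Overview (255.255.255.128 is /25).
INTERFACES = {
    "VLAN9":  "192.168.9.0/25",
    "VLAN10": "192.168.9.128/25",
    "VLAN11": "192.168.10.0/25",
    "VLAN12": "192.168.10.128/25",
}

def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap; OPNsense refuses to save these."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]

def dhcp_range_problems(cidr, interface_ip, range_start, range_end, in_use):
    """Explain why a DHCP range on the subnet `cidr` is unsafe.
    `interface_ip` is the router's own address on that interface (an assumption here),
    `in_use` holds addresses the old router already leased (constructed sample data).
    An empty result means the range is safe to use."""
    network = ipaddress.ip_network(cidr)
    start, end = ipaddress.ip_address(range_start), ipaddress.ip_address(range_end)
    gateway = ipaddress.ip_address(interface_ip)
    problems = []
    if start not in network or end not in network:
        problems.append("range is outside the interface subnet")
    if start > end:
        problems.append("range start is after range end")
    if start <= gateway <= end:
        problems.append(f"range includes the interface address {gateway}")
    # Addresses the LRT224 already handed out that fall inside the proposed range
    clashes = sorted(ip for ip in map(ipaddress.ip_address, in_use) if start <= ip <= end)
    if clashes:
        problems.append("range includes in-use addresses: " + ", ".join(map(str, clashes)))
    return problems

if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(INTERFACES))
    print(dhcp_range_problems("192.168.9.128/25", "192.168.9.129",
                              "192.168.9.129", "192.168.9.250",
                              ["192.168.9.130", "192.168.9.200"]))
```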

WAN Setup

Navigate to System: Gateways: Configurations.

I renamed the original WAN port to [WAN1] and assigned the last port to [WAN2]. I connected [WAN2] to a different VLAN to confirm both ports came up with addresses.

I followed the OPNSense Multi WAN instructions for creating a load-balanced router.

Add Monitor IPs

A Monitor IP is the address OPNSense pings to determine whether the WAN gateway is available. The addresses provided must be reliable, such as Cloudflare‘s and Google‘s public DNS addresses. The instructions assign a different monitor address per gateway without explaining why.

Make sure Disable Gateway Monitoring and Mark Gateway as Down are unchecked.

Add Gateway Group

Navigate to System: Gateways: Group. No gateway groups should exist. Press the plus sign to add a new one.

  • Group Name: whatever is meaningful to you; it doesn’t appear to be used anywhere.
  • Gateway Priority: how the gateways are prioritized, based on the priority assigned to the individual gateway interfaces.
  • Trigger Level: the default is Member Down, but I decided to go with Packet Loss and High Latency …we’ll see how well that works.
  • Pool Options: how outgoing traffic is distributed; I chose Round Robin with Sticky Address because certain sites don’t appreciate it when traffic flips between gateways.

Press Save to save the group definition.

Router DNS

Similar to configuring the DNS used by the router, but now DNS servers need to be specified for each gateway. I chose Cloudflare’s DNS for [WAN1] and Google’s DNS for [WAN2]. Press Save to update the router’s settings.

Other Stuff

Block Inter-VLAN Traffic

The Guest and Devices subnets have no need to access the Users and Backend subnets; my larger security concern is a malicious user or rogue device infiltrating my network with bad intent. To reduce that possibility – I don’t think you can ever say remove – I’ve added a rule for [VLAN11] and [VLAN12] interfaces that blocks inter-VLAN traffic but does allow internet access.

Navigate to Firewall: Rules: <INTERFACE> and create the following rule.
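As an added example (not from the original post), a first-match simulation of the rule order described above for one untrusted interface. OPNsense evaluates an interface’s rules top-down and the first matching rule decides, so the block-to-internal-subnets rule must sit above the pass-to-anywhere rule. The interface gateway address and the sample packets are constructed; the pass rule to the gateway itself is an assumption, needed only if guest clients use the router for DNS.

```python
from ipaddress import ip_address, ip_network

# Alias covering every internal subnet from the Network Overview; anything
# outside it is treated as "the internet".
INTERNAL_NETS = [ip_network("192.168.9.0/24"), ip_network("192.168.10.0/24")]
ANY = ip_network("0.0.0.0/0")

def make_rules(interface_net, interface_ip):
    """Rules for one untrusted interface, in the order OPNsense evaluates them.
    interface_ip is the router's own address on that VLAN (assumed to be .1 here)."""
    net = ip_network(interface_net)
    return [
        # 1. let clients reach their own gateway (DNS/DHCP served by the router itself)
        {"action": "pass",  "src": net, "dst": ip_network(interface_ip)},
        # 2. block anything destined for an internal subnet (inter-VLAN traffic)
        *({"action": "block", "src": net, "dst": n} for n in INTERNAL_NETS),
        # 3. everything else, i.e. the internet, is allowed
        {"action": "pass",  "src": net, "dst": ANY},
    ]

def evaluate(rules, src, dst):
    """First matching rule decides; if nothing matches, the implicit default is block."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"]:
            return rule["action"]
    return "block"

# Guest interface from the Network Overview (VLAN 11); the .1 gateway is an assumption.
VLAN11_RULES = make_rules("192.168.10.0/25", "192.168.10.1")

if __name__ == "__main__":
    for dst in ("192.168.9.10", "192.168.10.130", "192.168.10.1", "1.1.1.1"):
        print(f"192.168.10.5 -> {dst}: {evaluate(VLAN11_RULES, '192.168.10.5', dst)}")
    # Same rules in the wrong order: the pass-any rule now shadows the block
    print("misordered:", evaluate(VLAN11_RULES[::-1], "192.168.10.5", "192.168.9.10"))
```

Running the misordered case shows why rule order matters: with the pass-to-any rule on top, guest traffic to the Family subnet is allowed even though the block rule is still present.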

Add DHCP Static Mappings

Navigate to Services: ISC DHCPv4: <INTERFACE>, scroll to the bottom, and press + (plus sign) to add a new mapping.

Provide the required information:

  • MAC address: the hardware identifier of the network interface.
  • IP address: the IP address to be assigned to this device.
  • Hostname: the host name assigned to the device by DHCP.
  • Description: human-readable description if the hostname is cryptic.
  • DNS Servers: DNS used by the device.
  • Gateway: the IPv4 address of the gateway for this interface.
  • Domain name: the domain, if any, for the internal network.

Press Save to store the final mapping.

Final Thoughts

This is my initial foray into OPNSense and so far so good! I have enough networking knowledge to understand the concepts, and UI navigation was simple and straightforward. Incoming traffic is blocked OOTB, requiring explicit steps to expose your network. It did take multiple attempts to get it right, but resetting to factory defaults got me out of trouble.

The Protectli Vault 1610 is thoughtfully designed, best shown by the screw-in power connector that can’t be easily displaced. The box itself runs a little hot due to its passive cooling, so I placed it away from other devices to prevent problems.

But in general, I’m very happy with the results!