
Friday, December 5, 2025

How to Configure OPNsense (Rift Raven) with du Internet

 

Switching from a standard ISP router to a dedicated firewall like the Rift Raven gives you enterprise-grade control over your network. However, connecting it to a du (Nokia ONT) connection involves navigating MAC address locking, private WAN IPs, and NAT configurations.

This guide walks through the successful configuration, specifically tailored for a setup requiring a large internal network (/22 subnet) and handling "Double NAT" scenarios.

Phase 1: The Hardware & Cabling

Before touching the software, the physical connections must be correct. The Rift Raven typically has 2 ports: Port 1 (WAN) and Port 2 (LAN).

The Setup

  1. The Source (du): Locate the white/black Nokia ONT on your wall. Find the active LAN port (usually LAN 1 or GE 1).

  2. The Bridge: Connect an Ethernet cable from Nokia LAN 1 directly to Rift Raven Port 1 (WAN).

  3. The Local Network: Connect Rift Raven Port 2 (LAN) to your PC (for setup) or to a Gigabit Switch.

    • Note: Since the Raven only has one LAN port, a switch is required to connect the rest of your home’s wall sockets (Patch Panel).

Critical Step: The "Handshake" Reset

du’s Nokia ONT locks onto the MAC address of the device connected to it. If you simply unplug your old router and plug in the Raven, it will likely block the connection.

The Fix:

  1. Unplug power from the Nokia ONT.

  2. Unplug power from the Rift Raven.

  3. Wait 5 full minutes. (This clears the active session at the exchange).

  4. Power on the Nokia ONT and wait for the "PON/Optical" light to turn solid green.

  5. Power on the Rift Raven.


Phase 2: OPNsense Initial Configuration

Access the OPNsense interface (default: https://192.168.1.1) and run the Wizard.

WAN Settings (For du)

  • Type: DHCP (du uses IPoE, not PPPoE, so no username/password is needed).

  • Block Private Networks: UNCHECK (Crucial: the ONT hands the Raven a private WAN IP; see Phase 3, Issue 1).

  • Block Bogon Networks: UNCHECK.

LAN Settings (The Custom /22 Range)

We configured the LAN to be larger than a standard home network to avoid IP exhaustion.

  • IP Address: 192.168.0.1

  • Subnet Mask: /22 (255.255.252.0)

  • Range: This provides IPs from 192.168.0.1 to 192.168.3.254.

Tip: If changing the LAN IP locks you out of the web interface, use the physical console (VGA/HDMI + Keyboard) and select Option 2 to reset the interface IP.


Phase 3: Troubleshooting "No Internet" (The Gateways)

Once connected, you might see the WAN interface turn green, but devices on the LAN cannot access the internet. This is usually due to two specific issues found in du setups.

Issue 1: The "Double NAT" Problem

The Nokia ONT often acts as a router, assigning the Raven a private IP (e.g., 192.168.70.x) instead of a public one. OPNsense sees this "Private" WAN IP and assumes it shouldn't route traffic out to it.

The Fix: Hybrid Outbound NAT

  1. Go to Firewall > NAT > Outbound.

  2. Change Mode to Hybrid outbound NAT rule generation.

  3. Click Save and Apply.

  4. Ensure a rule exists mapping LAN net to WAN interface.

Issue 2: The Gateway Trap (Critical Configuration Error)

A common mistake is assigning a Gateway to the LAN interface.

  • The Error: In System > Gateways, you might see a gateway named LAN_GW pointing to 192.168.0.1.

  • The Consequence: This creates a routing loop. OPNsense tries to send internet traffic back into the LAN port.

The Fix:

  1. Go to System > Gateways > Configuration.

  2. Delete any Gateway associated with the LAN interface.

  3. Go to Interfaces > [LAN].

  4. Ensure IPv4 Upstream Gateway is set to Auto-detect or None.


Phase 4: Validating the Connection

To confirm everything is working, perform these tests in order:

1. Test from the Firewall (Diagnostics)

Go to Interfaces > Diagnostics > Ping.

  • Ping 8.8.8.8 (Source: WAN): Success means the Raven connects to the internet.

  • Ping google.com (Source: WAN): Success means DNS is working.

2. Test from a LAN Device (PC/Laptop)

Open a command prompt on your computer.

  • ping 8.8.8.8

  • If it fails: It is likely a NAT issue (See Phase 3, Issue 1).

  • If it works: You are online.


Summary Checklist for Future Reference

If you ever reset the device, follow this "Golden Config":

  • [ ] WAN Interface: DHCP enabled, "Block Private Networks" Unchecked.

  • [ ] WAN Gateway: Monitor IP set to 8.8.8.8 (Disable Gateway Monitoring unchecked).

  • [ ] LAN Interface: Static IP (192.168.0.1/22), Upstream Gateway set to None.

  • [ ] NAT: Outbound NAT set to Hybrid.

  • [ ] Cabling: Nokia LAN 1 → Raven WAN. Raven LAN → Switch.

Final Note on Hardware: Because the Rift Raven has limited ports, ensure your Gigabit Switch is connected to the Raven's LAN port to distribute the connection to the rest of your home's patch panel (D-5, etc.).
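
The checklist above can also be run as an offline check. The Python below is an added example, not part of the original post or of OPNsense; the settings-dict layout and the finding names are assumptions for illustration, and the sample values are constructed. It goes one step beyond the post by also flagging a WAN lease that overlaps the /22 LAN.

```python
import ipaddress

def lan_host_range(lan_cidr):
    """First and last usable host of the LAN, e.g. for 192.168.0.1/22."""
    net = ipaddress.ip_interface(lan_cidr).network
    return str(net.network_address + 1), str(net.broadcast_address - 1)

def audit(cfg):
    """Check a settings dict (hypothetical layout) against the post's checklist."""
    wan = ipaddress.ip_interface(cfg["wan_lease"])
    lan = ipaddress.ip_interface(cfg["lan_address"])
    findings = []
    if wan.ip.is_private:
        # The ONT is routing, so the Raven sits behind a second NAT.
        findings.append("info:double-nat")
        if cfg["wan_block_private"]:
            findings.append("block-private-on-private-wan")
    if wan.network.overlaps(lan.network):
        # Beyond the post: a /22 spans four /24s, so it collides more easily
        # with whatever private range the ONT hands out.
        findings.append("wan-lan-overlap")
    if cfg["outbound_nat_mode"] != "hybrid":
        findings.append("outbound-nat-not-hybrid")
    for gw in cfg["gateways"]:
        # The "Gateway Trap": a gateway bound to LAN or pointing at the LAN IP.
        if gw["interface"] == "lan" or ipaddress.ip_address(gw["address"]) == lan.ip:
            findings.append("lan-gateway:" + gw["name"])
    if cfg["lan_upstream_gateway"] not in ("none", "auto"):
        findings.append("lan-upstream-gateway-set")
    return findings

# Constructed sample values, not taken from a real device.
GOOD = {
    "wan_lease": "192.168.70.23/24", "wan_block_private": False,
    "lan_address": "192.168.0.1/22", "lan_upstream_gateway": "none",
    "outbound_nat_mode": "hybrid",
    "gateways": [{"name": "WAN_DHCP", "interface": "wan", "address": "192.168.70.1"}],
}
BAD = {
    "wan_lease": "192.168.1.50/24", "wan_block_private": True,
    "lan_address": "192.168.0.1/22", "lan_upstream_gateway": "LAN_GW",
    "outbound_nat_mode": "automatic",
    "gateways": [{"name": "WAN_DHCP", "interface": "wan", "address": "192.168.1.1"},
                 {"name": "LAN_GW", "interface": "lan", "address": "192.168.0.1"}],
}

if __name__ == "__main__":
    print(lan_host_range(GOOD["lan_address"]))
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg))
```

In the GOOD case the only finding is the informational double-NAT note, which is expected whenever the ONT hands out a private lease.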
