When you run enough desktop office machines, maintenance and changes such as installing new software quickly become a problem. You can configure unattended upgrades, but that only helps while they work: often an update won't install and you'll need to intervene by hand.
To resolve this we decided to try Ansible, which has worked out great for us. We start the machines with Wake-on-LAN at night, apply any changes, run the updates and clean up the system.
If you do not know how Ansible works, read up on it here. We needed to work around some bugs in Ansible, but the playbook below is what works for us right now.
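Here is an added example of what such a nightly run can look like. It is not the author's playbook and is written for Debian/Ubuntu desktops; the inventory group `office`, the per-host `mac` variable, the LAN broadcast address and the package list are assumptions. It wakes the machines, first repairs a half-finished dpkg run (the usual reason an unattended upgrade stalls and then keeps failing), installs the required software, upgrades, cleans up, reboots only when the system asks for it and shuts the desktop down again.

```yaml
---
# Added example (not the author's playbook): nightly maintenance of
# Debian/Ubuntu office desktops. Assumed: an inventory group "office"
# whose hosts carry a "mac" host variable with their Ethernet address,
# a LAN broadcast address of 192.168.10.255 and the package list below.
- name: Wake the office desktops
  hosts: office
  gather_facts: false          # the hosts are still powered off here
  tasks:
    - name: Send the Wake-on-LAN magic packet from the control host
      community.general.wakeonlan:
        mac: "{{ mac }}"
        broadcast: 192.168.10.255
      delegate_to: localhost

    - name: Wait until the machine answers over SSH
      ansible.builtin.wait_for_connection:
        delay: 30
        timeout: 600

- name: Apply changes, update and clean up
  hosts: office
  become: true
  vars:
    office_packages:           # assumed list of software every desktop needs
      - libreoffice
      - firefox-esr
  tasks:
    - name: Finish any package configuration a failed unattended upgrade left behind
      ansible.builtin.command: dpkg --configure -a
      register: dpkg_fix
      changed_when: dpkg_fix.stdout != ""

    - name: Install the software every desktop should have
      ansible.builtin.apt:
        name: "{{ office_packages }}"
        state: present
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade all installed packages, retrying transient mirror errors
      ansible.builtin.apt:
        upgrade: dist
      register: apt_upgrade
      retries: 3
      delay: 60
      until: apt_upgrade is succeeded

    - name: Remove packages nothing depends on anymore and purge the .deb cache
      ansible.builtin.apt:
        autoremove: true
        autoclean: true

    - name: Check whether a kernel or core library update requires a reboot
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required

    - name: Reboot if required and wait for the machine to come back
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_required.stat.exists

    - name: Power the desktop off again for the night
      ansible.builtin.command: shutdown -h +1
      changed_when: true
```

Run it from the control host with cron, for example `0 2 * * * ansible-playbook -i inventory.ini nightly.yml` (time and paths are assumed), and make sure Wake-on-LAN is enabled in the BIOS/UEFI and on the NIC of each desktop before relying on the first play. Because the first play cannot gather facts from a switched-off host, everything that needs facts lives in the second play.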
With a Dutch XS4ALL VDSL connection you only get a basic VDSL modem/router that cannot be put in bridge mode, so using your own router and firewall behind it is not possible. To make this possible we bought a Draytek Vigor 130 modem and an OPNsense router, which gives us far more capabilities and control in the small office environment it is installed in.
Thanks to two separate posts I found on this topic this was possible. First, the post by Harold Schoemaker, who explains the configuration of the modem.
The modem only needs to talk to the DSLAM and let the router set up the PPPoE session itself. Log in to the modem and configure the following under "Internet Access" and "General Setup".
Next go to the MPoA settings and configure the following:
MPoA (RFC1483/2684): Enable
Bridge Mode: Enable Bridge Mode
Once saved, the status of the modem should say "SHOWTIME" and show the correct line speeds.
Now we can configure the OPNsense appliance. With the help of a post by FirewallOnline.nl I got this to work.
First a VLAN needs to be configured; for XS4ALL internet this is VLAN 6. In the menu go to "Interfaces", "Other Types" and "VLAN".
Create a new VLAN, set the parent interface to your WAN interface (re1 in my case), set the VLAN tag to 6, add a description and save. Then, under "Interfaces" and "Assignments", assign the new VLAN interface as the WAN device, so the PPPoE session runs over the tagged VLAN and not over the untagged parent interface.
Next, under "Interfaces" go to "WAN" and configure the following.
IPv4 configuration type: PPPoE
IPv6 configuration type: none
Username (under "PPPoE configuration"): firstname.lastname@example.org (what you fill in here does not matter, but it cannot be empty).
Block private networks and Block bogon networks both need to be on, so that packets arriving on the WAN with an RFC 1918 source address or a source address from unallocated or reserved ranges are dropped at the edge.
Save the configuration, then under "Lobby" go to the "Dashboard": you should see your external IP address on the WAN interface there.