OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: s3b0 on October 02, 2025, 09:56:28 AM

Title: Just migrated from PFSense to OPNSense - need advice
Post by: s3b0 on October 02, 2025, 09:56:28 AM
Hi,
I'm not a network administrator, so don't be so cruel if I ask something obvious to you :). I'm still learning ;) and I need a firewall for my home setup.

But to the point, a few questions:
1. I wonder why there are so many options for DNS and DHCP (in the menu I can see at least 3: Dnsmasq DNS & DHCP, ISC DHCPv*, Kea DHCP, Unbound DNS). Which one should I use and how do I remove the unused ones to avoid misconfiguration?

2. I've tried to make some VLANs to isolate some IoT stuff (smart plugs, IP cameras and so on), but every time I reboot my router (after adding VLANs) my VLAN parent NIC is not giving DHCP addresses to connected devices. Do I need to do some sort of firewall rule tweaking first (before the reboot) to make DHCP work? Without an IP address I can't connect to the administration GUI :) and cannot configure further. Maybe I don't understand something?
Here is my topology:
- one main gateway (OPNsense); here I'm trying to do VLANs. Only two NICs, one for the ISP (internet access), the second for LAN (on this device I would like to have VLANs with DHCP)
- one main switch (not managed), 16 ethernet ports
- one PoE switch for IP cameras (not managed)
- 2 OpenWRT dumb switches and wifi access points (they rely on IPs from the main gateway for the bridges for wifi and ethernet); here all devices are connected
- some home computers <- I would like them not to use VLANs at all, only DHCP on the VLAN parent NIC
- plenty of wifi smart plugs and some cleaning robots (all on wifi) <- these should be in a VLAN

3. Do you know any Quick Start for noobs (like me :)) who want to start playing with OPNsense? The documentation is very good, but it is more for advanced users who look for advice and not for how to start. I've tried to look for something on YouTube but... there is more for pfSense than for OPNsense.

Title: Re: Just migrated from PFSense to OPNSense - need advice
Post by: pfry on October 02, 2025, 06:56:11 PM
Quote from: s3b0 on October 02, 2025, 09:56:28 AM[...]
1. I wonder why there are so many options for DNS and DHCP (in the menu I can see at least 3: Dnsmasq DNS & DHCP, ISC DHCPv*, Kea DHCP, Unbound DNS). Which one should I use and how do I remove the unused ones to avoid misconfiguration?

Flexibility. Choose one and use it, and simply disable the others (you cannot remove them easily). For instance, I do not use OPNsense for DNS processing, so I use Kea for DHCP.

Quote2. I've tried to make some VLAN-s to isolate some IOT stuff[...]

I understand what you'd like to accomplish, but not how, given your equipment. I isolate traffic using VLANs, using a Netgear MS510TX switch (smart/web managed) that I've broken down into a port expander. That is, ports 1-9 are each assigned a unique VLAN, untagged, and port 10 has all, tagged, and uplinks to a port on my firewall. Clients plugged into the switch do not have to be VLAN-aware. Note that this is not a common configuration, as most folks would prefer that their switch actually switches, and would have fewer VLANs assigned to multiple ports. You can accomplish something similar with basically any switch that offers some sort of management. A cheap example would be the Netgear GS108T, but there are (very) many others (ServeTheHome (https://www.servethehome.com/) is a good resource if you'd like to look at quick reviews).

I also cheesily isolate my wi-fi by breaking down my AP (OpenWRT) into two bridges, one for management and one for wi-fi client access. The management bridge acquires an IP via DHCP; the access bridge has no IP. The OpenWRT firewall is broken down such that it only isolates the bridges, and wi-fi clients are isolated from one another. Wi-fi client DHCP is served from the firewall. Oh, the management side is a bridge so that I can assign multiple ports to it, just in case. I could divide the management from access via VLANs and save a port, but I prefer to minimize special port configuration and I have plenty of switch ports.

This is not to say that you can't make VLANs work for you with your current hardware... but I don't think it's what you're looking for. In the short term you might consider foregoing the isolation. Another isolation option would be additional port(s) on your firewall, each serving a different switch.

And, of course, other folks here may have different/better advice.
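As an added illustration of the two-bridge OpenWRT AP layout pfry describes above (this is not pfry's configuration or any OpenWRT project file), here is what it looks like in OpenWRT's UCI config format. Port names, the radio name, the SSID and the key are assumed placeholders, and the layout assumes a DSA-era OpenWRT where switch ports appear as eth*/lan* devices.

```uci
# /etc/config/network -- two bridges: management (DHCP client) and client access (no IP)
config device
	option name 'br-mgmt'
	option type 'bridge'
	list ports 'eth0'          # assumed: uplink to the management port/VLAN on the switch
	list ports 'eth1'          # spare management port, "just in case"

config interface 'mgmt'
	option device 'br-mgmt'
	option proto 'dhcp'        # AP management address comes from the firewall's DHCP

config device
	option name 'br-access'
	option type 'bridge'
	list ports 'eth2'          # assumed: uplink to the client port/VLAN on the switch

config interface 'access'
	option device 'br-access'
	option proto 'none'        # no IP: the AP only bridges Wi-Fi clients to the wire,
	                           # so client DHCP is answered by the firewall, not the AP

# /etc/config/wireless -- the client SSID is attached to the access bridge
config wifi-iface 'client_ap'
	option device 'radio0'     # assumed radio name
	option mode 'ap'
	option network 'access'
	option ssid 'iot'          # assumed SSID
	option encryption 'psk2'
	option key 'CHANGE-ME'     # placeholder, replace before use
	option isolate '1'         # Wi-Fi clients cannot talk to one another through the AP

# /etc/config/firewall -- zones only separate the two bridges; no forwarding between them
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'      # SSH/LuCI reachable only via the management bridge
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'access'
	list network 'access'
	option input 'REJECT'      # the AP itself is not reachable from Wi-Fi clients
	option output 'ACCEPT'
	option forward 'REJECT'
# No 'config forwarding' section between the two zones, so nothing is routed
# between mgmt and access; each bridge only reaches the firewall over its own uplink.
```

With this layout the AP never routes between the bridges; any reachability between the management and client segments is decided solely by the firewall's rules on the two uplinks.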
Title: Re: Just migrated from PFSense to OPNSense - need advice
Post by: julsssark on October 02, 2025, 11:14:46 PM
See the OPNsense docs for guidance on selecting a DHCP server. https://docs.opnsense.org/manual/dhcp.html
Title: Re: Just migrated from PFSense to OPNSense - need advice
Post by: s3b0 on October 03, 2025, 09:03:53 AM
Quote from: pfry on October 02, 2025, 06:56:11 PM[...]

Thx - so, as far as I can see I must have a switch that supports tagging and do the isolation of VLANs there (and on OPNsense too). I don't want to spend more on my network, so I think I will stay with one network + DHCP, split the subnet addresses among my hardware and isolate them with firewall rules. It will keep my setup simple and ... cheap :). I had that kind of configuration on pfSense and it worked :) - so I'll stay that way.

One more "Thank you" for the fulfilling answer ;)
Title: Re: Just migrated from PFSense to OPNSense - need advice
Post by: pfry on October 03, 2025, 03:53:26 PM
Thinking about it, you may have managed switches - the OpenWRT devices. Assuming at least one has a built-in LAN switch. I don't tend to think of them as primary aggregation devices, just out of personal bias. Whether you'd want to use (part of) them as such...

One more thing: On the "minimize special port configuration" theme, I like to have some "vanilla" ports available on all of my devices, just to avoid the steps required to access them through tagged VLANs if something goes wrong. Paranoia.