
Messages - Nnyan

#1
I used one of those for almost a year and it was overall pretty good.  It will impact your performance once you get above around 500Mbps and there was a bit of a "delay" before changes became active.  BUT the arp spoofing could introduce weird issues on your network.  I eventually did move away.

While OPNsense does have client traffic filtering it's not enough.  I tried Sensei and honestly it looks cool but I found it difficult to get detailed data whenever I had an issue (ex:  something being blocked that shouldn't be, or not being blocked) and it's just too limiting.

After trying SafeDNS, DNSfilter, OpenDNS, Cloudflare for Teams, AdGuard and piHole I ended up with NextDNS.  Just the right balance of ease of use and features.  Cost is dirt cheap.  Much easier to use IMHO than Sensei.
That with Screentime and Bark.us and I'm covered.

I will say that Netgear has some options with a "lite" version of Circle.  I found that implementation a bit hokey but YMMV. 

I just upgraded my NAS to an 8 bay Synology and I found that their routers have "Safe Access".  I haven't tried this out yet but it looks promising. 

Also some of the Firewalla devices have a version of the arp spoofing built in and while I haven't used it myself I know a few friends that have with good success.
#2
Hello all,

So I'm following this guide here:  https://forum.opnsense.org/index.php?topic=8783.0  and I've tried a few others that just had some settings differences from the guide above.

So any of the external scans just show the port as being blocked or filtered and my internal app never gets the port forward requests.  To isolate the issue I dusted off my Unifi USG and Palo Alto PA-220, and after a bit of updating and configuration, plugging them in allows the port forward to work (scans show it to be open and my application gets the requests).

The firewall logs are a bit hard to understand, but I don't clearly see what/where it's being blocked.  If I filter it to show port 32400 I see traffic being allowed (second screenshot) but it's not on the WAN side.  Any help figuring this out will be greatly appreciated.  Thank you!


#3
I do have an alias but I have tried it with just the IP of the plex server. 
#4
That worked, thank you!  I still can't get the port to be unblocked.  For now I'm just going to run on my USG since that can handle my gigabit connection without IDS/IPS unlike my PA220.
#5
You are correct, it's really two separate issues.  For whatever reason OPNsense does not open ports on my new AT&T gigabit connection (it was fine on Comcast's gigabit).  But I have no issues opening ports if I switch to Unifi USG, Palo Alto PA-220 (or even my Orbi RBK853 when in router mode).  I can confirm the port is open by external scans (shows up on the other devices and blocked with OPNsense).
#6
I was running my fw/gateway virtualized on ESXi on one big box for some years.  But having everything in one box was a bit limiting, so I then went with multiple Supermicro boxes for virtualization.  In the end I found some things just ran better bare metal (firewalls, unraid, TrueNAS, etc.) so I stopped worrying about trying to cram everything in a VM/container/microservice and just deployed it to what worked best for me.
#7
I was going to give that a try but I do not have the option to create a rule, just none or pass.
#8
So I've been back on OPNsense for a while, but since the move I have changed ISPs from Comcast to AT&T.  The main reason is that the Comcast gigabit service is only 1G/40mb while the AT&T service is 1G/1G.  When everyone was home that 40mb (at best) was starting to be a PITA bottleneck.  AT&T does do some things I'm not crazy about (no true bridge mode) but the ip-passthrough works well enough and I did not detect a double NAT.

My problem is that since I made the move to AT&T my PLEX server is unable to maintain its external connection.  You basically have to port forward or UPnP to port 32400.  Back on Comcast this would work with UPnP or any port to 32400.  This could drop occasionally but it would come back up.  Now I can't get this to work for typically more than a few minutes, although occasionally it will work for a few hours or more.

I was working on this being an AT&T issue, except just about everyone on the AT&T forums was getting PLEX remote access to work.  Someone suggested getting static IPs to see if that helped.  It did not.  But that gave me an idea, and since I still have my Unifi switch and USG I plugged them into the BGW-320 and assigned them a static IP (public), and now I have two "paths" out to the internet.

When I connect my PLEX server to go out through the USG, PLEX can maintain its external connections.  I've tested this with some friends and it's been up solid for just over a week.  When I move it to the Cisco SG350 switch (which is where the OPNsense LAN port connects to), it will drop within a few mins or less.  Just to make sure I eliminate everything I broke out my Juniper EX3300 and took turns connecting each router to this switch and then the PLEX box, and I got the same results.

Just as an extra test for my sanity I dusted off the PA220, and after some updates and settings tweaks I connected this to the EX3300 and the PLEX server to this, and it has so far maintained remote access for almost 3 days.  I've attached the PF rule that I'm using.

If I run online port checkers, whatever port I set for PLEX is open on my USG IP but not the OPNsense IP.

I've tried looking through the logs but I really can't see anything that would pinpoint what my issue is with this.  Thank you ahead of time.
#9
I also had a USG (with a Unifi switch and 5 of their APs).  I wanted to move away from the USG (some years ago) b/c at the time they just had the USG and the Pro, and the Pro didn't have the performance I needed.  I moved back to OPNsense (which I had used prior to the USG) and it's been mostly a good experience.  It's not quite as polished and it can take a bit to figure out how to do things, but it's been pretty rock solid.  I am currently having an issue with port forwarding (I'll post about that in a bit).

I do miss the clear insights that you can get from Unifi; if I were to do it again I would run the controller on my network.
#10
Currently using NextDNS and I wanted to give AdGuard Home a try to see how they compare.  Before I started I did the following:

Disabled Unbound.
Disabled NextDNS CLI (checked status).

Was able to get this installed but when I try to enable encryption under the Encryption settings it tells me that port 443 is being used:

Error: control/tls/validate | port 443 is not available, cannot enable HTTPS on it | 400

I then took a look to see what is using port 443 (if this is not the correct way of checking please let me know):

#sockstat -4 -l

root     lighttpd   46986 5  tcp4   *:443                 *:*
root     lighttpd   46986 7  tcp4   *:80                  *:*

Not sure exactly what is using lighttpd for the port.
#11
I figured as much but then I'm not sure how to connect a device with a static IP through my opnsense box.  If I connect it directly to the BGW320 I'll be bypassing the fw.
#12
For a number of reasons I now have 5 usable public IPs from AT&T giga service.  My current config is this:  LAN devices on the 10.0.0.0/22 network and public IPs 50.x.x.x.

internet >> AT&T ONT >> ip-passthrough mode >> OPNsense WAN (50.x.x.150)>> OPNSense LAN (10.0.0.1)>> cisco managed switch

All my LAN devices connect to the cisco switch.  I may be off base here, but if I have a server that is connected to the cisco switch with an IP of 50.x.x.145, do I need to put in a static route in OPNsense so that it knows where to send this traffic (out the WAN port)?  If I have this correctly, how would I do that, or am I just completely off base here?
#13
I have been working on trying to get this done myself.  Plex remote access will not work unless I can figure out how to do this.
#14
Other than what you have already done, I'm not sure if that's available in OPNsense and it doesn't look to be a feature of the plugin.  I normally just get a DDNS update tool that works with your registrar (or a command line tool like noipy) that allows you to see the full response.
#15
That worked for me also until my 210 went bad and they replaced it with a 310.  Bridged mode only for me now.