Messages - coffeecup25

#1
Quote from: Monviech (Cedrik) on April 09, 2025, 07:20:12 PM
It also offers multiple MAC addresses per single IPv4 address, e.g. if your laptop traverses between LAN and Wi-Fi.


That's a nice idea. My current reservation list has several duplicates for wireless vs wired PCs and 5 GHz vs 2.4 GHz on cell phones. I'll take a closer look.
#2
I completed a successful install of OPNsense and Adguard Home in a new router PC. It works well. My former router PC is now a backup and a hobby machine.

My install includes about 30 static DHCP reservations using the ISC DHCPv4 menu selection. I think it was the default.

I later read that Dnsmasq should have been used for my small home install because ISC is end of life. I took a look and decided I have no idea how to properly configure it or how to migrate or install my current static reservations. The documentation makes no real sense to me. On pfSense, all I had to do to change DHCP backends was check off a box.

So, what is the recommended path and, if it involves changing over to Dnsmasq, can the DHCP reservations be moved automatically? My DHCP pool is 256 devices but only about 50 are auto-config and the rest are for static reservations if needed. The ISC page was easy to understand. The other two are not.

Thanks.
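The migration question in this post, worked through as an added example (this is not code from the thread, from OPNsense, or from the Dnsmasq project): the script reads the ISC `<staticmap>` reservations out of an OPNsense config backup and rewrites them in dnsmasq's own `dhcp-host=` syntax, folding several MACs that share one address into a single line, which is the per-address multiple-MAC feature mentioned in post #1. The config layout it parses (`<dhcpd><lan><staticmap>` with `<mac>`, `<ipaddr>` and `<hostname>` children) and the sample backup are assumptions constructed for the example; check the element names against your own config.xml before trusting the output. It produces plain dnsmasq lines and says nothing about how the OPNsense Dnsmasq pages import them.

```python
import ipaddress
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample in the shape of an OPNsense config backup (an assumption;
# verify the element names against a real config.xml). It carries the cases a
# conversion has to cope with: a laptop whose wired and Wi-Fi MACs share one
# address, two different hostnames claiming one address, and a typo in a MAC.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.20</ipaddr><hostname>laptop</hostname><descr>wired</descr></staticmap>
      <staticmap><mac>AA:BB:CC:DD:EE:01</mac><ipaddr>192.168.1.20</ipaddr><hostname>laptop</hostname><descr>wifi</descr></staticmap>
      <staticmap><mac>de:ad:be:ef:00:01</mac><ipaddr>192.168.1.30</ipaddr><hostname>nas</hostname></staticmap>
      <staticmap><mac>de:ad:be:ef:00:02</mac><ipaddr>192.168.1.30</ipaddr><hostname>printer</hostname></staticmap>
      <staticmap><mac>zz:11:22:33:44:55</mac><ipaddr>192.168.1.40</ipaddr><hostname>typo</hostname></staticmap>
    </lan>
  </dhcpd>
</opnsense>
"""


def parse_staticmaps(xml_text: str, iface: str = "lan") -> List[Tuple[str, str, str]]:
    """Pull (mac, ip, hostname) out of every <staticmap> under one interface.
    MACs are lower-cased so the same card is not counted twice because of case."""
    root = ET.fromstring(xml_text)
    entries = []
    for sm in root.findall(f"./dhcpd/{iface}/staticmap"):
        mac = (sm.findtext("mac") or "").strip().lower()
        ip = (sm.findtext("ipaddr") or "").strip()
        host = (sm.findtext("hostname") or "").strip()
        entries.append((mac, ip, host))
    return entries


def to_dnsmasq(entries) -> Tuple[List[str], List[str]]:
    """Turn the entries into dnsmasq dhcp-host= lines. Several MACs that share
    one address are folded into one line, which is dnsmasq's syntax for a host
    that may show up on either interface. Returns (lines, problems)."""
    by_ip: Dict[str, Tuple[str, List[str]]] = {}
    seen_mac: Dict[str, str] = {}
    problems: List[str] = []
    for mac, ip, host in entries:
        if not MAC_RE.match(mac):
            problems.append(f"skipped {ip} ({host}): malformed MAC {mac!r}")
            continue
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"skipped {mac}: malformed address {ip!r}")
            continue
        if mac in seen_mac:  # one MAC cannot hold two reservations
            problems.append(f"skipped {mac}: already reserved for {seen_mac[mac]}")
            continue
        seen_mac[mac] = ip
        if ip not in by_ip:
            by_ip[ip] = (host, [mac])
            continue
        first_host, macs = by_ip[ip]
        if host != first_host:  # merge the MACs, but flag the naming conflict
            problems.append(f"{ip}: hostnames differ ({first_host!r} vs {host!r}); kept {first_host!r}")
        macs.append(mac)
    lines = []
    for ip in sorted(by_ip, key=ipaddress.IPv4Address):
        host, macs = by_ip[ip]
        fields = macs + [ip] + ([host] if host else [])
        lines.append("dhcp-host=" + ",".join(fields))
    return lines, problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    out, issues = to_dnsmasq(parse_staticmaps(text))
    print("\n".join(out))
    for p in issues:
        print("# " + p, file=sys.stderr)
```

Run it as `python3 isc2dnsmasq.py config.xml` against a downloaded backup (the file name is a placeholder); without an argument it runs on the embedded sample. Conflicts are reported on stderr rather than silently dropped, because a reservation that vanishes during a backend change is exactly the kind of gotcha this thread is about.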
#3
General Discussion / Re: Gotchas nobody mentions
March 15, 2025, 01:56:43 PM
Quote from: EricPerl on March 15, 2025, 02:03:28 AM
Additional LANs or VLANs are not that different. As long as you can throw HW at the problem, physical isolation is fine.
For example, with a 4-port router, that's 3 LANs max.

It just was not possible for me. The physical wiring of my house is way too constraining.
My only HW requirement was VLAN aware switches and AP.

I understand completely. A VLAN is a great thing when you need one. It can solve a lot of problems quickly.
#4
General Discussion / Re: Gotchas nobody mentions
March 14, 2025, 03:41:44 PM
Quote from: EricPerl on March 13, 2025, 08:33:55 PM
I transitioned from a prosumer router to OPN last fall. I had a bunch of VLANs already.
I merely added OPN on my existing network and migrated the VLANs one by one until only my core network was left on the old router.
I made the final switch on a morning when I was the only user. I don't even know if I had 10 minutes of downtime.

You can get a dual NIC mini-PC for $150 nowadays...

Thank you.

VLANs over-complicate a simple situation. Hyper-V Virtual Switches should do the job. It's only temporary and also only a hobby fun project, after all. A full laptop install on a spare laptop is my fallback. Also simpler.

I'll be using a different subnet for the 2x NAT. Which reminds me that all my static IPs will need to be reset after I install the config into my 5-port PC / router. I hope OPNsense makes it easy.

Since that router gives me 3 ports I'm not currently using, my next project may be to set one up with a different subnet. Easier than a VLAN and all in one device. I can tie a different Access Point into the 2nd subnet.

Edit: After writing about address reservations, I realized a gotcha. If I change the subnet range before the final install, it either won't let me since reservations are there or it will wipe out all the reservations, making me reenter them again. Years ago on pfSense I accidentally changed the LAN subnet on the console screen and doing that cleared all my reservations. I had to enter them again. 

The solution: Create a 2x wide subnet range that's 1 off from my existing one. It will hold a max of 512 devices rather than 256. Enter the new ones in the one-off range. After testing, change all the reservations to the correct number. After no devices exist in that one-off range, then close the range back to the proper one or simply leave it alone since the excess numbers can be easily ignored. An online subnet calculator can give me the details I will need.

Using a new subnet range is a possibility but that means I will have to change some nightly backups that depend on LAN IP numbers to know where to go.
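The widen-then-shrink plan in the edit above, worked through as an added example (not code from the post or from OPNsense): it uses Python's `ipaddress` module to do what the online subnet calculator would, and adds the check the plan needs before narrowing the range back. The network numbers are constructed assumptions. One caveat the arithmetic makes visible: the wider block has to be aligned, so for 192.168.1.0/24 the "one off" scratch half is 192.168.0.0/24, below it, not 192.168.2.0/24; for 192.168.2.0/24 it is 192.168.3.0/24.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample network (an assumption for the example).
OLD_LAN = "192.168.1.0/24"

Net = ipaddress.IPv4Network


def widen(old_cidr: str) -> Tuple[Net, Net, Net]:
    """Return (wide, keep, scratch): the next-larger aligned block that contains
    old_cidr, the original block itself, and its sibling half, which is the
    'one off' range the plan parks temporary reservations in."""
    keep = ipaddress.ip_network(old_cidr, strict=True)
    wide = keep.supernet(prefixlen_diff=1)           # /24 -> /23, aligned
    halves = list(wide.subnets(prefixlen_diff=1))    # the two /24 halves, low then high
    scratch = halves[1] if halves[0] == keep else halves[0]
    return wide, keep, scratch


def translate(ip: str, keep: Net, scratch: Net) -> str:
    """Map a scratch-range address to the same host offset in the original block
    (scratch .50 -> original .50): the 'change all the reservations to the
    correct number' step, done by arithmetic instead of by hand."""
    addr = ipaddress.ip_address(ip)
    if addr not in scratch:
        raise ValueError(f"{ip} is not inside the scratch range {scratch}")
    offset = int(addr) - int(scratch.network_address)
    return str(keep.network_address + offset)


def still_in_scratch(reservations: List[str], keep: Net, scratch: Net) -> List[str]:
    """Reservations still parked in the scratch half. While this list is
    non-empty the wide block must stay; narrowing it back would orphan them."""
    return [r for r in reservations if ipaddress.ip_address(r) in scratch]


def plan(old_cidr: str) -> dict:
    """The numbers you would otherwise get from a subnet calculator."""
    wide, keep, scratch = widen(old_cidr)
    return {
        "wide": str(wide),
        "wide_mask": str(wide.netmask),
        "wide_broadcast": str(wide.broadcast_address),
        "keep": str(keep),
        "scratch": str(scratch),
        "scratch_hosts": scratch.num_addresses - 2,
    }


if __name__ == "__main__":
    wide, keep, scratch = widen(OLD_LAN)
    for k, v in plan(OLD_LAN).items():
        print(f"{k:15} {v}")
    parked = ["192.168.0.50", "192.168.0.51"]
    for p in parked:
        print(f"{p} -> {translate(p, keep, scratch)}")
    print("blocking shrink:", still_in_scratch(parked + ["192.168.1.20"], keep, scratch))
```

Two practical notes on the plan itself: the gateway address and every existing /24 reservation are unchanged by the widening, only the mask and broadcast move, and statically configured hosts that keep a /24 mask will reach the scratch half only through the gateway, while DHCP clients pick up the /23 mask at their next renewal.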
#5
From Amazon, find an i226-V PC with a J4125 processor. Unless you are running a good-sized business with multiple hard users, this will do well. Add DDR4 memory and an SSD. Even an old 2.5-inch SSD will usually fit. Cheap and way more than enough. The N100 is also OK, but it is super powered, about $50 more in the box, and it runs hot by design. Intel says the heat is OK and not an issue.
#6
General Discussion / Re: Gotchas nobody mentions
March 13, 2025, 01:14:53 PM
Quote from: EricPerl on March 13, 2025, 02:56:03 AM
If the systems have different HW, the physical devices will have different names and the configuration won't carry over seamlessly.
It's one of the reasons why I use OPN under proxmox and now use the bridges (versus passthrough). The vtnetX can be used on both systems.
This said, moving the config only requires a find/replace otherwise. I did that when I moved from passthrough to bridges.

Using WAN on a private network requires a couple of tweaks (bogons & reply-to).

If you only have 1 NIC, VLANs seem unavoidable.
The USB NIC might be sufficient for an experiment to work around that aspect. I never used one with a router...



Thanks. If I go the laptop route, the 2x NAT and USB RJ45 will only be for testing. The final install will look very normal.

Today's project will be to see if anyone has migrated a VM install to actual hardware and not had showstopper issues reloading a backed up config.

Also, I saw a pfSense VM install into Hyper-V documented and it claims to use 2 virtual switches. Taking a closer look at that is another project before I start.
#7
General Discussion / Re: Gotchas nobody mentions
March 13, 2025, 01:09:31 PM
Quote from: verfluchten on March 13, 2025, 12:00:11 AM
One gotcha that I learned was that I could not restore a config saved from one installation, to another installation. I probably asked about that here but got nowhere.

Big thanks. I will definitely look into that. That's one of those little things that can stop the entire project.
#8
General Discussion / Re: Gotchas nobody mentions
March 12, 2025, 08:56:17 PM
@EricPerl,

Thanks for the caution about Hyper-V. I'm most familiar with it but also VirtualBox somewhat. Not so much the others. I've seen tutorials for OPNsense and pfSense in Hyper-V but haven't looked them over in detail yet. I'll be sure to visualize the whole process of virtual switch building and install of OPNsense before doing it. I assume the pfSense instructions will work for OPNsense.

I decided to make the test easy on myself. I will double NAT and add a couple of downstream PCs. The main network will be the 'ISP', WAN. It should apply well enough. No VLAN needed, I think, as the VM instructions I mentioned didn't mention one.

The interface names are a good call. I see the problem you are referring to.

For the final install, eventually, I will swap out the SSD in the current router / PC and install OPNsense on a different one. If I mess it up I can always put the old one back.

If the whole thing goes belly up, I might use a different spare laptop with a RJ45 port and a USB LAN dongle to figure it all out. Only temp as the USB dongle is supposed to be unstable.

I will look at your write-up. Thanks again.
#9
Just a guess, but I think your cable modem lost the DHCP lease for the router and it won't renew. The ASUS resets it because the cable modem sees a different MAC address. Turning the PC off and leaving it off long enough to let the capacitors drain might do it. Google might offer other solutions. Address Resolution Protocol is the issue. The ARP table in the modem is losing information and needs to be reset. Seeing a new MAC address causes the ARP table to wake up, more or less.

A small UPS for power blips would remove this problem completely. I use one to protect the network from brief power outages that only last a couple of seconds but are long enough to reboot everything.

Edit: See if the DHCP leases page on the router has a refresh button. Just in case the issue is on the OPNsense side.

Since OPNsense says you have no WAN IP when it drops, the problem more likely is on the modem side. The refresh probably won't work but it's worth a try anyway.
#10
General Discussion / Gotchas nobody mentions
March 11, 2025, 02:39:44 PM
I just ordered more RAM and a larger M.2 SSD for my laptop so I can build a Hyper-V VM with OPNsense. I want to build a functional router with the intention of saving off the configuration, then installing OPNsense and the saved config on my current 2.5G 4-port router / PC. I'll probably plug in the laptop for a little while just to see how my experiment works overall. The laptop has 1 RJ45 port.

I'm sure there are a few gotchas in there so I am asking in advance what they might be. I plan to set up a few static addresses, an adblocker (either the adguard home add-on or whatever is built into OPNsense that can use blocklists), a VPN, and whatever else looks useful.

There are enough guides on the internet to show me how to do these things in the VM. Plus, figuring it all out is most of the fun.

I have no doubt there will be a few problems to deal with that aren't normally described. Can anyone provide a few pointers so I don't get to a place where I think I'm done but it doesn't work in the router / PC because of that thing nobody ever mentions.

Thank You.
#11
Quote from: InstaNoodle on May 03, 2017, 01:20:39 PM
I just signed up to the forums and I'm considering switching to OPNSense due in small part to the AES-NI situation with pfSense 2.5 but mainly due to the way they conduct themselves on HN and Reddit regarding the change.

I noticed also that they're no longer supporting 32-bit in 2.4 but made an exception for their own ARM SG1000 (32-bit ARM CPU); it also doesn't feature AES-NI (it has its own cryptographic hardware that implements AES in hardware) but it too will get release 2.5.

But of course if we (the community) wish to use 2.4 on 32-bit we're not allowed, nor can we use cryptographic accelerators or architectures that have their own crypto hardware which isn't AES-NI.

So I have to agree that this whole situation feels like planned obsolescence to get community members to purchase branded hardware.

And that is why I'm here really, I don't like the way things are going there and I've woken up to the realities that they're moving away from openness to make money.

Regardless though I'm happy to be here and learning about OPNSense.

Me too. I'm using a Supermicro J1900 motherboard for mine. No AES-NI. No plan to toss it out either since the home router cost nearly $400 at the time I built it. Supermicro isn't cheap but it's supposed to be ultra reliable.

Going to try to convert first on a spare laptop and use a USB LAN cable for the 2nd LAN outlet. After I get it to work as I like, I'll install on the Supermicro and load the config from the laptop experiment.

If the laptop experiment fizzles I'll do the same but on Hyper-V.
#12
fabian, franco,

Thank you. I think I read that both OPNsense and Sophos work with a USB LAN attachment. I have a couple lying about and also a spare laptop that has a gigabit port. I plan to replace the hard drive in it temporarily and try both of them. Sophos is only an indulgence as I have always wanted to see it. I suspect the learning curve will be far too steep, but I'm curious.

Then I will install OPNsense on it and configure it to my needs. After it works I'll reformat my Supermicro, install OPNsense and update the configuration. I'll decide about the Wi-Fi later as it would only be for fun; I have an R6400 as a wireless access point on the 1st floor; the main router is in the basement where the wires enter the house. I wired the 1st floor with Cat6.

Edit: Decided to go straight to OPNsense and ignore Sophos. Sophos has a 3-year free license renewal period. It's free but I don't want to have to worry about a router not working 3 years down the road because of a failure to replace it with a new free 3-year license.

BTW, you might want to add to the improvement list an auto-update capability for new versions of OPNsense as they are pumped out. Perhaps give it a delay so it's not installed until a month or so after release, so it can be pulled if there's a problem before auto-update.
#13
I'm going to switch over too. Here's my concerns. I assume the conversion will work well, however.

1) I have a Supermicro J1900-based motherboard with 8 GB RAM and a 120 GB SSD, two i210-AT Intel gigabit LAN ports ... OK? No AES-NI.

2) As an aside, I noticed OPNsense will support Wi-Fi. I have a spare Intel 6205 dual band card. My motherboard will support it. Will I need an external antenna ... if so, pointers on how to install it. Thanks.

3) I'm assuming OpenVPN still supports multiple servers like pfSense? I want to install a tun, possibly a tap, and a site to site. Can OpenVPN be locked to specific users so the certs must match the user? Is there a client export capability?

4) Geoblocking and IPS/IDS are needed and appear to be offered. Any big differences? It took a while but I eliminated most Snort false positives in pfSense. Are specific false positives easy to override in OPNsense?

5) No-IP dynamic DDNS is used by me. Is it supported?

6) I need to affix a few permanent IP addresses on a couple of devices. I assume it's pretty easy?

7) Any big differences you have to deal with? The above pretty well described my complete needs. My preference is that the forum here doesn't have as many snotty contributors as pfSense has.

Thanks, much. Glad OPNsense is available. My other option was Sophos, and I was not looking forward to the learning curve. I don't like being forced to buy new hardware just to continue with pfSense. It's good but not the only product out there. Apparently, other products support AES-NI if it's detected, otherwise it's ignored.

Edit: just did some research. Looks good. I plan to test it out soon. Still wondering about the Wi-Fi, mostly how to deal with antennas on a motherboard, in general.