Messages

Tagged an untagged is a property of a link between two devices, not your entire network. You can have e.g.

Access point to switch on a single port:

- guest tagged
- iot tagged
- lan and mangement untagged "because Unifi"

OPNsense to switch:

- guest and iot tagged on one port
- lan and management untagged on a different port

Thus you get the "do not mix tagged and untagged" for OPNsense - all other devices simply do not need to care.

Yes, they are all named os-* for "OPNsense".

You cannot remove anything from the UI. What is the problem? There are multiple options for providing DHCP to client systems, just pick the one that suits you best. Ignore the other ones, they will remain in the UI, though.

As for the IDS/IPS related question, best open a separate thread about that in the proper subforum.

This thread is 2 years old and so hardly relevant. What version of OPNsense are you running and what exactly is your problem? You are not running 23.x today, are you?

I suppose it would be worth a shot, since it wouldn't cost me anything, besides one more ethernet cable. Even if I do get a managed switch this would probably be the preferable configuration since it would avoid mixing untagged and tagged networks on one interface at the firewall, correct?

Correct. And if you have the ports, it's just one cable, so go ahead.

Du kannst doch alle Zertifikatsdateien kopieren lassen, so lange auf den Linux-Servern die nicht relevanten einfach nirgends in der Konfiguration hinterlegt sind.

You need to create a bridge interface with two members:

- the VLAN interface on the trunk port connected to your switch
- the plain ethernet port you want to be part of that VLAN

Then you need to switch the assignment (Interfaces > Assignments) from the VLAN to the bridge interface.

You are essentially building a virtual switch with an untagged port and a VLAN as member interfaces.

I am quite puzzled by the fact that you set your NUT service to "disabled" and things still seem to work.

Try

Code Select Expand

grep igb /var/run/dmesg.boot
and

Code Select Expand

pciconf -lv
That should give you enough information to identify the exact model of your interfaces.

[VLAN parent interface]

You need an IP address on the VLAN interfaces for the clients to be able to reach anything at all. That IP address is in most configurations the default gateway and the DNS server for your clients. Configure DHCP accordingly.

If you are not talking about the VLAN interfaces but the VLAN parent interface - do not configure that at all. No assignment (Interfaces > Assignments), no IP address, nothing. This is considered best practice for OPNsense and FreeBSD.

Check the address field in your browser. Maybe the search expression is part of a cached URL.

First, it's VLANs, not vnets 😉

Second, here's a nice introduction: https://www.thomas-krenn.com/en/wiki/VLAN_Basics

Third build an alias named e.g. "local networks" or "RFC1918" containing all your local networks.

Then for each VLAN create rules like this:

Source: VLAN X net
Destination: This Firewall
Action: allow

Source: VLAN X net
Destination: the local networks alias
Destination invert: check
Action: allow

The first rule allow DNS and other services to still work. The second one allows access to the Internet but not to other VLANs.

This will not run the job every minute, but on minute number 1 every hour, i.e. 7:01, 8:01, ...

Place a * into the minute field if you really want every minute. I'd recommemd */5 or */10 for every 5 or 10 minutes, respectively.

Please attach to your post here - I block image hosting sites.

No idea, never used the UI.