Messages - Patrick M. Hausen

#1
Tagged and untagged is a property of a link between two devices, not your entire network. You can have e.g.

Access point to switch on a single port:

- guest tagged
- iot tagged
- lan and management untagged "because Unifi"

OPNsense to switch:

- guest and iot tagged on one port
- lan and management untagged on a different port

Thus you get the "do not mix tagged and untagged" for OPNsense - all other devices simply do not need to care.
#2
25.7 Series / Re: System:Firmware:Plugins list
August 30, 2025, 10:26:05 AM
Yes, they are all named os-* for "OPNsense".
#3
General Discussion / Re: Multi DHCP servers
August 29, 2025, 11:09:46 PM
You cannot remove anything from the UI. What is the problem? There are multiple options for providing DHCP to client systems, just pick the one that suits you best. Ignore the other ones, they will remain in the UI, though.

As for the IDS/IPS related question, best open a separate thread about that in the proper subforum.
#4
This thread is 2 years old and so hardly relevant. What version of OPNsense are you running and what exactly is your problem? You are not running 23.x today, are you?
#5
Quote from: wiggler on August 29, 2025, 09:24:09 PM
I suppose it would be worth a shot, since it wouldn't cost me anything, besides one more ethernet cable. Even if I do get a managed switch this would probably be the preferable configuration since it would avoid mixing untagged and tagged networks on one interface at the firewall, correct?

Correct. And if you have the ports, it's just one cable, so go ahead.
#6
You can simply have all certificate files copied, as long as the ones that are not relevant are not referenced anywhere in the configuration on the Linux servers.
#7
You need to create a bridge interface with two members:

- the VLAN interface on the trunk port connected to your switch
- the plain ethernet port you want to be part of that VLAN

Then you need to switch the assignment (Interfaces > Assignments) from the VLAN to the bridge interface.

You are essentially building a virtual switch with an untagged port and a VLAN as member interfaces.
#8
I am quite puzzled by the fact that you set your NUT service to "disabled" and things still seem to work.
#9
Try

grep igb /var/run/dmesg.boot

and

pciconf -lv

That should give you enough information to identify the exact model of your interfaces.
#10
General Discussion / Re: Basic Vnet questions
August 29, 2025, 04:17:25 PM
You need an IP address on the VLAN interfaces for the clients to be able to reach anything at all. That IP address is in most configurations the default gateway and the DNS server for your clients. Configure DHCP accordingly.

If you are not talking about the VLAN interfaces but the VLAN parent interface - do not configure that at all. No assignment (Interfaces > Assignments), no IP address, nothing. This is considered best practice for OPNsense and FreeBSD.
#11
25.7 Series / Re: System:Firmware:Plugins list
August 29, 2025, 03:13:17 PM
Check the address field in your browser. Maybe the search expression is part of a cached URL.
#12
General Discussion / Re: Basic Vnet questions
August 29, 2025, 02:41:22 PM
First, it's VLANs, not vnets 😉

Second, here's a nice introduction: https://www.thomas-krenn.com/en/wiki/VLAN_Basics

Third, build an alias named e.g. "local networks" or "RFC1918" containing all your local networks.

Then for each VLAN create rules like this:

Source: VLAN X net
Destination: This Firewall
Action: allow

Source: VLAN X net
Destination: the local networks alias
Destination invert: check
Action: allow

The first rule allows DNS and other services to still work. The second one allows access to the Internet but not to other VLANs.
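The rule pair above, replayed as an added example (not part of the original post) against constructed sample traffic. It assumes a first-match policy with an implicit default deny, VLAN 10 as 192.168.10.0/24 and VLAN 20 as 192.168.20.0/24 with the firewall at .1 on each, and the "local networks" alias being the three RFC1918 ranges; all of these values are constructed for illustration.

```python
"""Toy first-match evaluator for the per-VLAN rule pair described above."""
import ipaddress

# Constructed sample topology (assumed, not from the post)
VLANS = {
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
    "VLAN20": ipaddress.ip_network("192.168.20.0/24"),
}
# "This Firewall" matches every address the firewall itself holds,
# so it includes the gateway address on *other* VLANs as well.
FIREWALL_ADDRS = {ipaddress.ip_address("192.168.10.1"),
                  ipaddress.ip_address("192.168.20.1")}
# The "local networks" / "RFC1918" alias
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(addr, alias):
    return any(addr in net for net in alias)


def build_rules(vlan):
    """The two rules the post recommends, for one VLAN interface."""
    net = VLANS[vlan]
    return [
        # Source: VLAN X net / Destination: This Firewall / allow
        dict(src=net, dst=lambda a: a in FIREWALL_ADDRS,
             invert=False, action="allow"),
        # Source: VLAN X net / Destination: local networks alias,
        # "Destination invert" checked / allow
        dict(src=net, dst=lambda a: in_alias(a, RFC1918),
             invert=True, action="allow"),
    ]


def evaluate(vlan, src, dst):
    """First matching rule wins; no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in build_rules(vlan):
        if src not in rule["src"]:
            continue
        # A destination matches when (alias hit) XOR (invert flag)
        if rule["dst"](dst) != rule["invert"]:
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    for dst in ("192.168.10.1", "1.1.1.1", "192.168.20.5", "10.0.0.7"):
        print(f"VLAN10 client -> {dst}: {evaluate('VLAN10', '192.168.10.50', dst)}")
```

Note that the firewall's own address on VLAN 20 is still reachable from VLAN 10, because "This Firewall" covers all firewall-owned addresses; restrict the first rule to specific ports if that matters.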
#13
This will not run the job every minute, but on minute number 1 every hour, i.e. 7:01, 8:01, ...

Place a * into the minute field if you really want every minute. I'd recommend */5 or */10 for every 5 or 10 minutes, respectively.
#14
Please attach to your post here - I block image hosting sites.
#15
25.7 Series / Re: packet capture firewalled?
August 29, 2025, 01:32:58 PM
No idea, never used the UI.