Messages - jimjohn

1
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 16, 2024, 05:04:14 pm »
I do not get your first sentence. However, I "misused" it as a WiFi AP and extended its range by a repeater.

2
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 15, 2024, 08:47:17 pm »
So forget about the AVM / Fritz! components. I connected the AP directly to the LAN of the OPNsense and all worked as expected.

To be honest, I have no clue what happened inside the Fritz! hardware and honestly I do not care, since I assume that there are not enough settings to play with to make it work. However, it seems I did everything correctly besides mixing different vendors. It seems like the AVM hardware did all the routing correctly but maybe filtered out DHCP traffic on VLANs (other ICMP / UDP / TCP went through).

Whatever, I close that chapter for me now. Thank you anyway for trying to help.

3
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 15, 2024, 05:16:44 pm »
Quote
Could you elaborate more on your network setup, please?

Of course.

I have a Fritz!Box acting as a cable modem (10.0.0.1). The WAN interface of the OPNsense connects to it physically (10.0.0.2).

Then the OPNsense has a physical LAN interface (10.0.1.1) to another Fritz!Box (10.0.1.2), that I am using as an intermediate WiFi AP. Part of this WiFi network (DHCP 10.0.1.100 - 10.0.1.200) is a Fritz!Repeater, to whose physical port the UniFi AP is connected.

I also have a Proxmox host running, among others, the UniFi Controller (10.0.3.X) that I use to configure the Hotspot.

Quote
And then I wonder how you create vlans in your fritz box.
Not at all, but it seems to work since if I give a manual IP, I see all the right rules applied to the Guest VLAN and I have perfect access as intended. All traffic comes to the OPNsense on the VLAN interface.

Quote
On the other hand, maybe your unifi is directly connected to the opnsense.
No, this is not the case, see above.

Quote
Then the behaviour could come from the fact that a switch in between has an invalid untagged/tagged configuration for your setup. But again, you never mentioned a switch, so I guess there is none.
No, there is no dedicated switch, but the Fritz!Box acting as AP could be considered one.

What is strange to me is that only DHCP does not work. If something with the VLAN configuration / tagged / untagged would be wrong, I would expect nothing at all to work.

4
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 15, 2024, 02:28:03 pm »
I switched to KEA, same behavior.

5
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 15, 2024, 12:47:52 pm »
No idea? Anyone? I am desperate …

6
24.1 Legacy Series / Re: No DHCPREQUEST on VLAN
« on: May 14, 2024, 05:41:42 pm »
BTW: if I give a manual address and DNS on the client, all works on the VLAN interfaces. It's really just DHCP.

I also rebooted - same behavior before and after.

7
24.1 Legacy Series / No DHCPREQUEST on VLAN
« on: May 14, 2024, 04:05:22 pm »
Hello,

I have the following topology: OPNsense -(cable)-> Fritz!Box as WiFi AP -(WiFi)-> Fritz!Box Repeater -(cable)-> Unifi AP -(WiFi)-> Clients

The Unifi AP spans 3 WiFi networks:

1) Standard
2) Guest (VLAN 110)
3) IoT (VLAN 120)

In OPNsense, I created the VLANs, the interfaces and enabled DHCPv4 on the interfaces. I also added firewall rules.

If I connect to the standard WiFi (no VLAN), all is fine.

If I connect to either the Guest or the IoT network, I see at the OPNsense a DHCPDISCOVER and a DHCPOFFER from the respective VLAN in the logging; so I conclude that VLAN tagging is fine and the traffic comes (at least) to the OPNsense.

However I do not see a DHCPREQUEST nor a DHCPACK by the client on the VLAN. What I DO see is a ping from the client with the non-DHCP-given address (169.X.X.X) which is blocked and logged by my "block all" rule at the end of the firewall rule set. What I expect is a 10.0.110.X or a 10.0.120.X client IP address provided via DHCP based on the respective WiFi net / VLAN (110 or 120).

Any ideas what I am doing wrong?

P.S. Fritz!Box is planned to be replaced but this is my current test setup.

8
23.7 Legacy Series / No Unbound blacklists for certain MAC addresses
« on: November 17, 2023, 04:29:49 pm »
I have Unbound blacklists in place which filter some ads. Now one device shall have access to some of the blocked DNSs. I have created an alias with the respective MAC address of the device. How can I make Unbound deliver the correct DNS resolution if the request is coming from "the" device from the alias?

9
General Discussion / Matrix Synapse behind OPNsense
« on: October 27, 2023, 06:44:47 pm »
Hi,

I would like to set up a Matrix Synapse server. I own a domain and could forward ports from my router to the OPNsense. There I am currently running HAProxy to point to a Proxmox Hypervisor server. For services like Wireguard etc. I use DynDNS, but for Matrix Synapse I would like to use my "proper" domain. Since this seems a quite complex setup, may someone guide me in a direction where I could start? I think most of my problems are with handling the proper domain instead of using DynDNS.

Thanks!

10
German - Deutsch / Re: qrencode: Display WireGuard accesses directly as QR codes?
« on: March 18, 2023, 05:46:54 pm »
Me too ... is there any news on this?

11
General Discussion / check_mk Server (!) on OPNsense appliance
« on: October 12, 2022, 11:55:57 am »
Hi, I want to start monitoring my network better. Therefore, I found that check_mk may be suitable. Since I do limit my hardware a little and the OPNsense is running 24/7 anyway, I thought I would make the OPNsense the check_mk Server and all other real (Proxmox) and virtual (VM / LXC) hosts agents. Does this make sense? Does anyone do this? I only found a check_mk agent plugin for OPNsense, no server plugin. Or is check_mk not the right approach? I would like to see if my apt / yum packages are out of date and monitor suspicious activity in logs / network traffic. The OPNsense could be server and agent at the same time I think. Glad if you can help me get on the right track!

12
22.7 Legacy Series / Display an explanatory page when DNS block / firewall rules kick in
« on: July 29, 2022, 08:12:01 am »
Hi all,

is it possible to display an explanatory static page once either DNS block lists or firewall rules kick in and avoid the display of a webpage?

Thanks!

13
Virtual private networks / Re: Harden OPNsense for WireGuard Access
« on: July 29, 2022, 07:52:18 am »
No, I did not try it, only using it in the LAN. Do a PCAP and check if the correct MAC address is in the package coming from the mobile device.

14
Virtual private networks / Re: Harden OPNsense for WireGuard Access
« on: July 29, 2022, 07:47:19 am »
You can set the MAC address as an alias and add it as the source in the firewall rule.

15
Virtual private networks / Re: Harden OPNsense for WireGuard Access
« on: July 29, 2022, 07:34:20 am »
Quote from: RamSense on July 29, 2022, 07:29:05 am
I added a captive portal to Wireguard and in that I added to "Allowed MAC addresses" the MAC addresses of the mobiles being allowed to connect.

Nice idea with the MAC address. You could still make a firewall rule for the MAC address though ...
