Messages - jimjohn

#1
I do not get your first sentence. However, I "misused" it as a WiFi AP and extended its range by a repeater.
#2
So forget about the AVM / Fritz! components. I connected the AP directly to the LAN of the OPNsense and all worked as expected.

To be honest, I have no clue what happened inside the Fritz! hardware and honestly I do not care, since I assume that there are not enough settings to play with to make it work. However, it seems I did everything correctly besides mixing different vendors. It seems like the AVM hardware did all the routing correctly but maybe filtered out DHCP traffic on VLANs (other ICMP / UDP / TCP traffic went through).

Whatever, I close that chapter for me now. Thank you anyway for trying to help.
#3
Quote: Could you elaborate more on your network setup, please?

Of course.

I have a Fritz!Box acting as a cable modem (10.0.0.1). The WAN interface of the OPNsense connects to it physically (10.0.0.2).

Then the OPNsense has a physical LAN interface (10.0.1.1) to another Fritz!Box (10.0.1.2), which I am using as an intermediate WiFi AP. Part of this WiFi network (DHCP 10.0.1.100 - 10.0.1.200) is a Fritz!Repeater, to whose physical port the UniFi AP is connected.

I also have a Proxmox host running, among others, the Unifi Controller (10.0.3.X) that I use to configure the hotspot.

Quote: And then I wonder how you create VLANs in your Fritz!Box.
Not at all, but it seems to work since if I give a manual IP, I see all the right rules applied to the Guest VLAN and I have perfect access as intended. All traffic comes to the OPNsense on the VLAN interface.

Quote: On the other hand, maybe your Unifi is directly connected to the OPNsense.
No, this is not the case, see above.
Quote: Then the behaviour could come from the fact that a switch in between has an invalid untagged/tagged configuration for your setup. But again, you never mentioned a switch, so I guess there is none.
No, there is no dedicated switch, but the Fritz!Box acting as AP could be considered one.

What is strange to me is that only DHCP does not work. If something with the VLAN configuration / tagged / untagged would be wrong, I would expect nothing at all to work.
#4
I switched to KEA, same behavior.
#5
No idea? Anyone? I am desperate ...
#6
BTW: if I give a manual address and DNS on the client, all works on the VLAN interfaces. It's really just DHCP.

I also rebooted - same behavior before and after.
#7
24.1, 24.4 Legacy Series / No DHCPREQUEST on VLAN
May 14, 2024, 04:05:22 PM
Hello,

I have the following topology: OPNsense -(cable)-> Fritz!Box as WiFi AP -(WiFi)-> Fritz!Box Repeater -(cable)-> Unifi AP -(WiFi)-> Clients

The Unifi AP spans 3 WiFi networks:

1) Standard
2) Guest (VLAN 110)
3) IoT (VLAN 120)

In OPNsense, I created the VLANs, the interfaces and enabled DHCPv4 on the interfaces. I also added firewall rules.

If I connect to the standard WiFi (no VLAN), all is fine.

If I connect to either the Guest or the IoT network, I see at the OPNsense a DHCPDISCOVER and a DHCPOFFER from the respective VLAN in the logging; so I conclude that VLAN tagging is fine and the traffic comes (at least) to the OPNsense.

However, I do not see a DHCPREQUEST or a DHCPACK from the client on the VLAN. What I DO see is a ping from the client with a non-DHCP-assigned address (169.X.X.X), which is blocked and logged by my "block all" rule at the end of the firewall rule set. What I expect is a 10.0.110.X or a 10.0.120.X client IP address provided via DHCP based on the respective WiFi net / VLAN (110 or 120).

Any ideas what I am doing wrong?

P.S. Fritz!Box is planned to be replaced but this is my current test setup.
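The symptom described in this post (DISCOVER and OFFER logged, but no REQUEST or ACK) can be confirmed from the DHCP log rather than by eye. The following is an added example, not code from the thread or from OPNsense: it parses ISC dhcpd-style log lines (the format the DHCPv4 service logs in; KEA logs differently) and lists clients that were offered a lease but never requested it, per interface. The log lines and the interface names ("vlan0.110", "igb1") are constructed for the example.

```python
import re
from collections import defaultdict

# Patterns for the four DHCPv4 handshake messages as ISC dhcpd logs them.
# The name after "via" is the receiving interface; VLAN naming is assumed
# to be "vlan0.110" style here and may differ on your box.
_PATTERNS = {
    "DISCOVER": re.compile(r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)"),
    "OFFER":    re.compile(r"DHCPOFFER on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)"),
    "REQUEST":  re.compile(r"DHCPREQUEST for (?P<ip>\S+) .*?from (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)"),
    "ACK":      re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)"),
}

def handshake_state(lines):
    """Map (mac, iface) -> {stage: ip-or-None} for every client seen in the log."""
    state = defaultdict(dict)
    for line in lines:
        for stage, pat in _PATTERNS.items():
            m = pat.search(line)
            if m:
                d = m.groupdict()
                state[(d["mac"], d["iface"])][stage] = d.get("ip")
                break
    return dict(state)

def stalled_clients(lines):
    """Clients that got a DHCPOFFER but never sent a DHCPREQUEST on that
    interface: the OFFER (or the client's reply) is being dropped somewhere
    on the path, while the request side of the VLAN clearly works."""
    out = []
    for (mac, iface), stages in handshake_state(lines).items():
        if "OFFER" in stages and "REQUEST" not in stages:
            out.append((mac, iface, stages["OFFER"]))
    return sorted(out)

# Constructed sample log (not from the thread): the Guest VLAN client
# stalls after the OFFER and retries, the untagged LAN client completes.
SAMPLE_LOG = """\
May 14 16:05:22 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vlan0.110
May 14 16:05:22 opnsense dhcpd[1234]: DHCPOFFER on 10.0.110.101 to aa:bb:cc:dd:ee:01 via vlan0.110
May 14 16:05:26 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via vlan0.110
May 14 16:05:26 opnsense dhcpd[1234]: DHCPOFFER on 10.0.110.101 to aa:bb:cc:dd:ee:01 via vlan0.110
May 14 16:05:30 opnsense dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:02 via igb1
May 14 16:05:30 opnsense dhcpd[1234]: DHCPOFFER on 10.0.1.150 to aa:bb:cc:dd:ee:02 via igb1
May 14 16:05:30 opnsense dhcpd[1234]: DHCPREQUEST for 10.0.1.150 (10.0.1.1) from aa:bb:cc:dd:ee:02 via igb1
May 14 16:05:30 opnsense dhcpd[1234]: DHCPACK on 10.0.1.150 to aa:bb:cc:dd:ee:02 via igb1
""".splitlines()

if __name__ == "__main__":
    for mac, iface, ip in stalled_clients(SAMPLE_LOG):
        print(f"{mac} on {iface}: offered {ip}, no DHCPREQUEST seen")
```

A client that shows up here and then appears in the firewall log with a 169.254.X.X source is exactly the picture in the post: the OFFER left the server, but the client never acted on it, so the break is between the OPNsense and the client, not in the DHCP service itself.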
#8
I have Unbound blacklists in place which filter some ads. Now one device shall have access to some of the blocked DNSs. I have created an alias with the respective MAC address of the device. How can I make Unbound deliver the correct DNS resolution if the request is coming from "the" device from the alias?
#9
General Discussion / Matrix Synapse behind OPNsense
October 27, 2023, 06:44:47 PM
Hi,

I would like to set up a Matrix Synapse server. I own a domain and could forward ports from my router to the OPNsense. There I am currently running HAProxy to point to a Proxmox hypervisor server. For services like Wireguard etc. I use DynDNS, but for Matrix Synapse I would like to use my "proper" domain. Since this seems a quite complex setup, could someone guide me in a direction where I could start? I think most of my problems are with handling the proper domain instead of using DynDNS.

Thanks!
#10
Me too ... is there anything new on this?
#11
Hi, I want to start monitoring my network better. Therefore, I found that check_mk may be suitable. Since I limit my hardware a little and the OPNsense is running 24/7 anyway, I thought I would make the OPNsense the check_mk server and all other real (Proxmox) and virtual (VM / LXC) hosts agents. Does this make sense? Does anyone do this? I only found a check_mk agent plugin for OPNsense, no server plugin. Or is check_mk not the right approach? I would like to see if my apt / yum packages are out of date and monitor suspicious activity in logs / network traffic. The OPNsense could be server and agent at the same time, I think. Glad if you can help me get on the right track!
#12
Hi all,

is it possible to display an explanatory static page once either DNS block lists or firewall rules kick in and avoid the display of a webpage?

Thanks!
#13
No, I did not try it, only using it in the LAN. Do a PCAP and check if the correct MAC address is in the packet coming from the mobile device.
#14
You can set the MAC address as an alias and add it as the source in the firewall rule.
#15
Quote from: RamSense on July 29, 2022, 07:29:05 AM
I added a captive portal to Wireguard and in that I added to "Allowed MAC addresses" the MAC addresses of the mobiles being allowed to connect.

Nice idea with the MAC address. You could still make a firewall rule for the MAC address though ...