Messages - pankaj

#1
Quote from: Seimus on November 21, 2024, 09:55:02 AM
Also a lot of L2 managed switches have a function for controlling BUM traffic (Broadcast, Multicast, Unknown Unicast) on a per-port level called "Storm control". You can set a threshold to rate-limit BUM traffic, and excess BUM traffic would be dropped per port. This is something you maybe could investigate more for your scenario, as you could potentially control BUM traffic closest to the source. This feature is usually used for endpoints (anything that is not a NW device, such as Servers, Phones, PCs, IoT, etc.)


Thanks for your insightful comments. The VLANs have been a huge relief, and honestly I learnt more networking via a home automation project than by reading OPNSense documentation. It is one thing to watch a YouTube video and slap two appliances on GNS3 to learn that "trunk was successfully formed" and another thing to have your wife screaming at you in the middle of the work day because the garage door will not open!!

The L2 switches I'm using do have a "storm throttling" option, but I was not using this option, so thanks for pointing me to the next step in my journey of better learning!!
#2
Thanks @dseven and @seimus for your inputs.

My original message was getting long so I skipped a few details. In 2020, when I started home automation, I was not using VLANs and had DHCP servers running on five (5) untagged interfaces. I also started experimenting with WiFi cameras, and all the WiFi traffic (IoTs, home devices, cameras and guest) was handled by a single Orbi mesh router set. This topology clearly caused a lot of unnecessary broadcasting across the home network, and many of the devices (IoTs included) were either unable to get on the network or get enough bandwidth. So to circumvent that problem, I started adding static IP addresses to each device whenever the device configuration permitted, and I'm still continuing this habit.

The above practice of assigning a static IP at the device level eased the congestion a little bit, but the problem really got sorted out when I added VLANs to the network and separated out the SSIDs for home devices, guest and IoTs. And specifically for the IoT subnet, the DHCP server on OPNSense has all the IoT devices' MACs mapped to static IP addresses. So in short I'm duplicating efforts for static IP address assignment:
1) Within each IoT device configuration and
2) OPNSense DHCP server

My question was related to discontinuing 1) and simply letting OPNSense handle the static IP mapping for each device based on the MAC address. Based on your comments it seems like a standard practice and should work for me without any foreseeable problems.
#3
Just out of curiosity, pick a device (machine-A) on LAN2 that is not supposed to be able to ping LAN.

If you "statically" assign "machine-A" an IP address from the LAN subnet, then "machine-A" will most likely be able to ping LAN from LAN2.

If this is not the behavior you want then you will need to add VLANs and possibly L2 switches depending on your topology.
#4
This is a basic question about my network configuration, and I just want some input on whether I'm overcomplicating things.

My setup:
1.   OPNSense running on a firewall appliance which has six (6) ports, one used for WAN and the other five (5) running their own subnets with VLAN tagging. With the exception of "Guest WiFi", each DHCP server assigns a static IP address based on the MAC address of the device.
2.   In 2020, I started automating my home and was adding new devices on my home LAN aggressively. In the beginning I had some network congestion which inhibited a few of the IoTs, so I started assigning all of my IoTs static IP addresses in their respective configuration files.
3.   Now I've close to 100 IoTs installed throughout the house, and I'm questioning the need to duplicate the effort of defining the static IP address (against MAC) in the FW and in the configuration for each IoT device.

Question: Since all the IoTs are on one dedicated VLAN (with its own WiFi router), will I experience any network congestion if I configure each IoT in "DHCP" mode and let OPNSense dictate the static IP address assignment based on the IoT's MAC address?

I'll appreciate any pointers from others who may have more insights on network topologies or personal experiences.
Thanks.
#5
Thanks Franco, this one is added and seems slated for 25.1 release.

https://github.com/opnsense/core/issues/7766
#6
General Discussion / The new dashboard UI for 24.7.1
August 12, 2024, 03:50:57 AM
I just upgraded to 24.7.1 and love the new dashboard UI; the pie charts and graph visualizations are quite pleasant... well done team!!

But there is one part, i.e. "Interface Statistics", where I liked the old theme's table because it was easier to read the stats on "Errors In" and "Errors Out" across all interfaces at a glance, but now I have to hover the mouse on each interface manually.

It is not a big deal, but is there a way for me to restore the tabular representation for "Interface Statistics" in the Lobby Dashboards?
#7
General Discussion / Re: Simple Block Rule Not Working
August 03, 2024, 07:01:30 PM
OPNSense cannot block devices on the same subnet from communicating with each other. So even if you set a rule that 192.168.1.1 cannot access 192.168.1.2, the rule is useless because the traffic will never make it to OPNSense and the packets from 192.168.1.1 would automatically be forwarded to 192.168.1.2.

This also brings up a good point that if you have all untagged ports on your network then technically you can create a rule that 192.168.1.1 cannot access 192.168.2.1. But this rule can be easily circumvented if the machine (192.168.1.1) manually assigns itself 192.168.2.2 address and then it will be able to access 192.168.2.1.

If you are trying to create logical separation of sub-nets such as LAN, IoTs, Guest WiFi etc then you need to look into VLANs.
#8
General Discussion / OpenVPN client specific override
January 01, 2024, 11:15:02 PM
Hi,

I have an OpenVPN server running on my home network that has 4 underlying VLANs. The server is configured to provide access to all four VLANs.

https://imgur.com/a/8Ec6y6i

Based on my understanding of the OpenVPN documentation, it is possible to restrict a certain client (say user-A) to a subset of the networks. For instance, I created an override for user-A and added the following in the CSO:
https://imgur.com/a/hfqZXW7

But user-A is still able to access all the VLANs, so either the CSO is not working or I understood it incorrectly from the documentation.
I'd appreciate any pointers, or notes on anything done incorrectly above.
Thanks.
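For readers hitting the same question, here is what a per-client override looks like at the raw OpenVPN level. This is an added example, not configuration from the original post, from OPNsense or from the OpenVPN project; the file path, the client name `user-A`, the tunnel subnet 10.8.0.0/24, the `topology subnet` setting and the VLAN prefix 192.168.10.0/24 are all assumed values.

```conf
# Assumed path: the server config carries "client-config-dir ccd", and the
# file name must equal the client certificate's Common Name (here: user-A).
# /usr/local/etc/openvpn/ccd/user-A

# Discard every "push" directive the client would otherwise inherit from the
# global server config (the four VLAN routes, DNS, etc.), then push back only
# what this client should receive.
push-reset

# Pin the client to a fixed tunnel address (assumes "topology subnet"), so that
# firewall rules on the OpenVPN interface can match this client by source IP.
ifconfig-push 10.8.0.50 255.255.255.0

# Only the one VLAN this client is allowed to reach. NOTE: a pushed route is a
# hint to the client's routing table, not access control; the client can add
# its own routes to the other VLANs and the server will still forward them.
push "route 192.168.10.0 255.255.255.0"
```

The caveat in the last comment is the important one: a client-specific override by itself only changes what the client is told, so enforcement has to live in the firewall. With the fixed tunnel address above, a pass rule on the OpenVPN interface from 10.8.0.50 to 192.168.10.0/24 followed by a block for everything else from 10.8.0.50 actually restricts user-A, whether or not the client honours the pushed routes. Also note that `push-reset` drops all inherited pushes, so any DNS or other options this client still needs must be pushed again in the same file.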


#9
Absolutely spot on, I had not selected the WAN interface in the NTP listening interfaces! Thanks for weighing in  :)
#10
I run a couple of VLANs on my home network and faced the same problem as you; the root cause was that I was assigning static addresses that were inside the DHCP range. And I ended up with the following policies on my home LAN:

1. For the IoT VLAN - no DHCP, and all devices are assigned a static address; this has also helped reduce a lot of network clutter, as 50+ devices are not broadcasting any more over WiFi.

2. Other VLANs - I take a reasonable number of IP addresses out of the DHCP range (from the start of the subnet) for static assignment and leave the rest for DHCP.

HTH
#11
Hi,

I just ran a Nessus scan on my home network, and it showed a "medium" vulnerability for the NTP service running on OPNSense. I am not sure what to make of this output, but I'm hoping someone can take a look at it and guide me on whether this is serious and how to plug it if necessary.

My hesitation to tweak the NTP settings is due to the fact that a few months back I had lots of issues with my IoTs related to the NTP service (which I blocked for outside access) and forced the IoTs to use the NTP server running on the OPNSense box.

Thanks,
#12
Hi,

On my home network I run OPNSense with VLANs, and there are no untagged ports on the firewall appliance. A friend of mine runs an IT company and has given me access to his LAN via a Fortinet client so that I can back up my stuff on his LAN.

After connecting with the Fortinet client, when I check fast.com for speed, I get 940 Mbps. But when I try to rsync files with the following command:

rsync -avz --progress <src> <dest>

I only get 6 Mbps for upload and 4 Mbps for download.

My computer is running on an NVMe card, and at the other end the backup endpoint is a QNAP NAS.

Is there a way to figure out why the speeds are so slow, and is there a way to speed things up?
#13
I've no experience with Tailscale so cannot comment. For my home I use OpenVPN for accessing my home LAN (including HA) from outside, which I installed using this tutorial:

https://www.youtube.com/watch?v=ocGAcZD8qYo

HTH
#14
General Discussion / Re: Reset Interface Statistics
October 05, 2022, 03:15:06 AM
Not really, tried it before posting here  :D
#15
General Discussion / Reset Interface Statistics
October 03, 2022, 03:03:39 AM
Hi,

I just re-designed the entire home network from scratch with VLANs and removed all untagged interfaces and unmanaged switches. There seems to be an improvement in network performance, and I see minimal broadcast traffic on ntopng, so it seems like the project was totally worth it.

Also, I noticed that the stats in the dashboard for network interfaces have not changed in the last week; that seems odd, but I am not an expert, so I thought I'd ask here. Thoughts?

Is there a way to reset the stats for network interfaces in the dashboard? Does anyone know what time duration (24h, 1 week, 1 month, etc.) these stats represent?

Thanks,
Pankaj