Messages

1

General Discussion / Re: Can OPNsense isolate a guest WiFi network on a networked WiFi AP?

« on: February 10, 2021, 04:27:25 pm »

If your router-in-ap mode supports VLANs and you can attach an SSID to a VLAN then there is no problem separating them, otherwise you're probably screwed :-(

That is what I have done in my home:
- Ubiqity AP's with SSID attached to VLANS;
- created separate interfaces in opnsense coupled to those VLANS;
- added firewall rules on those interfaces

normal wifi: no vlan  -> [LAN interface in opnsene]
guest wifi: vlan id 50 -> [GUEST interface in opnsene]
iot wifi: vlan id 60 -> [IOT interface in opnsene]

Each has its own ip addresses and dhcp server, all handled by opnsense.

2

General Discussion / Re: OPT1 Firewall DNS Issues.

« on: February 10, 2021, 02:35:30 pm »

Hi,
You can add firewall rules per interface, just add a block rule on the OPT1 interface to block trafic to the opnsense address and port
Say OPT1 has 192.168.50.1 as opnsense address and port 8443 than add a rule to block all trafic to that address.

It is easier to add a specific block rule than to create a reverse allow rule ;-)

Regard Hilbert

3

General Discussion / Bind and dhcp (rndc)

« on: February 10, 2021, 02:10:27 pm »

Hi,

My first post here. I did a search and could not find a satisfying answer ;-)

My problem, I don't like unbound dns and dnsmasq. Because of the lack of a cname.
- Unbound knows aliases, but after a query it gives a random alias back (that is what I have seen)
- dnsmasq something along the same lines.

bind has this posibility and is working in the 21.0 release.

My problem is that rndc is generated by the bind plugin, but the dhcp userinterface does not give the posibiliy to include that at the appropriate position:

Code: [Select]

include "/etc/dhcp/rndc-keys/rndc.key"; 
     
 zone somedomain.com. { 
  primary 172.31.30.5; 
  key rndc-key; 
 } 
   
 zone 30.31.172.in-addr.arpa. { 
  primary 172.31.30.5; 
  key rndc-key; 
 } 

This part can, at this point not be done. Because it is not a "sub" zone/network.

Is there a way to add this to the user interface, or is there a way to do it by hand and is it not removed by an update when you change it in the gui... some sort of "super adcanced" options ;-)

Something like:

Code: [Select]

[ ] use rndc key (bind plugin is obligated)

Zone include:
[ text box:
 zone somedomain.com. {
  primary 172.31.30.5;
  key rndc-key;
 }
]

Reverse zone include:
[ text box:
zone 30.31.172.in-addr.arpa. {
  primary 172.31.30.5;
  key rndc-key;
 }
]
[button: delete zone] |  [ button: add more zone's ]

Something like this would make it possible to use bind as primary dns server within your opnsense network.

Regards,
Hilbert