Messages - ipartola

#1
General Discussion / Unbound binds to all addresses?
September 22, 2024, 08:30:31 PM
I am trying to set up a separate VLAN for a kids' network on my home setup. Latest stable opnsense running on a stand-alone box. The main goal is to firewall as well as DNS-limit kids from accessing stuff on the web they don't need via my NextDNS subscription. However I am running into a limitation where I can't run two separate DNS services on port 53 even though I specify which address/interface I want used. My main DNS server is Unbound and it is set up to run on the LAN interface, port 53. Trying to spin up Bind, or dnsmasq, or ideally dnscrypt-proxy on the address associated with my KIDS0 interface and port 53 says "Unbound is already using port 53 on this address". This seems like a bug in Unbound unless I am missing something.

The eventual goal is to have Unbound continue serving LAN and forwarding its queries to the main/adult NextDNS profile, and another forwarder just on the KIDS0 interface that forwards queries to a kids NextDNS profile. I do have options such as using a separate piece of hardware to run a separate DNS server for the kids VLAN or setting up each of the kids' devices with a DNS config for DNS-over-HTTPS directly to NextDNS, but I was hoping there would be an option that involved me only configuring things in my opnsense box.

Thanks in advance.
#2
Thank you both. Thankfully I was smart enough to use 172.20 as my starting point so I won't be limited to the /24 limit of 192.168.

I'll give this a try when there are fewer people online at my house and fingers crossed, that'll do it. Don't have too many devices on static IPs active (well, not IPv4 at least, but IPv6 has plenty of space).
#3
I am using opnsense as my firewall and router for my house. Due to a large number of IOT devices I am starting to run into the limits of a /24 subnet for my LAN. While I have IPv6, not many devices support it and not all control apps do.

I know the correct solution here is to set up a separate VLAN and subnet for IOT devices but when I tried that it presented a couple of problems, such as apps on my family's devices not being able to connect to their IOT stuff.

Is there a seamless way to transition my current /24 to something like a /20 without too much downtime? If so, what would the process look like?
#4
Unfortunately that wouldn't work. It's HTTPS, not HTTP so packet capture only tells me what IPs my phone is communicating with, not the contents. This particular app, I suspect, doesn't verify the TLS certificate as the server presents a default self-signed one. By inserting my own proxy between the app and their server I can hopefully capture what data is actually being exchanged and potentially create my own version of the app that would work better.

For some more context, the app controls a proprietary piece of consumer hardware and is the only way to interface with that hardware. It's decent hardware but the app leaves something to be desired: for example trying to edit what is essentially a spreadsheet on a phone sucks.
#5
I am trying to figure out what a particular mobile app on my phone is doing when it's talking to its mothership server via HTTPS. I created a simple HTTP/HTTPS proxy server that I am running on my laptop and I want to use my OPNSense router/firewall to redirect all traffic such that when my phone tries to connect to the given server, it instead goes to my laptop. Specifically:

Phone: 172.20.20.249
Laptop: 172.20.20.160
Server: example.com

I want to set a rule that whenever my phone tries to connect to example.com:443 instead it connects to 172.20.20.160:443. Would I do this with a firewall rule under Rules? A one-to-one NAT? Something else? Thanks in advance!

P.S.: I should mention that it seems the app is connecting by IP address and not using DNS at all which would have been easier to redirect.
#6
Thanks again Franco! With some more testing I see that they use any which VLAN or sometimes no VLAN at all. No matter what I do I still can't get it to work, whether directly, through a dumb switch, etc. I am going to keep complaining to the ISP about this, but in the meantime I gotta get work done and have the rest of the house be able to get online so back to OpenWRT I go, at least for now.
#7
Looks like pfsense has a similar issue: https://redmine.pfsense.org/issues/8526 with a still open pull request https://github.com/pfsense/FreeBSD-src/pull/9. I think this matches exactly what I'm experiencing with OPNSense. How can I report this bug upstream?
#8
I tried that already. I can actually verify that their DHCP servers don't care if there is an active lease: I can just keep requesting new IP addresses using different MAC addresses and I see new offers with new addresses. The issue is that dhclient is either not getting or ignoring DHCPOFFERs.

From doing a bunch of web searches it seems that the issue might be VLAN tagging related. In tcpdump I can see that the incoming traffic comes in as VLAN 0. Some online posts suggest that stripping this tag may help: https://www.reddit.com/r/PFSENSE/comments/9l7my1/dhcp_client_not_working_on_wan_att_fiber_dhclient/e76dj12/?utm_source=reddit&utm_medium=web2x&context=3
#9
OK so digging into it further, what I see as being weird here is that the DHCP server is at 184.16.6.157 while the address it's offering is 32.219.250.238 and the gateway is 32.217.174.1. I believe this is all in a /21. Could the issue be that dhclient is ignoring the DHCPOFFER because it's coming from a different subnet?
#11
Yes already saw that one and talked to their tech support who told me there were no issues. They see everything as fine on their end :(
#12
There is, and I am asking on there as well, but the issue is clearly happening since I switched to OPNSense. I can plug my old router back in and it gets an address right away.
#13
Oh and there is no CG-NAT. It's just a public IP.
#14
MAC address was spoofed from the old router. This is Frontier fiber in CT, USA. There are no other pieces of equipment, just the ONT box that translates optical signal to Ethernet and the OPNSense box plugged right into that.
#15
I should say that I can either fake a cached lease or just use the previously assigned IP address as a static assignment and that works no problem.