Messages - cookiemonster

#1
25.7, 25.10 Series / Re: igb VLAN on WAN not working
February 10, 2026, 01:48:47 PM
I'd suggest having a look at the ISP setup guides https://docs.opnsense.org/interfaces.html#setup-guides. They're only a few but might give an insight on what the ISP requires.
#2
Yes, $ifconfig will show all detected interfaces and their names will hint what driver is in use for each.
Post the results in code brackets and we can guide on next steps if needed.
Note you need to assign the interface so that the assignment persists across reboots. Can be done from the console or GUI. The docs are useful https://docs.opnsense.org/manual/install.html
#3
I consider haproxy battle-tested and secure, with a lot of resources behind it as in people developing, using, reporting defects, etc. A lot more than more recent thingies like caddy and suchlike. I see haproxy as similar in security to nginx.
That said, mostly for placebo maybe, I am using crowdsec on haproxy to permaban those scanner types.
As for being a plugin, it has pros and cons. You get a nice UI but not every functionality is exposed by it. For the basic reverse proxy it is excellent, maybe webadmin can help if using it on a separate VM or LXC. I haven't looked. So if you need/want to do config changes it is easier and more flexible without the plugin. See for instance https://github.com/opnsense/plugins/issues/4923
#4
Did you reboot OPN after changing tunables? It is needed for these.
Otherwise review the steps just in case. AP definitely not running its own dhcp server or any other service?
Next is to look at firewall live log to see if the traffic is arriving. Are you using IPv6?
#5
yes there are some additional settings to add. Please look in the documentation. Actually it is here https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge
#6
General Discussion / Re: GeoIP not working
January 28, 2026, 03:47:04 PM
scratch that for now. Even I am not sure.
#7
General Discussion / Re: GeoIP not working
January 28, 2026, 03:29:25 PM
@buckey96 - I took the opportunity to change from maxm to ipinfo with this. I was meaning to look into it anyway.
I had a lot of trouble getting the download but solved it, and I think what is happening is that you get the error because, like me at first, your download hasn't succeeded yet.
First, the ipinfo download url for OPN has to be like Patrick's i.e. https://ipinfo.io/data/ipinfo_lite.csv.gz?token=YOURTOKEN
Second, you need to get the download to work before you can use the alias. Otherwise the error. Here is where I noticed no error but no update since the last one for me, i.e. yesterday's from maxmind.
To force it I had to, on the "Alias" page/tab, untick it to disable & apply at the bottom. Tick to enable & apply again.
Try that and see but have a little patience. It downloads about, what, a 20 or more MB file, uncompresses it and saves it before it shows a new timestamp.
#8
> Does this mean I need to download an image onto a bootable USB drive, adjust my BIOS to boot from USB, and perform a complete fresh install with the ZFS option?
Correct. As a new installation.

> Is "Import Configuration" referring to a configuration I've previously exported, or is this functionality now included in the installer?
Correct again. You save your current config to your PC/laptop, ready to use when re-installing.

> Will choosing the "Install (ZFS)" option reformat the disk and also download or install all of my packages, plugins, and configurations?
Correct once again. The installation will format the target disk with your choice of file system, ZFS or UFS, wiping it clean of previous data.
The config you then restore will include your packages and plugins and configurations, as long as those have been managed using the UI because that is what saves the states in the config file. Anything you add/change/remove via console will not.
What will happen after the restore is that the plugins will show as "orphaned" or "missing" or somesuch which then you need to go to "resolve plugin something" and that will re-install them.
Be aware that there are some plugins that despite this known flow, do not get re-configured as they were, an example from the ones I know because I use it is Crowdsec. That one needs reconfiguring completely.
#9
Alternatively use AdGuardHome directly on OPNSense. It's a plugin, simple to set up and exposes a UI similar to PiHole. Also saves you a VM.
Here https://github.com/AdguardTeam/AdGuardHome for a view but do not install it from their instructions there, use the plugin instead.
#10
Have you tried to re-assign interfaces after the reboot in OPNSense? All rules should move to the new assignments without the need to re-setup all again. Boot to console and then from the menu, option 1) Assign Interfaces.
Then after that reassignment you might need to use 11) Restart web interface - so you can log in to the UI from the newly assigned LAN interface.
Possibly followed by a reboot maybe?
#11
Thanks for the hints @malhal. I'll revisit the thread when ready to have another go. Had to abandon it for the time being.
#12
Didn't try to "catch" you and I was not intending to advise on the actual problem.
It's for the benefit of newcomers that the terms are clearer so they don't walk away with a misconception.
#13
OK. I can't spot the problem although others might. I'd be running a packet capture to see what is going where and how it is returning.
Personally still using legacy method.
#14
You have some strange statements there.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> A 'Firewall' is more a marketing term than anything else. A firewall, by my definition, is a router with extra layers of software that does this and that to protect the network. 'This and that' being technical terms. 99.5% of everyone or more only needs one router active at any given time at a location.

Firewall is not just marketing. It is a different type of functionality to a router and not router+extra software. They perform different purposes. For instance you can have a firewall doing no routing, only firewall duties. Yes, most of the time a firewall will be ABLE to perform routing duties since the functionality is often included, but it is not just marketing.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> In the network world you have routers and switches. Only. Retail routers are a combo router and switch, often with a wifi component. The Chinese router / pc with 4 or 6 ports becomes a router with a WAN and LAN port when you load OPNsense. The remaining ports are just sitting there until configured to do something. I've read that the extra ports are best for subnetting and not as VLANs because these boxes make poor switches compared to dedicated switches. The ports may look the same but they are not the same. Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.

Regarding the extra ports. Why would they be best for subnetting? Subnetting is about altering the network mask to partition the network in a way different to the default mask, like making a class C /24 into a /25 one. Then "not as VLANs.." a VLAN is about using tags in frames to carry that traffic over a link. I can't see the relation you are making to unused ports on the appliance.

> Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.

Yes, a subnet is a separate network but it doesn't need a separate switch. That's where the managed switch comes into play, because it is what will tag/untag traffic. Unless you are in your description calling a network a subnet. Network != subnet. Exception would be default-independent ports converted to switched ports.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> Routers carry traffic between networks. Switches carry traffic on a network and they are designed for heavy traffic. Most of what happens on a network is confined to the switch and only goes to the router if it needs to jump to another network or possibly to renew a lease.

Not only to renew a lease. Pretty much all other networking services need to be managed somewhere, typically the router: DHCP yes, but NATing, DNS, etc.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
> VLANs segment a broadcast domain on a smart / managed switch so one subnet can create privacy zones. Normally, everything on the switch can access everything in the same broadcast domain. VLANs break it up. The managed / smart switch manages the VLAN entirely. It has always been this way. The VLAN capability in OPNsense, pfSense, and whatever is clever but more confusing than helpful as the extra ports are said to make bad switches as they are not designed for traffic that heavy. Unlike a retail router that is a deliberate mix of router and switch. You do not need to create a VLAN on the router to use a VLAN on a smart switch. Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router.

Again VLAN != subnet. Privacy is a benefit but not really the main purpose of either.
 
> The managed / smart switch manages the VLAN entirely

I'd say not entirely. Something has to route between VLANs. That is normally the router's job hence the trunk goes to OPN. Unless of course another device or even the said managed switch can (not all do).

> Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router

Really? This router needs to be VLAN-aware. Rarely are basic ones like the ISP-provided routers/wifi devices VLAN-aware.

I'm not trying to be contrary, but terminology is important.
#15
25.7, 25.10 Series / Re: Installing on Dell Optiplex 990
December 16, 2025, 11:34:20 PM
It does look like either or both of: installation incomplete / OPN device behind another router.
I suggest going over the installation instructions https://docs.opnsense.org/manual/install.html again. It should make it clearer whereabouts your installation is.