Messages - cookiemonster

#1
Thanks for the hints @malhal. I'll revisit the thread when ready to have another go. Had to abandon it for the time being.
#2
I didn't try to "catch" you and I was not intending to advise on the actual problem.
It's for the benefit of newcomers that the terms are clearer, so they don't walk away with a misconception.
#3
OK. I can't spot the problem, although others might. I'd be running a packet capture to see what is going where and how it is returning.
Personally, I'm still using the legacy method.
#4
You have some strange statements there.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
A 'Firewall' is more a marketing term than anything else. A firewall, by my definition, is a router with extra layers of software that does this and that to protect the network. 'This and that' being technical terms. 99.5% of everyone or more only needs one router active at any given time at a location.
Firewall is not just marketing. It is a different type of functionality to a router, not router + extra software. They perform different purposes. For instance you can have a firewall doing no routing, only firewall duties. Yes, most of the time a firewall will be ABLE to perform routing duties since the functionality is often included, but it is not just marketing.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
In the network world you have routers and switches. Only. Retail routers are a combo router and switch, often with a wifi component. The Chinese router / pc with 4 or 6 ports becomes a router with a WAN and LAN port when you load OPNsense. The remaining ports are just sitting there until configured to do something. I've read that the extra ports are best for subnetting and not as VLANs because these boxes make poor switches compared to dedicated switches. The ports may look the same but they are not the same. Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.
Regarding the extra ports. Why would they be best for subnetting? Subnetting is about altering the network mask to partition the network in a way different to the default mask, like making a class C /24 into a /25 one. Then "not as VLANs": a VLAN is about using tags in frames to carry that traffic over a link. I can't see the relation you are making to unused ports on the appliance.
Quote
Each subnet is a separate network and needs to go to its own dedicated switch and / or wireless access point.
Yes, a subnet is a separate network but it doesn't need a separate switch. That's where the managed switch comes into play, because it is what will tag/untag traffic. Unless you are in your description calling a network a subnet. Network != subnet. Exception would be default-independent ports converted to switched ports.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
Routers carry traffic between networks. Switches carry traffic on a network and they are designed for heavy traffic. Most of what happens on a network is confined to the switch and only goes to the router if it needs to jump to another network or possibly to renew a lease.
Not only to renew a lease. Pretty much all other networking services need to be managed somewhere, typically the router: DHCP yes, but NATing, DNS, etc.

Quote from: coffeecup25 on December 15, 2025, 04:15:29 PM
VLANs segment a broadcast domain on a smart / managed switch so one subnet can create privacy zones. Normally, everything on the switch can access everything in the same broadcast domain. VLANs break it up. The managed / smart switch manages the VLAN entirely. It has always been this way. The VLAN capability in OPNsense, pfSense, and whatever is clever but more confusing than helpful as the extra ports are said to make bad switches as they are not designed for traffic that heavy. Unlike a retail router that is a deliberate mix of router and switch. You do not need to create a VLAN on the router to use a VLAN on a smart switch. Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router.
Again, VLAN != subnet. Privacy is a benefit but not really the main purpose of either.

Quote
The managed / smart switch manages the VLAN entirely
I'd say not entirely. Something has to route between VLANs. That is normally the router's job, hence the trunk goes to OPN. Unless of course another device, or even the said managed switch, can (not all do).

Quote
Even a used retail router with wifi from a thrift shop can work with the VLAN on the smart switch properly as soon as you plug it in and configure it as a router
Really? This router needs to be VLAN-aware. Rarely are basic ones like the ISP-provided routers/wifi devices VLAN-aware.

I'm not trying to be contrary, but terminology is important.
#5
25.7, 25.10 Series / Re: Installing on Dell Optiplex 990
December 16, 2025, 11:34:20 PM
It does look like either or both of: installation incomplete / OPN device behind another router.
I suggest going over the installation instructions https://docs.opnsense.org/manual/install.html again. It should make it clearer whereabouts your installation is.
#6
Reflection for port forwards should be enabled in this case I think, and you might (on this I am not certain) need to see if you need to disable the force gateway.
#7
Not clicking on links but... I would check that you have disabled "block private networks" on the WAN interface configuration, and that your NAT rule probably should work better with "wan address" as the destination.
#8
Seems that way. In my setup I don't have this problem, probably because I don't bother with selecting interfaces for AdG. That is where the firewall rules come into their own. So my AdGuard has in its config
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
#9
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 05:18:09 PM
I think the issue is a bit clearer now. Hopefully someone will have a suggestion.
I'm thinking maybe new sessions get blocked and existing ones are still visible, but that is a pure guess.
Firewall > Log Files > General might have something.
I just checked mine, a URL Table (IPs) Alias.
Last updated 2025-06-21 13:18:03, and the log has
"2025-12-06T12:42:00    Error    firewall    alias resolve error IP_PublicDNS (error fetching alias url https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt)"
So I had missed that alias failing to update and I can see why.
I'm not saying you have the same problem, but you need to try to narrow down _why_ it is happening.
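The check described in this post (look in Firewall > Log Files > General for "alias resolve error" lines and compare against the alias's last-updated time) can be scripted. The following is an added example, not code from the post or from OPNsense: it parses log lines in the whitespace-separated format shown above, groups fetch failures per alias, and flags aliases whose last successful update is older than a threshold. The log line from the post is reused; the second error line, the "Spamhaus_DROP" alias, its URL, and the last-updated timestamps are constructed for the example, and the column layout is assumed from the single line on the page.

```python
import re
from datetime import datetime, timedelta

# Assumed line layout, taken from the one line quoted above:
#   <timestamp>  <level>  <process>  alias resolve error <alias> (error fetching alias url <url>)
ALIAS_ERR_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\S+)\s+(?P<proc>\S+)\s+alias resolve error "
    r"(?P<alias>\S+) \(error fetching alias url (?P<url>[^)]+)\)$"
)

# Constructed sample: one real line from the post, one made-up failure, one unrelated line.
SAMPLE_LOG = [
    "2025-12-06T12:41:30    Notice    firewall    filter reload done",
    "2025-12-06T12:42:00    Error    firewall    alias resolve error IP_PublicDNS "
    "(error fetching alias url https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt)",
    "2025-12-06T12:42:01    Error    firewall    alias resolve error Spamhaus_DROP "
    "(error fetching alias url https://example.invalid/drop.txt)",
]

# Constructed "last updated" values as shown in Firewall > Diagnostics > Aliases.
LAST_UPDATED = {
    "IP_PublicDNS": datetime(2025, 6, 21, 13, 18, 3),   # from the post
    "Spamhaus_DROP": datetime(2025, 12, 5, 9, 0, 0),    # constructed: failing now but fresh
    "GeoIP_Block": datetime(2025, 12, 6, 12, 0, 0),     # constructed: healthy
}
NOW = datetime(2025, 12, 6, 12, 42, 0)


def parse_alias_errors(lines):
    """Return one dict per 'alias resolve error' line; everything else is skipped."""
    found = []
    for line in lines:
        m = ALIAS_ERR_RE.match(line.strip())
        if m:
            found.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "alias": m.group("alias"),
                "url": m.group("url"),
            })
    return found


def stale_aliases(last_updated, now, max_age):
    """Aliases whose last successful refresh is older than max_age, sorted by name."""
    return sorted(name for name, ts in last_updated.items() if now - ts > max_age)


def report(lines, last_updated, now, max_age=timedelta(days=2)):
    """Combine both signals: which aliases are currently failing, and which are stale.

    A failing-but-fresh alias just started breaking; a stale one has been silently
    serving an old table, which is the situation the post describes.
    """
    failing = {}
    for err in parse_alias_errors(lines):
        failing.setdefault(err["alias"], []).append(err["url"])
    return {"failing": failing, "stale": stale_aliases(last_updated, now, max_age)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG, LAST_UPDATED, NOW)
    for alias, urls in result["failing"].items():
        print(f"FAILING  {alias}: {', '.join(urls)}")
    for alias in result["stale"]:
        print(f"STALE    {alias}: last updated {LAST_UPDATED[alias]}")
```

Run against a real export of the General log and the alias table, the "stale" list is the one worth alerting on: a URL table alias that has not refreshed for months is still enforcing rules, just with an outdated set of addresses.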
#10
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 03:22:06 PM
What I mean is that your process is perfectly valid but unknown to us here on how it works.
Quote
Yes, I'm keeping the list on a remote server. Firewall Aliases has a rule (URL IPs table) which is checking every 60 sec for updates to the remote black list. From this rule I got a Floating rule which does the actual restriction to the network.

Before the update, if I wanted to restrict an IP, I just had to add it to the remote server black list. And Firewall Aliases fetched this list automatically and blocked the new IPs.
Now this doesn't work anymore. To do so I need to go to Firewall: Diagnostics: States, find where the new IP or IPs are and manually drop them. And then the actual block comes into force.
It is impossible to tell why "this does not work anymore". Your mechanism to fetch the list, I imagine, is the Alias automation on OPN. But the content might not be "correct".
Maybe use the Diagnostic part of the alias in OPN, to look into the table.
Or when you say "this doesn't work anymore". Does it mean nothing is fetched or something else?
#11
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:58:38 PM
It helps. So have you diagnosed the process?
#12
Any clues in /var/log/AdGuardHome/AdGuardHome.log?
You might need to search around the time of the attempted start i.e. boot of OPN, because the log is noisy.
Only one service can use a port at any given time, so if your manual start succeeds, then there won't be another service using it. Your manual start would simply fail.
#13
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:46:22 PM
So you have a server where you keep list or lists of ip addresses to block. Then you have OPNSense fetching them and what, update an alias with that? What is not working, the fetching, the update of the alias, something else?
#14
25.7, 25.10 Series / Re: Afther Update meet issues
December 08, 2025, 02:27:47 PM
Maybe it's just me, but I'm unclear what it is that you are saying. Can you break it up a bit?
What/where is the blacklist? You say they are restricted TO access your network. Is it that they are allowed?
If however you mean you are seeing a lot of attempts to access your network from ips in some sort of blacklist, then how is that a problem?
As I say, just all very unclear what the setup is, and what the problem is.
#15
Alrighty. Thanks Seimus. I'm beginning to feel I'm close.