Messages - beneix

#1
Quote from: viragomann on October 03, 2025, 01:09:34 PM
Quote from: beneix on October 02, 2025, 09:54:06 PM
OK, what I am missing is the part of how to set up the VLAN so that all traffic from it routes via the VPN.

All necessary steps are explained above.

If you have trouble anyway, show all details of your settings, please.
OK, here goes. It's the first time I respond to that type of request so if there is a different way I should share the settings, please let me know.
VPN:
Gateways:
The two relevant VPN interfaces:
Details:
Assignments:
Devices:
Aliases:
Firewall:
DHCP:
#2
Quote from: cookiemonster on October 02, 2025, 11:10:23 PM
But do you have a managed switch to tag the traffic of this VLAN, and have set up your interface in OPN to act as the trunk from it?
If not, you don't have a VLAN but perhaps a separate network on a separate interface in OPN? I'm a bit unclear.
Yes, I have a managed switch for the Ethernet connection, but I also have my Unifi AP that will broadcast a separate SSID for the VLAN (I am doing this already for another VLAN). The WiFi connection will be the main way this VPN VLAN will be used, the Ethernet is just a back-up.
#3
OK, what I am missing is the part of how to set up the VLAN so that all traffic from it routes via the VPN. What I have tried is:

1. Create a VLAN
2. Create an interface that is assigned the VLAN device, a static IP of 192.168.6.1 and a configuration of 192.168.6.1/24
3. Set DHCP to hand out 192.168.6.20-200 to clients on the VLAN interface

Now I am not clear on whether I should
a. Create an outbound NAT rule that directs all traffic from the VLAN net to the VPN interface,
b. Create a normal rule that passes all traffic coming in on the VLAN interface to the VPN interface,
c. Create a bridge between the VLAN and VPN interfaces,
or a mix of all three.
#4
Quote from: viragomann on October 02, 2025, 06:21:03 PM
Quote from: beneix on October 02, 2025, 06:13:29 PM
I see in the interfaces overview that the new interface has IPv4 and routes set to 10.100.0.2/16. Is this the range of addresses that will be handed out to clients connecting to the VLAN?
This is your VPN client IP.
It's not a range, but just a single IP and you cannot hand it out to any other device.

If you route traffic to the VPN server, the suggested outbound NAT rule translates the source address into this one, so that responses are coming back to you.

There is nothing to configure in the VPN interface settings. Just enable it.
IP address assignment is done by the VPN server.
Right, but what local IP address does a client connecting to the VLAN get? In order for the NAT rule to translate source addresses, there need to be source addresses to translate...I must be missing something?
#5
Many thanks!

I see in the interfaces overview that the new interface has IPv4 and routes set to 10.100.0.2/16. Is this the range of addresses that will be handed out to clients connecting to the VLAN? If I would like it to be something else (I was planning similar to my LAN but with the same octet as the VLAN number), how do I set this? Do I specify "DHCP" in "IPv4 configuration type" under the interface settings, and/or set up a range under Services > ISC DHCPv4?
#6
I am trying to set up so that all traffic on a VLAN gets routed out via a VPN client. I have read lots of tutorials and many posts, tried many different settings but with the instructions all being of different age they are intended for different versions of OPNSense and I am never sure which steps have changed or become redundant.

I have an OpenVPN client instance that is showing as connected, and I would like to link this to a VLAN I have already created. I get a bit lost in which steps are required manually and which are done by OPNSense automatically when it comes to

- interfaces
- devices
- gateways
- firewall aliases
- firewall NAT
- firewall rules
- DHCP

Is there a howto/tutorial based on the latest OPNsense describing how to do this? I run 25.7.2.
#7
25.7, 25.10 Series / Causes for bandwidth reduction
August 27, 2025, 09:29:25 AM
For ISP reasons, I am forced to connect my OPNSense router behind my ISP's fibre router, set to DMZ. When I compare the bandwidth I get directly from the fibre router to what I get through OPNSense, there is a significant reduction (although an improvement in bufferbloat). What could be the different contributing factors to this? In terms of hardware, the OPNSense router has:
CPU: AMD Embedded G series GX-412TC, 1 GHz quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache, 4GB DRAM
NICs: i210AT 1Gb/s

Fibre router:

OPNSense behind fibre router:

Are there specific OPNSense configuration tweaks I should try to reduce the bandwidth reduction?
#8
OK, so that is what I don't have - the graph time is UTC while the system time is CEST:

#9
Does your System Information gadget show the same time as the latest time in the graph?
#10
I have been annoyed for some time that the graphs in the Reporting module use UTC time rather than the system time that is shown elsewhere, e.g. in the System Information gadget on the dashboard. Is there no way to get the Reporting module to respect the system time zone?

I searched for previous posts about this but only found this old thread from 2020.

If this needs to be an enhancement request, where do I post it?
#11
25.7, 25.10 Series / Re: Upgrade OK
August 04, 2025, 10:05:42 AM
Successfully upgraded from 25.1.11 to 25.7.1_1 without a hitch on my APU2E4 with i210AT LAN, AMD GX-412TC CPU and 4 GB DRAM. Unifi, Adguard, os-acme and a few other plugins all work as before the upgrade.
Kudos and thanks to all that help improve this system for all of us!
#12
Are your mirror and flavour settings (in System > Settings) set to default? What does it say in "Mirror" and "Repositories" on your System > Status page?
#13
Quote from: tessus on July 29, 2025, 07:47:34 AM
@beneix may I ask when you installed your system?
The system was purchased in 2022 and I installed UFS. Then in 2024 I decided to take the leap and re-install with ZFS - I think it was when 24.7.1 was out. I don't recall giving any particular input to sizing, I think I just let the installer set the defaults, but I could be wrong.
#14
Quote from: Patrick M. Hausen on July 28, 2025, 09:56:40 PM
Plan some time for a reinstallation with ZFS and a reasonably large EFI partition ;-)

First of all, thanks for all your help! Just a question for the future - do I understand you correctly that if the boot partition is 512K it would be a good idea to plan for a repartitioning followed by a reinstall at some convenient point in the future? I run ZFS and my gpart output looks like this:
# gpart show -l
=>       40  234441568  ada0  GPT  (112G)
         40     532480     1  efiboot0  (260M)
     532520       1024     2  gptboot0  (512K)
     533544        984        - free -  (492K)
     534528   16777216     3  swap0  (8.0G)
   17311744  217128960     4  zfs0  (104G)
  234440704        904        - free -  (452K)
(I realise that the boot partition size is not a current issue but a theoretical future one.) I don't suppose there is a way to do a repartitioning in situ without a full reinstall?
#15
Quote from: Slashing on July 28, 2025, 06:51:52 PM
No compilation required, it's just a script. Download it, chmod +x it and run it as root.
Doh! Thanks

So there is a general recommendation to keep your bootloader up-to-date, but I am not sure I understand how this utility achieves this. Am I to understand that there is updated code in one place on the disk but this has not been copied to the right place? My output from the utility is:
One or more efi partition(s) have been found.

Examining ada0p1...
Efi partition ada0p1 is already mounted in /boot/efi.
Would run: cp /boot/loader.efi /boot/efi/efi/freebsd/loader.efi
Would run: cp /boot/loader.efi /boot/efi/efi/boot/bootx64.efi

One or more freebsd-boot partition(s) have been found.
The root file system is zfs.

Examining ada0...
Would run: gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 2 ada0

-------------------------------
Your current boot method is BIOS.
Updatable EFI loader: 2
Updatable BIOS loader: 1
-------------------------------