Messages - patient0

#1
Quote from: gctwnl on August 31, 2025, 02:14:59 PM
Am I correct in concluding it isn't possible to create a schedule that is more crontab like, like "every day from 09:00-17:00" or "every Sunday from 10:00-12:00"?
You can do it, the interface is just quite confusing.

You select the header of the column(s) (not the days) in a month (any month), 'Mon', 'Tue', ... that is the way to say every <whatever days you selected>.

If you then change to another month, you'll see that the days are already selected. Additionally you select the time and voila.

#2
Hope you are doing ok, health wise.

Quote from: shaam on August 27, 2025, 07:44:46 PM
Here is a screenshot of the PVID Setting for the switch
The settings are correct on the switch.

Your OPNsense router is a physical device, not a VM, yes? Do you have an unused port on it where you can move the VLAN tagged traffic?

Right now you have VLAN50 traffic on LAN and that should not happen.

From what you have set the following should happen: on your VM the traffic leaves the hypervisor (btw: what hypervisor?) untagged, gets tagged with VLAN tag 50 on entering port 6 of your switch and leaves port 1, still tagged with VLAN50. On the OPNsense on port igb0 it is still tagged with VLAN50 and traffic is handled by OPNsense interface 'vlan04'.

But as your very first screenshot shows, VLAN50 traffic arrives on the 'LAN' interfaces, sometimes, and that should not be possible with your configuration. And it indicates an issue on L2, e.g. switch.

You wrote that the VM has a static IP configuration of 192.168.50.202. Is it a static DHCP mapping or did you set it on the VM itself?
#3
Quote from: Baender on August 29, 2025, 09:51:01 PM
I created a client for myself in the WireGuard section of OPNsense
The easiest way is to create a separate WG client config for each end device. With one config, only one client can be active at a time.

Quote: I then tried to access the OPNsense via 192.168.1.1:8443 with the VPN enabled.
Which IP range/network do you have at the second site? If it is also 192.168.1.1, then you have a subnet conflict and it won't work. The second site would already have routes for e.g. 192.168.1.1/24 and, with WG active, suddenly two routes for the same subnet but via different gateways.
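The subnet conflict described in post #3 can be caught before bringing the tunnel up. The following is an added example, not code from the thread or from OPNsense: it parses the AllowedIPs lines of a WireGuard client config and reports every overlap with networks the client already has local routes for. The config text, the placeholder keys, the endpoint name and the local network list are all constructed for the example.

```python
import ipaddress
import re

# Constructed WireGuard client config; keys and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client private key placeholder>
Address = 10.10.10.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <server public key placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
"""

# Networks the client already reaches via a local route at the second site.
# Assumed value, chosen to reproduce the conflict the post describes.
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]


def parse_allowed_ips(conf: str):
    """Collect every network listed in AllowedIPs (one or more [Peer] sections)."""
    nets = []
    for m in re.finditer(r"^\s*AllowedIPs\s*=\s*(.+)$", conf, re.MULTILINE):
        nets += [ipaddress.ip_network(x.strip()) for x in m.group(1).split(",")]
    return nets


def find_conflicts(allowed, local):
    """Return (tunnel_net, local_net) pairs whose address ranges overlap.
    Any overlap means the kernel ends up with two routes for the same
    destinations via different gateways, which is the failure in the post."""
    return [(a, l) for a in allowed for l in local if a.overlaps(l)]


def check_config(conf: str = SAMPLE_CONF, local=LOCAL_NETWORKS):
    """Return the conflicts as strings, e.g. ['192.168.1.0/24 overlaps 192.168.1.0/24']."""
    return [f"{a} overlaps {l}" for a, l in find_conflicts(parse_allowed_ips(conf), local)]


if __name__ == "__main__":
    for line in check_config() or ["no subnet conflicts"]:
        print(line)
```

The fix the post implies is to renumber one of the two sites (or narrow AllowedIPs to the remote site's real prefix) until `check_config` returns an empty list.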
#4
General Discussion / Re: unifi9 in community repo
August 29, 2025, 12:02:50 AM
Quote from: nicolareina on August 28, 2025, 11:12:23 PM
I read somewhere in the thread AVX is needed and I am pretty sure the Celeron has no AVX.
Could this be the reason?
To extend on what Patrick wrote: The MongoDB (from version 5 on) which is used by the Unifi Controller needs AVX and the J3425 seems not to have it (the same is true for e.g. Intel N5105/N6005). Check with 'dmesg' on your machine to be sure.

There are ways to run it (on Linux), people have compiled MongoDB with AVX support or run it in docker with a static qemu with AVX enabled, none of it is very easy nor fast. I used it on my previous fanless server based on the N5105 cpu (for Graylog 6).

But above all: not for the OPNsense plugin.
#5
Then leave your two rules as they are just add the DNS before the two. I may have confused you with mine.
#6
Quote from: Robertomcat on August 27, 2025, 12:06:16 PM
This would be the current configuration, but I haven't tested it yet to prevent the computers from losing Internet.

As mentioned, you can consolidate the first and last rule into the one I wrote (a pass rule with destination everything-except-the-alias-network), but you don't have to. And the DNS would come before your block-the-aliases.

Per default the rules are first-match: the first rule that is matching is executed and no further rules are evaluated.

Quote: but I haven't tested it yet to prevent the computers from losing Internet
If your computer on MQL can access the internet, including DNS, then don't change anything.
#7
25.7 Series / Re: unbound connection to quad9 TLS
August 27, 2025, 07:22:31 AM
I assume you have added 9.9.9.9 (and their second IP 149.112.112.112?) to 'DNS over TLS'?

To check the TLS connection and see if there is an issue, in the OPNsense console, run:

openssl s_client -connect 9.9.9.9:853 | more
On a test VM I do use 9.9.9.9/149.112.112.112 and I don't see any issues. But then I don't use it for hours every day.
#8
Quote from: Robertomcat on August 26, 2025, 10:14:48 AM
Yes, OPNsense itself resolves DNS requests. I previously had external DNS servers, but reading posts here on the forum, I found the most private and secure way was the default OPNsense configuration. Thank you for your answers!
Since the OPNsense IP is part of the 'MQL net' you need to add a rule for DNS. And you can make one rule out of the two you have:

# Allow clients to access router for DNS queries
Action: pass
Interface: MQL
Direction: in
Protocol: udp, port 53
Source: MQL net
Destination: MQL address

# Allow access to everything except 192.168.1.0/24 - 192.168.2.0/24 - 192.168.18.0/24 from the MQL network:
Action: pass
Interface: MQL
Direction: in
Protocol: any
Source: MQL net
Destination: ! (not) "aliases"
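Posts #6 and #8 hinge on first-match evaluation: the DNS pass rule must sit above anything that blocks the alias networks, because the router's own MQL address falls inside one of them. The following is an added example, not OPNsense code, that models the rules from post #8 as a tiny first-match evaluator and shows the DNS rule being shadowed when it is placed after a block rule. The thread never states the MQL addressing, so "MQL net" = 192.168.18.0/24 and "MQL address" = 192.168.18.1 are assumptions; the alias networks are the ones listed in the post.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed addressing (not given in the thread): MQL net and the router's MQL address.
MQL_NET = ipaddress.ip_network("192.168.18.0/24")
MQL_ADDRESS = ipaddress.ip_address("192.168.18.1")
# Alias networks named in the post.
ALIASES = [ipaddress.ip_network(n)
           for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.18.0/24")]


@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    proto: str                       # "any", "udp" or "tcp"
    dport: Optional[int]             # destination port, None = any
    src: ipaddress.IPv4Network
    dst: List[ipaddress.IPv4Network]
    negate_dst: bool = False         # the "! (not)" destination in the post

    def matches(self, proto, dport, src, dst):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if src not in self.src:
            return False
        in_dst = any(dst in n for n in self.dst)
        return in_dst != self.negate_dst


def evaluate(rules, proto, dport, src, dst):
    """First-match: the first rule that matches decides, nothing after it is consulted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(proto, dport, src, dst):
            return r.action, r.name
    return "block", "default deny"


DNS_RULE = Rule("allow DNS to router", "pass", "udp", 53, MQL_NET,
                [ipaddress.ip_network(f"{MQL_ADDRESS}/32")])
PASS_NOT_ALIAS = Rule("pass everything except aliases", "pass", "any", None,
                      MQL_NET, ALIASES, negate_dst=True)
BLOCK_ALIAS = Rule("block aliases", "block", "any", None, MQL_NET, ALIASES)

GOOD_ORDER = [DNS_RULE, BLOCK_ALIAS, PASS_NOT_ALIAS]  # DNS first, as the post advises
BAD_ORDER = [BLOCK_ALIAS, DNS_RULE, PASS_NOT_ALIAS]   # block-the-aliases shadows DNS


def client_dns_result(rules):
    """What happens to a DNS query from an MQL client to the router's MQL address."""
    return evaluate(rules, "udp", 53, "192.168.18.50", str(MQL_ADDRESS))


if __name__ == "__main__":
    print("DNS rule first :", client_dns_result(GOOD_ORDER))
    print("DNS rule later :", client_dns_result(BAD_ORDER))
    print("to internet    :", evaluate(GOOD_ORDER, "tcp", 443, "192.168.18.50", "203.0.113.9"))
    print("to 192.168.1.10:", evaluate(GOOD_ORDER, "tcp", 445, "192.168.18.50", "192.168.1.10"))
```

With the DNS rule on top, clients resolve names and still cannot reach the other alias networks; with it below the block rule, the block matches first (the router's address is inside 192.168.18.0/24) and every lookup fails, which is the symptom post #11 predicts.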
#9
Quote from: Robertomcat on August 25, 2025, 07:16:39 PM
I only have these two rules.
What about the other questions of mine? As I wrote, your clients won't be able to resolve any DNS request if the DNS is set to a MQL network IP.
#10
I would switch to another port if you have any unused ones. Or if none unused are available, switch two ports. If the issue moves to the new port, then it would indicate an issue with the cable or the switch port. Changing the switch port could help, too. Or set the speed from automatic to a fixed speed. If the issue stays with the physical port then the port may have an issue.
#11
Can you post the full ruleset for MQL net?

In general, devices on the same network can directly access each other. The traffic won't pass through the router and therefore your rule won't prevent the devices on the same network from talking to each other.

Is the client DNS set to the MQL router IP? I would assume that the clients can't resolve anything with that rules, since access to the DNS is blocked.
#12
Quote from: emaba on August 25, 2025, 01:59:02 AM
In my OPNsense, I use Unbound.
If I add a specific domain to be resolved by a particular DNS in Query Forwarding, it works.
However, adding DNS over TLS doesn't work.

Why?
Provide more details: which domain and which DNS did you use for Query Forwarding and for DoT? What is the failure behavior in the DoT case, is the domain not resolved, the wrong IP?
#13
General Discussion / Re: Override ISP DNS
August 21, 2025, 06:06:45 AM
In "System: Settings: General", uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN" and OPNsense won't use the ISP DNS any longer.

https://docs.opnsense.org/manual/settingsmenu.html#web-gui
#14
Quote from: Prkl8r on August 19, 2025, 02:43:06 PM
So VLAN1 isn't really a tag of 1 but untagged?
Yes, VLAN 1 means untagged on the ports with 'Default/Native LAN' set (about VLAN1: https://netseccloud.com/what-is-vlan-1-and-how-does-it-work). @meyegru explains it well.
Having the default VLAN 1 as untagged does make life a lot easier with UniFi. I'd move your VLAN 1 from igc0.1 to igc0.

And in the UniFi Controller, for the Network you would have to set the 'router' to 'Third-party Gateway'.

Quote: is all prosumer networking gear as finnicky about the "controller" as Unifi?
I haven't used any other software that uses a controller like UniFi. UniFi is unique in what I have used so far.

https://imgur.com/a/v5JAav1
Could you include the pictures directly in the post?
#15
Quote from: Prkl8r on August 19, 2025, 04:46:34 AM
I have a trunk port setup with 4 VLANS. A MGMT(VLAN1), TRUSTED(20), IOT(30), and GUEST(50).
How have you setup the VLANs in OPNsense and UniFi (screenshots)? Is VLAN 1 also tagged or untagged (called "Native VLAN" in UniFi)?
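Posts #2, #14 and #15 all come down to how a switch port treats a frame with or without an 802.1Q tag: an untagged frame is assigned the port's PVID (VLAN 1 on a "native" port), a tagged frame keeps its VID only if the port carries that VLAN, and on egress the frame is sent untagged on the PVID and tagged otherwise. The following is an added example, not code from the thread or from OPNsense, that builds and parses tagged and untagged Ethernet frames and walks the path described in post #2 (VM untagged into switch port 6 with PVID 50, out of trunk port 1, into igb0). The MAC addresses, the port membership and the VID-to-interface map (50 to 'vlan04') are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100
NATIVE_VLAN = 1   # VLAN 1 = untagged on a port with the native/default VLAN set


def build_frame(dst_mac: str, src_mac: str, ethertype=0x0800, vid=None, pcp=0):
    """Construct an Ethernet frame, optionally with one 802.1Q tag (constructed data)."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


def parse_tag(frame: bytes):
    """Return (vid, inner ethertype); vid is None when the frame carries no tag."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner


def classify_ingress(frame: bytes, pvid=NATIVE_VLAN, tagged_vlans=()):
    """VLAN a switch port assigns to an incoming frame, or None if it is dropped.
    Untagged (and priority-tagged, VID 0) frames get the PVID; tagged frames keep
    their VID only if the port is a tagged member of that VLAN."""
    vid, _ = parse_tag(frame)
    if vid is None or vid == 0:
        return pvid
    return vid if vid in tagged_vlans else None


def egress(frame_vid: int, port_pvid: int, tagged_vlans):
    """How a frame in frame_vid leaves a port: 'untagged', 'tagged' or None (not a member)."""
    if frame_vid == port_pvid:
        return "untagged"
    if frame_vid in tagged_vlans:
        return "tagged"
    return None


# Assumed OPNsense side: igb0 is the parent; VLAN 50 belongs to 'vlan04' as in post #2.
VLAN_INTERFACES = {50: "vlan04"}


def opnsense_interface(frame: bytes):
    """Interface that would see the frame on igb0: untagged -> LAN, tagged -> its VLAN child."""
    vid, _ = parse_tag(frame)
    if vid is None:
        return "LAN"
    return VLAN_INTERFACES.get(vid, "dropped (no interface for VID %d)" % vid)


def trace_post2_scenario():
    """VM sends untagged -> port 6 (PVID 50) -> trunk port 1 (PVID 1, 50 tagged) -> igb0."""
    vm_frame = build_frame("0011223344aa", "0011223344bb")  # hypervisor sends untagged
    vid = classify_ingress(vm_frame, pvid=50)               # port 6: assigned VLAN 50
    how = egress(vid, port_pvid=1, tagged_vlans={50})       # port 1 trunk: leaves tagged
    wire = build_frame("0011223344aa", "0011223344bb", vid=vid) if how == "tagged" else vm_frame
    return vid, how, opnsense_interface(wire)


if __name__ == "__main__":
    print(trace_post2_scenario())   # expected: (50, 'tagged', 'vlan04')
```

The trace ends on 'vlan04', never on LAN; if VLAN 50 traffic still shows up on LAN, as the first screenshot in that thread did, some device on the path is stripping the tag or has a PVID of 50 on the wrong port, which is why the post points at layer 2.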