Messages - Stuzoo72

#1
Hi, what part is not working?

If you want two subnets on your single LAN interface using the same vlan (no vlans), then you need a virtual IP to act as the second gateway. Set it as an IP address within a network, i.e. with a subnet mask other than /32. e.g. 192.168.5.1/24 would mean the VIP was the gateway 192.168.5.1 on network 192.168.5.0/24.
Drop the idea of two DHCP on the same vlan.
You will still need firewall rules to pass/route traffic via the VIP, i.e. your second subnet.
Something like
Interface:LAN, Source PrivateNetworks, Destination PrivateNetworks, port any, PASS
That should allow traffic in both directions between your two subnets.
#2
Good that you got it going in the end.
What WAN IP settings did you use in the end?
#4
It looks like you are using IPv4 only. This is good as it is easier for me and the older generation to understand.
I am not familiar with Shield devices, but assume they are linux based and good for streaming etc. As a precaution you could try turning IPv6 off on the Shield.

I use a very similar vlan/DMZ for my smart devices.
Your rules to destination "any" port should work.
I would suggest that you combine them into one rule that does both functions.
Source ANY (as this is from a vlan so all traffic entering this vlan will be from VLAN30_SmartDevices net).
Destination INVERT PrivateRanges (!Private Ranges)
It reads as pass anything that enters from vlan30 > going to the internet.
No need for block/reject.

My suspicion is with the DNS rules that you have.
Maybe the Shield has some built in DNS settings that it must use. Or something else.
I don't know the reason you need to block general DNS requests so this is a bit of guess work.
Try changing the allow DNS rule to pass both UDP and TCP. Sometimes TCP has to be used.
Can you try disabling the DNS block rule as a test to see if that is the issue?

If you need to enforce specific DNS, why not try redirecting all DNS queries?
https://forum.opnsense.org/index.php?topic=9245.0

I've included a screen grab of my rule(s) that works for my Smart Device subnet.
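As an added illustration (not the poster's rules, screenshot or any OPNsense code), here is a small first-match rule evaluator that encodes the VLAN30 egress policy sketched above: DNS over both UDP and TCP allowed only to one resolver, other DNS blocked, everything else passed to non-private destinations. The resolver address 10.0.30.53 and the contents of the PrivateRanges alias are assumed for the example.

```python
# Added example: minimal pf-style first-match evaluator for the rule set
# discussed in the post. Alias contents and the resolver 10.0.30.53 are
# constructed values, not taken from the thread.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed contents of a "PrivateRanges" alias (RFC 1918 space).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "udp" or "tcp"
    dst: str              # "any", "private", "!private" (invert) or host/CIDR
    dport: Optional[int]  # None means any destination port


def dst_matches(rule: Rule, dst_ip: str) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    if rule.dst == "any":
        return True
    in_private = any(ip in net for net in PRIVATE_RANGES)
    if rule.dst == "private":
        return in_private
    if rule.dst == "!private":        # the "invert" checkbox on the alias
        return not in_private
    return ip in ipaddress.ip_network(rule.dst, strict=False)


def evaluate(rules, proto: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the default deny."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if dst_matches(rule, dst_ip):
            return rule.action
    return "block"


# Policy for the smart-device VLAN, in the order the post suggests:
# 1-2) DNS (UDP and TCP) only to the chosen resolver,
# 3)   block any other DNS,
# 4)   pass everything else headed for the internet (!PrivateRanges).
VLAN30_RULES = [
    Rule("pass", "udp", "10.0.30.53/32", 53),
    Rule("pass", "tcp", "10.0.30.53/32", 53),
    Rule("block", "any", "any", 53),
    Rule("pass", "any", "!private", None),
]
```

Running flows through `evaluate` shows why the TCP DNS rule matters: without rule 2, a TCP query to the resolver hits the block rule, which is the symptom the post describes.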

#5
Is there any reason you are trying to use a static IP on your WAN side?
Most home ISPs should provide the WAN addressing by DHCP. If you set static you will not get all the information that you need from whatismyip.com. You will need the IP assigned to you, the subnet mask, and the gateway. "whatismyip.com" won't give you all those, you could ask your ISP.
Also your ISP may not provide the public IP directly to the device that plugs in to their modem. They may provide the internal devices with private IP addresses and NAT to the outside world on their modem/router.

I suggest you start with automatic/DHCP addressing on the WAN interface, then once that is working look at static if you really have a need.
#6
General Discussion / Re: Wireguard and DMZ
February 13, 2022, 02:24:38 AM
You should be able to use the FW rules to do this.
I presume you have a rule on your LAN interface that states something like
Source LAN, Destination any, Gateway Wireguard

Place a rule in front of that which states
Source HTPC, Destination any, Gateway WAN
#7
Thanks for the replies. I do like Monit as a solution.

I have enabled Monit and the inbuilt "gateway_alert" service setting. For the moment this does what I need - reporting if one of the gateways is down.
From that I can action start/stop etc.

What I now need is a command to stop (disable) and one to start (enable) DHCP on a specific interface.
From GUI it would be
Services: DHCPv4: [WAN2_Incoming]
Toggle enable/disable "Enable DHCP server on the WAN2_Incoming interface"

I don't want to turn off DHCP for all interfaces, just this one.

Can someone help with scripts for the above enable/disable?

Where is the best place to store scripts used by Monit? Somewhere that won't be overwritten during an upgrade.
#8
Without vlans you can define two subnets using a virtual IP for the second subnet, but you cannot run two DHCP servers.
Your client devices will broadcast/DHCPDISCOVER across the single vlan and receive replies from both DHCP servers (quickest to reply wins). I see your idea of specifically setting up some reservations on one DHCP, and denying them on the other, but I don't think Opnsense DHCP would be able to deny or place two DHCP on the same interface. You may need to use separate non-Opnsense DHCP servers for that functionality.

If some devices need to be on the predefined subnet, is there a reason that the other devices cannot also use the same predefined subnet?

#9
Hi,
I have WAN connection, broadband and a 4G router.
dpinger monitors the gateway on the broadband WAN very well and shows online/offline.

I have separate inbound and outbound connections from Opnsense to the 4G router.
For technical Telco reasons, when the broadband is down I need to disable DHCP on the Opnsense inbound interface connected to the 4G router. I can't get around this.

I need to setup a job/task that is basically

If Gateway Monitor (broadband) is down then disable DHCP on Opnsense [Net_4G_inbound]
If Gateway Monitor (broadband) is up then enable DHCP on Opnsense [Net_4G_inbound]

Any ideas?
#10
Can you set up two LANs? Either using vlans or just two subnets on the same vlan (a bit uglier and not perfect, but does the job for you).

That way the two vlans would have to route between each other and so could use the Layer3 Opnsense FW.
#11
The source can be individual IP addresses or subnets. Use FW Aliases to set
#12
Two outbound firewall rules that use the two different WAN Gateways.

FW rule on Internal Interface(s), I have assumed a single internal interface.
Source:Network1,Destination:*,Gateway:WAN1
Source:Network2,Destination:*,Gateway:WAN2

(Gateways can be setup in System/Gateways/Single, but auto-populate when WAN provides DHCP)