Messages - SecCon

#1
Not sure what you are saying here because I can't access the configuration of the ISP box. It's handled by the ISP company only. If by that you are referring to the Router that is currently connected to the ISP box, well, that's a different thing.
#2
Come to think of it, I could demote the Router, removing DHCP from it and using it only as a switch, leaving the routing and DHCP to OPNsense.

That would be going a bit off my original plan, but would allow me to keep the PoE and have the EdgeMax6P as a backup router should the OPNSense machine fail somehow.

#3
You are right. I forgot about that. I think I changed that in the firewall, since it's a running configuration I also tried a few things on. Maybe I just have to do a reset to get that right.

Yeah, interface igb0 is on Lan.
#4
Turned out to be more tricky than I thought.

As in the previously posted image, of course, but when you are actually holding the cables and trying to figure out what goes where it is a bit of a challenge for me as a newbie when it comes to actual network configuration with firewall.

The ISP WAN cable goes into igb0 on the OPNsense machine. Then after that I have at least two options. Either I connect the LAN igb1 to the Router's WAN port, or, as Herr Pmhausen might suggest, I connect it to the switch port 1. Or even to the Router's eth1 port. Since the Router has PoE ports and I need those, I am, for the nth time, keeping it.

What happens is that when reconfiguring the OPNsense interfaces I am asked about LAGG ( https://docs.opnsense.org/manual/other-interfaces.html?highlight=lagg#lagg ) and that is a very good question. I have no clue. I manage to give the OPNsense WAN an external IP, but after that it seems I am not able to connect it to the LAN.

There must be a default order to do this. And a default working configuration. I refuse to believe no one has done it.

As it is now I just feel I need to talk this through with someone, since posting here with people that are not solution-oriented answering is not very constructive.
#5
22.7 Legacy Series / Re: Backup xml > things missing
September 08, 2022, 07:32:55 AM
Quote from: cookiemonster on September 07, 2022, 05:02:02 PM
- For the DNS wrong in the xml export, it would be good to know which node you're looking at since there are multiple places where DNS settings can be configured using the UI.
- For the GUI ip address I would have thought the restore will put the backed-up one back as long as the interface assignments match. Could it be an interface mismatch or change since the backup?
That is true. It is actually a bit hard to tell from the backup XML.

Wrong entries from backup:
<language>en_US</language>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsserver>1.1.1.1</dnsserver>
    <thermal_hardware>coretemp</thermal_hardware>


In the GUI it was in the System > Settings > General > DNS Servers

Quote from: amichel on September 07, 2022, 09:25:25 PM
Hmm,
I followed the same path. Installed opnsense from scratch on zfs, then imported the Settings during the installation.
After that went to Plugins --> autofix which installed all missing plugins and the config was as before.
That seems of course way easier, but not mentioned in the docs... which I guess is not surprising. Will add it. Ehm, what's it called again? I cannot seem to find it.


I made a new backup and it took the correct DNS to the XML. Might test a repeat of the whole scenario to see if it works or not. Repeatability is of course essential in any troubleshooting.
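A small pre-restore check, added here as an example (not from the thread or from OPNsense itself): it parses a backup XML in the shape shown above and reports whether the recorded DNS servers match what the operator expects, plus which plugins the backup references. The placement of dnsserver and firmware/plugins under the system node, and the sample backup, are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OPNsense config backup (not a real export).
# The <dnsserver> and <firmware><plugins> locations under <system> are assumptions
# based on the layout of OPNsense config.xml.
SAMPLE_BACKUP = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw</hostname>
    <language>en_US</language>
    <dnsserver>8.8.8.8</dnsserver>
    <dnsserver>1.1.1.1</dnsserver>
    <thermal_hardware>coretemp</thermal_hardware>
    <firmware>
      <plugins>os-api-backup,os-etpro-telemetry</plugins>
    </firmware>
  </system>
</opnsense>
"""

QUAD9 = {"9.9.9.9", "149.112.112.112"}  # public Quad9 resolver addresses


def audit_backup(xml_text, expected_dns):
    """Compare the DNS servers and plugin list recorded in a backup against
    what the operator expects, so a stale export is caught before a restore."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    if system is None:
        raise ValueError("not an OPNsense config backup: no <system> node")
    found = [e.text.strip() for e in system.findall("dnsserver") if e.text]
    plugins_node = system.find("firmware/plugins")
    raw = plugins_node.text if plugins_node is not None and plugins_node.text else ""
    plugins = [p.strip() for p in raw.split(",") if p.strip()]
    return {
        "dns": found,
        "missing_dns": sorted(set(expected_dns) - set(found)),
        "unexpected_dns": sorted(set(found) - set(expected_dns)),
        "plugins": plugins,
    }


if __name__ == "__main__":
    report = audit_backup(SAMPLE_BACKUP, QUAD9)
    print(report)
    if report["missing_dns"] or report["unexpected_dns"]:
        print("WARNING: DNS servers in backup differ from expected; review before restoring")
```

Running it against a real export instead of the constructed sample is just a matter of reading the file into audit_backup; the plugin list tells you what to install after the restore, which the restore itself does not do.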
#6
22.7 Legacy Series / Re: Backup xml > things missing
September 07, 2022, 12:58:41 PM
So I can see that the DNS addresses are wrong in the xml export. Since I wiped the drives I can not check any other data, nor do I have any other backups available.

The mentioned IP address is from the basic conf I did, and do, in the setup console, ipv4 networking options, to get connectivity to the OPNsense GUI. Don't know how that would be done otherwise.

I would suggest a complement to the documentation, writing that the backup creates an XML file with "all" data and settings from the current OPNsense installation, including most if not all data needed by plugins (as in my example above with the ETPro-Telemetry token) once they have been restored, and will mark missing plugins that need installation after an import of the backup xml. Restoration will neither install those plugins nor update the system, both of which will have to be done after the import.

Basically, this is what the backup does, this is what it creates and this is what the backup does not do.
#7
22.7 Legacy Series / Re: Backup xml > things missing
September 06, 2022, 10:59:04 AM
I stated what I saw. My configuration is not that advanced. Still a work in progress.

Made one backup before installing. Disks were wiped in the process. Restored the backup to default 100% system but for a custom IP I use to access it.

My DNS is custom to Quad9, and that was one of the settings I checked first. Natural for me since I work with Security and Compliance.

As for the plugins, I already stated that some details were in place, at least for the Telemetry plugin; the plugin itself was not there, which already has an explanation.

What I felt needed correction was OPNSense's description of the backup functionality in the documentation.
#8
22.7 Legacy Series / Backup xml > things missing
September 06, 2022, 09:55:24 AM
I went ahead and reinstalled OPNSense on my server, this time using ZFS drive mirroring.

After initial configuration of IP via prompt, I logged on to the interface, went to System > Configuration > Backups and restored a backup file that was made just before the new setup.

In that backup restore the following was NOT restored, that I have noticed so far:
- DNS addresses
- Interface plugins - like api-backup and etpro-telemetry (it did actually keep the Telemetry token)

Several other settings were restored, but what is the purpose of the backup xml if it does not backup all the settings? Ok, it does not contain the plugin files, but it should tell the system to get them? And the DNS, is that not a kinda important setting? In all fairness it does list the relevant plugins as missing but makes no effort to get them.

Seems to me the backup documentation, that is tiny, should include information about what is not backed up, why, and relevant workarounds.
#9
I will need PoE. Which is on the Router. So I am keeping the Router. I also have a network inventory via Ubiquiti UNMS that I use on the Router, with the Switch, not sure that can be done in OPNsense.
#10
@pmhausen

As I stated above my ISP is DHCP. My EdgeMAX Router handles that, but it will of course have to be handled by OPNSense once connected. No fixed IP. IPv4 only that I am aware of, they probably have support for IPv6, I just don't use it.

The connection to ISP is currently done via a Bridge to Gateway, from my current OPNSense to my Router. [System: Gateways: Single] pointing to 192.168.1.1. That will obviously have to be revised.

So I guess I will be implementing what you call a transparent bridge then?

As for what consumers do, I don't have any stats, and I don't care. To me it is rather simple: Can I add security to my SOHO? How would I do that? The inbuilt FW in the Ubiquiti EdgeMAX is probably usable for most, but implementing IDS and Firewall on a Router, if even possible, comes with a performance hit on CPU and RAM. That is why I put OPNsense on a SuperServer instead, to handle that (8 Atom cores, 32GB DDR3 RAM, quad GbE LAN ports).

I do not understand why this scenario seems so unusual...
#11
Yes it does, which is only rudimentary and will be disabled if not needed. Maybe keep a rule about local admin logon to the EdgeMAX but hardly anything else.
#12
Quote from: pmhausen on August 24, 2022, 07:22:31 PM
So what is the second router supposed to do? I see only one connection coming from OPNsense and one going into the switch. An additional internal router only makes sense if it connects more separate networks/switches.

I am placing the FW between my Router and my ISP. Is that not how it is supposed to work? Filtering the internet traffic... logging, stats, probably DNS.

I know I can use OPNSense as Router as well, but I am not doing that now. My EdgeMAX Router handles DHCP, Static addressing and PoE, if needed, something that can not be done on the OPNSense machine. (In fact, my AP is PoE but currently connected to the Switch, I should connect it to the Router and bridge it, later.)

#13
Something like this I pushed together in 5 minutes in draw.io

In my opinion it is a simple basic LAN.

Not sure about that thing about adding a 2nd router; I guess if OPNsense is the 1st router then my EdgeMax is the second.

#14
I have decided to keep the router for routing, and use OPNsense exclusively as firewall. In an earlier post I implied using OPNsense both for routing and fw, but that will not be the case. Some argued against it: https://forum.opnsense.org/index.php?topic=29199.0

The basic setup is done, have OPNsense running on a temporary IP on a Supermicro Superserver and will move it between LAN and WAN in a few days. (I have all my network equipment in a dedicated rack.) Got all the NICs I could ever need for channelling the network through the fw.

What is the correct configuration for that once I do it? ISP is DHCP. DNS is Quad9.
#15
Any easy basic opnsense fw setup guides?

(Every guide I have seen so far includes stuff I don't have, don't need, don't use, don't want to get, don't understand).

1 ISP Modem <> 1 FW <> 1 Router <> 1 Switch/AP <> 1 LAN <> Devices. Simple as that.

[no vlans, no vpn's, no dmz, no dsl, no ipv6, no ldap, no radius, etc..]

I have a couple of recent books, I have read the docs, both have loads of extra confs I don't intend on using, and since they use that in all examples, it's pretty much useless..