Messages - julsssark

#1
@meyergru and @OPNenthu - thank you for educating me. I always learn new things from this forum. I didn't consider the dependency on the native port in the case of a switch failure. Fortunately, I keep an old 8 port Unifi switch around as a cold spare for my main switch. In the event of my switch failing, I can at least get my 4 APs back online. I should be able to provision a new switch by setting one of the ports to a full trunk. Like @meyergru, I never experienced a problem when I had my OPNsense router (Protectli with Intel NICs) plugged into a full trunk port.
#2
Why is a native network needed for Unifi gear? I have VLAN 90 set as my management VLAN. My Unifi switch and APs are all in VLAN 90. The UniFi Network Application is sitting in a server VLAN. When I provision a new Unifi AP, I set the new AP's port on the switch to tagged VLAN 90. This gets the new AP on the network with an IP in VLAN 90. I then adopt the AP, set the management VLAN to 90 in the device's settings and then change the switch port to a "trunk" (all VLANs without a native).
#3
I changed my MGMT VLAN in Unifi to 90 and that avoids the whole native/VLAN1 issue.
#4
I've been running AdGuard Home from mimugmail for years. It works great.
#5
@benix, the utility recommends the commands to run. You'll need to run those commands to do the update. Or you can run the utility with the "shoot-me" option and it will prompt/run each command for you.
#6
Thanks @Patrick for the helpful information. I've been using OPNsense for 3 years and did not know about this.

Thanks @Slashing for posting that utility. The utility can also be used to update the boot loaders. It worked great for me.
#7
25.7 Series / Re: CrowdSec - no alert date
July 26, 2025, 05:31:51 PM
Confirmed. Created date is blank for me too. I opened a bug report:

https://github.com/opnsense/plugins/issues/4837
#8
I upgraded to 25.7 on 7/23. I just checked my google drive and I see backup files from 7/24 and 7/25. Was it working correctly for you under 25.1 or is this a brand new installation?
#9
I use a similar configuration and do not need a gateway. First thing to check is under the DHCP options settings (Services->DNSmasq->DHCP options): did you set the "router [3]" option for VLAN 20 to your router's IP for that vlan, and did you set the "dns-server[6]" option to the IP of AdGuard? If you are running AdGuard on OPNsense, the IP address for the dns-server will be the same as the router IP for that vlan.

Also, confirm that you have firewall rules on VLAN 20 to allow port 53 traffic to pass to the AdGuard server.
#10
25.7 Series / Re: 25.7 Upgrade OK
July 23, 2025, 06:02:07 PM
Upgraded from 25.1.12 without incident. Google backups migrated to a plug-in during the upgrade. My other plug-ins (Ad-Guard, crowdsec, acme, ddclient, mdns repeater and nut) all seem to be working normally. DNSmasq and Unbound (only v4) are working fine too.

Thank you to the OPNsense team! It's like I get to have 2 additional birthdays every year.
#11
25.1, 25.4 Series / Re: Unbound to DNSMasq
June 29, 2025, 06:01:55 PM
KEA, ISC and DNSMasq can all be used. Pick the one that works best for your requirements.
#12
25.1, 25.4 Series / Re: Can't get VLANs to work
June 25, 2025, 04:36:39 PM
I am not familiar with your switch but looking at the configuration, I think vlan 1 should include ports 1 and 8 with tagged traffic. The devices on port 1 and 8 speak vlan and therefore their traffic is being tagged. Since you've set port 8 in your switch as untagged for vlan 1 and the PVID of port 8 is 1, the traffic from port 8 is likely being tagged as vlan 1 even though some of it is vlan 3.

Mixing tagged and untagged traffic on the trunk to OPNsense is not recommended. See here https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html

Consider creating another VLAN for management. You will need to configure your switches and AP to use this VLAN.
#13
I am not sure if it matters, but my GeoBlock for inbound connections is set up as an allow list. Ireland is not one of the countries I allow. I am not doing any GeoIP blocking for outbound.
#14
As another data point, I upgraded to 25.1.8_1 without incident. I am running CrowdSec and using a GeoIP blocklist. I am in the U.S.
#15
I use Clients->AdGuard->Unbound for DNS lookups and Unbound->DNSmasq for local queries. I followed the docs to implement it and changed the ports to keep AdGuard using port 53. I am only using IP v4 and my setup has some VLANs.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration