Messages

[from the Internet]

There's a good chance I am missing the point entirely, but you may be doing something unnecessary.

The RFC1918 addresses are non-routable by design. This system allows you, me and the man behind the tree to all have 192.168.1.1/24 subnets without crashing into each other. The three ranges normally are associated with various sized networks, with the 192.168.x.x ranges for home networks by convention. Nothing prevents a home network from using one of the other ranges.

Find out the app that's sending the videos outside of your home and shut it down.

https://netbeez.net/blog/rfc1918/

I googled this. It seems to be a good definition.

Did you even bother reading the link you posted?  It clearly says,

"These IP addresses compose the majority private networks, which are networks not available, or reachable, from the Internet. The reason these hosts are not reachable from the Internet is due to a fundamental requirement: each host must possess a unique IP address. RFC1918 removes this requirement. Common RFC 1918 addresses, like 192.168.1.1, are available in multiple networks without causing any disruption. The key requirement is that they stay within the boundaries of a network."

You do understand the difference between incoming and outgoing data, correct?  Because this entire conversation has been about data traveling TO THE INTERNET from the local network (via the camera itself), not data FROM THE INTERNET trying to connect to to the camera......

The article goes on to say,

"To isolate RFC1918 address from the Internet, network administrators configure their border routers to discard IP packets with private addresses.  As a result, IP packets carrying private addresses can only flow within internal, or private, networks.

How do network administrators configure their border router to discard UP packets with private addresses?  WITH THE EXACT RULE that meyermu suggested to the OP  and you have continually tried to say that it is not necessary.  Your own link contradicts you assumptions and says that it IS necessary and a normal rule for network administrators to add to their routers.

It's fine to be ignorant on a variety of topics (no one knows everything), but it's not OK when you start trying to teach and correct others (who are 100% correct BTW) when you don't understand the material yourself.  Therefore I would suggest that you stop posting in this thread until you learn a little bit more about how data travels through a network.

[from the Internet]

There's a good chance I am missing the point entirely, but you may be doing something unnecessary.

The RFC1918 addresses are non-routable by design. This system allows you, me and the man behind the tree to all have 192.168.1.1/24 subnets without crashing into each other. The three ranges normally are associated with various sized networks, with the 192.168.x.x ranges for home networks by convention. Nothing prevents a home network from using one of the other ranges.

Find out the app that's sending the videos outside of your home and shut it down.

https://netbeez.net/blog/rfc1918/

I googled this. It seems to be a good definition.

Did you even bother reading the link you posted?  It clearly says,

"These IP addresses compose the majority private networks, which are networks not available, or reachable, from the Internet. The reason these hosts are not reachable from the Internet is due to a fundamental requirement: each host must possess a unique IP address. RFC1918 removes this requirement. Common RFC 1918 addresses, like 192.168.1.1, are available in multiple networks without causing any disruption. The key requirement is that they stay within the boundaries of a network."

You do understand the difference between incoming and outgoing data, correct?  Because this entire conversation has been about data traveling TO THE INTERNET from the local network (via the camera itself), not data FROM THE INTERNET trying to connect to to the camera......

The article goes on to say,

"To isolate RFC1918 address from the Internet, network administrators configure their border routers to discard IP packets with private addresses.  As a result, IP packets carrying private addresses can only flow within internal, or private, networks.

which is exactly the rule that meyergru suggested in his post and you have continually tried to say that it is not necessary.  Your own link contradicts you assumptions and says that it IS necessary and a normal rule for network administrators to add to their routers.

It's fine to be ignorant on a variety of topics (no one knows everything), but it's not OK when you start trying to teach and correct others (who are 100% correct BTW) when you don't understand the material yourself.  Therefore I would suggest that you stop posting in this thread until you learn a little bit more about how data travels through a network.

The ServeTheHome forum has a nice thread about the Edge 620,640,680 devices. They are a little/lot more powerful than the 510.  Just something to consider for anyone looking for hardware ideas.  I personally have a 620 and a 640 and run OPNsense on both of them without any issues. 

PS - do not get the 610 models because no one has found drivers to make them work with third party software like OPNsense.

I would agree with JonM that most consumer grade devices don't come with a static IP address of 192.168.1.1 outside of consumer routers.  If for some reason you are setting up one of these devices, you should really connect to those directly and change the appropriate settings (like turning off DHCP services) before you attempt to connect it to your regular network (perhaps as a WiFi AP point for example). 

Most consumer devices are generally going to be set up to get a DHCP assigned IP address which means they should automatically get a valid address assigned when they connect to the network the first time.  Depending on which VLAN they are connected to will dictate what IP address range they are assigned to.

If you find yourself using a device that has a factory assigned static IP address in the 192.168.1.1/24 range, you can simply connect it to your main network (no VLAN) and you should be able to connect to it that way.  Since the OPNsense firewall is the only device on the 192.168.1.1/24 subnet, there shouldn't be any issue with duplicate addresses.

If you find yourself working with a lot of devices that are factory assigned static IP addresses outside of the 192.168.1.1/24 subnet that your network is already using, you can always create a VLAN specific for that use.  For example, 192.168.0.1/24 seems to be another popular consumer grade subnet, so you could always create a new VLAN using the subnet to connect these devices to initially to change their settings to whatever you want to use long term.  Then unplug them from this "setup" VLAN and connect them to the VLAN they will be associated with long term.   

Personally I'll generally connect directly with a new device using my laptop however and just manually set the device up to function like I want (IP address or otherwise) prior to connecting it to  my home network.  This way I know there aren't going to be any issues.

While I would never set up my router to auto update, I can also understand why someone would. 

I don't do it because there is always a chance that the update will break something and bring my whole network down.  Given that I am away from my house most of the day, this would be very annoying for everyone that is still at home.

However, the odds that a bug would bring down the network are relatively low, and if someone worked from home or was otherwise around to fix issues when they arose, having updates automatically applied would be convenient. 

Are you sure the different LANs are set up correctly with regard to IP addresses.  You say only one of the three is set up to use DHCP.  I would suggest that you turn DHCP "on" on all three LAN segments.  I suspect there is an issue either in your network segmentation address scheme (your LANs are overlapping addresses for example), or with IP address assigned (or not assigned) to the NIC of your computer you are tying to connect.  By turning on DHCP, this will correct both issues. 

You need to simplify things to ensure they work correctly.  If you later want to "complicate" things by turning off DHCP on some of the network segments, at least you know why it stops functioning.

If you don't use VLANs, then all of your "routing" is handled at the switch level.  This means the only traffic that should be crossing through the firewall is data going to/from the internet connection.  Since your internet connection is slower than a 2.5gb connection, the difference between using a 10gb and 2.5gb between the firewall and switch is really not going to make a difference.

If you decide to switch to using VLANs (managed by OPNsense), traffic on the same VLAN will continue to be routed at the switch level.  Only traffic that needs to cross over from one VLAN to another will have to traverse to the firewall.  So even if you decide to add VLANs in the future, if you just take some time to ensure that data will travel on the same VLAN as much as possible and only cross over to another VLAN in rare occasions, you will likely still be fine using the 2.5gb connection between switch and firewall.

That being said, you don't mention the speeds of the normal ports on your network switch, but I suspect they are 10/100/1000.  This means that the real speed limitation on your network is currently with your switch, not the connection between the firewall and switch.  My recommendations above are assuming that all of your network devices are connected to the switch and nothing else is connected to the firewall (other than WAN and switch connections).

If you do have devices that can connect at faster speeds, you might want to connect those devices directly to the firewall's 2.5gb ports and then connect the firewall to the switch using the 10gb connection to ensure the fastest possible speeds should there be max throughput on several firewall ports at the same time.  In that case, using the 10gb connection between the firewall and switch could make a difference in overall network speed.

Hopefully that makes sense!

Tom,

You seem to be just beginning your network journey.  As such, I would like to know why you think you need a DMZ?  While DMZs are not unheard of, they are kind of out of the ordinary for a typical home network.  I just want to get some clarity on your use case because it might be something you think you need, but really don't.

Any particular reason you feel the need to run two DHCP servers (one in OPNsense and one in the Wireless AP)?  To keep it simple, you should really just run one on the OPNsense device.  Any device connecting to the wireless AP will still be issued a DHCP address from the firewall.  Hopefully the two current servers are handing out addresses in different subnets, but that still raises complexity to the system that really isn't needed.  If the two servers are handing out addresses that can overlap with each other, then you will really have problems.

Thanks for everyone's help with this.  I utilized the stacking capability of the Brocade switches and it works great. Being a non-professional and having zero experience with stacking, I thought it was going to be a challenge for me to accomplish because I was expecting to have to do a lot of the switch configuration manually.  In the end, all I really had to do was connect the two switches together correctly and then initiate the stacking setup on the "primary" switch.  It found the second switch and set both switches up in the stack automatically.  It couldn't have been easier to do!

I would suggest that you change the "from LAN network" to "any" in both of your rules, making it a true Allow All type of rule.

I think trying to stack the switches is going to be the best option.  I currently run an Aruba S2500-48p in my current network.  I also have a second Aruba S2500-24-p at my parents house that I could "swap" and use at my house if needed.

I have purchased a Brocade ICX6610-48 and a ICX6450-48p as well.  I have come to learn that those two units will "stack" to some degree, but apparently there are some limitations in the way Brocade handles the stacking of these two models.  Honestly I wasn't even sure they would stack together at all due to being different models.

I am currently only using LVANs (L2) on my Aruba switch and I have no idea the advanced capabilities of that switch, although I do know it supports stacking with like models so I should have no problem stacking the S2500s together.

Any suggestions as to which set of switches I should use?  I guess I am leaning towards the Brocade since it is the easiest to try out without disrupting my current network.

I have set up OPNsense in a lab environment to try out.  I have a situation I need to figure out before I can roll it out to my home network.  I have two network switches - both managed.  I have multiple VLANs set up.  I have three different wireless access points spread around my home that run multiple SSIDs for most of the VLANs.  All of the APs will be plugged into one switch.  I have some wireless networks that are assigned to VLANs that will be handled by the second switch.  Therefore I need to be able to access some of the VLANs on both switches.

I'd like to attach each switch directly to my OPNsense device via 10gb SFP+ ports (the firewall has two of those ports available).  Since OPNsense assigns VLANs to interfaces, and it doesn't seem possible to assign an interface to more than one network port, what are my options?  Is it possible through some sort of aggregation option?

I realize one answer is to run the firewall to the first switch and then the first switch to the second switch, but that seems to waste bandwidth of the 1st switch unnecessarily.  A second answer is to use the layer 3 functionality of my switches and take the VLAN assignment away from OPNsense.  I may go this route but will need to set up a DHCP server on the network as well as set up rules in the switches.  That's certainly possible (and probably the most "professional" answer), but I'm hoping for a simpler solution.

Hopefully this question makes sense.  I'm not an IT professional, so I might not be using the correct terminology to describe my situation.  Thanks for the help!

I just wanted to say thank you for posting this information.  I just installed one of these cards in my OPNsense device and it saved me a lot of headaches!

Neither.  Right now I would look at some of the many Brocade switches being sold on EBay.  Check this thread out for more information.  https://forums.servethehome.com/index.php?threads/brocade-icx-series-cheap-powerful-10gbe-40gbe-switching.21107/