Messages - P195

#1
The only reason I said PoE was because I was thinking I'd mount the WAPs on the walls or ceiling and it would save the hassle of a mains supply for them. So do you take Ethernet from the managed non-PoE switch to an unmanaged PoE switch and connect your WAPs to that? I didn't know you could do that.

Is the management interface good enough for what most home users would need? Do you think it's worth paying more for something more refined in this area? And do you think the concern about dodgy Chinese firmware is justified? Seeing as I'm a beginner I'd like to take the cheap route to begin with, but not at the expense of network security and privacy.
#2
Thanks, I was thinking Mullvad + WireGuard. At the moment I was just considering whether it would make sense to set up Unbound with a public DNS provider if I will be using a VPN with either WireGuard or OpenVPN in the near future.
#3
Hello,

Thanks, so basically you mean just use VPN permanently for all network traffic and use their DNS always?
#4
Quote from: dseven on March 07, 2025, 10:20:44 AM
I suppose the implied question here is "Is my understanding correct?". I believe that it is. Basic managed switches are cheap nowadays, so I'd probably recommend doing VLANs from the beginning - it'll give you more flexibility going forward - but you could use physical separation while you have enough physical NICs on your firewall to support it.

Quote from: dseven on March 07, 2025, 10:20:44 AM
Layer 3 switches implement routing between subnets on the switch. In this case, OPNsense is not in the path between subnets, and so it can't enforce policy on traffic from one subnet to another. You probably don't want that.

Thank you, these are very clear and simple answers - I appreciate that!

Would you go out on a limb to recommend me a 2.5GbE PoE managed switch (I assume layer 2 based on what you said above) to support VLAN tagging which is fairly priced but reliable for home use? Netgear? MikroTik? UniFi? Other? I guess you'd advise to steer away from cheap Chinese switches?
#5
Hi All,

I've been doing a bit of research to understand DNS and how to use Unbound recursive DNS in conjunction with a public DNS resolver such as Quad9 / Cloudflare. It seems like a far better choice than using the ISP's DNS and also allows me to encrypt the connection between Unbound and the public DNS service using DoT or DoH.

The question I have is, can I / should I still implement this if I plan on using a VPN connection sometimes (either on the router or on the clients)? I've read that this can actually degrade security and privacy by making DNS leaks more likely.

If I did implement this, would OPNsense use Unbound > Q9/CF when not using the VPN and then switch to the VPN's DNS service when connected to the VPN? Would that be the best approach? And would that depend on whether the VPN service was hosted on the router or not?

How should DNS be handled both when using a VPN and when not?

Any help is much appreciated!
#6
Hi all, thanks for your replies.

Quote from: passeri on March 06, 2025, 02:25:13 AM
If you have no ports or services intentionally exposed to the internet then all is sweet.

I don't have any ports or services intentionally exposed; whether I have any unintentionally exposed is another question. What's the best way to check?
If that reveals that no ports or services are exposed, to confirm, does that mean that the double NAT concern is a non-issue?

Quote from: passeri on March 06, 2025, 02:25:13 AM
Do not bridge your ISP router until you have placed it 'inside' Opnsense else your wireless devices will be fully exposed.

I don't want to bridge the ISP router anyway because the rest of the family use it for the wireless functionality and, as far as I'm aware, if I put it in bridge mode then that is disabled. Have I understood you correctly that the edge router (the ISP router in this case) has to perform NAT to keep the wireless devices secure, and that by enabling bridge mode you are disabling NAT?

It's not too important anyway because I'm either leaving it set up as it is now or ditching the ISP modem/router to replace it with a dedicated modem going directly to the OPNsense box. It's just that I'm still a bit overwhelmed by all the options and settings, and I wanted to be sure I can understand OPNsense well enough before putting it in as the whole-house router and then getting grief from the family when I can't administer it with confidence!

===

Another question I have which is completely unrelated to the thread title (sorry) is whether I need managed switch(es) or not if I want to separate my network into categories. My understanding so far is this:

My OPNsense box has 4 ports: 1 WAN, 3 LAN. If I wanted to segregate network connections into 3 categories (My Network / Wireless Devices / Work Devices), then I could use 3x unmanaged switches connected to each LAN interface port, wire devices / WAPs from these switches and then use firewall rules to block access between each port.

If I wanted to segregate my network into six categories (My Network / IoT Devices / Work Devices / Guest Devices / Security Devices / VPN), then I would need a managed switch because I would need to set up VLANs. In this case I could in theory do everything from only one LAN port on the OPNsense box if I bought a switch with enough ports.

And lastly, about the difference between an L2 and L3 switch and what would be the factors in deciding which type to get.

Probably way off the mark with most of this, but I would be grateful for any corrections / advice.

Many Thanks
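As an added illustration of what the managed switch does in the six-category scenario described in the post above (example code written for this edit, not code from the thread, from OPNsense or from any switch vendor), the following Python builds and parses 802.1Q-tagged Ethernet frames and models the ingress decision of an access port versus a trunk port. The MAC addresses, VLAN IDs and payload are constructed sample values, and the port model is deliberately simplified (what a real switch does with a tagged frame arriving on an access port varies by vendor).

```python
"""802.1Q VLAN tagging, as a managed switch applies it to frames.

Added example for this edit; not code from the thread, OPNsense or a switch
vendor. Standard library only. All MAC addresses, VLAN IDs and payloads
below are constructed sample values.
"""
import struct

TPID_8021Q = 0x8100       # tag protocol identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Ethernet II frame (FCS omitted); an 802.1Q tag is inserted after the
    source MAC when vlan_id is given."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:            # 0 and 4095 are reserved
            raise ValueError("VLAN ID must be in 1..4094")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP must be in 0..7")
        tci = (pcp << 13) | vlan_id             # PCP(3) | DEI(1)=0 | VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vlan_id and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": mac_str(dst), "src": mac_str(src), "pcp": pcp,
            "vlan_id": vlan_id, "ethertype": ethertype,
            "payload": frame[offset:]}


def ingress_vlan(frame, mode, pvid, allowed=frozenset()):
    """Simplified managed-switch ingress decision.

    access: the port belongs to one VLAN (pvid); untagged frames are placed
            in it and tagged frames are dropped (vendor behaviour varies).
    trunk:  tagged frames keep their VLAN if it is allowed on the trunk;
            untagged frames fall into the native VLAN (pvid).
    Returns the VLAN the frame is forwarded in, or None if it is dropped.
    """
    vid = parse_frame(frame)["vlan_id"]
    if mode == "access":
        return pvid if vid is None else None
    if mode == "trunk":
        if vid is None:
            return pvid
        return vid if vid in allowed else None
    raise ValueError(f"unknown port mode {mode!r}")


if __name__ == "__main__":
    tagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18,
                         vlan_id=20, pcp=3)
    print(parse_frame(tagged))
    # trunk towards the firewall carrying VLANs 10/20/30, and an access port
    # for a device that must only ever sit in VLAN 30
    print(ingress_vlan(tagged, "trunk", pvid=1, allowed={10, 20, 30}))   # 20
    print(ingress_vlan(tagged, "access", pvid=30))                        # None
```

The trunk case is the one that matters for "everything from one LAN port": the switch port facing the firewall carries all six VLANs tagged, each device port is an access port that strips and adds the tag for its own VLAN, and the firewall sees each VLAN as a separate interface to put rules on. An unmanaged switch has no per-port VLAN assignment at all, which is why tagging is what forces the managed switch.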
#7
Hi All,

I know ideally the OPNsense box should be the only router, but I'm using it locally for my personal devices at the moment rather than for the whole house.

I have my ISP modem/router as the edge router that serves wireless to the rest of the house. It is not in bridge mode because I need the wireless functionality.
My OPNsense box's WAN port receives its IP via DHCP and is connected to the LAN port of the ISP router.

If the ISP router is not in bridge mode, I assume it is performing NAT. Does OPNsense also perform NAT by default? Is that a double NAT situation?
If yes, what should I do to avoid double NAT until such a time when the OPNsense box (+ switch(es) + WAPs) becomes the whole-house router? Is there an option to disable NAT on the OPNsense box, and would that be the correct approach?

Or am I just worrying about a non-issue?

Many Thanks
P195
#8
Ok I've got it to work now.

I'm sure I followed all the same steps as before, but I obviously missed something. I think it was possibly because I forgot to enable the igc1 assignment as you suggested.

In the console I now see:

LAN Bridge (bridge0)  ->  v4: 192.168.49.1
Mint (igc3)           ->
Unraid (igc2)         ->
W11 (igc1)            ->
WAN (igc0)            ->  v4/DHCP4: 192.168.1.207/24

Also, in Services > ISC DHCP > Leases I see three leases for W11 / Mint / Unraid.

When typing http://tower.local in the address bar as suggested in the Unraid documentation it won't resolve, but if I type the DHCP lease IP address in the address bar it does.

So it looks like the bridge is now working as expected.

I got there in the end and I appreciate your support!

I've got a switch coming in the next week or so, so this will probably be irrelevant and I expect I'll have new challenges getting that configuration working too! Nevertheless, it's all good exposure and learning. At least now I can have a play with the Unraid GUI.

P195 
#9
Thanks. This is going to save me many times in the future, no doubt.
#10
I changed my naming from before. My LAN is now set to Bridge0 (now named LAN Bridge). The new assignment (igc3 - the one that was unassigned after step 3) is OPT3 (now named W11).
#11
So I've gone through the whole guide again from scratch and followed it to the letter.

Interfaces end up as:

[WAN]         WAN    igc0
[LAN Bridge]  LAN    Bridge0
[Win11]       OPT3   igc1
[Unraid]      OPT1   igc2
[Mint]        OPT2   igc3

Restarted all devices. Plugged the WAN cable into igc0, W11 into igc1, the Unraid server into igc2, and left Mint disconnected.

Once at the console I see:

LAN Bridge (bridge0)  ->  v4: 192.168.49.1
Mint (igc3)           ->
Unraid (igc2)         ->
WAN (igc0)            ->  v4/DHCP4: 192.168.1.207/24

I noticed W11 is not on that list, is that expected? On the W11 PC, there is no network access. Properties of adapter are set to "obtain an IP address automatically".
#12
I assume then that to capture the full state you need a settings backup (.xml) and a snapshot, so it makes sense to create them both at the same time before fiddling / making changes?

#13
Sorry, spoke too soon before reading the whole document.

    If the WebGUI is unavailable:

        Boot the OPNsense, at the start of the boot sequence the Boot Menu will show up
        Press the Space Bar to pause it
        Press 8 to choose 8. Boot Environments which displays the current Snapshots
        Press 2 to select a different active Snapshot, it should now display zfs:zroot/ROOT/known-good
        Press 1 to go back to the main menu
        Press ENTER to select 1. Boot Multi user [ENTER]

    Tip

    If there are more Snapshots, press 2 repeatedly to cycle through them.

#14
Cool, I haven't used the snapshots feature before but sounds useful.

Only thing is, don't you have to log in to get to the menu to select option 8? I'm pretty sure yesterday the reason I couldn't restore with option 13 was because I couldn't get to the menu because my login and password were not working.
#15
Hi All,

If you change settings which end up locking you out so that you can no longer access the web GUI or log in at the console, what is the easiest way to restore a backup or to regain access?

This has happened to me several times now by fiddling about, and yesterday I found myself in this scenario again where I think I changed from static IP to DHCP (I can't quite remember what I did), but I couldn't access the web GUI and when in the console my login and password were not allowing me to log in. I tried various things for several hours but to no avail, so I ended up reinstalling back to a fresh install and loading a saved .xml config, but this also caused headaches due to missing plugins and their settings etc.

I've now managed to reconfigure everything again, but if I find myself in this scenario again, rather than having to reinstall, what's the easiest solution?

I know you can restore from the console, which I have done several times before, but this time I was unable to log in to do that.
Is it possible to put a saved .xml config file on a USB pen drive and restore settings like that?
Can I back up the whole install including plugins (image?) rather than just the settings and restore like that?
Or is there a better way that I've overlooked?

Many Thanks
P195
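Three of the posts above ask for checks that can be made against a saved config.xml before it is restored: post #15's lock-out after a LAN address change, posts #8 and #11 where an assigned interface was missing from the console list because it had not been enabled, and post #6's question about ports exposed from the OPNsense side. The following Python is an added example written for this edit; it is not code from the thread or from OPNsense. The element names it reads (interfaces/<name>/if, enable and ipaddr; nat/rule; filter/rule) follow the pfSense-derived layout of config.xml as the author of this example understands it and should be treated as assumptions to compare against a real backup. The embedded XML is a constructed sample, not a real backup.

```python
"""Sanity-check an OPNsense config.xml backup before restoring it.

Added example; not part of the forum thread or of OPNsense. Standard
library only. The element paths below (interfaces/<name>/if, enable,
ipaddr, nat/rule, filter/rule) are assumptions about the config.xml layout;
verify them against a real backup. SAMPLE_CONFIG is constructed data.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igc0</if><descr>WAN</descr><enable>1</enable><ipaddr>dhcp</ipaddr></wan>
    <lan><if>bridge0</if><descr>LAN Bridge</descr><enable>1</enable>
         <ipaddr>192.168.49.1</ipaddr><subnet>24</subnet></lan>
    <opt1><if>igc2</if><descr>Unraid</descr><enable>1</enable></opt1>
    <opt2><if>igc3</if><descr>Mint</descr><enable>1</enable></opt2>
    <opt3><if>igc1</if><descr>W11</descr></opt3>
  </interfaces>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
          <destination><port>8443</port></destination>
          <target>192.168.49.20</target><local-port>443</local-port>
          <descr>constructed example forward</descr></rule>
  </nat>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
          <destination><port>8443</port></destination><descr>NAT forward</descr></rule>
    <rule><type>pass</type><interface>wan</interface><disabled>1</disabled>
          <descr>old rule, disabled</descr></rule>
    <rule><type>pass</type><interface>lan</interface><descr>Default allow LAN</descr></rule>
  </filter>
</opnsense>
"""


def text(el, path, default=""):
    child = el.find(path)
    return child.text.strip() if child is not None and child.text else default


def audit(xml_text):
    """Return a dict describing what restoring this backup would bring back."""
    root = ET.fromstring(xml_text)  # own backup; use defusedxml for untrusted XML
    report = {"interfaces": [], "assigned_not_enabled": [],
              "static_lan_side": [], "port_forwards": [], "wan_pass_rules": []}
    for iface in root.find("interfaces"):
        entry = {"name": iface.tag, "descr": text(iface, "descr"),
                 "device": text(iface, "if"),
                 "enabled": text(iface, "enable") == "1",
                 "ipaddr": text(iface, "ipaddr", "none")}
        report["interfaces"].append(entry)
        if not entry["enabled"]:
            report["assigned_not_enabled"].append(iface.tag)
        if iface.tag != "wan" and entry["ipaddr"] not in ("none", "dhcp"):
            report["static_lan_side"].append(f"{iface.tag}={entry['ipaddr']}")
    for rule in root.iterfind("nat/rule"):
        report["port_forwards"].append({
            "interface": text(rule, "interface"),
            "proto": text(rule, "protocol", "any"),
            "wan_port": text(rule, "destination/port", "any"),
            "target": f"{text(rule, 'target')}:{text(rule, 'local-port', '?')}"})
    for rule in root.iterfind("filter/rule"):
        if (text(rule, "type") == "pass" and text(rule, "interface") == "wan"
                and text(rule, "disabled") != "1"):
            report["wan_pass_rules"].append(
                f"{text(rule, 'protocol', 'any')} dst port "
                f"{text(rule, 'destination/port', 'any')} ({text(rule, 'descr')})")
    return report


def findings(report):
    """Warnings a practitioner would want to read before pressing Restore."""
    out = []
    if report["assigned_not_enabled"]:
        out.append("assigned but NOT enabled: " + ", ".join(report["assigned_not_enabled"]))
    if not report["static_lan_side"]:
        out.append("no LAN-side interface has a static address; the GUI may be unreachable")
    for pf in report["port_forwards"]:
        out.append(f"port forward on {pf['interface']}: "
                   f"{pf['proto']}/{pf['wan_port']} -> {pf['target']}")
    for rule in report["wan_pass_rules"]:
        out.append("WAN pass rule: " + rule)
    return out


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    rep = audit(source)
    for i in rep["interfaces"]:
        print(f"{i['name']:<5} {i['descr']:<11} {i['device']:<8} "
              f"{'enabled' if i['enabled'] else 'DISABLED':<9} {i['ipaddr']}")
    for line in findings(rep):
        print("!", line)
```

Run it as `python3 audit_config.py config-backup.xml` (any filename; the script name is just a suggestion). On the constructed sample it flags opt3 (igc1, "W11") as assigned but not enabled, which is exactly the state that leaves an interface off the console list, and it lists the one port forward and the one active WAN pass rule. For the exposure question this only covers what OPNsense itself would open; port forwards or UPnP mappings on the ISP router in front of it are not in this file, so a scan from outside the network remains the definitive check.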