Messages - Mombro

#1
General Discussion / Re: VLAN for Beginners
April 04, 2025, 09:45:30 AM
Thanks for your help.

I'm wondering if there is anything I can do to break down the issue into smaller tasks, like... Can I perform a simple test if it works on the opnsense side? Attach my notebook directly to opnsense Eth4, and submit a ping on vlan 10 to test if the opnsense would even respond there? Maybe ping/icmp is blocked for some reason and the switch has been working all the time, but I made a mistake in opnsense?
#2
General Discussion / Re: VLAN for Beginners
April 03, 2025, 09:28:16 PM
Hi Eric,

Thanks for the explanation. I think that is exactly what I had set up:

Eth4 is only used by vlan 10 (and in the future hopefully vlan 20). No other traffic there.

My zyxel lists "trunk port" under the pvid category, so I set it to pvid 1 for opnsense and set it to trunk.

The notebook port will be set to pvid 10.

As for vlans, I will set the opnsense port to "forbidden" for vlan 1, and "tagged" for vlan 10.

And the notebook will be "forbidden" for vlan 1 and "untagged" for vlan 10. Right?

I'm trying to be as explicit as I can while I'm trying to understand all these concepts and who is tagging and accepting what ;-)

I will try again with these settings tomorrow evening...
#3
General Discussion / VLAN for Beginners
April 03, 2025, 08:31:35 PM
Hi guys,

I'm kinda familiar with the concept of VLANs and wanted to dive into this for my home setup.

I have two OPNsense on two small, low-power 4-port NUCs, working in high availability and quite smoothly for more than a year. My home lan is 192.168.0.0/21 and I intend to have my guest network via VLAN in something like 192.168.100.0/24.

So I read the OPNsense tutorial (https://docs.opnsense.org/manual/how-tos/vlan_and_lagg.html) and created another device/VLAN in OPNsense, set VLAN to 10, attached it to the 4th LAN port that is otherwise unused. (1 is LAN, 2 is CARP, 3 is internet)
I assigned the VLAN-device in "assignments" (not much else to do there, right?)
I also set the IP address of that device to 192.168.100.1/24 and all other settings similar to my current LAN interface (i.e. not configured anything).

I also, for troubleshooting purposes, added a firewall rule that allows anything inbound and outbound of that guest VLAN.

That was about it in the OPNsense.

Then I went to my Zyxel switch, a GS1900-24E (which I plan to upgrade to 48 ports, but not yet sure which brand), and I kinda tried everything, but nothing worked.
I attached my notebook to port 19, and the OPNsense VLAN port to port 2 on the Zyxel.

  • I added my notebook (port 19) to PVID 10, untagged, accept all, no ingress check, no vlan trunk. As far as I understood, that is meant to be used by computers that don't tag packets
  • I did not add the OPNsense (port 2) to a PVID
  • I set VLAN1 to "forbidden" on the two ports
  • I set VLAN10 to "untagged" on ports 2 and 19

So what I now see in Wireshark is that the Zyxel sends some tree spanning protocol or something on VLAN10 to my notebook. So I know that incoming, the port uses VLAN tags.
I do not see any other traffic in Wireshark, so I am in fact isolated. I cannot even tell if outgoing traffic of the notebook will be tagged as VLAN10 (and not sure if that mattered).

When I manually set my IP to 192.168.100.2 on my notebook, I cannot ping 192.168.100.1.

All other, ordinary devices in 192.168.0.0/21 can ping that OPNsense VLAN interface IP 192.168.100.1.

I fumbled around a lot with the forbidden/tagged/untagged stuff and learnt a few things about VLANs and so, but I must admit I'm really a beginner who wants to learn something new here.

I would be really grateful if someone could provide some advice what I might be doing wrong here :-/

Thanks a lot in advance <3
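The post describes per-port "untagged"/"tagged"/"forbidden" membership plus a PVID, and an OPNsense VLAN device on the uplink port. The following Python model is an added example (not code from the thread, from OPNsense or from Zyxel) that simulates those switch rules so you can see what an untagged ping from the notebook looks like when it arrives at the OPNsense port, and why a VLAN sub-interface only receives frames that still carry their 802.1Q tag. Port numbers and VLAN ids follow the post; the switch model itself is a simplification (flooding only, no MAC learning, no STP, "accept all" ingress) and the port-5 LAN port is a constructed extra for contrast.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Membership modes a Zyxel-style switch offers per (port, VLAN) pair.
UNTAGGED, TAGGED, FORBIDDEN = "untagged", "tagged", "forbidden"


@dataclass
class Port:
    pvid: int                                                   # VLAN assigned to frames arriving without a tag
    membership: Dict[int, str] = field(default_factory=dict)    # vid -> UNTAGGED | TAGGED | FORBIDDEN


@dataclass
class Frame:
    src_port: int
    vid: Optional[int]      # VLAN id in the 802.1Q tag, None if the frame is untagged on the wire
    payload: str


class Switch:
    """Flood-only model of a VLAN-aware switch (no MAC learning, no STP)."""

    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN; None means the switch drops it."""
        port = self.ports[frame.src_port]
        vid = frame.vid if frame.vid is not None else port.pvid
        # A port that is 'forbidden' for (or not a member of) that VLAN drops the frame.
        if port.membership.get(vid, FORBIDDEN) == FORBIDDEN:
            return None
        return vid

    def egress(self, vid: int, frame: Frame) -> Dict[int, Frame]:
        """Copy the frame to every other member port: TAGGED ports keep the tag, UNTAGGED ports strip it."""
        out: Dict[int, Frame] = {}
        for num, port in self.ports.items():
            if num == frame.src_port:
                continue
            mode = port.membership.get(vid, FORBIDDEN)
            if mode == FORBIDDEN:
                continue
            out[num] = Frame(frame.src_port, vid if mode == TAGGED else None, frame.payload)
        return out

    def forward(self, frame: Frame) -> Dict[int, Frame]:
        vid = self.ingress(frame)
        return {} if vid is None else self.egress(vid, frame)


def vlan_subinterface_sees(frame: Frame, vid: int) -> bool:
    """An OPNsense VLAN device only receives frames tagged with its own id; untagged frames
    go to the parent interface, which in the post has no address on the guest subnet."""
    return frame.vid == vid


def build_switch(uplink_mode: str) -> Switch:
    """Port 19 = notebook (PVID 10, untagged member of VLAN 10); port 2 = OPNsense uplink.
    uplink_mode is the VLAN 10 membership of port 2: UNTAGGED (first attempt) or TAGGED."""
    return Switch({
        19: Port(pvid=10, membership={1: FORBIDDEN, 10: UNTAGGED}),
        2: Port(pvid=1, membership={1: FORBIDDEN, 10: uplink_mode}),
        5: Port(pvid=1, membership={1: UNTAGGED}),   # constructed ordinary LAN port, for contrast
    })


def notebook_to_opnsense(uplink_mode: str) -> dict:
    """Send an untagged echo request from the notebook and report what reaches OPNsense's vlan 10 device."""
    sw = build_switch(uplink_mode)
    delivered = sw.forward(Frame(src_port=19, vid=None, payload="icmp echo 192.168.100.2 -> 192.168.100.1"))
    on_uplink = delivered.get(2)
    return {
        "reaches_port_2": on_uplink is not None,
        "tag_on_wire": None if on_uplink is None else on_uplink.vid,
        "seen_by_vlan10_device": on_uplink is not None and vlan_subinterface_sees(on_uplink, 10),
        "leaks_to_lan_port_5": 5 in delivered,
    }


def opnsense_to_notebook(uplink_mode: str) -> dict:
    """The reply path: OPNsense's vlan 10 device emits a frame tagged 10 on the uplink port."""
    sw = build_switch(uplink_mode)
    delivered = sw.forward(Frame(src_port=2, vid=10, payload="icmp echo-reply"))
    return {"reaches_notebook": 19 in delivered,
            "notebook_frame_untagged": 19 in delivered and delivered[19].vid is None}


if __name__ == "__main__":
    for mode in (UNTAGGED, TAGGED):
        print(f"uplink port 2 = {mode}: {notebook_to_opnsense(mode)} / {opnsense_to_notebook(mode)}")
```

With the uplink set to "untagged" the frame does reach port 2, but arrives without a tag, so the vlan 10 device never sees it; with "tagged" it arrives carrying VID 10 and the sub-interface picks it up, while the plain LAN port stays isolated from VLAN 10 in both cases.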
#4
Hi,

this is 2025 replying. I just wanted to say: I did everything as described above, but it did not work. I read the mentioned docs and found this:

Next, create a new SSH key specifically for git-backup (only generate the private / public keys per that document and skip the rest). It is imperative that you do not add a password to your key, or your backups will fail with authentication errors.


Well, what shall I say ... now it works ... Just don't set a password for the SSH key (man, how would opnsense know the password anyway, yuk)
#5
Hi everyone,

this topic has become a bit too much for me and I have found the limits of my understanding here.

The short version is that I have two OPNsense firewalls with CARP, which I "accidentally" found out is working properly ;-) I also have two internet routers, one with fiber internet, one with LTE/4G as backup internet.

The backup internet connection worked properly until I configured the HA system. Now, I cannot ping the backup LTE router from my internal network or from the OPNsense. This draws the conclusion that something is wrong with the NATing, seeing also that I had to perform changes there during the HA setup and that there needs to be NAT happening because the LTE router is in a different network.

For easier understanding, I tried to visualize this - see the attached screenshot.

I thought that maybe I just needed to add the LTE WAN in outbound NAT like the Fiber WAN, but that did not help - screenshot attached.

Now I'm lost where to look or what to do ... I'm unconscious of changes that would be necessary in regards to firewall rules, so although I have not attached a screenshot, you can expect that I haven't changed anything there.

I used this guide to setup my high availability system: https://www.thomas-krenn.com/en/wiki/OPNsense_HA_Cluster_configuration

I really hope someone out there can help me. During my miserable attempts, I killed the main firewall's config (thereby finding out that the availability part works).

Thanks a lot in advance. Your help is highly appreciated!
#6
Hi guys,

Quick question: I have several allowlisted domains in my unbound blocklist config, e.g. WhatsApp and YouTube which otherwise won't work with some lists.

The allowlist becomes kinda cluttered and I'm wondering if there's a chance I could set up my own list somewhere, e.g. github, where unbound can retrieve the list.

I googled for unbound feature request, but didn't find anything suitable. Any idea where I could forward this to?

Thanks a lot in advance!
#7
Quote from: this.is.tom on March 19, 2024, 09:29:05 AM
When I connect via the official Wireguard client on my Mac Book it appears to be working. However I am unable to access any resources, neither internal ones (10.0.1.0/24) nor any public ones like 9.9.9.9 for DNS or any URLs.

Hi Tom,

I found that this might be a false-positive. My Windows app always shows "connected" even when I enter completely wrong IPs and credentials. Have a try at that, too, to see if something changes when you enter wrong credentials.
#8
I'll be happy to jump in on this topic. I just did the same today in my home network.

I read this guide: https://www.zenarmor.com/docs/network-security-tutorials/how-to-setup-wireguard-on-opnsense#8-enabling-wireguard-server-on-opnsense
and ofc the official OPNsense documentation, which I found of limited use as it's 90% the same as the configuration pages with a bit more text to it: https://docs.opnsense.org/manual/vpnet.html#id4

Things I don't understand:

* Inside the instance in OPNsense and Wireguard, I'm supposed to enter a tunnel address. Is this the network of the VPN? So I shouldn't use the normal LAN network, but a different CIDR range? So my LAN is 192.168.0.0/21, but for the VPN I must use something else, like 10.0.0.1/24 or 192.168.10.0/24 ? Or can it be the same if I'm not depending on network isolation?

* In the peers, I must configure a PSK, but neither in the Android app nor the Windows app, there's anywhere where I should have to enter such key. I understand that the pub/priv key is kinda PKI-like, so why add a PSK as well?

* Why do peers need an allowed IP? Is this because I can set the IP address in the wireguard client, too, and they must be the same network? What is the endpoint address and the endpoint port that I need to set in the peer? "Set public IP address the endpoint listens to" - Why would the endpoint/client listen to a public address? It should be the one it connects to, but not "listen"?

* I configured a firewall rule that allows simply every traffic coming from the WireGuard group/net. (see screenshot). According to internet resources, the WireGuard (Group) interface applies simply to all WireGuard instances.

* When I do an nmap scan on OPNsense port 51820, nothing appears or at least it says "open/filtered", but does not show any service (nmap -p 51820 192.168.0.1 -sUV - yes, I did a service scan because it's UDP). It also does not work when I scan the VPN IP 10.0.0.1 of OPNsense. That seems odd. I don't see anywhere in OPNsense where I would configure that the VPN should *not* be accessible from the LAN, so it should show, I think?
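The last bullet asks why a UDP service scan of port 51820 reports open|filtered with no service name. WireGuard is designed to stay silent towards any datagram that is not a correctly framed and authenticated handshake message, so a scanner's probe (an empty datagram, an ASCII banner-grab string, or random bytes) gets no reply and nmap cannot tell "dropped by a filter" from "listening but silent". The following classifier is an added example, not code from the thread or from the WireGuard project; it applies only the public framing rules of the protocol (message type byte, three reserved zero bytes, fixed handshake sizes, 16-byte-aligned transport payloads) to constructed datagrams. It cannot check the mac1 field, which WireGuard also verifies before answering, so even the "initiation-shaped" sample below would still be dropped by a real peer. A defender can use the same check to recognise WireGuard traffic in captures or flow logs.

```python
from typing import Dict

# Message types and fixed sizes from the published WireGuard protocol description.
HANDSHAKE_INITIATION, HANDSHAKE_RESPONSE, COOKIE_REPLY, TRANSPORT_DATA = 1, 2, 3, 4
FIXED_SIZES = {HANDSHAKE_INITIATION: 148, HANDSHAKE_RESPONSE: 92, COOKIE_REPLY: 64}
NAMES = {1: "handshake_initiation", 2: "handshake_response", 3: "cookie_reply", 4: "transport_data"}


def classify(datagram: bytes) -> str:
    """Return which WireGuard message a datagram is shaped like, or 'drop'.

    WireGuard never replies to anything failing these checks (nor to a well-shaped
    initiation whose mac1 is not keyed to its public key), which is why a UDP
    scanner only ever sees open|filtered on its port."""
    if len(datagram) < 4:
        return "drop"
    msg_type, reserved = datagram[0], datagram[1:4]
    if reserved != b"\x00\x00\x00":          # bytes 1..3 must be zero in every message type
        return "drop"
    if msg_type in FIXED_SIZES:
        return NAMES[msg_type] if len(datagram) == FIXED_SIZES[msg_type] else "drop"
    if msg_type == TRANSPORT_DATA:
        # 16-byte header (type, receiver index, counter), then a ChaCha20-Poly1305
        # ciphertext: inner packet padded to a multiple of 16 plus a 16-byte tag.
        body = len(datagram) - 16
        return "transport_data" if body >= 16 and body % 16 == 0 else "drop"
    return "drop"


def scanner_probes() -> Dict[str, str]:
    """Constructed datagrams: what a port scan typically sends next to what a peer sends."""
    probes = {
        "empty_udp_probe": b"",                                      # generic UDP scan probe
        "ascii_banner_grab": b"HELLO\r\n",
        "initiation_shaped": bytes([1, 0, 0, 0]) + b"\x00" * 144,    # right framing, bogus contents
        "keepalive": bytes([4, 0, 0, 0]) + b"\x00" * 28,             # transport message, empty payload
        "truncated_response": bytes([2, 0, 0, 0]) + b"\x00" * 50,
        "unknown_type": bytes([7, 0, 0, 0]) + b"\x00" * 60,
    }
    return {name: classify(p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, verdict in scanner_probes().items():
        print(f"{name:20s} -> {verdict}")
```

Only the datagrams a peer would actually emit classify as anything other than drop; the scan probes all land in the silent path, which is the behaviour the nmap output reflects rather than a missing firewall rule.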
#9
If anyone cares, the OPNsense is running very smoothly at ~42°C outside the rack.

It's basically configured with unbound, ISC DHCP (which has dropped support for sometime soon ... ugh), Gateway failover ... works like a charm. I'll probably order another cheap PC as a backup machine for high availability :D
#10
Quote from: Mombro on March 04, 2024, 07:29:59 AM
Hi,

I edited the topic post to reflect more clearly that the dns service is not reachable.

I will delete the gateway group and see if that helps or changes anything.

Bro, what the heck ... I deleted the group, disabled the LTE WAN, and it works instantly.

I guess I gotta inspect that grouping a bit more and learn about it more <3
#11
Hi,

I edited the topic post to reflect more clearly that the dns service is not reachable.

I will delete the gateway group and see if that helps or changes anything.
#12
General Discussion / Unbound dns doesn't work at all
March 03, 2024, 04:47:02 PM
Intro: I took a lot of screenshots as proof, but I can only upload 4 with a max. of 256kb. I hadn't thought such restrictions might exist here ...

Hi all,

I am experiencing some weird behaviour in my newly set up opnsense and need some help.

Background:
I have a lot of experience in networking, coming from an IT Security background and many years of penetration testing.
I want to say of myself that I understand how networking and routes work on layers 2 and 3 and 4.

My home network consists of:

  • Telekom fiber modem
  • My own fritz box that connects through the fiber modem. As far as I understood Telekom's documentation, the modem simply converts ethernet into fiber. The fritz box does the dial in.
  • I have an lte router as fall back Internet gateway.
  • I use a tp link omada infrastructure at the moment. It contains a router, which is currently the main router in my network. I also have some WiFi APs and a switch from tp link, but that's unnecessary for my issue.
  • I also use a pihole for dns, installed on an ordinary raspberry pi.
  • My network is 192.168.0.0/21, because I wanted some more space in my lan for all different kinds of devices.
  • I bought a mini computer and installed opnsense on it, and want to swap, at some point in the future, the omada infrastructure to opnsense (and a different WiFi vendor).
What I have done so far:

I installed opnsense, configured the two gateways, formed a group for fail over, imported DHCP from omada, enabled dhcp. Up to that point, everything works nicely.

The IP addresses look like this:

  • Fritz box, WAN: 192.168.178.1
  • Omada router, WAN port: 192.168.178.2
  • Omada router, lan port: 192.168.0.1
  • Pihole: 192.168.0.253
  • Opnsense, WAN: 192.168.178.3
  • Opnsense, LAN: 192.168.4.254

The ipconfig on my computer looks like this, nothing manually set, everything comes from DHCP.

(image missing)

Now I wanted to remove the raspberry pi from the equation and enable dns in the opnsense. Here, I got stuck and the oddities begin, or became obvious:

When I do tracert 192.168.4.254, I see three hops:

  • 192.168.4.254
  • 192.168.0.1
  • Some entry point at my ISP

When I do tracert on any other address, I get 1 hop straight to the target.
It is the same in a linux machine, by the way.

See attachment "tracert.png"


Second weird thing: the DNS port appears as filtered/unavailable in nmap.
(image missing)

Other ports on the firewall are open, e.g. 80.
(image missing)

If port 80 wasn't available, I couldn't configure the opnsense, anyway.
(image missing)


Third strange thing: When I try to manually set the DNS server in Windows via nslookup (nslookup google.com 192.168.4.254), I see this result in the firewall logs of opnsense.
(image missing)

I have no clue why it would show the WAN network IP, 192.168.178.3, as outgoing, and the LAN network IP, 192.168.4.254, as incoming, because the request never should have left the LAN network at all.

Now, you might be wondering if I made a mistake in the firewall rules, but I in fact did not do anything there yet. When I got stuck, I added the rule to allow port 53/UDP from anywhere, but I just added this because it didn't work.

See attachment "firewall rules.png".


Unbound does listen on port 53, I did not change anything in the config there.

(image missing)

When I go to the diagnostics, I see that the opnsense can itself perform DNS requests "to the internet" and get information.

(image missing)

The service is also running, it's not stopped or anything.

(image missing)

I have asked two colleagues whom I appreciate as keen IT experts, but none found an immediate error here of what I'm doing wrong, so I'm really looking forward to your replies! :-(

Thanks a lot in advance <3

Edit: so, the problem is: dns is not accessible from the LAN network. Dns does work, as the diagnostics show that the opnsense can resolve external domains, but the service is not reachable from other devices.
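The post's diagnosis rests on nmap showing 53/UDP as filtered and on nslookup against 192.168.4.254 producing nothing usable from the LAN. A small probe that distinguishes "no reply at all" from "reply received, RCODE=…" narrows that down faster than a port scan, because a resolver that is reachable but refusing (for instance through an access-control list) still answers with REFUSED. The following script is an added example, not code from the thread, from OPNsense or from Unbound; it hand-builds a standard DNS query, parses the response header, and reports what happened on the socket. The packet builder and header parser are pure functions; probe() does the network I/O, and the response bytes used in the usage comments are constructed.

```python
import random
import socket
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query (QTYPE 1 = A, QCLASS 1 = IN) for `name`."""
    txid = random.randrange(0, 65536) if txid is None else txid
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_header(response: bytes, expected_txid: int) -> dict:
    """Decode the 12-byte header of a DNS reply and sanity-check it against our query."""
    if len(response) < 12:
        raise ValueError("short response")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")       # not the answer to our question
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": ancount,
        "recursion_available": bool(flags & 0x0080),
        "truncated": bool(flags & 0x0200),
    }


def probe(server: str, name: str = "opnsense.org", timeout: float = 2.0, port: int = 53) -> dict:
    """Send one query and say whether the resolver is reachable and how it responded."""
    query = build_query(name)
    txid = struct.unpack(">H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, port))      # connected UDP socket surfaces ICMP port-unreachable as an error
        try:
            sock.send(query)
            data = sock.recv(512)
        except socket.timeout:
            return {"reachable": False,
                    "reason": "no reply within timeout (dropped by a filter, wrong route, or not listening)"}
        except ConnectionRefusedError:
            return {"reachable": False,
                    "reason": "ICMP port unreachable: host answers but nothing listens on 53/udp"}
        except OSError as exc:
            return {"reachable": False, "reason": f"socket error: {exc}"}
    try:
        return {"reachable": True, **parse_header(data, txid)}
    except ValueError as exc:
        return {"reachable": True, "reason": f"reply received but not parseable: {exc}"}


if __name__ == "__main__":
    # The resolver address is the OPNsense LAN IP from the post.
    print(probe("192.168.4.254"))
```

Run from a LAN client, the output separates the three cases the thread conflates: a timeout (the symptom the post describes, consistent with the reply leaving via the wrong interface), an ICMP port-unreachable (nothing bound to 53), and a real DNS header with its RCODE (Unbound reachable, possibly refusing the source network).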
#13
Quote from: Seimus on January 11, 2024, 10:50:48 AM
I would advise, before you start doing anything with the device, to check the BIOS for the P1 & P2 values, and set them according to the CPU W values. I have an N5105 and its P1/P2 were over the moon; I had to set them correctly and got much better thermals.

Also, in regard to Patrick's advice about the fan: yesterday I installed a 140mm low-profile fan from Arctic (ARCTIC P14 SLIM PWM PST) and basically put it on top of the chassis fin stack. You see, my FW is in a small rack, which doesn't have much clearance, thus the temperature in the rack tends to stay constantly high. The fan decreased the temps on the device by around 20C. See the picture.

Regards,
S.

That's kinda insane, brother! I have a small rack, too, so I will definitely do that, too. Heat is an issue in there anyway, but the case cost 150€ and the vendor's proprietary fan costs 180€, so...
#14
Interesting additional information. You guys are awesome! I've added one such fan to my amazon cart and will look for temp rise! I don't expect I can underclock the CPU? It's probably doing that on its own anyway these days?
#15
Quote from: Patrick M. Hausen on January 10, 2024, 02:39:30 PM
Missed the LTE part, sorry. Then buying used is probably the only option to meet your price limit.

Hihi, ok, no problem! Thanks anyway!

I've ordered that aliexpress device for the 140$. Let's see what it does 🤣