Messages - pseudonym3k

#1
Quote from: pfry on April 16, 2026, 07:55:49 PM
For the devices themselves, perhaps "Interfaces: Neighbors: Automatic Discovery"?
It took a little time, but the camera did show up here. This is what I needed to see, thank you.
#2
Quote from: Patrick M. Hausen on April 16, 2026, 11:17:26 PM
There are tools like ntopng or netflow that give you the observability you'd like.
I will take a look at these. Thanks.
#3
Quote from: nero355 on April 16, 2026, 10:32:37 PM
As long as you don't have random people connecting devices to your network without you knowing it the risk is pretty low...
Yes I know I've practically zero risk. But that sidestepped my point that it feels like a security hole... I'm thinking of all the home users who have some router and firewall and don't know about devices that *could* be connecting to their network this way. Some elderly relatives come to mind. They're even fairly literate and technical, but without understanding they don't know what they don't know. They wouldn't even think to look. I wouldn't either, except I was curious whether it would show up in Dnsmasq leases since Dnsmasq had nothing to do with handing out the IP. I wasn't surprised it didn't show up, but that led me to wondering about devices like this in general... it was not hard to put it on my wifi with a prepopulated IP, given I know my wifi's password.

I'm not wondering about risk so much as not having (and not knowing I don't have) an upfront way of seeing everything that is connected, regardless of how it got there. Risk concerns obviously apply more to people who don't secure their routers, gave out the password a lot and never changed it, etc....

Quote from: nero355 on April 16, 2026, 10:32:37 PM
This is pretty much what you are looking for in OPNsense :
Quote:
For the devices themselves, perhaps "Interfaces: Neighbors: Automatic Discovery"?
I didn't find my camera there though. That would be excellent if it were there but it hasn't showed up yet.

Quote from: nero355 on April 16, 2026, 10:32:37 PM
And if you happen to use Pi-Hole then you can use a built-in function that does something similar.
There are also projects like this one : https://github.com/netalertx/NetAlertX
Pick the one you like the most :)
I had looked at PiHole some time back and didn't need it. I'll look at it again. And I'll look at NetAlertX, thank you for the reference. Is there anything else that would be very simple for a home user to implement?

Quote from: nero355 on April 16, 2026, 10:32:37 PM
Quote:
Also to find the IP in the ARP table presumes that the traffic is passed through OPNsense.
So for communications between devices within the same subnet no ARP entry is added on the router.
Not always :

A device can ask all other devices on the network "Who is <another device> ?" and in that case it can appear in the ARP/RARP Cache.
Also that Cache expires so maybe there hasn't been any communication in the last 300 seconds :)
The camera has been continually streaming its video to a browser open to its IP, but hasn't shown up in the ARP list.
#4
Quote from: viragomann on April 16, 2026, 08:23:28 PM
Also to find the IP in the ARP table presumes that the traffic is passed through OPNsense.
So for communications between devices within the same subnet no ARP entry is added on the router.
See my reply to pfry - I think you are right, since DHCP did not hand out a lease OPNsense is not involved in any LAN only communications for the camera in question.
#5
Quote from: pfry on April 16, 2026, 07:55:49 PM
For the devices themselves, perhaps "Interfaces: Neighbors: Automatic Discovery"? I don't use it myself, but the serious issues should be worked out. Also, "Interfaces: Diagnostics: ARP Table" for more conventionally mapped devices.
I have not visited either one of those areas before so thank you for introducing them to me. However, I did not find my camera in either one, not by IP nor by MAC address.

Quote from: pfry on April 16, 2026, 07:55:49 PM
For firewall logs, you need logging enabled for the matched rule(s). This assumes traffic passing through the firewall, of course.
I'm thinking you're right, OPNsense is not aware of the camera. I don't think it has initiated any internet connection, it is just communicating on the LAN.

I'm using a desktop PC browser to open a web setup page to the camera, and also to view the camera feed. I will be adding it to my local-only camera NVR after I give it a lease through Dnsmasq and remove the hard coded settings from the camera.

Assuming this is what's happening (OPNsense is unaware of LAN-only devices that weren't assigned a lease through OPNsense), what would someone like me use to monitor for devices on my LAN? I'm at virtually no risk, personally, not even from a neighbor - but it feels like a security hole so just asking the question. Thank you for your thoughts here.
#6
ETA: It took a little time, but the device did show up in Interfaces -> Neighbors -> Automatic Discovery. Thanks to all for responses.


Original Post:

I set up a camera with a fixed IP address in its settings.

I specified the LAN IP (192.168.1.18), the subnet mask (255.255.255.0), the gateway (192.168.1.1 - OPNsense), and the DNS (192.168.1.1 also OPNsense with DNS servers in System->Settings).

I tested the camera on Ethernet and on Wifi and it's working either way. But I don't see it anywhere in OPNsense, not even in the live firewall logs.

Is there someplace I can see a device that is configured like this?

Thank you.
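The gap discussed in the posts above (a device with a fixed IP never appears in the Dnsmasq leases) can be checked by diffing a neighbor table against the lease file. This is an added example, not part of the original posts: the MAC addresses and lease entries are constructed, the function names are hypothetical, and the ARP text is assumed to be `arp -an` output captured on a host that has actually exchanged traffic with the device.

```python
import re
# Constructed sample inputs (not from the thread). MACs are documentation values;
# 192.168.1.18 is the camera's fixed address given in the original post.
ARP_OUTPUT = """\
? (192.168.1.1) at 00:00:5e:00:53:01 on igb1 permanent [ethernet]
? (192.168.1.101) at 00:00:5e:00:53:21 on igb1 expires in 1103 seconds [ethernet]
? (192.168.1.18) at 00:00:5e:00:53:18 on igb1 expires in 877 seconds [ethernet]
? (192.168.1.77) at (incomplete) on igb1 expired [ethernet]
"""
LEASES = """\
1776400000 00:00:5e:00:53:21 192.168.1.101 laptop 01:00:00:5e:00:53:21
1776400500 00:00:5e:00:53:33 192.168.1.102 phone *
duid 00:01:00:01:2a:2b:2c:2d:00:00:5e:00:53:01
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MAC_RE = re.compile(MAC, re.I)
NEIGHBOR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at (" + MAC + r")\b(.*)", re.I)

def parse_neighbors(arp_text):
    """Return {(ip, mac)} for resolved, non-permanent entries of `arp -an` output."""
    found = set()
    for line in arp_text.splitlines():
        m = NEIGHBOR_RE.search(line)
        if not m:                      # "(incomplete)" entries carry no MAC
            continue
        ip, mac, rest = m.groups()
        if "permanent" in rest:        # the capturing host's own interface address
            continue
        found.add((ip, mac.lower()))
    return found

def parse_leases(lease_text):
    """Return {(ip, mac)} from dnsmasq lease lines: '<expiry> <mac> <ip> <name> <client-id>'."""
    leases = set()
    for line in lease_text.splitlines():
        f = line.split()
        # Skip the 'duid' line and DHCPv6 leases, whose second field is not a MAC.
        if len(f) >= 3 and MAC_RE.fullmatch(f[1]):
            leases.add((f[2], f[1].lower()))
    return leases

def unleased_neighbors(arp_text, lease_text):
    """Neighbors seen on the wire whose IP/MAC pair was never handed out by dnsmasq."""
    return sorted(parse_neighbors(arp_text) - parse_leases(lease_text))

if __name__ == "__main__":
    for ip, mac in unleased_neighbors(ARP_OUTPUT, LEASES):
        print(f"no lease on record: {ip} {mac}")
```

A host only learns neighbors it has resolved itself, so a capture from the router alone can miss LAN-only devices, as the thread observes.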
#7
Quote from: Patrick M. Hausen on April 13, 2026, 12:39:38 AM
think there is much valuable information for other/new users in this thread that should not be deleted.
If all the noise could be deleted, I'd agree. But it's a mess of misunderstandings.
#8
Quote from: Patrick M. Hausen on April 13, 2026, 12:31:13 AM
I only joined in late
And help would be appreciated, if it were needed. But it wasn't. My question was already answered with the first comment and I was done. Now I've spent all my time counteracting misunderstandings when none of it was necessary. I wonder if the mods can just delete this entire thread.
#9
Quote from: Patrick M. Hausen on April 13, 2026, 12:12:05 AM
I cannot read your mind. I do not know that switching to Kea is entirely disposable for you
But I said it multiple times - even in reply to you.

To sum everything I've already written here:

1. I use Dnsmasq, which isn't getting a delete lease button for good reasons. The old implementations had it and I miss having it. I have a script that works well enough for my purposes. It's just not as convenient as a button.

2. Someone suggested if I wanted a delete lease button, to try KEA, it has one that is and will be supported.

3. I attempted to swap KEA for Dnsmasq in my configuration and ran into trouble. I searched the 'net, read the documentation, looked at more videos, and eventually posted here to find out what I overlooked.

4. The answer is at no time did I understand it isn't a 1-for-1 swap, not even from the official documentation.

5. I simply don't need it, I was just following a suggestion. It isn't designed to work as I wanted. So I said I will stay with Dnsmasq in my very first reply, yet we've gone to two pages and counting. *mind boggled*

6. End-of-line.
#10
Quote from: Patrick M. Hausen on April 13, 2026, 12:00:14 AM
Then stick to DNSmasq for DHCP and DNS. But then, what is the problem at hand?
There is no problem here except everyone bashing me for not reading everything and understanding it all, when they didn't take the time to understand what I have been writing.
#11
Quote from: Patrick M. Hausen on April 12, 2026, 10:37:00 PM
In that case if you want to run Kea for DHCP y
I *don't* want to run KEA. I'm not sure why that's not clear. In any event, it doesn't matter. I wish I could delete everything here but my post and the one comment that helped.
#12
Quote from: Patrick M. Hausen on April 12, 2026, 10:10:18 PM
Kea by default gives clients the OPNsense IP address in the respective network as their DNS server. If you do not run a DNS service, you need to instead send the same servers you configured in "General" to your clients. Open the subnet configuration in Kea, activate the advanced settings, set DNS servers.
I have OPNsense handling all DNS (and NTP, FWIW) for all of my clients. I do want them to get 192.168.1.1 for DNS server and not do their own thing.

It's really not necessary for me to move to KEA. It was a suggestion in another thread so I could have the supported delete lease button. I have a script to do that in Dnsmasq. Yes it's not the recommended approach but so far I haven't seen any side effects in my little house. It's just a bit more effort to SSH in and run the script compared to having a nice delete button that does it the correct way.
#13
I *do* have my DNS servers in System->Settings->General. See 5th line of my OP. And it didn't work. It appears all DNS queries are headed out through OPNsense as they had been, but nothing was grabbing the reply. At least, that's how it appears from my observation. I have no way of knowing what is actually happening.

I appreciate the help, but honestly I asked a question, I got the (I presume) right answer. Not sure why the bashing is continuing. Because I was honest and said "I had no idea" I guess.
#14
Thanks. At a high level I understand the practical functions of each- as they apply to my practical use of the internet.

I do realize I grabbed OPNsense, an appliance meant for large enterprises, as my choice for a small, no, make that tiny, home network. I did that because I'm disgusted with the direction consumer routers have gone, taking all control of what comes in and goes out. I ran DD-WRT for years (and Dnsmasq) and am quite comfortable with how it functions for me, without knowing specific components or what does what. (Including a delete lease option which I'm aware can't be ported to OPNsense, which prompted the entire suggestion for me to consider KEA.)

I had trouble with Unbound and disabled it, moved my DNS servers into System Settings, and voila it's all good. I thought that was enough no matter what I used for DHCP. Quite honestly, at almost 85 years old, I'm not likely to get much more knowledgeable nor am I really interested. If it's no longer allowed to post here for help because of that, then I'll find something else.
#15
Quote from: nero355 on April 12, 2026, 07:54:23 PM
It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.

FWIW I do read the docs, and I absolutely don't understand everything there. There's a lot that doesn't apply to me, and it's possible I won't understand there's something there that does. I thought this forum exists to provide help when needed and so I asked and got my answer.

I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.