
Messages - hoondi

#1
General Discussion / Re: unifi9 in community repo
June 06, 2025, 12:35:00 PM
more than that Mark_the_Red,

Cos unlike God, mimugmail has an actual bank account...

Spill the beans mate... wanna donate to your efforts.

Not seeing anything at mimugmail/opn-repo nor https://www.routerperformance.net so... c'mon, you should like receive a boat-load for the homelab guys enjoying your efforts.

My value is at a hundred AUD here for ya and I wish I could afford to hand over a bit more... just tell me where....

Tariff free! LOL
#2
General Discussion / Re: unifi9 in community repo
May 25, 2025, 08:32:32 AM
Champion!

Thank you
#3
General Discussion / Re: unifi9 in community repo
May 21, 2025, 11:19:24 AM
I have installed os-unifi9-maxit and I see it's running  1.4 / 9.0.114

Is it possible to update to 9.1.120 or do we wait for mimugmail to do it and have it pushed through OPNSense's overall update process?

ta
#4
Hi all,

I incorrectly posted this in 25.1 section and so am hoping someone might see it here who can assist.

I can configure OPNSense for Tailscale using the new plug and is working as expected.
Either configured as an exit node or to expose whatever is behind it via subnet router option works etc etc.

Massive shout out to Sheridan Computers for writing the plugin too.
https://www.youtube.com/watch?v=VD2oMin_V3M is what I followed along to.

I have a linode linux VPS box already configured as a TS exit point which has been working nicely for a while now, but only being used by a single client behind the OPNSense router.
I would like to "transfer" from a single client using the exit point to my OPNSense router to use the Linode/Tailscale exit point.

So, I don't think the plugin is mature enough for this, but am curious if anyone has done this prior to the plugin release via the command line and are willing to share their success?

There's chatter around having two wan connections:
https://forum.opnsense.org/index.php?topic=36817.msg204377#msg204377

or

modifying outbound NAT with the addition of FW rules
https://forum.opnsense.org/index.php?topic=45530.msg227721#msg227721

but both haven't succeeded.

And so am wondering if anyone has successfully done this and are willing to share.

ta
#5
Hi all,

I can configure OPNSense for Tailscale perfectly fine.
Can also configure as an exit node or to expose whatever is behind it via subnet router option.

Massive shout out to Sheridan Computers for writing the plugin too.
https://www.youtube.com/watch?v=VD2oMin_V3M is what I followed along to.

I have a linode linux already configured as an exit point which has been working nicely for a while now, but only with a single client.
I would like to "transfer" my entire home setup to use this exit point now.

So, I don't think the plugin is mature enough for this, but am curious if anyone has done this prior to the plugin release and are willing to share their success?

There's chatter around having two wan connections:
https://forum.opnsense.org/index.php?topic=36817.msg204377#msg204377

or

modifying outbound NAT with the addition of FW rules
https://forum.opnsense.org/index.php?topic=45530.msg227721#msg227721

but both haven't succeeded.

And so am wondering if anyone has successfully done this and are willing to share.

ta.

#6
Have you considered StarLink?

Or is the cost v speed not there for you?
For me, StarLink is superior for both speed and latency, except that I have so many trees to contend with that the dish has to be on a pole of at least 40mt high before I cease experiencing any "obstruction".

The trees here are so dense and come so close to our house that I don't even need to own a lawn mower. Gives you an idea.

Hope the MTU is all it is for you.
#7
mmm,
So my options are:
1. Run a physical parallel ethernet cable to both the shed and the rest of the house purely for management.
or
2. Change the VLAN management to something other than "VLAN ID 1" on the router and all the Unifi switches.


Both are not fun.
The latter more so as these cheap managed flex mini switches limit their capabilities when not doing it the "UniFi" way. (I can't tag individual ports anymore, it's either all or none if I move management off vlanID 1 on these things) and from what I've read, it's agony if you need to re-adopt anything when not using VlanID 1.


mmm, option 3 it is then.  :P


Thanks again to everyone helping me with this. I really have learnt heaps and here's what I'm taking away from my homelab endeavours:
1. Keep away from attempting to use OPNSense as a switch with vlans.


2. OPNSense with bridges using physical ports only is simple and works fine, even with 10Gb interfaces. Kind've defeats the purpose of actually using OPNSense (for me), if you're not going to use vlans though.


3. Vendor switch research when used with OPNSense needs more attention than I thought. I like the idea of the UniFi controller but am not keen on the VLANID 1 emphasis so much now.


Thanks again all.
#8
Hi FraLem,
I'm also on Cellular and I only wish I had your issue of attaining those speeds in the first place!
I'm surrounded by 4 acres of forest right up to the house and it's illegal (not that I'd want to anyway) to cut down the trees.



Strength: 17 / 31, dBm: -79
Selected Network: LTE NR5G
Sub Network Type: FDD LTE / NR5G-NSA
Band: 5 / 1,450 + "LTE BAND 3",1275
RSRP: -114 dBm
RSRQ: -18 dB
SINR: 11 dB
5G RSRP: -96 dBm
5G RSRQ: -13 dB
5G SINR: 5 dB
As you can see, lousy at best.
My MTU is 1472 which is the default set by my carrier. That's all that comes to my mind to look at.


Otherwise, save your current config, erase your boot drive and do a quick clean and simple setup to test and see if speeds improve.


Cheers.
#9
okay, after 1am here, so brain is being super challenged,  ???


Q1.
Bridges 1 through to 5 are okay, because none of the VLANs' parents are any of the included physical NICs, and so that's why they all work fine, correct?


Q2.
Bridge 6 though is in error. i.e. both the VLANs are included with their physical parent NICs in this bridge and this is why I'm seeing the issue, correct?


If so, I'm kind've scratching my head on what I need to do to fix this still.


what I do know is that physical ports ix0 and igb0 are trunked ports and both physically connect to a trunked port of the switches, being the flex 10GB in the shed and the flex mini at the other end of the house.


So that means I have to take the MGMT vlans out of that bridge? if so, how do I configure these VLANs? do I create another trunk?


I'm thinking I'm way off in the weeds now and so am pausing.


Thank you to everyone for the help on this too, I'm finding this topic extremely interesting.
#10

oh...


So the bridges I have atm are:



bridge0 phy_igb1_Denon, phy_igb2_LGTV, phy_igb3_ATV, vlan_IoT_igb0, vlan_IoT_ix0, vlan_IoT_ix1 
bridge2 phy_ix1_LRM, vlan_Raywood_igb0, vlan_Raywood_ix0
bridge3 vlan_IPCAM_igb0, vlan_IPCAM_ix0
bridge4 vlan_Neighbour_ix0
bridge5 vlan_Guest_ix1
bridge6 vlan_MGMT_ix0, vlan_MGTM_igb0, phy_ix0, phy_igb0



Yes, I have created vlans for each physical interface individually, and yes, I have then created bridges that only include those vlans where the VLAN ID number matches.


However, you're saying that I cannot add multiple physical NICs to a bridge?


Looking at bridge0 for example then, you're saying that I can only have one physical NIC in that bridge? and not 3 like I do atm? (eg: phy_igb1_Denon, phy_igb2_LGTV and phy_igb3_ATV)


oh dear.


Because I have two physical ethernet cables heading in opposite directions, (shed/homelab & the rest of the house) I'm not able to bridge these physical ports in conjunction with a vlan?


mmm.
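An added check, my own code rather than anything from the post or from OPNsense, for the condition Q2 above asks about: given the bridge list as posted, it flags any bridge that contains both a VLAN interface and that VLAN's own untagged parent NIC, and separately any bridge whose VLAN members carry different labels (the MGMT/MGTM pair). The naming scheme phy_<nic>_<label> / vlan_<label>_<nic> is an assumption inferred from the posted names.

```python
import re

# Bridge membership as posted above (names copied as given, "MGTM" included); constructed input.
BRIDGES = {
    "bridge0": ["phy_igb1_Denon", "phy_igb2_LGTV", "phy_igb3_ATV",
                "vlan_IoT_igb0", "vlan_IoT_ix0", "vlan_IoT_ix1"],
    "bridge2": ["phy_ix1_LRM", "vlan_Raywood_igb0", "vlan_Raywood_ix0"],
    "bridge3": ["vlan_IPCAM_igb0", "vlan_IPCAM_ix0"],
    "bridge4": ["vlan_Neighbour_ix0"],
    "bridge5": ["vlan_Guest_ix1"],
    "bridge6": ["vlan_MGMT_ix0", "vlan_MGTM_igb0", "phy_ix0", "phy_igb0"],
}

# Naming scheme assumed from the post: "phy_<nic>[_label]" and "vlan_<label>_<nic>".
PHY_RE = re.compile(r"^phy_([a-z]+\d+)")
VLAN_RE = re.compile(r"^vlan_(.+)_([a-z]+\d+)$")

def parse_member(member):
    """Return (kind, nic, label) for a bridge member name, or None if it does not fit the scheme."""
    m = PHY_RE.match(member)
    if m:
        return ("phy", m.group(1), None)
    m = VLAN_RE.match(member)
    if m:
        return ("vlan", m.group(2), m.group(1))
    return None

def find_parent_conflicts(bridges):
    """Bridges holding a VLAN interface together with its own untagged parent NIC (the Q2 case)."""
    conflicts = {}
    for name, members in bridges.items():
        phys, vlan_parents = set(), set()
        for kind, nic, _ in filter(None, map(parse_member, members)):
            (phys if kind == "phy" else vlan_parents).add(nic)
        shared = sorted(phys & vlan_parents)  # NICs present both untagged and as a VLAN parent
        if shared:
            conflicts[name] = shared
    return conflicts

def mixed_vlan_labels(bridges):
    """Bridges whose VLAN members carry more than one label: usually a naming slip worth a look."""
    mixed = {}
    for name, members in bridges.items():
        labels = {p[2] for p in map(parse_member, members) if p and p[0] == "vlan"}
        if len(labels) > 1:
            mixed[name] = sorted(labels)
    return mixed
```

On the list as posted, find_parent_conflicts(BRIDGES) returns {'bridge6': ['igb0', 'ix0']} and mixed_vlan_labels(BRIDGES) returns {'bridge6': ['MGMT', 'MGTM']}; every other bridge passes both checks.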
#11
General Discussion / Re: 8 Cores 4 Threads?
September 19, 2024, 02:56:17 PM
Hi Visseroth,
I've been seeking advice from our Networks team for my homelab ventures.


They advised me that when using a PC as a router, it's not a bad idea to disable a few things to keep the PC as stable as possible.
eg:  threads, all S sleep/standby states and any applicable CPU boosting of clock speeds for example.
RAM timing can also be set to JEDEC instead of XMP too.


It's for these reasons I went with an I5 that has 4 cores and 4 threads only, and I keep it at base clock speeds.


You want your router to be as stable/consistent as possible at all times if you can.
#12
Hi bimbar,


Thank you, the flex mini switch is a managed device and does allow vlan assignment to ports.


I'm not convinced my issue is purely with the flex mini switches at this stage, especially considering the setup does work with changes to OPNSense only.
#13
Hello,


Am new to OPNSense (and also UniFi hardware) and have been learning a lot when it comes to bridges, vlan networks, physical networks and vlans bridged with physical networks.



Anyway, it has been fun to tinker, reset, tinker again, reset again and have now come to the point of asking for advice before I continue.
I've attached a PNG of my ideal setup and I'm getting stuck on the management side of things.


What I'm seeing is that if I include the physical ports in the MGMT bridge, the U6Pro WAPs can no longer issue respective IP addresses for any of the vlans/SSIDs. Clients connect to the SSID, give up and self assign. Attempting to statically assign an IP address does not work either and so there is no route/plumbing for any of the vlans back to the OPNSense router.


What I don't understand though, is that I'm able to ping both WAPs (192.168.1.249 & 192.168.1.251) from the Mac Mini, they just don't seem to pass the VLANs onto any WiFi clients. Any endpoint directly patched into the router (TV, MacMini, AppleTV etc etc) all work fine, and so this tells me that the vlans are not able to extend past/through the flex mini switches for some reason?


If I remove the physical ports from the MGMT vlan, everything works!
WiFi devices receive the correct IP on the respective SSID and able to route out to internet fine.


But


All UniFi hardware is no longer able to talk to the controller (192.168.1.1) and the UniFi controller shows them all as offline. They're clearly working though.


And so here I am with the situation of either a), having a working network with no way to manage the UniFi hardware.
Or
b), a broken network where the Waps don't see the vlans and thus don't assign IPs, but I can see all the UniFi hardware in the Controller.


I hope the above makes sense.

Because the Flex Mini switches are somewhat less configurable, I was wanting to use the Primary VLAN ID 1 to manage all the UniFi hardware. The reason for this is that using VLAN ID 1 enables me to choose ports on the Flex Mini switches to be individually tagged or not.
If I choose not to use the primary VLAN ID 1 and use a different VLAN to manage all the UniFi hardware, I lose this ability and can only allow all Vlans or only Allow none per port which will deny me tagging ports as IPCAM vlan and IoT vlan only for endpoint devices.


The reason for using bridges with OPNSense in the first place was to save some money on having to purchase another 10Gb switch. After tinkering with this setup, I'm not honestly sure if this will even make a difference with respect to the issue I'm seeing, because note that ix0 is running out to the shed (to a UniFi switch), and also igb0 is running to the rest of the house (i.e. another UniFi switch).
The OPNSense Router is in the living room behaving as another 10Gb switch.
The router is a PC with:
Intel i5 7500 @3.40GHz
16GB RAM
ZFS Mirror SSD Boot
1 x 1GB onboard (em0)
4 x 1GB Intel PCIe (igb)
2 x 10GB Intel PCIe (ix)
2 x 10GB SFP+ Chelsio PCIe  (cxgb) ← yet to install


As for firewalls, every bridge is "wide open", in that I've created a rule that says pass on each bridge interface while setting this up:

Action: Pass
Interface: Bridge_xyz
Direction: In
TCP/IP: IPv4
Protocol: Any
Source: Any
Destination/Invert: unchecked
Destination: Any



No firewall rules exist nor ip addresses assigned to any vlan or physical interfaces. (i.e. all done on the bridges)
The LAN interface is not presently assigned to anything (it was on interface re0 and assigned)
No IPv6 configured.


Well, I think that is everything, everything that I can think of in terms of information for anyone to explain to me what I'm doing wrong with the MGMT bridge.
All the other bridges work wonderfully well with vlans and physical networks ports and so I'm just not sure why I'm seeing the issue I'm seeing.
I'm fairly sure it's got something to do with how UniFi uses that VLAN ID 1 as I understand it to be somewhat a unique approach compared to other smart switches.


Anyway, if anyone is able to assist, I'd be very grateful to learn more. ;)


(updated: changed attachment to vector so it is clearer to read)
#14
I just recently got OPNSense up and running on a PC.
I like to keep my networking on one box and services on another so I can bring down either independently when/if needed.
Router hardware:
i5-7500 CPU @ 3.40GHz
16GB RAM
9 network ports using 4 x PCIe adapters:
builtin is 1GB Intel Copper (WAN)
1 x PCIe with 2 x SFP+ Chelsio Fibre
2 x PCIe with 2 x 1Gb Intel Copper
1 x PCIe with 2 x 10GB Chelsio Copper

Using mimugmail's plugins for OPNSense, I have the UniFi controller and AdGuardHome running on the same IP as the router. (ports 8443 & 3000)
UniFi hardware:
USW-Flex-Mini-01
USW-Flex-Mini-02
USW-Flex-Mini-03
U6-Pro-02-Library
U6-Pro-01-Living
USW-Flex-XG
I have 5 vlans on top of the default untagged "LAN" that gets created which I only use for management.
vlans are for:
IoT
Guest
IPCAM
Neighbours
Raywood
IoT, Guest and Raywood are the three vlans having SSIDs broadcasted via the 2 x U6Pros. This works well and I don't see any issues so far when using both together.

AdGuardHome works well! I'm using it to also block my LGC9 TV so I don't get Firmware reminders for example.
Just have to work out how to allow it to get ntp and not the update from the same domain which will likely require me to learn more about wireshark.

I've learnt heaps, stuffed up just as much along the way, mainly because I've bridged spare ethernet ports in the router so I don't have to buy another smart 10Gig switch for the shed/homelab.

Certainly would not have managed all of the above if it weren't for the great people here in the forums so this is just as important for me.


I'm really happy with what OPNSense can do and so will be donating once I finish my setup.


#15
mimugmail suggested I "allow all" across all interfaces as a temp test.

UniFi could be reached after that...  :-[

Even tho I was testing with a client PC on the same subnet (192.168.140.0/24), I had to add a pass rule to 192.168.140.1:8080 before I could get to it with bridges in the mix. (don't need this rule with just basic LAN/WAN setup)