Messages - dish

#1
It's not so straightforward doing this :P

Your ISP/TV will require specific configuration; google your provider name + pfsense or opnsense etc. and hopefully you can find it. If not, look for a guide for another provider and adapt it to yours. Check your service provider's support page for the IPTV configuration.

Here is an example for KPN Netherlands (just translate the page); your config will end up similar.
https://j4me.synology.me/ - scroll down to IPTV settings
Basically you need specific interface config, IGMP proxy, specific DHCP settings for the TV box so it pulls info from the TV provider, open up broadcasting, block the TV VLAN from spamming your LAN, etc.

In my case I couldn't get it working nicely; it worked, but after an hour or so it gave an error and stopped working.

I got tired of it and in the end the simple solution for me was to install the Android app from the TV provider on my smart TV or Google TV dongle. This takes 5 minutes of your time and works just as well.
#2
As a long time user having seen OPNsense grow, it certainly shows a level of excellence and quality from the team(s) and everyone contributing; thank you - keep up the good work.

From time to time though it's frustrating when things get simplified to a point it's confusing / less usable. The UI is keeping up with the times, but removing configurability doesn't make it polished; I expect many rely on some of the lesser used functions... As a backup we had the 'insecure' option in some places that have too many options to cover, but it continues to get phased out and this is one of them; imo an authentic 'advanced' feature for those that needed it. It's been asked too frequently over the years to keep it, and it makes sense in certain places.

My earlier experience with instances was successful but finicky; anyway it looks better now and I tried to set up a client VPN and I am missing the following few things:

- explicit-exit-notify - please add; my provider requires it to close the session
- bind address - option to select an interface instead of specifying an address
- fast-io - not sure if still relevant
- key-direction - useful for VPN in some countries
- data-ciphers / data-ciphers-fallback / tls-cipher - option to select
- pull-filter
#3
Quote:
"10.29.251.10 is a device on the LAN of OPNsense (OPNsense is the DHCP server providing this IP address)
I could try to ping 8.8.8.8 with the source being the LAN bound address (In this case, it is 10.29.251.203)
• OPNsense CANNOT ping 8.8.8.8 with source set to 10.29.251.10"

I repeat... 10.29.251.10 isn't bound on an OPNsense interface; you cannot simply spoof a LAN IP. Why don't you ping from 10.29.251.1 (your OPNsense GW??) or use that host 10.29.251.10 to ping?

I'm not familiar with ESXi but I use Proxmox on many devices.
I just finished a fresh VM installation of OPNsense; 24.7 didn't work out, thus went back to 24.1.10 for now.

Your setup is simple, there's no reason it wouldn't work. You're missing something obvious...
By default any host on OPNsense's LAN that got its DHCP from OPNsense will be able to access WAN/internet if it's up.

Since your WAN gives a local IP range, disable 'block private networks'.
With VMXnet3 you can build your VMs on top of that interface, which I assume is for lab testing if you want to do failover. You may have read, ideally you should use VT-d and dedicate LAN/WAN NICs to the firewall for the best performance and least overhead.
Add a 3rd NIC using VMXnet3 as your DMZ or VM network, just a bridge without any virtual port that doesn't bind to any physical port.

For lab testing failover etc., VMXnet3 as configured should work as well. Is your RTR using a VLAN to access its internet? I think you need to manually set NAT rules as the default on WAN wouldn't work. Instead do it on the WAN VLAN.

Let OPNsense do the DHCP to avoid complications.
- On a fresh install there is a LAN to any rule
- Add NAT onto the correct WAN interface.
#4
I originally wrote something about using ASNs; it can be more work to build up but just as effective with a smaller footprint.

Another option is to cook up a nice IP table list using sources from Emerging Threats etc.; you can find lists for almost anything. It should be able to keep most of the riffraff off your servers without the necessary load of large GeoIP lists.

Here is my default blocklist, compiled from PRI1 feed collections from pfB.

https://feodotracker.abuse.ch/downloads/ipblocklist_recommended.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
Set a 24hr refresh.

OP wasn't very specific in what he wanted to block other than certain countries.
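The feeds listed above come in slightly different text formats (abuse.ch '#' comments, Spamhaus DROP lines with a '; SBLnnn' suffix, bare IP or CIDR lines). Below is an added example, not from the post or from pfBlockerNG, that normalizes such feed bodies into one de-duplicated CIDR list and rejects entries that fall in RFC 1918, loopback or link-local space, since a tainted feed entry there would block your own LAN. The feed contents are constructed samples using documentation address ranges, not real feed data.

```python
import ipaddress
import re

# Constructed sample feed bodies mimicking the formats of the listed feeds.
# Not real feed contents; addresses are from documentation ranges.
SAMPLE_FEEDS = {
    "feodotracker": "# Feodo Tracker botnet C2 (constructed)\n192.0.2.10\n192.0.2.11\n",
    "spamhaus_drop": "; Spamhaus DROP (constructed)\n198.51.100.0/24 ; SBL000001\n203.0.113.0/24 ; SBL000002\n",
    "et_block": "# Emerging Threats (constructed)\n192.0.2.10\n203.0.113.128/25\n2001:db8::/32\n",
    "cins": "192.0.2.12\n10.0.0.5\nnot-an-ip\n",
}

# Ranges that must never end up in a WAN blocklist: an entry here would cut
# off your own LAN, loopback or link-local traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

_COMMENT = re.compile(r"[#;].*$")  # strip '# ...' and '; SBLnnn' tails

def parse_feed(text):
    """Yield ip_network objects from one feed body; comments, blank lines
    and malformed entries are skipped rather than poisoning the table."""
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)  # hosts become /32 or /128
        except ValueError:
            continue

def is_local(net):
    """True if the entry overlaps any range we refuse to block."""
    return any(net.version == local.version and net.overlaps(local) for local in LOCAL_NETS)

def build_blocklist(feeds):
    """Merge all feeds into one sorted list of CIDR strings with duplicates
    and overlapping ranges collapsed; returns (entries, rejected_local)."""
    keep, rejected = {4: [], 6: []}, []
    for name, body in feeds.items():
        for net in parse_feed(body):
            if is_local(net):
                rejected.append((name, str(net)))
            else:
                keep[net.version].append(net)
    entries = []
    for version in (4, 6):  # collapse_addresses needs a single address family
        entries += [str(n) for n in ipaddress.collapse_addresses(keep[version])]
    return entries, rejected

if __name__ == "__main__":
    entries, rejected = build_blocklist(SAMPLE_FEEDS)
    print("\n".join(entries))  # one CIDR per line, ready for a firewall alias/table
    for name, net in rejected:
        print(f"rejected {net} from {name}: local range")
```

Run against real feed bodies, the output is what you would feed a URL-table alias; the rejected list is worth alerting on, since it means a feed changed format or was tampered with.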
#5
Misread... nvm

GeoIP route tables get large, no way around this especially for large countries.
#6
I just built a new mini PC FW, and did the install on Proxmox with NICs PCI mapped directly.
The most obvious was traceroute not working through the firewall; opnsense-update -zkr 24.7.1-icmp2 fixes it.
I'm currently lurking the forums to see what else is up.

Overall it seems to work... but here and there with routing, gateways (running VPNs etc.) there's some weird behavior that I can't pinpoint. It could be Proxmox but I'm thinking OPNsense. I could go barebones but I doubt it'll help my situation seeing the chatter on the forums.
I'll probably try installing a fresh 24.1 on a VM before going barebones.

I need a couple of extras on this host if possible... and working more reliably than where it's at now.

I'm holding off the upgrade on my main FWs until we hit 24.7.2 at least.
#7
10.29.251.10 isn't bound to any interface on OPNsense, thus why would that work?
Assuming 10.29.251.1 is bound to the LAN interface, you can use that.