Messages

Hello Franco,

thanks for the reply.

That means the actually present rules in > Rules can be safely all deleted?


Cheers,
ks

Hello all,

I'm running few OPNsense 26.1.8_5 firewalls, and one of these is getting me nuts.

In details the (in)famous bTicino Classe 100X16E intercom system is struggling to connect to Wi-Fi and thus internet.

After days of tests (and other devices connected to same Wi-Fi 2.4 GHz network working properly) I narrowed the issue to the specific ports this intercom system needs.

They are:
-5061 SIP
-5228 SIP
-0 to 65000 UDP
-80/ 443 HTTP/HTTPS
-8883 MQTTS

Now my question and request to help/hints is: where should I create new firewall rules in OPNsense? In the new Rules [new] tab, or in the older Rules tab?
Are they still working togheter, so I need to create rules in both?

Can someone shed some light on this?

Thanks

Hello all,

I'm posting here an help request to properly configure VLANs.

The network is something like this

You cannot view this attachment.

The WAN connection enters the OPNSense firewall and exit to LAN side (two separate NICs).
LAN backbone is 10G fiber, that connect the main central switch (the Mikrotik) and from there to the EdgeSwitch 16 (the EdgeSwitch 8 isn't important now).
From the EdgeSwitch 16 the backbone continues to another switch (the TPlink) where finally we find the AP Ruckus R710.

My goal is to have a wireless device e.g. doorbell or thermostat connected to AP via its own VLAN to segregate that traffic from LAN.

Is there anyone willing to help me understand, step by step, how to properly configure the VLANs across these multiple brands switches up to the AP?

Step 1) from OPNsense firewall to Mikrotik switch

Step 2) from Mikrotik switch to EdgeSwitch 16

and so on...


Any help will be greatly appreciated.

Thank you.

Hello there.

I do have a pretty standard OPNsense installation, 25.7.4, and I'm posting here a weird issue I'm having looking for some hints to figure it out.

All my LAN traffic is passing through a VPN (this will be subject to a future modification, but so far is it) managed by OPNsense router/firewall and I do no have issues browsing the 'net except for some website that are returning this error:

Access Denied
You don't have permission to access "http://www.subito.it/" on this server.

Reference #18.8d4f2417.1759419363.417b068

https://errors.edgesuite.net/18.8d4f2417.1759419363.417b068

The weird is that trying to troubleshoot this, I enabled the VPN on my laptop, so we have a VPN tunnel inside a VPN managed by the OPNsense and the unavailable website magically is available.


Can someone enlight me with some hints how to not have this kind of issue?
Is this related to a bad or improper OPNsense firewall/ports configuration from my side?

Thank you in advance for any help!

As a reminder: OpnSense/FreeBSD is known to cause trouble mixing tagged and untagged traffic on the same interface.

Thanks, I'll keep in mind.
For now I'm focusing on the correct network topology

I see.

So the best is the approach using VLANs separation.

Such as VLAN10 192.168.10.x/16 for e.g the office, VLAN20 192.168.20.x/16 for e.g IP cameras and so on.

Is there any other suggestion you'd like give to me? They'll be appreciated

Hello guys,

I do have LAN like the one in the attachment, a 10.0.0.0/24 metwork with all devices connected to same network subnet.
Actually all the traffic is routed by a VPN, also the non necessary one, and I'd like to segment a bit to increase the LAN security, e.g.:

the 2 NAS and printer and workstations on same network;
the IP cameras on its own network but able to write only on NAS;
the PS5 and TVs on its own (play network)
the IoT network (door bell, thermostat, etc)

routing the non necessary traffic (games and TV) outside the VPN.

What would be the best approach to do this?
Can I do it with VLANs?
Is is better instead to create separate LAN subnets?

Thank you!

Change destination to "LAN net" with "destination invert" activated.

It worked.

Thanks a lot Patrick for the quick and fast resolution.

There is one floating rule

Hello there.

I setup a bare metal OPNsense firewall/router for my home lab LAN, and is running fine with no particular issues.
The box is acting also as NTP server for the whole LAN, until the dedicated NTP+PTP and DHCP IPv4+IPv6 Kea servers will be operational.


All my outbound traffic, no exceptions, need to be routed through my VPN provider, so I enabled WireGuard and configured with Mullvad. It seems working correctly, according the Mullvad check leaks website.

And here the fun starts: after implementing WG the LAN clients cannot access anymore the OPNsense NTP server.
I wish all LAN clients NTP requests remain in the local LAN, no NTP requests should go outside, but I do not understand why this behaviour from WG.

All other LAN service are functional, just NTP is having issues.

Probably is a matter to set a rule in the firewall, but it shouldn't be done by WG?

Any help would be greatly appreciated.

Hello,

I'm quite an OPNsense newbie and I'd like ask some help with the firewall.

I installed OPNsense 24.7 on a bare metal, with one dual SFP+ NIC. On this NIC are attached the LAN (10G module) and a Ethernet 1G module for the WAN connection.
The ethernet cable is connected to the provider' ONU in bridge mode that translate fiber connection into ethernet to the OPNsense firewall. OPNsense handle the PPPoE connection.

LAN side is a 10.0.0.0/24 network, and WAN side is a 192.168.1.0/24 network.

I can browse internet, do normal stuffs with the connection and I set a firewall Outbound rule to reach the provider ONU (it works). So basically everything works.

When I try to eliminate the external provider ONU and use the Leox LXT-010S-H GPON module directly attached to my bare metal OPNsense NIC, I cannot reach the GPON web interface, despite my attempt to properly set the firewall rules.

The GPON module is perfectly working, that I tested with an external media converter, and I guess the issue is in my firewalling settings.
I tried also to change the GPON IP setting (while in the external media converter) to match the provider' ONU (192.168.1.1/24) but cannot get the GPON web page.

Does somebody has suggestions how to properly setup the firewall rules in order to reach the GPON web and telnet interfaces, or any other hint to help me?

Many thanks in advance!

That's correct, as I discovered by myself: A combination of MSI X470 Gaming Plus Max and Ryzen 5 5600G simply doesn't work at all.
During boot the system lists a lot of MCA errors.

Early Ryzen CPUs (ZEN/ZEN+) had some issues running Linux OS, though it typically manifests as system lock up vs rebooting.  Later CPUs seem to work much better, as there are many data centers running the same processor die (EPYC).

I questioned AMD about the MCA errors and the answer was: you're on yourself since you're using an unsopported OS.  :-X

Then MSI, that I questioned too, sent me unofficial BIOS to try.
But at that point the rig destiny was decided: I took it apart ans sold in pieces since I had no more time to spent for MSI as beta tester for their BIOS firmware.

Thanks all for supporting, and try to avoid MSI mobo + Ryzen APUs combo, unless you've time and resources for testing.

Something something disable power states in the BIOS. Don't remember from the top of my head, please search the forum or google.

Thanks fore the hint! I found something on net and here in forums related to PBO, that I disabled without any change.

What NICs are you using? Could it be a Realtek NIC problem?

After that, can't help.

The only Realtek NIC present is the motherboard one, that I never used.
I have 3 PCI 10Gtek SFP+ cards with some RJ45 and 10G fiber modules, all the traffic pass throught them. The controller card's is Intel 82599

I prefer and use AMD everytime I can. No problems here.
Any clues in the logs? If not because it crashes hard, one option could be if you have another machine running is to send logs to it. Windows machines need not apply :)

Never reached the logs unfortunately. I could set up a spare machine for receiving the logs eventually, but at this point not sure it worth continue this way.


Thanks all!

Hello,

I'm experiencing a strange issue that is driving me nuts, and I'll appreciate any help you might throw here before I nuke'all with napalm...

I had an OPNsense baremetal running like a charm with an old i3 5th series, no issues on that.

First rule: don't repair what isn't broken... yep I know

Then the upgrade time come, so I had to move the OPN sense installation (or better I'm trying to...) to better hw to handle 2x 10G fiber parallel connections, Wireguard VPN and side sw like suricata etc.
My choice was an x470 mobo with a Ryzen 5600G and 32GB RAM, NVME for installation.

The first - and main - issue is that OPNsense reboot at random, so I first think about:
- a fault PSU (changed three),
- RAM (tested with MemTest),
- NVME support (changed),
- motherboard (changed with different model) and
- CPU too (changed with a Ryzen 2400G)

but it seems that, despite the tests I've done, OPNsense 24.1 and 23.7 with AMD hardware reboot at random.

Anyone else has experienced these kind of issues?

Thanks in advance