Messages

Thanks for the response.  OPNsense is assigning the VLAN tag to the devices.  The Unifi access point is just passing it along per the AP, but to be honest I am not exactly sure how the access point is doing it.  It specifically says in the unifi interface that the VLAN tagging is being done by the router. 

If ONLY the switch can assign the device to a VLAN, then I guess I have my answer.  I just thought since the unifi access point is making OPNsense do this, there would be a way in OPNsense to say this IP address or MAC address should always be on the VLAN subnet at this IP address.

Need some help.  I exhaustedly tried Claude and ChatGPT to solve this, but I can't seem to figure it out.  I cannot assign a physically ethernet connected device to the VLAN under any circumstances.  VLAN interface is working great.

Topography is as follows

OPNSENSE router -> Switch with POE+ -> Unifi U6E Access point -> no problem assigning devices to VLAN (IoT) via wifi (works chef's kiss perfectly)
                                    |
                                    -> LAN connnected devices -> will not under any circumstance assign to VLAN (IoT) PROBLEM

I followed this helpful guide to get the Unifi set up (NAT, VLAN Interface, etc.).  I confirmed the Unifi device is 100% NOT doing anything with DHCP (even warns me in the controller software its doing nothing) and OPNsense is, and its working perfectly. The switch is passing VLAN tags along perfectly as it works for the AP so its not a switch issue:
https://www.youtube.com/watch?v=CmC_AuoAmvs

All the DHCP VLAN ranges are set up correctly, because the access point is assigning them in that range.

Is there a "MAKE THIS god dam @#$@!#%@# device / MAC address move to this VLAN!!!"  hidden setting somewhere in the DHCP menu?  DHCP lease time has no effect.  I tried assigning static ip addresses (Host) to the devices on the VLAN DHCP range and it never works.  It makes an entry but the device NEVER moves over.  I even disabled the LAN network it is currently assigning these devices to incorrectly, and the devices would rather get NO connection then go to the VLAN one.  I know its a DHCP issue but I looked at every menu setting and nothing seems to be applicable to this.  Do I need to create a distinct Gateway for physically connected devices? 

I am certain I am missing something obvious.  Anyway, appreciate the help.

 

Great thread.  I have an N100 box, and I was somewhat disappointed in its idle power usage.  Hovers around 13-14w.  Its not a money power issue, I just like things efficeint.  Whats your idle power usage with that box?   I followed a lot of the tuneables in the link you mention and this one: https://binaryimpulse.com/2022/11/opnsense-performance-tuning-for-multi-gigabit-internet/   

To be honest, most of this is greek to me.

A strange behaviour I noticed in opnsense is when I run iperf3 tests after an update, I get really slow results.   When I open the Interface->Settings-> HArdware CRC, TSO, etc. I have to change it and change it back then click apply and voila it works great.  Get 10gig iperf3 results.  Weird.

Pretty happy with the system nonetheless, just trying to understand the best settings for my use case.   

Could you share what your settings are for the Interface->Settings->Hardware for the first 4 options?  Mine are are enabled (unchecked), but VLAN hardware is enabled.

THanks again.

You're doing Gods work here mimugmail!  Thank you.

I thought it was sarcasm, but it was true.   Trying to restore from backup bricks the plugin, so I had to reconfigure it from scratch.   Not a big deal.   Thanks for supporting this plugin by the way; fantastic having this on the router itself.

Hello OPNsense team.

I noticed a strange issue that has reproduced itself through the last three updates regarding performance.

24.7.12 -> 25.1 -> 25.1.2 -> 25.1.4

I run an iperf3 test on the 10gig interface and get this result (bad):

Code Select Expand

[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec   30             sender
[SUM]   0.00-10.11  sec  3.68 GBytes  3.12 Gbits/sec                  receiver

iperf Done.

Previous install instance had results like this (good):

Code Select Expand

[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec    0             sender
[SUM]   0.00-10.01  sec  10.9 GBytes  9.34 Gbits/sec                  receiver

iperf Done.

And the only way how to get performance is to go to the Interface -> Settings page and click SAVE.   This is without changing ANYTHING.  See attached picture.

Maybe my system is an outlier, I just thought I would post this to share my feedback.   There is something on the interface->settings page that is not auto-enabling these parameters through an OPNSense update.  You have to click the SAVE button to enable these settings. 

I'm OK with doing this, but its worth noting here as there is some "factory setting" preset that is being stealth applied in between patch updates.

Hope this is helpful to some.

 

Reading your message with the  "pray" comment.  Are you advising against updating to os-unifi9-maxit?   Currently using the one from your repository 8.6.9.  Just trying to understand the pray comment.  Thanks!

Not to necro an old thread.

I scratched my irrational impulse to upgrade to the latest OPNsense version  25.1->25.1.3 and this packet drop issue resurfaced.   Consistent loss of around 30% in iperf3 tests.

sysctl net.inet.ip.intr_queue_drops = 34112

I didn't set a backup point and realized I cannot roll back now.  Might have to fresh install again.

Something in the kernel from 25.1 is different from 25.1.3  I 'm not smart enough to figure out what it is.



 

I appreciate the help.  I am fairly new to OPNSense and came from Ubiquiti, so please excuse my dumb questions sometimes.   My reason for this thread was to see if I was missing something obvious to OPNsense and Plex because I know these are very popular applications for people with this type of enthusiast equipment equipment.

It appears my firewall is not the problem so I am missing creeping the topic a bit.  My reason for the follow up is "you don't know what you don't know", so if what I was doing was crazy, I pride myself on not being stubborn with tec, so I am more than willing to change.

Learned from you guys that I wasn't enabling the logging, and per your email what you wrote is correct:

Wrt rule #2, I stand with what I wrote if TRUSTED_RIG (2.x) is not on the IOT network (1.x).
Traffic originating from TRUSTED_RIG will get IN the FW on the 2.x interface.

As you wrote, it was a useless rule, so i deleted it.  I thought (incorrectly) that I needed to give the interface IoT an opening for my trusted rig to access those devices. Not sure  what I was thinking.  This is my first real firewall setup on OPNsense.


On that note, I am trying to enable some kind of DoH blocklis.  I had this enabled on my edgerouter and it was great; I couldn't believe how much nefarious stuff out there is daily trying to probe your router.  Wasnt sure how to implement something similar on OPNSense.  Not asking you to do my research for me, but since you are a security specialist, you might share a link to someone implementing this on OPNsense.  Or do I use Adguard Home as the platform for this?

https://github.com/dibdot/DoH-IP-blocklists


Appreciate the help BTW.

Here's how I read these:
Rule #1: Allow IOT Net to access the DNS server at IOT address (OPN hosted, Unbound or AGH or whatever). Very typical.
Rule #2: That's an IN (from the perspective of the FW) rule on the IOT interface and your TRUSTED RIG is probably not on that network so it won't be a source. This rule likely never fires.
Rule #3: Same? I'm not sure why your "work" devices would be on the IOT network. These devices are not depicted in your OP.
Rule #4: Allow access to the internet from the IOT interface (the source might as well be IOT_net. exceptions exists but unlikely in your case).
It's not blocking anything BTW.

The last rule is not enabled so I ignore it.

None of these rules are logging anything... the i is grey. If you want to see artifacts in the logs or live view, you need to enable logging.

Appreciate the help.  I enabled logging and did not see anything on either server or IoT interfaces.  I can pretty much conclude that it is 100% the kubernetes truenas application that is blocking this connection as the attempt to connect / discover the device is not even making it to the firewall.  I'm going to have to put on my big boy pants and learn how to docker compose a proper Plex Media Server.yml via jailmaker if I ever want to get this working.  So far I've failed miserably at doing this due to various bugs I can't discern.

I don't want to sidetrack the thread, as to the firewall rules.  But to your questions:

Rule #3: Same? I'm not sure why your "work" devices would be on the IOT network. These devices are not depicted in your OP.

I have one access point in the house on a single SSID (you are right its not on the flow chart but basically anything wifi is connecting via IoT network subnet).

My laptop and my wifes laptop are static IP's assigned to this TRUSTED_LAPTOPS alias that can basically go anywhere in my local network.  I have my reasons for doing this, but mainly has to do with 4 teenage or teenage children in my house with infinite devices all connecting, their friends,etc.  My main goal is to block porn/dark internet bad shit access from my Wifi for them via Adguard home.  Yes I know some people can get around this using cell networks (not my kids due to MDM on their phones) but thats another parents problem, not mine as far as I am concerned. 

I have my reasons for setting it up like this, in that I trust firewall rules over my knowledge of implementing VLANS (total noob).  Basically any device on my wifi that isn't manually assigned to Trusted Laptops (Alias) can only use the DNS server (adguard) to get to the internet.

I assume you think I am nuts.  From reading the how to's here and reddit, everyone is saying to have multiple SSID's for wifi, multiple VLANs, etc and manage all the cross talk via the VLAN permissions?  I just think policing the TRUSTED ALIAS firewall rule is easier and fits my needs just fine (its only 4 devices tops).  I checked it from multiple devices not on the TRUSTED_LAPTOPS alias on my wifi and they cannot access my server (unless through plex).

Managing multiple VLANS over trunk interfaces, multiple SSID's, etc. seems like way more work and overhead, and nightmare fuel for me to debug if something breaks with a future Windows 11 update, etc.  Probably childs play for a guy like you, but I like this way because its easier (for me) and the youtube (Home Network Guy) video convinced me it works.  It does work now as far as I can see.

Rule #4: Allow access to the internet from the IOT interface (the source might as well be IOT_net. exceptions exists but unlikely in your case).
It's not blocking anything BTW.

Do I have to define which networks it has to block?  Basically I don't want anything on that IOT (192.168.3.x) subnet being able to connect to my main rig (192.168.2.x) and server (192.168.1.x) subnets.    IT appeared to me the Private Networks alias is an industry standard term for anything with a 127, 192, 10, subnet.  I don't care what I have to type here but is an alias I make called 192.168.2.0, 192.168.3.0 better?

THanks guys.  I was away this weekend at my sons hockey tournament.  My original post has the metwork mapped out so these are PHYSICAL interfaces controlling the subnets.  Logging is set to whatver the Vanilla OPNsense factory settings are.

Interface 1:  Server (Plex Media SErver is IP address 192.168.1.48:32400)
Interface 2:  IoT (HDHomerun is ip address 192.168.3.77)

Pic related is my IoT rules.  Don't bully me if I cannot keep NSA glowies out of my system like you guys can with special elaborate rules; I followed this guys firewall rules system to a letter https://www.youtube.com/watch?v=TjXkWSjYqlM&t=1s   Seemed logical and correct.

Just as an update, some super helpful guy over on Plex explained the problem pretty well and how what I am experiencing is expected.
https://forums.plex.tv/t/live-dvr-plex-media-server-cant-detect-hd-homerun-over-different-subnet-to-server/906937/2

Neither him nor I could explain why my firewall doesn't show ANY traffic between subnets for this process when watching the live view.   I am just not qualified at this time to delve into the why or how within OPNsense over a relatively peripheral network need right now.   I am sure its some obscure Linux permission issue on Truenas or the k3s environment regarding ports.

Just thought I would share this here as the Plex expert explained in good detail the network protocols plex / hdhomerun use to communicate to each other.

"There was evidence.."?  I don't understand the post.  Tell me what else I need to install to make mDNS "installed".  Pic related is what downloading the plugin creates on 25.7 appears to look like.   

I tried every possible permutation of the ip4 subnet argument point.   Leaving it blank does nothing else.   My truenas server is 192.168.1.48 with PLex on port 32400.  The HD Homerun is on 192.168.3.77 (different subnet) no idea on the port it uses. 

I did install it and it appeared to install fine.  It didn't solve the problem, but this is not an OPNsense problem at this point.  Sorry to waste your time. 

Its a Kubernetes problem / Truenas  problem that fights you tooth and nail whenever you try to do simple basic networking stuff. 

I cannot understand why I can access my HDhomerun from EVERY device in the house via its IPaddress but Plex cannot and will not do so even when I enter it manually.   

I then started down trying to install plexmediaserver within dockge, which resoundedly defeated me in trying to mount network media via docker compose.  Sigh.
 Chatgpt is clueless and incorrect.

This is a (me) / Truenas problem gentlemen.  Us normies just can't have nice things.   Appreciate the help.  OPNsense is working great.

Before I replied, I had done a quick search. There's apparently plenty of people that have Plex and the tuner in separate VLANs.
It's apparently more difficult with the SiliconDust DVR because this one relies entirely on discovery via broadcast.
At least Plex lets you enter an IP for the tuner... So tuner discovery is out of the way.
Figuring out the rest should be simpler.

I think my local situation is probably making this more complicated than it needs to be.  I am using the AdguardDNS plugin so I have to look into how the mdns solution can play nice with both operating right now.   The mimugmail version of adguard on opnsense is extremely simple to install and get working, but  how it plays with mdns will have to be trial and error.   To be clear manually entering the ip address of my HDhomerun works for all devices (even IoT devices with no trust status), except the stupid plexmediaserver plugin on Truenas.  Its got to be that k3s setup.  I will try Plexmediaserver as a docker and see if that solves it first.  THe mdns rule I tried did not work, but I will admit I'm a total noob with mdns as of 5 minutes ago learning about it.