Messages - zakaron

#1
My initial thought too was that the bogon option being on by default is causing you issues. That article is a good reference for that. When I first set up my Opnsense box, I had it double-NATed behind an old Fortigate 90D. I turned off "block private and bogon networks" on the WAN port and had no issue completing my setup.
#2
pfry, thank you for that link. I must have skipped over that part when going through the documentation. Most networks I set up I do just use a network management vlan as the untagged vlan between switches and firewalls, but I have seen others use vlan 1 as their untagged and then just disable vlan 1 on all the switches. I have not noticed any ill side effects yet. I have my Opnsense server connected to an Alcatel switch. I have just learned to live with the statistics showing ALL traffic combined for every vlan on the management untagged vlan, but I may now go back and redo this based on that recommendation.

Inxsible, that seems reasonable to just modify the xml file and reimport, but I would check to make sure you have your System -> Settings -> Administration "listen on interfaces" set to the appropriate interface / vlan you want to access it from. Also, make sure your firewall policy allows you to access the webUI, though the built-in anti lockout policies may have you covered.
When I mentioned having access to the console, it was more for updating the IP of your main interface, so that if you do lose access you can easily change it back. As long as your PC is on the same vlan as your listening interface, you can always set your PC IP manually to match something in the same subnet as that interface.
#3
You are correct in your assessment. With 192.168.40.0 assigned to the physical interface (seen as "lan" under your assignments), that traffic is untagged and will match whatever your default vlan is on your switchport. The easiest way to change this would be to have console access to your Opnsense server. If that is not possible, put a PC in the same vlan as Opnsense, which it sounds like is already the case. Change the IP on the Opnsense interface (assuming 192.168.50.1), then manually set your PC to something in that same subnet (192.168.50.2). You'll be able to reach your firewall now, and then complete the vlan 40 setup. Just make sure your switches have an IP in the new vlan 50 and have that vlan 50 set as the default vlan between uplinks.
#4
This seems like a pretty standard setup that you are proposing. If you ask 10 different network engineers, you'll probably get slightly different nuances between them. For me, I like having a dedicated network management vlan. This would be your default or native vlan between switches and firewall. This would be the address range to assign your managed switches and Opnsense. I threw my Aruba cluster APs on the network management scope also, since I didn't feel a need to have them on their own AP management vlan. I would also suggest a server vlan since you mentioned having a NAS. I run a couple of other servers (like Plex), so I created a vlan for just servers. My old Dell R210 (this runs my Opnsense) only has 2 ethernet ports, so I had to build all vlans under 1 port, but for home use and even small/medium office use 1Gb is plenty of bandwidth. You can get fancy and create a link aggregate (lagg) in Opnsense with eth1 and eth3 using the LACP protocol and then create a port-channel (or linkagg, depending on what vendor terminology you prefer) on the switch. That will give you 2Gb bandwidth for all vlans to route between one another if you feel like getting fancy. Again, 1Gb would be plenty, but since you have an unused port I threw that out there.

As for address space, your proposed 10.1.x.x as a /24 should suffice, unless you have more than 254 devices going into that vlan. In that case, I would suggest a 10 number like cookiemonster proposed, so that if you needed to extend a vlan's address range you can easily do so without running into the next. For example:
vlan 1 = 10.1.1.0/24
vlan 2 = 10.1.2.0/24

If you ever needed to extend vlan 1 to a /23, that address space would interfere with vlan 2. If you did this:
10.1.10.0/24
10.1.20.0/24

You would be able to extend your vlan's subnet without interference. Just thoughts for future proofing.

Also remember that when creating your policies, think of the vlan just like an interface. Traffic coming in on vlan 1 is just like traffic coming in on a physical eth 1 interface.

I set mine up like this:
vlan 10 = network management 10.4.10.0/24
vlan 20 = servers 10.4.20.0/24
vlan 30 = hard wired PCs 10.4.30.0/24
vlan 40 = printers 10.4.40.0/24
vlan 50 = private wifi 10.4.50.0/24
vlan 60 = guest wifi 10.4.60.0/24

I didn't have to create vlan 10 on Opnsense since this is my native/default vlan - I just assigned IP 10.4.10.1 to my LAN-facing port. I then created all vlans on the switches and used vlan 10 as the default/native on the uplink to the Opnsense server and on each switch-to-switch uplink.

Good luck with your new build out!
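An added example (not from the post or from OPNsense) that makes the future-proofing argument above concrete: for each VLAN in a plan, it computes how far its /24 can grow in place before the aligned supernet would overlap another VLAN. The two plans are constructed from the post's tight (10.1.1.0, 10.1.2.0) and spaced (10.1.10.0, 10.1.20.0) layouts.

```python
import ipaddress

# Constructed plans, taken from the post's two examples.
TIGHT_PLAN = {"vlan 1": "10.1.1.0/24", "vlan 2": "10.1.2.0/24"}
SPACED_PLAN = {"vlan 10": "10.1.10.0/24", "vlan 20": "10.1.20.0/24"}


def max_growth_prefix(plan, name, floor=8):
    """Shortest prefix length (largest block) the named VLAN can grow into.

    Growing a /24 to a /23 means replacing it with the aligned /23 that
    contains it (ipaddress.supernet does that alignment). We stop at the
    first size whose supernet overlaps any other VLAN in the plan.
    """
    nets = {n: ipaddress.ip_network(cidr) for n, cidr in plan.items()}
    me = nets[name]
    others = [net for n, net in nets.items() if n != name]
    best = me.prefixlen
    for new_prefix in range(me.prefixlen - 1, floor - 1, -1):
        candidate = me.supernet(new_prefix=new_prefix)
        if any(candidate.overlaps(other) for other in others):
            break
        best = new_prefix
    return best


def headroom_report(plan):
    """Map each VLAN name to the largest prefix it can grow to in place."""
    return {name: max_growth_prefix(plan, name) for name in plan}


def plan_has_no_overlap(plan):
    """Sanity check that no two VLAN subnets in the plan overlap today."""
    nets = [ipaddress.ip_network(cidr) for cidr in plan.values()]
    return all(not a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for label, plan in (("tight", TIGHT_PLAN), ("spaced", SPACED_PLAN)):
        print(label, headroom_report(plan))
```

The spaced plan lets each /24 grow to a /20 before it collides with its neighbour, while the tight plan only allows a /23.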
#5
Hardware and Performance / Re: Disk Usage Question
June 29, 2025, 06:06:20 PM
I too am new to Opnsense, but not to FreeBSD. A base FreeBSD install is very light on disk usage requirements, which it seems they've kept in mind when developing Opnsense. I too have 500GB storage (albeit spinning disks, but that doesn't matter here). If you go to a shell prompt, run:

df -h

This will show how much space is actually being used. On my system, it is only using 1.3GB out of a formatted 440GB on root, which is less than 1%, so it continues to show 0% on the dashboard. I do not have Netflow turned on, but if I did that usage would certainly change.