Messages - s3b0

#1
Got it - thx :)
#2
Thx - fixed thanks to you.

So should I think of the directions quite differently: "in" is from my net (into the internet) and "out" is to my net (from the internet)?

Like this:
Internet -> Out rule of WAN -> Out rule of LAN -> LAN
Internet <- In rule of WAN <- In rule of LAN <- LAN
or like this:
Internet -> In rule of WAN -> Out rule of LAN -> LAN
Internet <- Out rule of WAN <- In rule of LAN <- LAN

??
#3
Hi,

I'm trying to block all traffic from an IP range (via an alias) but nothing is working - I didn't have this problem on my previous firewall, but with OPNsense I can't make it work; maybe I'm missing something.

The IP range to block is 192.168.2.50-192.168.2.59 (alias: Cameras, alias type is Hosts).
[attachment not available]

Out of desperation I made redundant rules on the WAN and LAN interfaces:
[attachment not available]
[attachment not available]

But, even after resetting states, OPNsense shows me
[attachment not available]

and one of my crap cams is still connected to its cloud.

What am I doing wrong?
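An added example for the two questions above (the rule-direction question in #2 and the Cameras block rule in #3). This is not code from the thread or from the OPNsense project; it is a small Python model of how a two-interface pf-style firewall evaluates interface rules by direction. It assumes pf's semantics ("in" = packet entering the firewall on that interface, "out" = packet leaving it on that interface), first-match evaluation per interface (OPNsense GUI rules have "quick" set by default), that a hop with no matching rule is passed (a stand-in for the stock "allow LAN to any" rule and the state it creates), and it uses a constructed cloud address 203.0.113.10 and a constructed expansion of the Cameras alias to the range given in the post.

```python
"""Directional rule evaluation on a two-interface firewall (LAN + WAN).

Added example, not code from the forum thread or from OPNsense. Assumptions:
  * "in" on an interface = packet entering the firewall on that interface,
    "out" = packet leaving the firewall on that interface (pf semantics).
  * Per interface, rules are checked top to bottom, first match wins
    (OPNsense GUI rules have "quick" enabled by default).
  * A hop with no matching rule is passed: a simplification standing in for
    the stock "allow LAN to any" rule and the state it creates.
  * The Cameras alias is the constructed range 192.168.2.50-192.168.2.59.
"""
from dataclasses import dataclass
from ipaddress import ip_address

ANY = frozenset({"any"})  # wildcard for src/dst


def expand_range(spec: str) -> frozenset:
    """Expand 'first-last' into the individual IPv4 addresses it covers."""
    first, last = (ip_address(p.strip()) for p in spec.split("-"))
    return frozenset(str(ip_address(n)) for n in range(int(first), int(last) + 1))


# Constructed alias table; "Cameras" mirrors the range from the post.
ALIASES = {"Cameras": expand_range("192.168.2.50-192.168.2.59")}


@dataclass(frozen=True)
class Rule:
    interface: str   # "LAN" or "WAN"
    direction: str   # "in" or "out"
    action: str      # "block" or "pass"
    src: frozenset   # set of addresses, or ANY
    dst: frozenset   # set of addresses, or ANY

    def matches(self, iface: str, direction: str, src: str, dst: str) -> bool:
        return (self.interface == iface and self.direction == direction
                and ("any" in self.src or src in self.src)
                and ("any" in self.dst or dst in self.dst))


def hops(entry_iface: str):
    """Interfaces and directions a packet is checked against, in order.
    LAN -> internet: in on LAN, then out on WAN.
    internet -> LAN: in on WAN, then out on LAN."""
    if entry_iface == "LAN":
        return [("LAN", "in"), ("WAN", "out")]
    return [("WAN", "in"), ("LAN", "out")]


def trace(rules, entry_iface: str, src: str, dst: str, states=frozenset()):
    """Return (verdict, log) for one packet.

    `states` holds (src, dst) pairs that already have a state entry; those
    are passed without consulting the rules, which is why a new block rule
    only bites after the old states have been reset."""
    if (src, dst) in states:
        return "pass", [("state", "existing", "pass")]
    log = []
    for iface, direction in hops(entry_iface):
        action = "pass"  # no matching rule: passed (see module docstring)
        for rule in rules:
            if rule.matches(iface, direction, src, dst):
                action = rule.action
                break  # first match wins
        log.append((iface, direction, action))
        if action == "block":
            return "block", log
    return "pass", log


# A camera on LAN talking to a constructed cloud address on the internet.
CAM, CLOUD = "192.168.2.55", "203.0.113.10"

# Block rule placed on WAN "in": it never sees the camera's outbound packet,
# because that packet enters the firewall on LAN and only leaves via WAN.
MISPLACED = [Rule("WAN", "in", "block", ALIASES["Cameras"], ANY)]
# Block rule placed on LAN "in": the interface the camera's traffic enters on.
CORRECT = [Rule("LAN", "in", "block", ALIASES["Cameras"], ANY)]

if __name__ == "__main__":
    print("WAN-in rule, new camera flow :", trace(MISPLACED, "LAN", CAM, CLOUD))
    print("LAN-in rule, new camera flow :", trace(CORRECT, "LAN", CAM, CLOUD))
    print("LAN-in rule, existing state  :",
          trace(CORRECT, "LAN", CAM, CLOUD, states={(CAM, CLOUD)}))
```

Running it shows the point from both posts: traffic from the cameras toward the internet is matched by an "in" rule on LAN (and then an "out" rule on WAN), so a copy of the block rule on WAN "in" contributes nothing for that direction, while a rule on WAN "in" is what inbound traffic from the internet meets first. The third trace shows that an existing state bypasses the rules entirely, which is why states must be reset for a new block rule to affect a camera that is already connected.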

#4
Quote from: pfry on October 02, 2025, 06:56:11 PM
Quote from: s3b0 on October 02, 2025, 09:56:28 AM
[...]
1. I wonder why there are so many options for DNS and DHCP (in the menu I can see at least 3: Dnsmasq DNS & DHCP, ISC DHCPv*, Kea DHCP, Unbound DNS). Which one should I use and how do I remove the unused ones to avoid misconfiguration?

Flexibility. Choose one and use it, and simply disable the others (you cannot remove them easily). For instance, I do not use OPNsense for DNS processing, so I use Kea for DHCP.

Quote from: s3b0
2. I've tried to make some VLANs to isolate some IoT stuff [...]

I understand what you'd like to accomplish, but not how, given your equipment. I isolate traffic using VLANs, using a Netgear MS510TX switch (smart/web managed) that I've broken down into a port expander. That is, ports 1-9 are each assigned a unique VLAN, untagged, and port 10 has all, tagged, and uplinks to a port on my firewall. Clients plugged into the switch do not have to be VLAN-aware. Note that this is not a common configuration, as most folks would prefer that their switch actually switches, and would have fewer VLANs assigned to multiple ports. You can accomplish something similar with basically any switch that offers some sort of management. A cheap example would be the Netgear GS108T, but there are (very) many others (ServeTheHome is a good resource if you'd like to look at quick reviews).

I also cheesily isolate my wi-fi by breaking down my AP (OpenWRT) into two bridges, one for management and one for wi-fi client access. The management bridge acquires an IP via DHCP; the access bridge has no IP. The OpenWRT firewall is broken down such that it only isolates the bridges, and wi-fi clients are isolated from one another. Wi-fi client DHCP is served from the firewall. Oh, the management side is a bridge so that I can assign multiple ports to it, just in case. I could divide the management from access via VLANs and save a port, but I prefer to minimize special port configuration and I have plenty of switch ports.

This is not to say that you can't make VLANs work for you with your current hardware... but I don't think it's what you're looking for. In the short term you might consider foregoing the isolation. Another isolation option would be additional port(s) on your firewall, each serving a different switch.

And, of course, other folks here may have different/better advice.


Thx - so, as far as I can tell, I must have a switch that supports tagging and do the VLAN isolation there (and on OPNsense too). I don't want to spend more on my net, so I think I will stay with one network + DHCP, split the subnet addresses among my hardware and isolate them with firewall rules. It will keep my setup simple and ... cheap :). I had that kind of configuration on pfSense and it worked :) - so I'll stay that way.

One more "Thank you" for the fulfilling answer ;)
#5
Hi,
I'm not a network administrator, so don't be too cruel if I ask something that is obvious to you :). I'm still learning ;) and I need a firewall for my home setup.

But to the point, a few questions:
1. I wonder why there are so many options for DNS and DHCP (in the menu I can see at least 3: Dnsmasq DNS & DHCP, ISC DHCPv*, Kea DHCP, Unbound DNS). Which one should I use and how do I remove the unused ones to avoid misconfiguration?

2. I've tried to make some VLANs to isolate some IoT stuff (smart plugs, IP cameras and so on), but every time I reboot my router (after adding VLANs) my VLAN parent NIC is not giving DHCP addresses to connected devices. Do I need to do some sort of firewall rule tweaking first (before the reboot) to make DHCP work? Without an IP address I can't connect to the administration GUI :) and cannot configure further. Maybe I don't understand something?
Here is my topology:
- one main gateway (OPNsense), where I'm trying to do VLANs. Only two NICs, one for the ISP (internet access), the second for LAN (on this device I would like to have a VLAN with DHCP)
- one main switch (not managed), 16 Ethernet ports
- one PoE switch for IP cameras (not managed)
- 2 OpenWrt dumb switches and Wi-Fi access points (they rely on IPs from the main gateway for the Wi-Fi and Ethernet bridges); all devices are connected here
- some home computers <- I would like them not to use a VLAN at all, only DHCP on the VLAN parent NIC
- plenty of Wi-Fi smart plugs and some cleaning robots (all on Wi-Fi) <- these should be in the VLAN

3. Do you know any Quick Start for noobs (like me :)) who want to start playing with OPNsense? The documentation is very good, but it is more for advanced users looking for advice than for how to start. I've tried to look for something on YouTube but... there is more for pfSense than for OPNsense.