Messages

To correct myself, the new rules allow ruleset sharing.

Thanks! I just got the new batteries for my UPS yesterday and will set the OPNsense PC up like this.

I had my LAN connected to igc0, an RJ45 port. Now I use ixl0, an SFP+ port. Works great and fast.

My question is, could I  also assign igc0 as another LAN port and plug in my VOIP adapter? My thought is that if I just have the OPNsense miniPC and the VOIP adapter plugged into the battery backup, with just 2 items, the UPS would have a longer running time if/when needed.

And speaking of emergency use, I have a nice managed switch and access point, but if they are not on battery backup, could the OPNsense PC broadcast an SSID for temporary use?

Thanks.

@viragomann
I wrote my post late last night as I spent 2 afternoons of trying to get this to work. It's morning now and I am seeing your reply. I quickly read your reply and it was written in not too technical way as I requested. Still, it takes some time to digest all of this. I want to thank you very much right now so I can have some time to retry slowly step by step.

I will get back after I try again. I saved a config file of settings with just my reserved static IPs and the actual VPN so if (when) I mess up I can get back to the place where I know it works. It looks like I just have to remove the "route-nopull" and then follow your notes.

Your help is very much appreciated and I didn't want to leave you hanging as I sometimes go slow.

Thanks!

[Thanks!]

Hello,
I successfully created an OpenVpn client with my Nord credentials. Connection Status shows Connected. After that I have been trying to follow web instructions, Youtube videos, and google AI instructions. Basically, I can't get my traffic to go Through the VPN. My test is that I am in the USA and the VPN server is in Canada and I use one of the websites that show your location.

These are the AI instructions I am using without any luck.
    • Instance Configuration (VPN > OpenVPN > Instances):
        ◦ Role: Client.
        ◦ Advanced Mode: Essential for detailed settings.
        ◦ Server Details: Protocol, port, CA, TLS key, credentials.
        ◦ Important Settings: Check "No (no) pull" under Miscellaneous to prevent server-pushed routes from overriding OPNsense's routing, or manage them carefully.
I GOT THIS FAR. Can anyone guide me with the next parts so that my traffic goes through the VPN? At some point I will also need split tunneling as some sites I visit will not allow access from a VPN, but at this point I just want to get it working. :)
Thanks! BTW, my skill level is following instructions, not necessarily understanding some of the technical aspects.

    • Firewall Rules:
        ◦ WAN Rules: Allow incoming VPN connection attempts (e.g., UDP 1194) to your OPNsense box.
        ◦ OpenVPN Interface Rules: Rules on the assigned OpenVPN interface (e.g., OPT1, VPN) control traffic leaving the tunnel towards your local network or the internet.
        ◦ Killswitch: Create a rule on the WAN to block traffic tagged with NO_WAN_EGRESS to prevent leaks if the VPN drops.
    • Traffic Management (Split Tunneling):
        ◦ Client Specific Overrides (CSO): Found under VPN > OpenVPN > Client Specific Overrides, these allow you to define unique routes or behavior for specific VPN users/clients, ideal for per-user split tunneling.
        ◦ Pushed Routes: The server can push routes (e.g., push "route 192.168.1.0 255.255.255.0") to clients, directing traffic to internal networks.

The SSIDs are already setup in the access point.

Is each SSID in it's own subnet (vlan), and you trunk the wifi device to the firewall?

I haven't started yet. Now that the hardware is almost set on the rack, I have to tidy things up and probably take a break until after Christmas. The rack looks good though :)  I've had a lot of setbacks but it is a good feeling when I get past them. I just got to not get too burned out.

Thanks

Is the pi booting with randomized MAC?

https://raspberrypi.stackexchange.com/questions/68513/pi-using-a-random-mac-address-after-every-reboot-how-do-i-stop-this-behavior

that's not it. I just didn't know how to reserve the IPs. I figured it out using Dnsmasq.
Thanks.

to be a workable modem for my needs

And learn what a Modem is. ;)

yea... a typo. It was 3:30 in the morning :(

Take your time, but do try to at least get an IoT network separate from your LAN.  That's the big win, IMO.

YES. I do have a lot of smart devices of different brands. My plan is a general home network, a VPN network, and an IoT network. The SSIDs are already setup in the access point. I have some network housekeeping to do today to clean up all of the temporary cables and such. It makes me crazy working in a mess, but it will clean up quickly and then I can relax and add the vlans at a no rush pace.

Thanks again!

Thanks again. It looks like there were several ways to achieve a static IP for clients devices. I'm glad I got it to work with Dnsmasq and it was not the worst of the methods. Every success means I learned something and I suspect I will revisit this (Kea DHCP) as I get more comfortable with opnsense.

The videos are all over the place as far as the speed of the persons voice and even an accent as my hearing misses a lot at my age. Some are helpful though.

I needed static IPs for my music server and players. Now that I have a basic working router, I will install it permanently and add the other features I want as I go, ...and be sure to look at that documentation. :)

The next steps will be adding an openVPN client and a few vlans. I know the concept of both from other routers and neither will slow me from using opnsense in the meantime.

As I am writing this, there is one thing I also will add, is a way to write a backup to a separate ssd so I can restore it if (when) I mess up. I'm just talking out loud here. The point is there will always be ideas to make MY router better, ....and mine.

Thanks again!!!

@OPNenthu

Great reply and just what i hoped. Thank you so much for the detailed answer and explanation!

I got to the point where I have opnsense setup well enough to be a workable modem for my needs.

I realize that opnsense wouldn't have so many options if it didn't tailor any need, but starting out,....

Is opnsense basically as secure as most mainstream routers with the default settings. I'm not asking for help here. I just want to know if the default settings are relatively safe until I continue to learn.

Thanks!

@passeri

As all of this is new to me I am learning as I go. I just went into the Dnsmasq section and although it's laid out different, it allowed me to set a reserved IP similar to most other routers.

That was my learning goal for today and it was a success!

Thanks again!

thanks for your replies. It takes me awhile to digest new stuff. I am watching youtube videos to help. I think I can get it with time.

i'm not sure what ISC stands for, but from what I understand, I can use either Dnsmasq or Kea DHCP, but not both. I think I need to also make a new interface in Kea DHCP, and I am trying to learn that now.

You are pointing me in the right direction and it matches what youtube has. Luckily I have a backup router in case (when) I screw something up.

Thanks again!

I just noticed this...

Did you mean to write "Services>Kea DHCP>Leases DHCPv4"?

I ask because you see no leases at all, and I lack information on whether Kea is set up correctly, ISC off. Are interfaces set? Are there devices which should have dynamic addresses?

Thanks for your reply. A lot if this stuff has similar wording and abbreviations. It's confusing, so I hope these screen shots explain what I have.

Thanks again!