Messages - Hollywood

#1
General Discussion / Re: NordVPN OpenVPN client
January 05, 2026, 06:44:19 PM
@viragomann
I wrote my post late last night as I spent 2 afternoons trying to get this to work. It's morning now and I am seeing your reply. I quickly read your reply and it was written in a not too technical way, as I requested. Still, it takes some time to digest all of this. I want to thank you very much right now so I can have some time to retry slowly step by step.

I will get back after I try again. I saved a config file of settings with just my reserved static IPs and the actual VPN so if (when) I mess up I can get back to the place where I know it works. It looks like I just have to remove the "route-nopull" and then follow your notes.

Your help is very much appreciated and I didn't want to leave you hanging as I sometimes go slow.

Thanks!
#2
General Discussion / NordVPN OpenVPN client
January 05, 2026, 07:14:56 AM
Hello,
I successfully created an OpenVPN client with my Nord credentials. Connection Status shows Connected. After that I have been trying to follow web instructions, YouTube videos, and Google AI instructions. Basically, I can't get my traffic to go through the VPN. My test is that I am in the USA and the VPN server is in Canada and I use one of the websites that show your location.

These are the AI instructions I am using without any luck.
    • Instance Configuration (VPN > OpenVPN > Instances):
        ◦ Role: Client.
        ◦ Advanced Mode: Essential for detailed settings.
        ◦ Server Details: Protocol, port, CA, TLS key, credentials.
        ◦ Important Settings: Check "No (no) pull" under Miscellaneous to prevent server-pushed routes from overriding OPNsense's routing, or manage them carefully.
I GOT THIS FAR. Can anyone guide me with the next parts so that my traffic goes through the VPN? At some point I will also need split tunneling as some sites I visit will not allow access from a VPN, but at this point I just want to get it working. :)
Thanks! BTW, my skill level is following instructions, not necessarily understanding some of the technical aspects.


    • Firewall Rules:
        ◦ WAN Rules: Allow incoming VPN connection attempts (e.g., UDP 1194) to your OPNsense box.
        ◦ OpenVPN Interface Rules: Rules on the assigned OpenVPN interface (e.g., OPT1, VPN) control traffic leaving the tunnel towards your local network or the internet.
        ◦ Killswitch: Create a rule on the WAN to block traffic tagged with NO_WAN_EGRESS to prevent leaks if the VPN drops.
    • Traffic Management (Split Tunneling):
        ◦ Client Specific Overrides (CSO): Found under VPN > OpenVPN > Client Specific Overrides, these allow you to define unique routes or behavior for specific VPN users/clients, ideal for per-user split tunneling.
        ◦ Pushed Routes: The server can push routes (e.g., push "route 192.168.1.0 255.255.255.0") to clients, directing traffic to internal networks.

#3
Quote from: BrandyWine on December 22, 2025, 12:31:14 AM
Quote from: Hollywood on December 21, 2025, 12:36:36 PM
The SSIDs are already setup in the access point.

Is each SSID in its own subnet (vlan), and you trunk the wifi device to the firewall?

I haven't started yet. Now that the hardware is almost set on the rack, I have to tidy things up and probably take a break until after Christmas. The rack looks good though :)  I've had a lot of setbacks but it is a good feeling when I get past them. I just got to not get too burned out.

Thanks
#4
Quote from: BrandyWine on December 22, 2025, 12:24:47 AM
Is the pi booting with randomized MAC?

https://raspberrypi.stackexchange.com/questions/68513/pi-using-a-random-mac-address-after-every-reboot-how-do-i-stop-this-behavior
That's not it. I just didn't know how to reserve the IPs. I figured it out using Dnsmasq.
Thanks.
#5
Quote from: Bob.Dig on December 21, 2025, 03:31:07 PM
Quote from: Hollywood on December 21, 2025, 06:20:05 AM
to be a workable modem for my needs
And learn what a Modem is. ;)

Yeah... a typo. It was 3:30 in the morning :(
#6
Quote from: OPNenthu on December 21, 2025, 11:35:57 AM
Take your time, but do try to at least get an IoT network separate from your LAN.  That's the big win, IMO.

YES. I do have a lot of smart devices of different brands. My plan is a general home network, a VPN network, and an IoT network. The SSIDs are already set up in the access point. I have some network housekeeping to do today to clean up all of the temporary cables and such. It makes me crazy working in a mess, but it will clean up quickly and then I can relax and add the vlans at a no rush pace.

Thanks again!
#7
Thanks again. It looks like there were several ways to achieve a static IP for client devices. I'm glad I got it to work with Dnsmasq and it was not the worst of the methods. Every success means I learned something and I suspect I will revisit this (Kea DHCP) as I get more comfortable with opnsense.

The videos are all over the place as far as the speed of the person's voice and even an accent, as my hearing misses a lot at my age. Some are helpful though.

I needed static IPs for my music server and players. Now that I have a basic working router, I will install it permanently and add the other features I want as I go, ...and be sure to look at that documentation. :)

The next steps will be adding an openVPN client and a few vlans. I know the concept of both from other routers and neither will slow me from using opnsense in the meantime.

As I am writing this, there is one thing I also will add: a way to write a backup to a separate ssd so I can restore it if (when) I mess up. I'm just talking out loud here. The point is there will always be ideas to make MY router better, ....and mine.

Thanks again!!!

#8
@OPNenthu

Great reply and just what I hoped. Thank you so much for the detailed answer and explanation!

#9
I got to the point where I have opnsense setup well enough to be a workable modem for my needs.

I realize that opnsense wouldn't have so many options if it didn't tailor any need, but starting out,....

Is opnsense basically as secure as most mainstream routers with the default settings? I'm not asking for help here. I just want to know if the default settings are relatively safe until I continue to learn.

Thanks!

#10
@passeri

As all of this is new to me I am learning as I go. I just went into the Dnsmasq section and although it's laid out differently, it allowed me to set a reserved IP similar to most other routers.

That was my learning goal for today and it was a success!

Thanks again!
#11
Thanks for your replies. It takes me awhile to digest new stuff. I am watching YouTube videos to help. I think I can get it with time.

I'm not sure what ISC stands for, but from what I understand, I can use either Dnsmasq or Kea DHCP, but not both. I think I need to also make a new interface in Kea DHCP, and I am trying to learn that now.

You are pointing me in the right direction and it matches what youtube has. Luckily I have a backup router in case (when) I screw something up.

Thanks again!
#12
I just noticed this...
#13
Quote from: passeri on December 21, 2025, 02:39:13 AM
Did you mean to write "Services>Kea DHCP>Leases DHCPv4"?

I ask because you see no leases at all, and I lack information on whether Kea is set up correctly, ISC off. Are interfaces set? Are there devices which should have dynamic addresses?

Thanks for your reply. A lot of this stuff has similar wording and abbreviations. It's confusing, so I hope these screen shots explain what I have.

Thanks again!
#14
Hello again,

2nd post here.

I set up my opnsense computer to be my router connected to a Zyxel managed switch. So far I have internet and can list the connected clients via Interfaces>Diagnostics>ARP Table. My question for help here is with reserving a static IP for some of those devices. On some of the devices I was able to set the IP in the device itself and opnsense shows those properly. I would like to set up other devices at router level.

I *tried* some things. I may be missing something or be completely off track, but here is what I have so far.

Under Services>Kea DHCP>Kea DHCPv4,
under the tab Settings I clicked Enable.
under the tab Subnets I created 192.168.1.1/24 with a pool of 192.168.1.100 - 192.168.1.254
under the tab Reservations I chose that above Subnet, entered (pasted) the MAC address, and assigned 192.168.1.24 to be the IP and applied.

After rebooting both the router and the device (a Raspberry Pi), it still gets assigned a random dynamic IP.

I searched Google and it said to go to
Quote
Go to Services > DHCPv4 > Leases.
Find your device: in the list of current leases (look for its MAC address) or click the + button to add a new entry.
Under Services > DHCPv4 > Leases I do not have anything listed. I think that might be a clue as to the problem, but at this point I need help.

Am I completely off? Can anyone tell me what I need to do to assign static IPs?

Thanks!
#15
General Discussion / Re: Please help getting started...
December 19, 2025, 02:05:52 AM
Quote from: Maurice on December 19, 2025, 01:15:18 AM
Quote from: Hollywood on December 18, 2025, 11:44:28 PM
The WAN is now 192.168.10.72 and the LAN is 192.168.10.71.
You cannot use the same subnet for WAN and LAN. Just keep the default settings - WAN as DHCP client (so it'll get an address from your Asus router) and LAN as static IPv4 192.168.1.1/24.

Maurice,
Everything you helped with was spot on! Some of it I knew, some I was just trying because I was guessing. I did another opnsense reset so that there would be no old settings confusing things. On a hunch, I swapped the LAN and WAN cables on the opnsense PC as auto-configuring the WAN IP was taking so long. It turned out to be the solution/problem.

Now my desktop PC sees the opnsense PC on the ethernet port and I have internet and could logon to opnsense (without being on that wifi network).

I would also like to thank you for not bashing me for writing DCHP instead of DHCP :)  It actually may have let you know my (lack of) skill level. Anyway, the opnsense PC is now a basic router and I can install it in my rack, and do the rest as I have time and watch some youtube videos.

Your help and hints where to look solved this and is greatly appreciated!

THANK YOU!