Messages - nero355

#1
Quote from: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM: Do you have an alternative brand / products to suggest?
Mikrotik.
We are dealing here with a "Beginner" and, despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything, I am not sure if that's a good idea?

Quote from: Boxer on April 13, 2026, 10:03:56 PM: First, let me apologise. The Tapo APs ping those servers (reddit, netflix etc.) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode.
Tapo?! Are you talking about TP-Link M4 Mesh Sets or something else?!

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM: It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.
I think you have misunderstood my reply about Accesspoints and IP Addresses...

What you are describing is pretty much as expected because you need a way to manage them via their webGUI or some kind of app on your Phone/Tablet :)

Quote from: bloodyNetworker on April 13, 2026, 07:41:29 PM: The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?
I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Quote: Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Everyone does it these days and a lot of it can be disabled in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system : Ubiquiti UniFi
You need multiple steps to disable everything :
- Two different places in the webGUI of the UniFi Controller.
- And another additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so-called 'Provisioning' for all your devices to apply the changes in that file!!

And don't get me started about TVs and Mobile Devices and all the adware/spyware and horrible EULAs you have to accept so you can use them even though you have paid a lot of money for them...

Quote from: bloodyNetworker on April 13, 2026, 11:19:45 PM: EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
That's really a shame...

The M4 units are one of, if not THE cheapest option to have Accesspoints everywhere in the house :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM: This was my original idea, but nero355 told me this could go wrong if I were to put them in the IOT VLAN.
Please note:
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints!!

Quote: The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected, since the switch makes sure that they can all speak to each other.
Every time you mention a NIC and Accesspoint it sounds like you are using the Accesspoint as an extension of the NIC in a PC?!

So like I said above : Please make a scheme/drawing of your network setup!
#2
Quote from: Patrick M. Hausen on April 13, 2026, 11:55:05 AM: The scroll bar I marked in red should not exist. The box around the rules should not exist. The rules table should be rendered on the page extending downward as far as necessary and the browser scroll bar should be used to get at the lower ones.

Duplicating a function the browser already brings inside the page is bad, IMHO.

Also it does not automatically use all the width I have available ...
I think you have uploaded the wrong screenshot?!

I see SNMP stuff and not Firewall Rules ?

Quote from: bimbar on April 13, 2026, 10:38:50 AM: Coming back to the general issue of modern UIs - there is a general trend to waste space.

I don't think that is something one should accept as normal and reasonable.
You have no idea how much I agree with you on that one... It's driving me mad sometimes!!! :(
#3
General Discussion / Re: Configuration Advice?
April 13, 2026, 02:45:06 PM
Quote from: drosophila on April 13, 2026, 02:35:24 AM: Don't smart switches provide the option of restricting the configuration access to a specified port only anymore? At least HP had that over a decade back.
Of course they do, but not everyone seems to know, for whatever reason :)
#4
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 02:40:46 PM
Quote from: Patrick M. Hausen on April 13, 2026, 12:13:01 AM
Quote from: nero355 on April 13, 2026, 12:05:27 AM: For any Accesspoint to function it does need any kind of IP Address at all
It does *not* need ... 🙂
Thnx! :)
#5
General Discussion / Re: Trouble understanding VLANs
April 13, 2026, 12:05:27 AM
Quote from: bloodyNetworker on April 12, 2026, 09:59:23 PM: I'm struggling to understand your explanation how access points are set up.

I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.

I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.
For any Accesspoint to function it does not need any kind of IP Address at all: It's all Layer 2 communication based on the Hardware Address, a.k.a. the MAC Address.
It's basically a Switch with Wireless Ports and Cables: The SSIDs :)

I am sure you can find some good documentation about this that explains everything you need to know!

Quote: Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.
True! :)

Quote: Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, I'd rather take that one.
You can, of course!

Quote: It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulate their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.
OK, but it's not that hard really:
- Leave their Network Interface in the Default LAN that OPNsense comes with.
This will be your Management Network and connected as Untagged on the Switchport.
- All other VLANs will be transported to the Accesspoint as Tagged on the same Switchport.
- Then you configure an SSID that is Tagged with a VLAN of your choice.
Usually you can create between 4 and 8 SSIDs on one Accesspoint.

Quote: I see the potential... Tangled cables? BEGONE!
That too! :)

Quote: EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparison site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html
Are you saying you can not connect each Accesspoint via its own UTP cable?

Always look at the Specifications on the website of the manufacturer:
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

Quote: I hope it's ok to post links from other sites here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.
Don't worry about that: It's OK! :)
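To make the two points above concrete (an Accesspoint is a Layer 2 switch that forwards on MAC addresses and needs no IP of its own, and the trunk to it carries the management network untagged plus every other VLAN tagged), here is a small model of that trunk in Python. It is an added example written for this page, not code from this thread, from OPNsense or from any TP-Link/Omada product. The 802.1Q wire format (TPID 0x8100, 12-bit VLAN ID in the TCI) is the real one; the VLAN numbers, network names, SSID names and port names are assumptions for illustration only.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows

# Assumed numbering for this example (not from the thread): the OPNsense default LAN
# is VLAN 1 and is the untagged/native VLAN (PVID) on the AP's switch port; every
# other network reaches the AP as a tagged VLAN on that same port.
PVID = 1
NETWORKS: Dict[int, str] = {1: "LAN (management)", 10: "TRUSTED", 20: "IOT", 30: "UNTRUSTED"}
# Per-SSID VLAN tag configured on the AP (assumed SSID names).
SSID_TO_VLAN: Dict[str, int] = {"home": 10, "iot": 20, "guest": 30}


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]      # None: the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Serialise an Ethernet frame; insert an 802.1Q tag (PCP 0, DEI 0) when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and an optional single 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan, off = tci & 0x0FFF, 18       # low 12 bits of the TCI are the VLAN ID
    return Frame(raw[0:6], raw[6:12], vlan, ethertype, raw[off:])


def ap_to_uplink(ssid: str, client_frame: bytes) -> bytes:
    """AP side: a frame received on an SSID leaves the uplink tagged with that SSID's VLAN
    (untagged only if the SSID maps to the native VLAN). No IP address is involved."""
    f = parse_frame(client_frame)
    vlan = SSID_TO_VLAN[ssid]
    return build_frame(f.dst, f.src, f.ethertype, f.payload, None if vlan == PVID else vlan)


def switch_ingress(raw: bytes) -> Tuple[int, str]:
    """Switch side of the trunk: untagged frames land in the PVID, tagged frames in their
    VLAN, and a tag that is not allowed on the port is dropped (raised here)."""
    f = parse_frame(raw)
    vlan = PVID if f.vlan is None else f.vlan
    if vlan not in NETWORKS:
        raise ValueError(f"VLAN {vlan} is not allowed on this trunk port")
    return vlan, NETWORKS[vlan]


class LearningBridge:
    """Minimal learning bridge, which is all an AP or switch needs to forward: the table is
    keyed by (VLAN, MAC), so the same MAC in another VLAN is a different entry."""
    def __init__(self) -> None:
        self.fdb: Dict[Tuple[int, bytes], str] = {}

    def handle(self, in_port: str, raw: bytes) -> Optional[str]:
        """Learn the source, then return the out port for the destination, or None to flood the VLAN."""
        vlan, _ = switch_ingress(raw)
        f = parse_frame(raw)
        self.fdb[(vlan, f.src)] = in_port
        return self.fdb.get((vlan, f.dst))


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP request from a wireless client on the "iot" SSID.
    client = bytes.fromhex("020000000001")
    arp = build_frame(b"\xff" * 6, client, 0x0806, b"\x00" * 28)
    on_wire = ap_to_uplink("iot", arp)
    print(parse_frame(on_wire).vlan, switch_ingress(on_wire))   # 20 (20, 'IOT')
```

Two things worth noticing when you configure the real switch port the same way: whatever the AP sends untagged (its own management traffic, or an SSID you forgot to tag) lands in the PVID, so keep that the network you actually want to manage the AP from; and a VLAN that is not a member of the trunk port simply does not exist for the AP, which is the switch-side check that keeps a mis-tagged SSID from reaching a network you did not allow.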
#6
Quote from: pseudonym3k on April 12, 2026, 09:24:40 PM
Quote from: nero355 on April 12, 2026, 07:54:23 PM: It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.
When you cut it off like that then yes, but the whole sentence is simply to steer you to the right place with the right information, because this:
Quote: I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.
is the whole problem these days: YouTubers who think they know everything telling people half the story because they also don't understand what they are doing exactly!

And when something goes wrong no one turns to them : They turn to the forums!
And when they do turn to them then they often get no reply at all...

But the main reason I posted that is because it's simply the truth :
Read.
Read a lot.
Read multiple times even if you have to!

Before I did my first FreeBSD install somewhere in 2004/2005/2006 the FreeBSD Handbook became my best friend after reading all of it three times and then certain sections again after installing FreeBSD :)

Quote from: Patrick M. Hausen on April 12, 2026, 09:39:20 PM: - If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
I would mention those three in a different order:
Quote: - If run locally you can use ISC (deprecated, but still working) or KEA or DNSmasq for that job.
To avoid people thinking KEA is deprecated too like someone did a while ago here on the forum :)

Quote: So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.
That's the most important part IMHO for anyone starting out with any kind of software :)
#7
26.1 Series / Re: Netflow - again high I/O
April 12, 2026, 08:26:23 PM
Quote from: Patrick M. Hausen on April 12, 2026, 08:23:06 PM: Netflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.

The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.

They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)
Good to know! Thnx! :)
#8
Quote from: stefan21 on April 12, 2026, 11:42:00 AM: Did an upgrade to the latest OPNsense version.
That does not mean you had to do this too:
Quote: Migrated to NEW firewall rules.
Because it does bring some changes along you might not like, and the migration is not something you must do for now!!

Quote: Migrated from ISC to KEA.
That's something you could have done in 25.7 first too, and then upgrade afterwards once you were sure everything was still working as it should ;)


But for now my best guess is that some Firewall Rule does not do what you want it to do...
#9
26.1 Series / Re: Netflow - again high I/O
April 12, 2026, 08:14:15 PM
Quote from: Patrick M. Hausen on April 12, 2026, 01:36:32 PM: Don't save netflow data on OPNsense. Export to a netflow collector like Elastiflow and save your SSD 🙂
Looks seriously sweet as far as I can tell from your other recent post : https://forum.opnsense.org/index.php?msg=264974

Should I need something like that I will definitely consider it! :)


For now I have almost all logging disabled in OPNsense since I barely need any of it.
#10
Quote from: JamesFrisch on April 12, 2026, 01:32:58 PM: Sorry, I should have been clearer in my writing. This is not the setting I have, this is the setting my ISP recommends.

Here is the link: https://www.init7.net/en/support/faq/mit-welchen-uebertragungsarten-funktionieren-die-tv-streams/

On the bottom left, you have to activate nerdmode. That shows you the "Rules for multicast streaming" which are the rules I posted.
But it could very well be that these settings are just some old leftovers. I contacted support and asked them exactly this.
Maybe they are long gone to IGMPv3. I would also assume that the mentioned old servers are no longer running, but they are still described there.
I see now :)

Then I would just wait for their reply and double check everything with them first!

Quote: I even tried something similar to what you linked. I created a whole separate VLAN just for the AppleTV Box, but still no luck.

My current setting is this:
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint cxl1 upstream ratelimit 0 threshold 1
altnet 77.109.129.0/24

phyint vlan0.51 downstream ratelimit 0 threshold 1

phyint wg0 disabled
phyint cxl0 disabled
phyint vlan0.25 disabled
phyint vlan0.50 disabled
phyint vlan0.52 disabled
...
...
...
As you can see, this is not exactly what my ISP recommends, since it has quickleave enabled.
AFAIK most modern IPTV setups require Quickleave anyway so I don't see that as being wrong to be honest.

But this was something I forgot to ask:
Quote from: jonm on April 12, 2026, 02:39:42 PM: There's a reasonably active init7 sub on Reddit, it may be worth also asking your question there?
Aren't there any "German Tech Community Forums" that talk about this stuff very often?

Should give you the right information if there are any IMHO :)

Did you also check the German sub-forum: https://forum.opnsense.org/index.php?board=6.0 ??
#11
26.1 Series / Re: DNS Confusion
April 12, 2026, 08:01:56 PM
Quote from: disorganise on April 12, 2026, 02:45:09 PM: However, DNS is confusing me in several ways.

First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.

As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
Quote: I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.
All a matter of reading: https://docs.opnsense.org/manual/dhcp.html

HINT: There is no such thing as KEA DNS, and in OPNsense everything is basically built around Unbound DNS-wise!!

Quote: I have a wireguard set up to another OPNsense 900km away. They each have their own domain; ie, mg.home.arpa and dy.home.arpa.

I can't seem to resolve clients in the other domain. I've cheated for the time being by adding my Emby box as a static. On my new box I set a 'Query Forwarding' domain to the OPNsense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works ok.
My guess is you told Dnsmasq about it instead of Unbound, but again: Read the documentation and go through everything step-by-step ;)
#12
Quote from: pseudonym3k on April 12, 2026, 03:37:04 PM: That's a deal breaker for me then, for unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.)
Just fix this bug:
Quote: Unbound, PiHole... and I'm not using any of those.
By using this: https://docs.pi-hole.net/guides/dns/unbound/

;)


A life without Pi-Hole combined with Unbound on my network is not worth living at all!!! :P


Quote: Thank you, had no idea.
It's all a matter of reading https://docs.opnsense.org/manual/dhcp.html before making any huge changes to your OPNsense.
#13
26.1 Series / Re: New features
April 12, 2026, 07:45:55 PM
Quote from: OPNenthu on April 12, 2026, 04:46:03 PM: We should give that to a certain someone whose opnsense is always getting hacked.
LOL! NICE! ^_^

But I would rather have an option to block his posts/topics/account to be honest...
#14
Quote from: grapes2331 on April 12, 2026, 06:37:11 AM: I went ahead and enabled those options but I get an error message.
Because the account that posted it is SPAMming the web with "Machine Learning Chatbot" nonsense that is either false or outdated!!!

#15
Quote from: petri on April 12, 2026, 01:50:55 PM: If I wanted/needed lower wattage I would consider Lenovo's m920x tiny.
You don't need Thin Clients or Mini PCs/NUCs for low power consumption setups: It can be done with DIY PC builds too! :)