Messages - lmnsour

1
General Discussion / DNS over TLS Setup help
« on: December 09, 2022, 12:48:16 am »
Trying to set up DNS over TLS with Cloudflare, but the Unbound DNS service won't start.

Kids are doing a lot of school work online and I'm trying to set up parental controls (Cloudflare 1.0.0.3) and would appreciate the help.

2
Zenarmor (Sensei) / Re: Zenarmor LAN port Policies in Bridged mode
« on: November 29, 2022, 04:47:37 pm »
Quote from: sy on November 24, 2022, 09:50:38 pm
Hi,

Are you planning to bridge interfaces in OPNsense first? You can only select 2 interfaces on the Zenarmor GUI in bridge configuration.

Yes, I bridged three LAN ports.  Are you saying I can only apply a policy to two of these ports?

3
General Discussion / Re: Network Discovery across lan ports
« on: November 28, 2022, 02:37:34 pm »
Quote from: lmnsour on November 24, 2022, 09:25:32 pm
I was thinking that. I'll try it tonight, thanks.

So I created two pipes, both at full bandwidth (300Mbps), and two queues: one with a weight of 100 and the other with a weight of 50.

For rules, I made one rule for my PC's IP address (for the weight-100 queue), and for the second rule I used the inverted function, "Not the PC IP".

Seems to be working.
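The weighted-queue shaper described in this post, as an added example that is not from the thread or from the OPNsense project: a Python script that builds the pipe, queue and rule objects, computes what the weights buy under contention, and can push the objects through the OPNsense REST API. The endpoint paths, the JSON field names (taken to mirror the GUI form fields), the `{"result": "saved", "uuid": ...}` response shape and the 192.168.1.10 address are assumptions. This version attaches both queues to a single pipe, because weights are only compared among queues that share a pipe, and keys the rules on the source address, so it governs the upload direction; for downloads, mirror the two rules with the PC as destination.

```python
"""Build a two-queue weighted shaper plan for OPNsense and optionally apply it.

Assumed, not taken from the forum thread: the API endpoints under
/api/trafficshaper/, the field names below, and that each add* call returns
{"result": "saved", "uuid": "..."}.  Check them against your own release.
"""
import base64
import json
import urllib.request
from fractions import Fraction

# Constructed example address for the PC; replace with the real static lease.
PC_IP = "192.168.1.10"


def shaper_plan(pc_ip, bandwidth_mbit=300, interface="wan",
                high_weight=100, low_weight=50):
    """Describe one pipe, two weighted queues and two rules.

    Objects refer to each other by symbolic name ("uplink", "pc", "rest");
    apply_plan() swaps those names for the UUIDs OPNsense hands back.
    """
    return {
        "pipes": {
            "uplink": {"enabled": "1", "bandwidth": str(bandwidth_mbit),
                       "bandwidthMetric": "Mbit", "description": "shared uplink"},
        },
        "queues": {
            # Both queues hang off the same pipe: that is what makes the
            # weights compete.  Two separate pipes would shape nothing.
            "pc": {"enabled": "1", "pipe": "uplink", "weight": str(high_weight),
                   "description": "PC (weight %d)" % high_weight},
            "rest": {"enabled": "1", "pipe": "uplink", "weight": str(low_weight),
                     "description": "everything else (weight %d)" % low_weight},
        },
        "rules": [
            # Rule 1: traffic sourced from the PC goes to the high-weight queue.
            {"enabled": "1", "sequence": "1", "interface": interface, "proto": "ip",
             "source": pc_ip, "source_not": "0", "destination": "any",
             "destination_not": "0", "target": "pc", "description": "PC -> high queue"},
            # Rule 2: the inverted match ("Not the PC IP") catches everyone else.
            {"enabled": "1", "sequence": "2", "interface": interface, "proto": "ip",
             "source": pc_ip, "source_not": "1", "destination": "any",
             "destination_not": "0", "target": "rest", "description": "not PC -> low queue"},
        ],
    }


def contended_share(plan, queue_name):
    """Fraction of the pipe a queue gets when every queue on it is saturated.

    Weighted fair queueing splits a pipe in proportion to weight among the
    queues attached to that pipe; an idle queue's share is lent to the others.
    """
    pipe = plan["queues"][queue_name]["pipe"]
    total = sum(int(q["weight"]) for q in plan["queues"].values() if q["pipe"] == pipe)
    return Fraction(int(plan["queues"][queue_name]["weight"]), total)


def contended_mbit(plan, queue_name):
    """Guaranteed rate in Mbit/s for a queue under full contention."""
    pipe = plan["pipes"][plan["queues"][queue_name]["pipe"]]
    return int(pipe["bandwidth"]) * contended_share(plan, queue_name)


def _post(base_url, key, secret, path, payload):
    """POST JSON to the OPNsense API using key/secret as HTTP Basic credentials."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    req = urllib.request.Request(
        base_url + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def apply_plan(plan, base_url, key, secret):
    """Create pipes, then queues, then rules (dependency order), then reload."""
    uuids = {}
    for name, pipe in plan["pipes"].items():
        uuids[name] = _post(base_url, key, secret,
                            "/api/trafficshaper/settings/addPipe", {"pipe": pipe})["uuid"]
    for name, queue in plan["queues"].items():
        body = dict(queue, pipe=uuids[queue["pipe"]])
        uuids[name] = _post(base_url, key, secret,
                            "/api/trafficshaper/settings/addQueue", {"queue": body})["uuid"]
    for rule in plan["rules"]:
        body = dict(rule, target=uuids[rule["target"]])
        _post(base_url, key, secret, "/api/trafficshaper/settings/addRule", {"rule": body})
    return _post(base_url, key, secret, "/api/trafficshaper/service/reconfigure", {})


if __name__ == "__main__":
    plan = shaper_plan(PC_IP)
    for name in plan["queues"]:
        print(name, "gets", contended_mbit(plan, name), "Mbit/s under contention")
    # apply_plan(plan, "https://192.168.1.1", "<api key>", "<api secret>")
```

With weights 100 and 50 the PC is guaranteed two thirds of the pipe (200 of 300 Mbit/s) only while both queues are busy; when the rest of the LAN is idle the PC can still use all 300. The rule pair only works if the PC keeps the same address, so pair it with a static DHCP mapping.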

4
General Discussion / Re: Network Discovery across lan ports
« on: November 24, 2022, 09:25:32 pm »
I was thinking that. I'll try it tonight, thanks.

5
General Discussion / Re: Network Discovery across lan ports
« on: November 24, 2022, 03:52:30 pm »
Quote from: pmhausen on November 24, 2022, 08:26:29 am
No. If you build a LAN bridge you have only a single LAN interface. You turn all ports that are members of the bridge into a switch. Switch is just a fancy word for bridge.

So you can either use static assignments in your DHCP config and the IP addresses to identify clients, or the clients' MAC addresses where possible. Firewall rules, for example, permit this.

Shaper rules don't have the ability to use MAC as destination or source.  I don't see how I can create a policy for just one PC.

6
General Discussion / Re: Network Discovery across lan ports
« on: November 24, 2022, 07:55:43 am »
Quote from: pmhausen on November 23, 2022, 11:22:48 pm
Correct. You can use MAC addresses to identify the clients.

Are you just mocking me now?

7
General Discussion / Re: Network Discovery across lan ports
« on: November 23, 2022, 07:52:00 pm »
Thinking out loud here...

In bridged mode, I can't assign an IP address to the individual LAN ports, correct?  So for flow control, I would have to set policies off the IP address of the client which would require static IP addresses.


8
Zenarmor (Sensei) / Zenarmor LAN port Policies in Bridged mode
« on: November 23, 2022, 06:23:51 pm »
Quick question:

I currently have a filter policy for LAN Port 2, but I'm planning on bridging LAN Port 1, 2, and 3.

When I create the bridge, how do I create a Zenarmor policy for just LAN Port 2?

9
General Discussion / Re: Network Discovery across lan ports
« on: November 23, 2022, 01:59:48 am »
Quote from: pmhausen on November 22, 2022, 10:35:39 pm
Do you have "permit all in" rules on all your LAN ports? If yes, what's the point of not using a LAN bridge? If no, you need to explicitly permit all traffic you want to relay via UDP Broadcast Relay. Simply enabling the function does not change the firewall rules.

Yes, I have the Permit all rule for all ports.  No other firewall rules for the lan ports.

I'm not against a LAN bridge, I just want to try the UDP Broadcast first. 

I don't know how to configure QoS via MAC (yet, I'm looking) and I'd rather not load the CPU unnecessarily.  But yes, if I can't get the UDP Broadcast to work, I'll go ahead and bridge the ports. 

10
General Discussion / Re: Network Discovery across lan ports
« on: November 22, 2022, 10:06:49 pm »
Quote from: pmhausen on November 22, 2022, 09:53:09 pm
If you set up the LAN bridge the devices will be able to communicate with each other as if they were connected with a switch. The OPNsense does not have any say in that part of the communication.

As soon as any device communicates with something that is on another interface (WAN probably) of the OPNsense you can of course apply QoS, Zenarmor, etc. based on the device's IP address or MAC address. You cannot set up policy per port because you have only one LAN "port" (the bridge).

But that's how it's supposed to work.
Zenarmor is easy enough to configure based on MAC. It's pretty user-friendly. OPNsense is not. Even their tutorial does not show how to configure QoS via MAC / IP. I'll look it over when I get home tonight.

I'm still stumped on the UDP Broadcast Relay and why that's not working. Everywhere I've read says that it's just enable and go. I'll post a screenshot of how I have it enabled tonight.

11
General Discussion / Re: Network Discovery across lan ports
« on: November 22, 2022, 08:55:47 pm »
Ok, I'm reading through a lot of things and my eyes are crossing. It's hard to read "tutorials" for OPNsense when they assume you have an advanced working knowledge of what you're doing.

Option A (UDP Broadcast)

This looks like the best option (and easiest; I don't want to give up on this yet) as I can keep my traffic shaping / Zenarmor policies. Once enabled, are there other policies / firewall rules that I need to set to make it work?

Option B (LAN bridge): I need to create a bridge for LAN port 1, 2, and 3.

Once I set up the bridge, how do I set up QoS / traffic shaping to prioritize LAN Port 2 (PC) first, followed by LAN Port 3 (OMV NAS), and lastly LAN Port 1 (Wifi Access point)?

I have two separate Zenarmor policies for LAN Port 1 and 2.  When I make a bridge, will these policies still be valid or will I have to reconfigure? 


Option C (Network Switch): Similar issues:  How do I setup QoS and Zenarmor policies?



Is there an OPNsense Discord where I can talk through some of these concerns?

Thanks again for the help!

12
General Discussion / Re: Network Discovery across lan ports
« on: November 22, 2022, 04:26:13 pm »
Quote from: pmhausen on November 22, 2022, 09:37:54 am
Just create a LAN bridge, then follow the documentation.

I'll look it over tonight. That will be plan B, but I'd like to try UDP Broadcast Relay a little more. Plan C would be a switch.

13
General Discussion / Re: Network Discovery across lan ports
« on: November 22, 2022, 05:46:48 am »
mDNS didn't work and UDP Broadcast Relay didn't work (port 445).  I'd really like to avoid purchasing a $120 switch.

14
General Discussion / Re: Network Discovery across lan ports
« on: November 22, 2022, 02:34:06 am »
Quote from: lmnsour on November 21, 2022, 05:56:06 pm
Quote from: pmhausen on November 21, 2022, 05:00:37 pm
If you do not want to isolate your PCs from each other but simply have a "flat" network, then yes, a LAN bridge is the way to go. Don't expect too much performance-wise, though. OPNsense is not a switch and you might be better off getting a cheap but reliable gigabit switch and only connecting one OPNsense LAN port.

The LAN bridge is documented here:
https://docs.opnsense.org/manual/how-tos/lan_bridge.html

Ahh, thanks!  I'm trying to keep it to the firewall 2.5Gbps ports (both PC and NAS are 2.5). 

I'll see if I can snag a cheap 2.5Gbps port this Black Friday. If not, I'll give my hand at bridging the ports. It's an i7 1165G7, so it's not a slow PC as far as firewall standards go.
Will the mDNS plug-in work?

15
General Discussion / Re: Network Discovery across lan ports
« on: November 21, 2022, 06:19:13 pm »
Here's what I'm looking at for switches:

I'm leaning towards the TP-link
https://www.amazon.com/gp/product/B08ZHGT2ZP/ref=ox_sc_act_title_3?smid=ATVPDKIKX0DER&th=1


The Netgear is another option:
https://www.amazon.com/gp/product/B0BGYS9BKY/ref=ox_sc_act_title_2?smid=ATVPDKIKX0DER&th=1

TRENDnet budget option (as "budget" as I want to go)
https://www.amazon.com/gp/product/B08XWK4HNT/ref=ox_sc_act_title_1?smid=ATVPDKIKX0DER&th=1
