Messages - fbeye

#1
Quote from: pfry on March 17, 2025, 09:11:58 AM
Quote from: Patrick M. Hausen on March 16, 2025, 08:38:41 PM
@pfry honestly I never understood your bridging setup nor the motivation for it. I avoid layer 2 "tricks" at all costs. Routing is always better than bridging.

It's how many US Internet services are delivered, particularly static IPs over most DOCSIS and fiber. You're either going to use a bridge or some layer 3 tricks (e.g. proxy ARP or NAT). Choose your poison. I have to say, I prefer it over PPPoE.

In the end, if we use Ethernet (or any other IEEE 802 network), we use bridges. I just shift them a step into the firewall.

My old cable setup was a Lucent (Xedia) AP1000 (router/firewall/CBQ shaper) providing shaping and proxy ARP routing to a Juniper (Netscreen) SSG 550. My OPNsense setup is nice by comparison (the need for shaping is kinda gone in these days of multi-Gb Internet links).

Quote
That's why IP was invented.

Heh. Timeline.

Quote
When Ethernet went from a bus to a star topology we should have abandoned broadcast domains and let the switches use IP instead. Even Radia Perlman who invented bridging and spanning tree says so nowadays. Bridging was a mistake. [...]

I'll see your Perlman (actually never read any of her material that I recall) and raise you one Rich Seifert (he used to hang out on comp.dcom.lans.ethernet). But bridging predated common use of IP in business, and practical routing silicon essentially arrived with gigabit Ethernet (some years after 10BASE-T, much less LattisNet). Considering how well Ethernet works, the viewpoint that bridging was a mistake seems a bit odd.

Quote
But you do you 🙂

I think that's the message for fbeye as well. "Practical" is what works for you - once you get there. Well, unless you're a complete nut.


Almost all my questions on any forum aren't "can I" but "should I". And even that really stems from a security standpoint. Does my setup, though it works "flawlessly", cause any bottlenecks? Does it expose my LAN to the internet in ways I am not imagining? I totally get that it's a preference thing; I just wanna make sure I'm not doing it wrong.
I can eat McDonald's every day, my choice. But should I?
#2
Fair enough. Makes sense. Thank you.
#3
Well let me ask ya this. If you had a block of 8 static IPs, for fun would you assign different WAN IPs for different VLAN usage?
Meaning, like, your LAN for home can use its own WAN IP and then the APP VLAN a different WAN IP that has, let's say, an FQDN?
My meaning is this: being that I DO have the static IPs, I wanna have fun and utilize them. Would their utilization be separate networks for each WAN, or 1 network NATed to whichever WAN IP it would need to use based on the application?

But you answered a lot of questions and I thank you.
And I am curious... maybe I am lucky, but in my Cisco FTD I indeed do have a NAT associating WAN IP to LAN (network), dynamic. I then have that LAN network associated with VLAN 1. Interface 1 is associated to VLAN 1 and I have a DHCP server running on VLAN 1. Anything I plug into that interface grabs a LAN IP that is associated with the correct WAN from my NAT rule associating the 192.168.1.0/24 network with WAN .182. I did this 6 times, and if I plug into Interface 5, it grabs a 192.168.5.0 address and anything 5.0 will use .177. Anything 6.0 grabs .176 and so on.
Or did I explain it originally incorrectly?
#4
Yeah, I seem to have misused my meanings.
I mean NAT association meaning "WAN IP to LAN network": WAN x.x.182 would be the WAN IP and LAN 192.168.1.0/24 would be the LAN network. I just mean VLAN 1 192.168.1.0, VLAN 2 192.168.2.0 and so on, and WAN 1 would go to 1.0/24, WAN 2 would go to 2.0/24 and so on.

#5
Morning

I know, a lot of it is unnecessary. Really it is only like this because I've had the block of 8 static IPs for 20 years and my ISP does not sell static IPv4 addresses anymore (not even sure many places do either), so I don't wanna cancel them. I do have 4 domains registered to 4 of the 6 IPs and I do use those for email servers (each 1 on a VM) and a web server etc., so the different WAN IPs are legit.
I just was having fun by making a VLAN for each WAN to LAN (network), no reason.
I was just sitting one day thinking, is this practical, or better yet, is this the legitimate way this would be done? Would there be a VLAN for each WAN/LAN, or would it be 1 LAN and NAT to whichever WAN/LAN IP needed specific association?

As far as can these networks be trusted together? I mean, yeah, they are all at home. Why not?
But then there is "well, it is an email server, would I want any of my friends with accounts to have some sort of access to my other servers?" So then I made different networks. It just got bigger and bigger.

Everything works, I'm just wanting to streamline more. And a lot of it is theory. Just wanting to know how it would be done in a legitimate network model.

Would 1 device (be it OPNsense or a Cisco firewall) host all the VLANs and DHCP and NAT and ACLs onboard, or would each network be on its own switch and the firewall simply direct?
A lot I know... not trying to be a pill. Just curious I guess.
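
The per-VLAN-per-WAN-IP design discussed in this thread, written out as an added example in pf.conf syntax. This is not the poster's configuration and not the rule set OPNsense generates (OPNsense builds equivalent rules from Firewall > NAT > Outbound in manual/hybrid mode, Firewall > NAT > Port Forward, and Firewall > Rules); it is here to make the mapping concrete and to show where the isolation actually comes from. Only the three pairs the thread states (192.168.1.0/24 -> .182, 192.168.5.0/24 -> .177, 192.168.6.0/24 -> .176) are taken from the posts; the interface names (vtnet0, vlan1, vlan5, vlan6), the 203.0.113.0/24 documentation prefix standing in for the elided "x.x" WAN prefix, and the mail VM at 192.168.1.10 are assumptions.

```pf
# Added example, not the poster's config. FreeBSD/OPNsense-style pf.conf:
# each VLAN egresses from its own public address, inbound services are
# exposed only on the address bound to that VLAN, and VLANs cannot reach
# each other. Translation rules must precede filter rules in this syntax.

# --- assumptions (none of these names/addresses are in the thread) ---
ext_if    = "vtnet0"          # WAN interface
vlan1     = "vlan1"           # 192.168.1.0/24 ("home" VLAN)
vlan5     = "vlan5"           # 192.168.5.0/24
vlan6     = "vlan6"           # 192.168.6.0/24
mail_host = "192.168.1.10"    # assumed mail VM living in VLAN 1
# 203.0.113.0/24 (TEST-NET-3) stands in for the elided "x.x" public prefix.
wan_vlan1 = "203.0.113.182"
wan_vlan5 = "203.0.113.177"
wan_vlan6 = "203.0.113.176"

table <vlan_nets> { 192.168.1.0/24, 192.168.5.0/24, 192.168.6.0/24 }

set skip on lo0
scrub in all

# --- translation ---
# Outbound NAT: one public address per VLAN, so 192.168.5.x is seen as .177.
nat on $ext_if inet from 192.168.1.0/24 to any -> $wan_vlan1
nat on $ext_if inet from 192.168.5.0/24 to any -> $wan_vlan5
nat on $ext_if inet from 192.168.6.0/24 to any -> $wan_vlan6
# The other three VLANs follow the same one-subnet-to-one-address pattern.

# Inbound: the mail VM is reachable only on its own public address and only
# on mail ports. rdr runs before filtering, so the WAN pass rule below must
# match the translated (internal) destination, not the public one.
rdr on $ext_if inet proto tcp from any to $wan_vlan1 port { 25, 465, 587, 993 } -> $mail_host

# --- filtering ---
block in log all                        # default deny on every interface
pass out quick all keep state           # traffic the firewall itself originates

# WAN: only the forwarded mail ports, only to the mail host.
pass in quick on $ext_if inet proto tcp from any to $mail_host port { 25, 465, 587, 993 } keep state

# DHCP from clients on any of the VLANs (OPNsense adds this automatically).
pass in quick on { $vlan1 $vlan5 $vlan6 } inet proto udp from any port 68 to any port 67

# Each VLAN: reach the firewall's own address on that VLAN (gateway, DNS),
# then the Internet, never another VLAN. All three rules are "quick", so the
# block must sit before the catch-all pass. The separate public addresses
# give no isolation by themselves; this block rule is what does.
pass  in quick on $vlan1 inet from 192.168.1.0/24 to ($vlan1) keep state
block in quick on $vlan1 inet from 192.168.1.0/24 to <vlan_nets>
pass  in quick on $vlan1 inet from 192.168.1.0/24 to any keep state

pass  in quick on $vlan5 inet from 192.168.5.0/24 to ($vlan5) keep state
block in quick on $vlan5 inet from 192.168.5.0/24 to <vlan_nets>
pass  in quick on $vlan5 inet from 192.168.5.0/24 to any keep state

pass  in quick on $vlan6 inet from 192.168.6.0/24 to ($vlan6) keep state
block in quick on $vlan6 inet from 192.168.6.0/24 to <vlan_nets>
pass  in quick on $vlan6 inet from 192.168.6.0/24 to any keep state
```

Two checks worth doing on a real OPNsense box before trusting a layout like this: every public address other than the WAN interface's primary one has to exist on the firewall as a Virtual IP (Interfaces > Virtual IPs, type IP Alias), otherwise the firewall never answers ARP for it and both the outbound NAT and the port forward silently fail; and the inter-VLAN block should be verified from a host in one VLAN against the gateway address of another, because a VLAN's catch-all "pass to any" rule is exactly the rule that lets a mail account holder on one network reach servers on the others if the block above it is missing.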

#6
General Discussion / Need some Configuration advice
March 16, 2025, 04:34:45 AM
Hello!
So I wanted to run this by some people and see what your advice is.

What I have is 6 static WAN IPs.
What I have configured is 6 VLANs with 6 DHCP servers and 6 interfaces in switch mode, each associated to its respective VLAN.
Each interface is running a DHCP server for its respective VLAN.
I have NAT and ACLs doing all that I need.
My question is, is this practical?

Should I have 1 network and just NAT whatever WAN IP to whatever LAN IP would utilize it?
Should I have 1 interface trunk the 6 VLANs to a switch?

I just don't know how to do this practically. Would, in theory, each interface be in routed mode with a switch at the end, running its own DHCP server?

Yeah, it's a lot for a home user, but a lot of it is to experiment with. I have 6 switches to play with so I wanted to kinda have fun. But I'm also kinda stuck between VLAN SVI interfaces or routed interfaces, and then 6 separate networks or 1 network using WAN-to-LAN IP on a need basis.
#7
Hardware and Performance / Re: QoS configuration (Shaper)
February 13, 2025, 03:54:16 PM
That is interesting, because in "my" mind:

Let's say I have 40/5 DSL [OK, I do] and I wanna guarantee that my PS5 or XBS-X always has enough bandwidth to, um, not lag? I.e. 50-80 ms ping, so I wanna make sure that no matter what happens elsewhere, my consoles are always guaranteed their minimum, let's say 10/2 Mb, for at least smooth playing. Is this not what QoS does?
#8
General Discussion / Letsencrypt + Caddy renew
February 08, 2025, 01:36:51 AM
Hi, so I am running everything through Cloudflare, and when I create a new Let's Encrypt cert I have to first disable Cloudflare, create the cert, then restart Cloudflare.

Does this also mean that for renewals I'd need to drop Cloudflare each time it wants to renew? Can I set my Let's Encrypt to, like, yearly renewal?
#9
General Discussion / OPNSense access via Caddy
February 05, 2025, 05:15:16 PM
Hey

So, I know that having access to this is a huge no-no and I agree, but my thought process is to quickly enable my WireGuard VPN from my phone, enable the Caddy/OPNsense access, and then from the laptop I can access the OPNsense dashboard and do what I need, then go back and disable it, and use it only when needed; that way it is not just open to the world.
I have done this. But it will not ever load anything on the DASHBOARD, only sub-categories [firewall, interfaces] etc., which is fine, but I was wondering if maybe something like OPNsense would need a special setting in Caddy.
#10
Well my goal is this;

In my server room my OPNsense is running as a VM with a 10Gbps NIC. I want to connect this to the new Mikrotik switch, and unless I change my 10Gbps RJ45 NIC to a fiber NIC I will need to utilize an SFP+ RJ45 module to connect from the switch to OPNsense. Then I will run a fiber through my ducts across the house to a 2nd Mikrotik [the 4 port] and from there I would do the same, either change my NIC from SFP+/RJ45 to fiber, essentially making all things fiber. The issue is I would also connect my TV and Xbox/PS5 to that switch, so regardless I will need SFP+ RJ45 connectors. I have a pack of 10 Cisco SFP fiber connectors. I know a lot of this is "really, do you really need this" and half yes, I have several physical servers around the house [why? cause it's fun] and I like my NFS and SMB transfers to be fast. :)
But also the other half is I got my tax returns and I wanna have fun with stuff.
#11
Oh no, this is fine. I have fiber SFP+ connectors.
#12
That actually looks fantastic. I am assuming the SFP+ fiber could take the SFP+ RJ45 connectors as well.
#13
Hardware and Performance / 10GB Switch Recommendation
February 04, 2025, 04:31:18 AM
Hello

I am looking for a 10Gb switch, 8-10 ports (10Gb). All my important devices have 10Gb NICs.
I have a Cisco SG350XG but it's so loud I wanna get something quieter. My only "need" in terms of management is I wanna create 6 VLANs (6 networks and 6 DHCP servers).
Suggestions?
#14
Hi all, so I've been searching and what I found is either correct or I am implementing it incorrectly.
I just wanna specify the folder where the reverse proxy can be reached. Usually the simple IP address and port is sufficient, but I need to specify the /ubooquity/ directory. Nothing I do works.

http://<your-ip>:2202/ubooquity/
#15
Great article.

I was curious: in my VM under Proxmox, I have 32GB RAM [ballooning off], and in Proxmox it shows 31/32 RAM used in RED, but the OPNsense GUI shows 1.4%, 900M/3200M. Is this a concern or just Proxmox not registering it correctly?