Messages

Maybe wait for the 26.1.6 Release and check again after a reboot ?

Just did the above and the error seems to be gone!

I consider this fixed now :)

Question 1: is there an easier way (set once and forget) to make sure that the IPv6 addresses of (all, or this one) devices get a permanent status in NDP and are updated automatically if/when the IPv6 prefix changes?

I think that's why this year they have added https://docs.opnsense.org/manual/neighbors.html#automatic-discovery to OPNsense together with some Captive Portal related features, but I am not entirely sure to be honest...

with approximately a gen 4 series of processor (it's a Xeon e 1200 series).

Xeon E3 models from the 1200 Series (1230/1240/etc.) have v1/v2/v3/v4/v5 after their model name IIRC, so : 1230v3/1230v4/1230v5/etc.

That should tell you the exact generation :)

Examples :
- https://www.intel.com/content/www/us/en/products/sku/75054/intel-xeon-processor-e31230-v3-8m-cache-3-30-ghz/specifications.html
- https://www.intel.com/content/www/us/en/products/sku/88182/intel-xeon-processor-e31230-v5-8m-cache-3-40-ghz/specifications.html


The same goes for their E5 family members like the E5-2650 :
- https://www.intel.com/content/www/us/en/products/sku/64590/intel-xeon-processor-e52650-20m-cache-2-00-ghz-8-00-gts-intel-qpi/specifications.html
- https://www.intel.com/content/www/us/en/products/sku/75269/intel-xeon-processor-e52650-v2-20m-cache-2-60-ghz/specifications.html
- https://www.intel.com/content/www/us/en/products/sku/81705/intel-xeon-processor-e52650-v3-25m-cache-2-30-ghz/specifications.html

[Switchport]

Hence, the office is arguably the most "complex" rooms of all to configure.

Not really : The way you did it on your drawing is just fine! :)

My "Other" TP-Link M4R is connected to the wall outlet, but as you know the M4R has a NIC (yes this time I mean NIC as in NIC, not a wall outlet) to which my TV is connected to.

AFAIK that "NIC" is simply a Switchport that is part of a very small integrated Switch ;)

As I understand it, Managed Switches are configurable to have access/untagged ports (every packet that goes through a specific port is tagged the same way, the tag disappears once it leaves the switch) or trunk/tagged ports (packets going through a NIC Switchport can have multiple tags assigned to them, which can be relayed to a different trunk port on a different managed switch).

;)

I'm assuming that in my case I'd be only working with tagged ports as everything is supposed to run through by Opnsense, which controls through the firewall rules the VLAN-access, am I right?

It depends how you like to setup things :

Let's say you use the Default LAN NIC Port as it is.
This would be considered as an Untagged/Access Mode Port.

But then you need to add more networks and have the following options :
- Use another LAN NIC Port without configuring any IP Address and Assign VLAN Interfaces to it.
This would be considered as a Tagged/Trunk Mode Port.
- Use all other LAN NIC Ports with their own IP Address configured for each network.
These would all be considered as Untagged/Access Mode Ports.

Now continuing with my planned network upgrade (sketch_planned.png): I've colored the wires based on the following:
Red means trunk connection.
Yellow means connection of IOT interface.
Purple means connection of UNTRUSTED interface.

&

Because the AP's do SSID to VLAN Mapping and you guys made it clear that APs can infact be set on a VLAN as well, I have a specific question in mind:

When the VLAN-aware AP receives a connection from a specific device from a specific SSID, it'll tag it accordingly.
Then the AP would relay the tagged packets through the trunk port.
But now that those are tagged I also want to make sure that the packages of the AP are tagged as well so that I can get them to be placed in IOT.

How can I achieve this or isn't this possible after all?

By using Untagged/Tagged settings of the Switchport correctly :
- The VLAN that carries the Network you want the Accesspoint to get/use the IP Address from = Untagged.
- Everything else = Tagged.

I'm assuming I'd have to configure the switch-software in a way that the specific trunk port tags Untagged packages with IOT

;)

but this theory leaves me with another question:
Would the VLAN tags from the SSIDs be overwritten in this setup, or does the software distinguish between the ethernet-connected device and those connected through other means? Specifically, does it only tag packets from the IP address it knows is associated with the Ethernet connection?

See above!

This theory is why I've colored the connections to the APs so that they are to be placed in IOT.
But as I've also made clear: I could also live without them being in a seperate VLAN, because after all I can just deny any telemetry based off their IPs.

Now that I see the drawing I feel like we should have started with that, because it looks like a very straightforward setup that you can achieve very easily!

Oh well... Oops! ^_^

So my "theory" that the APs would join IOT is realizable?

Yes, you can put their Management Interface Untagged in IoT and all other Networks would be Tagged for regular useage.

I hope you guys aren't colorblind.

LOL! Good thinking!

I often forget that there are people out there with that issue :)

[FYI :]

- Or you could use Pi-Hole + Unbound the way it's explained here : https://docs.pi-hole.net/guides/dns/unbound/

Their main website (https://pi-hole.net/) get blocked on my end by a DoH IP list.  Looks like a CDN domain (*.b-cdn.net) according to uBlock origin and it has a high abuse score to boot:

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/37.19.207.37

I've used Pi-Hole in the past and wanted to experiment with it again in a Proxmox container, but I don't want to whitelist these IPs.
Not a good look for a privacy-focused DNS project :-/

In all of the years that I have used Pi-Hole and helped people on various forums with all sorts of questions this is the first time that I read something like that : Are you sure it's not a False Positive ?!

No issue with their GitHub repo, though.

What does https://discourse.pi-hole.net/ do for you ?

AFAIK it's hosted on the official Discourse CDN so it should not show you any issues and you could post the above results there and see what they say :)

As I haven't used Pi-Hole in years and haven't followed the project, do you still find them trustworthy now in 2026?
Any concerning developments or money ties?

It's a small team of about 8 people and some do the development and some do the support on a couple of places : That's it! ;)

Sometimes other people contribute too and the code only gets added after approval by the other developers ofcourse.

There is no Spyware/Adware/Telemetry/Ads/Subscriptions or any kind of company involved !!


FYI :
I can't remember what I have started using using Pi-Hole but it has got to be more than 10 years by now and there wasn't any moment of doubt or reason to reconsider their trust during that period ;)

In fact when Pi-hole v6.x.x got released somewhere around February 2025 I was seriously 'STOKED!' as they say :
- No more LigHTTPd.
- No more PHP.
- CivetWeb does almost everything now and is part of the whole FTLDNS package.
- C++ is now the way forward.
- DNSmasqd is ofcourse still part of FTLDNS.
- The API is also still available.
- Super Sweet New webGUI that's a 1:1 translation of the pihole.toml config file which is in a league of it's own when you see how nicely commented it is via SSH when you edit it via nano or vi :)

Basically while a lot of software and websites are getting seriously bloated they made the whole thing a lot more compact and removed some dependencies.
Not just to avoid issues, but now the whole thing also runs on a wider range of Linux distros as a bonus !!

[Mesh]

Do you have an alternative brand / products to suggest?

Mikrotik.

We are dealing here with a "Beginner" and despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything I am not sure if that's a good idea ?

First, let me apologise. The Tapo AP's ping those servers (reddit, netflix etc) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP Mode.

Tapo ?! Are you talking about TP-Link M4 Mesh Sets or something else ?!

It is in AP mode. I also first thought, that the AP only sets up the "bridge" and do not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I'm saying that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.

I think you have misunderstood my reply about Accesspoints and IP Addresses...

What you are describing is pretty much as expected because you need a way to manage them via their webGUI or some kind of app on your Phone/Tablet :)

The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you wrong?

I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Either TP-Links specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as it's outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.

Everyone does it these days and a lot of it can be disable in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system : Ubiquiti UniFi
You need multiple steps to disable everything :
- Two different places in the webGUI of the UniFi Controller.
- And another additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so called 'Provisioning' for all your devices to apply the changes in that file !!

And don't get me started about TV's and Mobile Devices and all the adware/spyware and horrible EULA's you have to accept so you can use them even tho you have paid a lot of money for them...

EDIT: I just found a big forum post on TP-Links official website, where their customers report the same: The TP-Link APs do infact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.

That's really a shame...

The M4 units are one of, if not THE cheapest option to have Accesspoints everywhere in the house :)

This was my original idea, but nero355 told me this could go wrong if I were to put them in IOT VLAN.

Please note :
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with Advanced (VLAN Aware) Accesspoints !!

The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter to which NIC in the wall the APs are connected to since the switch makes sure that they can all speak to each other.

Everytime you mention a NIC and Accesspoint it sounds like you are using the Accesspoint as an extension of the NIC in a PC ?!

So like I said above : Please make a scheme/drawing of your network setup!

The scroll bar I marked in red should not exist. The box around the rules should not exist. The rules table should be rendered on the page extending downward as far as necessary and the browser scroll bar should be used to get at the lower ones.

Duplicating a function the browser already brings inside the page is bad, IMHO.

Also it does not automatically use all the width I have available ...

I think you have uploaded the wrong screenshot ?!

I see SNMP stuff and not Firewall Rules ?

Coming back to the general issue of modern UIs - there is a general trend to waste space.

I don't think that is something one should accept as normal and reasonable.

You have no idea how much I agree with you on that one... It's driving me mad sometimes !!! :(

Don't smart switches provide the option of restricting the configuration access to a specified port only anymore? At least HP had that over a decade back.

Ofcourse they do, but not everyone seems to know for whatever reason :)

For any Accesspoint to function it does need any kind of IP Address at all

It does *not* need ... 🙂

Thnx! :)

[EDIT:]

I'm struggling to understand your explanation how access points are set up.

I understand that you can tag SSIDs with specific VLANs. I thought that because my access points act as network devices as well (and surely have their own IP), I should be able to put them in a VLAN as well.

I'm now giving up this idea, I'll just block their Static DHCP Leased IPs from accessing the internet and that's it.

For any Accesspoint to function it does not need any kind of IP Address at all : It's all Layer 2 communication based on the Hardware Address a.k.a. the MAC Address.
It's basically a Switch with Wireless Ports and Cables : The SSIDs :)

I am sure you can find some good documentation about this that explains everything you need to know!

Well I don't necessarily need an access point with NICs. Remember that one ethernet-connected device that needs to be in UNTRUSTED? Currently, it's connected to the NIC my TP-Link M4R offers, but it would be cleaner if I just use a Managed Switch and connect both of them to it.

True! :)

Assuming I'm already connecting AP and ethernet-connected device in UNTRUSTED to a switch, I won't need additional NICs that are on the AP. Especially if the switch also offers PoE.
As I've said, I don't really specifically need Wall-Type APs. If there is another AP that is cheaper and offers VLAN-tagging on SSID as well, i'd rather take that one.

You can ofcourse!

It seems to me that Omada products require the products to know / contact each other over my home network. As of right now I can't tell whether (based on my future firewall rules / VLAN configs) this feature could break regarding what I'm trying to achieve.
I'm giving up the idea of "putting AP / switches in VLANs to regulare their telemetry", it seems irritating and complex. I'd rather just assign them Static DHCP Leases and then block those IPs from accessing the internet. I won't bother with on which interface they're chilling or not.

OK, but it's not that hard really :
- Leave their Network Interface in the Default LAN that OPNsense comes with.
This will be your Management Network and connected as Untagged on the Switchport.
- All other VLANs will be transported to the Accesspoint as Tagged on the same Switchport.
- Then you configure a SSID that is Tagged with a VLAN of your choice.
Usually you can create between 4 to 8 SSIDs on one Accesspoint.

I see the potential... Tangled cables? BEGONE!

That too! :)

EDIT:
I've now picked Omada. I want to see how convenient it is:

2x TP-Link Omada ES200 Desktop Gigabit Managed Switch, 8x RJ-45, 64W PoE+
2x TP-Link Omada EAP225

My price comparision site tells me that only EAP225 supports Mesh, which is a MUST in my household.
The other ones - those "Wall" thingies you praise - don't??

https://geizhals.de/tp-link-omada-eap230-wall-a2419233.html
https://geizhals.de/tp-link-omada-eap235-wall-a2451515.html
https://geizhals.de/tp-link-omada-eap225-a1501193.html

Are you saying you can not connect each Accesspoint via it's own UTP cable ?

Always look at the Specifications on the website of the manufacturer :
- https://www.omadanetworks.com/us/business-networking/omada-wifi-ceiling-mount/eap225/ - EAP225 without Mesh.
- https://www.tp-link.com/us/business-networking/omada-sdn-access-point/eap225-outdoor/v1/ - EAP225 Outdoor with Mesh.
- https://www.omadanetworks.com/us/business-networking/omada-wifi-wall-plate/eap235-wall/ - EAP235 Wall without Mesh.

Also sometimes the specifications can change between the different Revisions of a product so watch out for those changes!

I hope it's ok to post links from other sides here. This is not an ad. I only want to show what I mean so please don't ban or delete this message mods if this is against the rules. I'm sorry if it is against the guidelines.

Don´t worry about that : It's OK! :)

It's all a matter of reading

Your comment is not nice and not necessary in a helpful context. Please be kind.

When you cut it off like that then yes, but the whole sentence is simply to steer you to the right place with the right information, because this :

I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.

Is the whole problem these days : YouTubers who think they know everything telling people half the story because they also don't understand what they are doing exactly!

And when something goes wrong no one turns to them : They turn to the forums!
And when they do turn to them then they often get no reply at all...

But the main reason I posted that is because it's simply the truth :
Read.
Read a lot.
Read multiple times even if you have to!

Before I did my first FreeBSD install somewhere in 2004/2005/2006 the FreeBSD Handbook became my best friend after reading all of it three times and then certain sections again after installing FreeBSD :)

- If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.

I would mention those three in a different order :

- If run locally you can use ISC (deprecated, but still working) or KEA or DNSmasq for that job.

To avoid people thinking KEA is deprecated too like someone did a while ago here on the forum :)

So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.

That's the most important part IMHO for anyone starting out with any kind of software :)

Netflow is a behemoth designed for large ISPs. It will scrub your SSD to death in weeks if you log locally and have some considerable amount of traffic.

The smallest recommended deployment - even for a home lab - for Elastiflow is 4 cores, 16 G of RAM, a couple of hundred G of disk.

They promise the license will be free forever, they just want you to register an account and extend the license once per year. Like e.g. Maxmind, too.
The limit for the free tier is 4000 flow records per second. If you outgrow that, you have bigger fish to fry ;-)

Good to know! Thnx! :)

Did an upgrade to the latest OPNsense version.

That does not mean you had to do this too :

Migrated to NEW firewall rules.

Because it does bring some changes along you might not like and the migration is not something you must do for now !!

Migrated from ISC to KEA.

That's something you could have done in 25.7 too first and then upgrade afterwards once you were sure everything is still working as it should ;)


But for now my best guess is that some Firewall Rule does not do what you want it to do...

Don't save netflow data on OPNsense. Export to a netflow collector like Elastiflow and save your SSD 🙂

Looks seriously sweet as far as I can tell from your other recent post : https://forum.opnsense.org/index.php?msg=264974

Should I need something like that I will definitely consider it! :)


For now I have got almost all logging disabled in OPNsense since I barely need any of it.

Sorry, I should have been clearer in my writing. This is not the setting I have, this is the setting my ISP recommends.

Here ist the link: https://www.init7.net/en/support/faq/mit-welchen-uebertragungsarten-funktionieren-die-tv-streams/

On the buttom left, you have to activate nerdmode. That shows you the "Rules for multicast streaming" which are the rules I posted.
But it could very well be that these settings are just some old leftovers. I contacted support and asked them exactly this.
Maybe they are long gone to IGMPv3. I would also assume that the mentioned old servers are no longer running, but they are still described there.

I see now :)

Then I would just wait for their reply and double check everything with them first!

I even tried something similar like you linked. I created a whole seperate VLAN just for the AppleTV Box, but still no luck.

My current setting is this:

Code Select Expand

##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint cxl1 upstream ratelimit 0 threshold 1
altnet 77.109.129.0/24

phyint vlan0.51 downstream ratelimit 0 threshold 1

phyint wg0 disabled
phyint cxl0 disabled
phyint vlan0.25 disabled
phyint vlan0.50 disabled
phyint vlan0.52 disabled
...
...
...
As you can see, this is not exactly what my ISP recommends, since it has quickleave enabled.

AFAIK most modern IPTV setups require Quickleave anyway so I don't see that as being wrong to be honest.

But this was something I forgot to ask :

There's a reasonably active init7 sub on Reddit, it may be worth also asking your question there?

Aren't there any "German Tech Community Forums" that talk about this stuff very often ?

Should give you the right information if there are any IMHO :)

Did you also check the German sub-forum : https://forum.opnsense.org/index.php?board=6.0 ??