Messages - Mks

106
General Discussion / Re: UDP Broadcast Relay
« on: February 19, 2021, 01:45:12 pm »
Hi all, thanks.

I did not expect that within my lifetime I'll be able to get my cross VLAN DLNA streaming working.
Thanks to that it works now.

My setup
  • Enabled: X
  • Interfaces: VLAN10,VLAN15
  • Multicast Addresses: 239.255.255.250
  • Source Address: empty
  • Listen Port: 1900
  • ID: 1
  • Description: SSDP multicast
  • Use ID as TTL: X

Firewall rule for the Multicast on VLAN where the server is located.
Firewall rule from Clients to Server.

br







107
German - Deutsch / Re: Upgrade from 20.7.8 to 21.1 – best practice?
« on: January 31, 2021, 02:17:40 pm »
Hello,

I performed the upgrade yesterday, it took about 15 minutes.

My "best practice": back up the config regularly, then the upgrade can be carried out without worry. In the worst case you reinstall and restore the config (this has never happened).

Regards

108
German - Deutsch / Re: Upgrade from 20.7.8 to 21.1 – best practice?
« on: January 28, 2021, 09:44:47 pm »
Hi, regarding your question about the custom configs in Unbound:

https://docs.opnsense.org/manual/unbound.html#advanced-configurations

Regards

109
German - Deutsch / Re: Experience with 20.7.8, or wait for 21.1 :)
« on: January 23, 2021, 04:41:29 pm »
Hello,

my recommendation would be to always stay up to date and not skip any versions.
The update runs without problems.

Regards

110
Zenarmor (Sensei) / Sensei Internet traffic only?
« on: January 11, 2021, 03:03:56 pm »
Dear all.

Is it possible to control only Internet based traffic (from/to)?

I want to follow a strict whitelist approach regarding Sensei but only for Internet (NON-RFC1918) related traffic.
Internal local traffic should not be affected.

I tried the Whitelist but this does not really cover everything local or needs a lot of maintenance.

br

111
German - Deutsch / Re: Deliver two gateways via DHCP?
« on: January 09, 2021, 08:41:19 pm »
Quote from: Layer8 on January 09, 2021, 07:18:36 pm
Maybe via the "Additional Options" option?

Yes, exactly, try it out. Look up the option number on the net and test it, it should work.

Regards

112
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 06, 2021, 05:37:25 pm »
Quote
We're talking about extending the Wifi range by about 6m (maybe less if the new AP is better, and better positioned). If this is not a case for a repeater, I don't know what is.
Try those Long Range APs, maybe this will fix your issue.
Personal opinion: avoid the repeater whenever possible.

Quote
Trouble is, existing cabling limits my positioning options for the second AP. So what's better: An ideally positioned repeater, or a non-optimally positioned AP?
Only god knows ;)

Quote
Is an AP with a "controller" mode the same as having a separate controller and two APs?
Usually all the APs can also be configured without a controller. The controller just reduces the effort when it comes to managing multiple APs. There are some additional features like captive portal etc ... but this is another story.

br

113
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 06, 2021, 04:06:46 pm »
Hi,

Quote
So my plan is the following:

    Deciso 3-port Firewall running OPNsense
    Wifi-AP with PoE injector connected directly to firewall ("trunk" port)
    Wifi-Repeater to improve coverage
    Unmanaged switch connected directly to firewall ("internal VLAN" port, so all devices connected to it belong to the internal VLAN)

I've never heard anything positive when it comes to WIFI-Repeater.
I would rather go for 2xAP configured via dedicated controller. So my recommendation for your (home) setup is:

  • Firewall at least with 3 ports
  • 8 port managed Switch (VLAN capable) with 4 PoE ports
  • WIFI controller software or small appliance with PoE
  • 2xAP connected to the Switch (no configuration needed, this is done with the controller)

br




114
German - Deutsch / Re: OPenSense setup and network help
« on: January 06, 2021, 02:03:42 pm »
Hello,

if you are running Proxmox and Unraid, then with a bit of reading up on OpnSense you should be able to run this yourself as well.
For the basics you describe there are many tutorials etc., just search a bit.
Then you can also adapt it yourself in the future and are not dependent on others.

Regards

115
German - Deutsch / Re: HTTPS GUI "ERR_SSL_PROTOCOL_ERROR" - no access anymore
« on: January 06, 2021, 09:20:44 am »
Hello,

have a look here ;)

https://forum.opnsense.org/index.php?topic=20514.msg96588#msg96588

Regards

116
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 06, 2021, 09:08:30 am »
Quote from: Asperamanca
I aim for Wifi-5 (ac) at least, and I would like to have WPA3.
My recommendation: if you go for controller based solutions (central controller which provisions APs) like from TP-Link Omada or Ubiquiti, buy cheap WPA2 APs now and replace them once WPA3 is cheaper. WIFI 5,6 + WPA3 is still quite new and the APs are expensive.

Quote from: Asperamanca
So I found a suitable switch (unmanaged) which has some PoE ports, and enough ports in total. I would connect the Wifi AP on a PoE port, and my other devices on the remaining ports.
If you want to use VLANs, the switch must support it. There are a lot of SOHO switches available with PoE and VLAN. You could also use PoE Injectors, but then you need a power plug at each AP.

Quote from: Asperamanca
However, what does this mean for the VLAN configuration? It would mean that I have to configure the port on the firewall which connects to the whole switch as "trunk" (as Mks posted, although I'm not familiar with the term).
The VLAN IDs must be transferred to the switch, this is done via the trunk.
On the switch you configure the VLAN assignment to the ports. As you want to have multiple VLANs on the AP the connection to the AP must also be configured as trunk. On the AP controller you define the VLAN to SSID assignment.

br

117
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 05, 2021, 04:28:52 pm »
Quote from: marjohn56 on January 05, 2021, 04:25:04 pm
choose an access point that allows guest access and isolates the LAN from the guest, i.e. only allows traffic to the gateway, there are plenty around if you look.

Good hint. This will be the easiest solution.
The more flexible one (e.g. VLANs for IoT, Kids, ..., Firewall rules, ...) is VLAN based. But if you just need one guest WIFI the solution from marjohn56 is sufficient.

br

118
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 05, 2021, 04:21:09 pm »
Quote from: Asperamanca on January 05, 2021, 04:09:04 pm
Does this mean that I have to assign two VLANs to the port which connects to the AP, then configure the AP to use each VLAN with the correct SSID (internal/guest)?

Yes right, the port must be configured as trunk and you assign the VLAN ID to the different SSIDs on the AP.

There are several ways to perform the VLAN assignment (with Radius) but this is how I've implemented it.

br

119
General Discussion / Re: Separate Wifi SSIDs via VLAN & Wifi AP recommendations
« on: January 05, 2021, 03:56:46 pm »
Hi,

I've had a similar setup up and running for years (personal non-business use).
I'm using TP-Link Omada Controller and APs and SmartManaged Switches (with PoE).

VLANs (802.1Q) is a standardized protocol, so any Vendor which implements the standard should work.

br

120
Zenarmor (Sensei) / Re: Whitelist only
« on: January 04, 2021, 04:16:45 pm »
Quote from: sy on January 03, 2021, 11:08:29 pm
Hi @Mks

Yes it is possible to block everything and allow only specific domains via Whitelist.

Hi, thanks for the information.
Just to be clear, I only refer to Sensei.
How can I achieve a whitelist approach (URL and/or Domains) with Sensei?
Add a wildcard "*" to "Auto Blocklist Hosts" and the approved Domains into "Auto Whitelist Hosts"?

br
