Messages - Vilhonator

166
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 10, 2022, 07:17:16 pm »
Sorry that is if you are using VLANs.

For physical interfaces, you need to create routes for each network, so that would be 192.168.2.0/24 to 192.168.2.1 (or the IP of the interface that maintains the network in question) and 192.168.5.0/24 to 192.168.5.1 and so on.

167
22.1 Legacy Series / Re: LAN5 to LAN3 IP
« on: June 10, 2022, 07:01:53 pm »
You need to create routes to be able to allow traffic from 2 different networks to communicate with each other.

First add your LAN IP 192.168.1.1 to gateways.

After that create a rule where the network is 192.168.0.0/16 and the gateway is 192.168.1.1 (or whatever the LAN IP of any LAN interface your OPNsense has is. The IP MUST BE the LAN gateway in use and within the same IP block.)

Voilà, now all traffic between IPs 192.168.0.1 - 192.168.255.254 goes to 192.168.1.1 (or whichever LAN interface you use as the route gateway) and they can talk with each other.

Basic network stuff. Devices which belong to different networks can't communicate with each other.

168
Virtual private networks / Re: Which VPN to use?
« on: June 07, 2022, 01:00:41 pm »
Quote from: pmhausen on June 07, 2022, 11:57:28 am
@Vilhonator you are not being helpful. The OP is trying to come to a decision about how best to connect two sites via VPN. While I did go off-topic, too, I kept it to a single post or two.

Could a moderator please split this thread if the forum software permits?

Yes I went off topic, but the answer to the OP's question is this: the best VPN of choice is one which you are familiar with and have relatively good knowledge of. That is if you want to just get things working without major complications.

169
Virtual private networks / Re: Which VPN to use?
« on: June 07, 2022, 11:21:31 am »
Quote from: defaultuserfoo on June 07, 2022, 10:38:36 am
Quote from: Vilhonator on June 06, 2022, 04:56:56 pm
To my knowledge, an AP is just a device which allows wireless access to a network and you need to connect it to a wireless network which already is password protected, uses RADIUS or Vouchers (https://docs.opnsense.org/manual/captiveportal.html) or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

Well, take a look at normal access points like the MSM422 from HP or the later models from Aruba.  The Aruba APs have an access point controller built into the AP so you don't need an extra device, which is cool for redundancy.

I guess I'd be totally disappointed if I had APs from Ubiquiti ...

Your APs don't have controllers built into them; one that can be managed by connecting to the network and typing the right IP into a browser, without having to install a controller, has firmware which has a web GUI.

There are benefits in having to install a controller to manage network devices.

Thanks to controllers, you are able to solve network issues when you can't access the web GUI or SSH/CLI of the device, and you are able to monitor and manage all devices from the controller's GUI.

Another advantage is that you are able to expand the network and monitor and manage all devices from a single GUI.

The downside is that you pretty much are forced to use a single brand and could even be limited to devices of a certain series from that brand.

Another downside is that you might actually have to get additional hardware to have full control over your network.

So Ubiquiti is generally a quite decent brand; their devices are more suitable for enterprises, schools and tech savvy network geeks.

170
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 06:36:25 pm »
Quote from: defaultuserfoo on June 06, 2022, 03:37:25 pm
Quote from: Vilhonator on June 06, 2022, 12:22:16 pm
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

It does have a USB port, but monitors don't connect to USB ports.  Even if you could find a monitor that does, you wouldn't get an image.

I know that.

To display the phone screen on your PC, you would have to use a docking station and a phone which supports displaying its screen via USB (also the docking station has to have a DisplayPort, HDMI port or VGA/DVI port.)
Now you might not be able to use your keyboard and mouse, but you can display your phone screen that way. This is the same method laptop docking stations use (except instead of USB, they connect to the Thunderbolt port on the laptop).

The 2nd way you might be able to display the phone screen is using Bluetooth and the right software.

The 3rd way to share your phone display to a PC is using the software that came with it and connecting the phone to a USB port on the PC (mine does that, though I do have a smartphone and don't know what the case is with IP phones or desk phones).

171
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 05:48:06 pm »
But I do have to agree about Ubiquiti (used their devices at one of my jobs): without building your network purely using their products and installing the controller on an off-site server, their products are just fancy looking toys.

Cisco is usually my choice when it comes to APs and switches pretty much for that reason (though Meraki series is just plain madness).

My personal favourite though are Buffalo wireless routers <3 LOVED them, but sadly they aren't available in my country, if the company still even makes routers.

172
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 04:56:56 pm »
Quote from: defaultuserfoo on June 06, 2022, 04:14:01 pm
Quote from: Vilhonator on June 06, 2022, 12:42:45 pm
Quote
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also you might be able to run the app on Windows 11

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

Cheap tablets suck, and their screens are also tiny and tend to be of bad quality.  On top of that, they are all about Google here and Google there and don't really work without.  But I have no business with Google and sure don't need them to spy on me, to steal my data and to control me.  Apple isn't any better.  99.999% of all software for Android or iOS doesn't work anyway.  It's funny because it's like what we had like 30 years ago.  People really do like bad soft- and hardware, and I'll never understand why anyone puts up with that.  Now it's even worse because you can't even connect a decent keyboard and a trackball to your device, and the GUI is horrible.

I don't have Windoze, either.  Why would I?  It has always been a security risk, and now it's spying and trying to control you with no way out of that.

Anyway, it doesn't matter.  Ubiquiti has made reasonably priced hardware and their customers had to pay for that with bad support and their documentation being a bad joke at best.  They probably still do that (or at least want to), but they have taken a path that has taken them out of consideration.

Well all I can recommend for Ubiquiti is running the controller on some machine lying in the corner. Another option is to use a plain wireless router in AP mode like the Asus RT-AC1900U and use repeaters to extend the signal if needed.

To my knowledge, an AP is just a device which allows wireless access to a network and you need to connect it to a wireless network which already is password protected, uses RADIUS or Vouchers (https://docs.opnsense.org/manual/captiveportal.html) or use an app of some sort to secure it with a password. Otherwise it's just a plain wireless repeater without password protection.

173
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 12:42:45 pm »
Quote
And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

Ah, just saw what phone is in question. You can still purchase a cheap tablet to use the app.
Also you might be able to run the app on Windows 11

https://www.androidauthority.com/android-apps-on-windows-11-3048569/

174
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 12:22:16 pm »
Quote from: defaultuserfoo on June 06, 2022, 12:14:50 pm
Quote from: Demusman on June 06, 2022, 11:32:04 am
Quote from: defaultuserfoo on June 06, 2022, 02:27:55 am
You want to use a phone to configure access points?  Seriously?  Do they deliver a phone when you buy an AP so you can try to configure it on a tiny screen where you can't see anything?

Why would they deliver a phone when you buy an AP???
You already have a phone, don't you?


I have a Polycom 1500D on my desk.  I much doubt their software works on that --- and even if it did, why would I compromise my phone?  It has a tiny screen, barely large enough to be somewhat useful even, but I have it not for the screen but because I like the design.

Quote
It's very easy to configure them with the app. As far as seeing your phone screen... really?

Yes, really.  Have you ever seen the screens phones have?  They are ridiculously tiny and you can't see anything on them.


And your phone doesn't have a USB port to which you could dock it, or any other method that would enable you to display the phone screen on your monitor?

175
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 11:36:49 am »
Quote from: meyergru on June 06, 2022, 11:27:39 am
Quote from: defaultuserfoo on June 05, 2022, 06:42:57 pm
Quote from: meyergru on June 05, 2022, 05:51:34 pm
What do you mean by having to register the Unifi devices mandatorily? I used those devices for years and never had to do anything like that.

I have been reading that you can not deploy their so-called dream machine without creating an account with them and registering it with them.  Apparently you can turn off the connection to that account later on but should you ever want to sell your hardware, the next buyer won't be able to use it because of that account.

And how else would you configure their access points?

The Dream Machine is, like their EdgeMAX line, another point. As Tom Lawrence pointed out in his videos, the former really have a vendor lock-in and limited capabilities in trade for usability, the latter are an abandoned product line. Their access points, however, can be configured with a Unifi controller, which is available in the Dream Machine, as an appliance, as free self-hosted software implementations for Linux, Windows, Android, iOS, virtual machines and Docker images, and also as hosted solutions like Hostify.

As to the other point: There are good reasons to segment a network into different broadcast domains. A VPN almost always serves a need to protect traffic that intermediately passes over the internet. I would not expect it to provide more than routing. More often than not, you will also want to limit traffic to certain machines and/or services between the coupled networks, for example when you VPN to a friend's network. This is even more true for businesses, where you segment departments via VPN even when they are in the same location with no need for a VPN.

P.S.: Reading manuals often helps. I found the relevant section in the HP manual by just googling.

Well when it comes to security, all that a VPN does is use the same SSL encryption as HTTPS does; it won't protect you against malware, viruses, snooping or anything really (just check GitHub, there are some scripts available which even decrypt some VPN connections).

A VPN won't protect your data any more than HTTPS does; the difference is that it also encrypts HTTP connections (and nowadays 90% of the internet is encrypted; heck, you might not even be able to connect to any HTTP website without your browser warning about it).

If you want truly secure connections, create a proxy network; the only downside of proxies that I can think of is having to add things like Windows Update, game and website servers to a whitelist, which is a lot of work.

176
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 11:22:23 am »
There are 3 modes VLANs have, and 1 is available mostly on switches.

1. Trunk mode, which is used to connect a switch to another switch or gateway port with tagged VLANs; traffic for each VLAN goes through it and the switch will route it to the correct VLAN.

2. Tagged mode, which means your computer's NIC must support VLAN tagging, otherwise it won't connect to any network.

3. Untagged mode. Any computer, AP, router or gateway can be connected to this; it is used to connect devices which don't have VLAN tag support to a specific VLAN, which is why you can assign only a single VLAN as untagged on a port.

Switches might add your domain name to different VLANs, because that happens to any device you connect to a network with certain domains. You might get confused because of it, due to the fact that most consumer routers and modems don't have DNS nor even let you assign a domain to them, but that's pretty common for enterprise level network devices.
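As an added illustration of the tagged/untagged/trunk distinction in the post above (example code, not from the post or from OPNsense): a small 802.1Q frame parser and a model of how a switch port assigns an incoming frame to a VLAN. The MAC addresses and payload are constructed, and `untagged_vlan` / `tagged_vlans` are assumed names for the port's single untagged VLAN and the VLANs it carries tagged.

```python
import struct
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100  # TPID: an 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet header; 'vlan' is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13       # 3-bit priority code point
        vlan = tci & 0x0FFF   # 12-bit VLAN identifier
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build a frame; when vlan is given, insert the 4-byte 802.1Q tag (TPID + TCI)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return hdr + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype) + payload


def classify_ingress(frame: bytes, untagged_vlan: Optional[int],
                     tagged_vlans: FrozenSet[int]) -> Optional[int]:
    """Which VLAN a switch port places an incoming frame in: untagged frames go to the
    port's untagged VLAN (at most one per port), tagged frames must match a VLAN the
    port carries (a trunk carries several); None means the port drops the frame."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return untagged_vlan         # untagged frame: the port's untagged VLAN, or drop
    if info["vlan"] in tagged_vlans:
        return info["vlan"]          # tagged frame on a VLAN this port carries
    return None                      # tag for a VLAN not allowed on this port: drop


# Constructed sample frames (MAC addresses and payload are made up).
PC_MAC = "00:11:22:33:44:55"
GW_MAC = "66:77:88:99:aa:bb"
PAYLOAD = b"\x45" + b"\x00" * 19
UNTAGGED = build_frame(GW_MAC, PC_MAC, ETHERTYPE_IPV4, PAYLOAD)
TAGGED_20 = build_frame(GW_MAC, PC_MAC, ETHERTYPE_IPV4, PAYLOAD, vlan=20, pcp=3)

if __name__ == "__main__":
    trunk = frozenset({10, 20, 30})
    print("untagged frame on access port for VLAN 30 ->", classify_ingress(UNTAGGED, 30, frozenset()))
    print("VLAN 20 tagged frame on that access port ->", classify_ingress(TAGGED_20, 30, frozenset()))
    print("VLAN 20 tagged frame on trunk 10/20/30   ->", classify_ingress(TAGGED_20, None, trunk))
```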

177
Virtual private networks / Re: Which VPN to use?
« on: June 06, 2022, 10:54:02 am »
Quote from: Demusman on June 06, 2022, 01:31:47 am
Quote from: Vilhonator on June 05, 2022, 09:07:41 pm
VLANs are generally used by schools and corporations to separate networks (1 example would be 1 VLAN to manage your network, including having SSH and web GUI access to the switch and firewall, a 2nd which has access to only the internet and a 3rd which has access to intranet stuff like IP phones and the internet).

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on a home network and the instructions won't make any sense to you, then just leave it there, read more documents about the things in question, so that you have general knowledge of things, and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support and quite a bit of knowledge to get them up and running well.

I don't think you understand VLANs very well. You do realize they are just Virtual LANs, right??
If you have a switch on any network, you're using a VLAN. Not just schools and corporations, any network with a switch. Now you can segment a switch with multiple VLANs and this is the equivalent of adding another switch; it becomes 2 broadcast domains instead of 1. Doesn't really take a lot of knowledge compared to VPNs.

No. Switches don't add domains, and you would need one anyway to properly set up a VLAN.

The way VLANs work is that you use some form of detection (802.1Q tagging being the most common). OPNsense only supports tagged VLANs, meaning you can assign multiple VLANs on a single physical interface port.

A proper switch supports both tagged and untagged VLANs (untagged means you can assign 1 VLAN per physical port).

Let's say you have to set up 3 VLANs for school classrooms (1 each) which have 10 computers each and have a gateway with just 2 ports, of which 1 is connected to a firewall like OPNsense. You will need at least three 16-port switches to accomplish this. The way I would do this is assign VLANs to the gateway and set up DHCP for each, then put ports 0-2 on the switches in trunk mode for the VLANs and assign ports 3-14 to the respective VLANs and set up ports 13-15 for spanning tree protocol, set ports 0-2 and 13-15 to accept only specific MAC addresses, and configure QoS, blacklists and the rest on OPNsense.

That way all VLANs have internet access and receive their IPs from the gateway, and each switch handles internal network stuff and so on.

I have my work computer, PS4, TrueNAS and Personal computer all connected to different VLANs.

I use 2 Cisco SG-300-16 switches, and the only way I can access my TrueNAS, switches or OPNsense via SSH or web GUI is by physically connecting my computer to OPNsense.

TrueNAS shares work on all VLANs except the one my work computer is connected to, but none of the VLANs have access to each other or to the firewall, TrueNAS and switches' remote management, which is how it should be done if security is your concern.

You don't need a VPN for anything other than connecting to a network which is restricted (for example connecting to your work network from home, or watching movies on Netflix which aren't available in your country).

178
Intrusion Detection and Prevention / Re: Suricata IPS Mode Ruleset
« on: June 05, 2022, 09:37:10 pm »
You get an oinkcode for SNORT by registering and choosing your plan at https://www.snort.org

For the free telemetry edition of Suricata, you need to go to the OPNsense store (https://shop.opnsense.com/product/etpro-telemetry/), accept the terms and give your e-mail; your Suricata license will be sent to that e-mail.

The free telemetry edition will send anonymous data about your traffic (that's why it's free), but you can use rulesets that won't require a license for free and without submitting data.

In the Firmware ---> Plugins section, install the ruleset package of your choice; after that's done, you can configure IDS/IPS under Services ---> Intrusion Detection.

179
Virtual private networks / Re: Which VPN to use?
« on: June 05, 2022, 09:07:41 pm »
Docker or any container allows you to install software natively regardless of which OS you use (for example Steam uses a container to install games on Linux and SteamOS), so ease of use is down to which OS you run the container in.

As for Ubiquiti, you can either buy a Cloud Key (a physical device with Ubiquiti's own OS installed on it) and connect that to a Ubiquiti switch.

If you don't have a switch from Ubiquiti, then you can install the free software and run it on either a physical machine or a VM image of Windows, Linux or Mac OS (just read the instructions).

Yes, you have to register a local user for Ubiquiti (without it the Web GUI won't work), but you don't have to register online.

VLANs share their bandwidth and delay on physical ports (for example if you have 200 computers on VLAN 20 and 100 computers on VLAN 30 and both VLANs are assigned to 1 single 10Gb port, the overall bandwidth of both VLANs is 20Gb/s, then it can go below 10Gb/s due to the physical limitation of the NIC; you can't exceed physical hardware limitations with VLANs.)

Delay depends on the length and type of the cable and the hardware your firewall has. Now you can improve delay and bandwidth within internal networks by adding a switch; then the firewall only needs to take care of the internet side of things.

VLANs are generally used by schools and corporations to separate networks (1 example would be 1 VLAN to manage your network, including having SSH and web GUI access to the switch and firewall, a 2nd which has access to only the internet and a 3rd which has access to intranet stuff like IP phones and the internet).

You certainly can set up a VLAN for VPN, but unless you have a specific requirement (for example you would have to allow internet and / or intranet access, but block web and SSH access to the firewall etc.), it's pretty pointless.

If you are trying to achieve something on a home network and the instructions won't make any sense to you, then just leave it there, read more documents about the things in question, so that you have general knowledge of things, and try again.

VPN doesn't require much knowledge, but VLANs require a NIC that supports 802.1Q tagging (IEEE 802.1Q) and switches with VLAN tag support and quite a bit of knowledge to get them up and running well.

180
Virtual private networks / Re: OpenVPN, can't access internet
« on: June 05, 2022, 11:38:24 am »
Check your firewall rules.

Go to Firewall ---> Rules and select the interface you created for the VPN.

The VPN network should have the same "allow all" rule as LAN has; if it doesn't, you can clone the "Default allow LAN to any rule" from LAN and change the interface to "name of the VPN interface", the source to "name of the VPN" net (see picture, I circled them) and the description to "Default allow VPN to any rule".

OPNsense will automatically create the "allow all" rule only once, for the LAN interface; for any other interfaces you add later you need to create it manually.

Also rule priority is crucial: by default, if "allow all" is on top of any block rules, then the block rules will be ignored, so if you have some block rules, make sure they are above the allow all rule.
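To show why the rule ordering in the post above matters, here is an added example (not code from the post or from OPNsense) that models first-match evaluation on the VPN interface with one block rule placed either above or below the cloned allow-all rule. The addresses, rule descriptions and port numbers are constructed; the first-match behaviour assumed here is what OPNsense does because its rules are created with the "quick" flag set.

```python
import ipaddress
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, str]   # an IPv4 network, or the wildcard "any"

# Constructed sample addressing (not from the post): OpenVPN tunnel net and firewall LAN IP.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
FIREWALL_LAN = ipaddress.ip_address("192.168.1.1")
CLIENT = ipaddress.ip_address("10.8.0.10")        # a VPN client
LAN_HOST = ipaddress.ip_address("192.168.1.50")   # a LAN file server


class Rule:
    """One rule on an interface: action, source, destination and optional destination port."""

    def __init__(self, action: str, src: Net, dst: Net,
                 dport: Optional[int] = None, description: str = ""):
        if action not in ("pass", "block"):
            raise ValueError("action must be 'pass' or 'block'")
        self.action, self.src, self.dst = action, src, dst
        self.dport, self.description = dport, description

    @staticmethod
    def _in(net: Net, addr: ipaddress.IPv4Address) -> bool:
        return net == "any" or addr in net

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                dport: int) -> bool:
        return (self._in(self.src, src) and self._in(self.dst, dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src, dst, dport: int) -> str:
    """Walk the rules top to bottom; the first match decides, as with OPNsense rules,
    which are created with 'quick' set. A packet that matches nothing hits the
    implicit default deny at the end of the list."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "block"


def vpn_rules(block_on_top: bool) -> List[Rule]:
    """The cloned 'Default allow VPN to any rule' plus a block rule that keeps VPN
    clients away from the firewall's web GUI; block_on_top chooses the ordering."""
    allow_all = Rule("pass", VPN_NET, "any", description="Default allow VPN to any rule")
    no_gui = Rule("block", VPN_NET, ipaddress.ip_network("192.168.1.1/32"), dport=443,
                  description="Block VPN clients from the firewall web GUI")
    return [no_gui, allow_all] if block_on_top else [allow_all, no_gui]


def gui_reachable_from_vpn(block_on_top: bool) -> bool:
    return evaluate(vpn_rules(block_on_top), CLIENT, FIREWALL_LAN, 443) == "pass"


def lan_host_reachable_from_vpn(block_on_top: bool) -> bool:
    return evaluate(vpn_rules(block_on_top), CLIENT, LAN_HOST, 445) == "pass"


if __name__ == "__main__":
    for on_top in (False, True):
        print("block above allow-all:", on_top, "| GUI reachable:", gui_reachable_from_vpn(on_top),
              "| LAN host reachable:", lan_host_reachable_from_vpn(on_top))
```

With the block rule below the allow-all it never gets a chance to match, so the web GUI stays reachable from the tunnel; moving it above the allow-all blocks the GUI while ordinary LAN traffic still passes.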
