Messages - sparticle

#31
Quote from: bimbar on September 09, 2024, 11:53:26 AM
Best make that into 2 ports.

Make 2 LAN ports in OPNSense?

Or make 2 physical connections to the main network switch?

Cheers
#32
BArt and Bimbar,

Many thanks for this. Yes, I had concluded that part of my issue was the VLAN 1 thing. I have started separating my VMs onto their own PG in ESXi so I can add VLANs at some point.

You are right I have a port on the primary network switch that is connected to the OPNSense LAN. That is currently set as Hybrid Untagged 1 Tagged 10 PVID 1

I will persevere for a while and learn some more basics.

Thank you for your help and support.

Cheers
#33
Bart,

Many thanks for your additional insights. I think I need a brain reset on this.

I will digest this and other notes and see if I can work out a way forward. At this stage I can't redo the entire network.

I was hoping it would be simple-ish to introduce a number of VLANs to start to learn more.

I think it might be a long journey :)

Cheers
#34
Quote from: bartjsmit on September 05, 2024, 09:59:35 PM
Quote from: sparticle on September 05, 2024, 01:44:38 PM
Setting the PG in ESXI for the main network servers to 4095 was probably a mistake.

Back up any VM's you want to keep (Veeam have a good free CE tier) and wipe the host to start fresh. If you have an external datastore, just unregister the VM's and register them after the rebuild.

I do have a default 'VM Network' PG without a VLAN tag which connects to the LAN

I am just trying to get one vlan working. I do not want to break the existing network at this time.

My instinct is it is something to do with the port config on the HP.

Untagged vs tagged and PVID is confusing. I think it means if the traffic is untagged then default to the VLAN equal to PVID.

I suppose the test VM I setup with an address in the VLAN 10 network would be sending untagged traffic to the PG it is connected to which is set as VLAN 10. Is this the same as a physical switch port being set as an access port on VLAN10?

So in theory all traffic from this VM would be tagged as VLAN 10 by the PG. But why then can I ping the OPNsense LAN interface on the default untagged network? Is it also allowing the default traffic which is untagged? I can't see any way of being more specific; there is no option to set an untagged VLAN number, just the VLAN number.

In fact from one of the office pc's on the LAN network 10.0.0.0/24 I can ping the test VM on the VLAN10 network!

The PG on VLAN 10 that the test VM is connected to should not be pingable from a pc on the LAN network surely...right? I can ssh into it so it is like both networks are the same.

#35
Quote from: bartjsmit on September 04, 2024, 07:02:47 PM
ESXi actually makes things simpler. Add another vNIC to the firewall VM connected to the VLAN 10 port group.

I have OPNsense on VMware with six such interfaces  8)

Hello Bart,

Did you have any comment on the above? I am still a little baffled as to why it is sort of working.

Setting the PG in ESXI for the main network servers to 4095 was probably a mistake. Once you have set it to anything other than the 0 it has by default you cannot set it back to 0.

#36
Bart,

Thank you for this.

I can confirm that everything in OPNsense looks good. I can see the VLAN 10 interface and it is configured correctly. The DHCP service and DNS services are all set to include the VLAN 10 interface etc.

Worth mentioning is that OPNSense runs in an ESXI VM. The PG connected to the VM on the LAN interface is set to VLAN ID 4095 (meaning all) and works perfectly for the rest of the main network.

I set up a basic VM and gave it an address in the VLAN 10 network, 10.0.10.40, on a new PG with VLAN 10. I can ping the OPNSense VLAN 10 LAN from it and it gets DNS services from OPNSense. I can also ping out to the OPNSense LAN network 10.0.0.0/24 and all devices are accessible! I am sure this should not be possible.

So inside the ESXI VM environment, all seems fine.

I set up 2 laptops configured with VLAN 10 static addresses 10.0.10.120 and 10.0.10.130 and also set up ports (9 and 10) on the physical switch as Untagged 1,10 and PVID 10. It is not possible to configure it as an access port: as soon as you tag it, it changes to a hybrid port.

Port 1 on the switch is configured as untagged 1 (default) and tagged 10 with a PVID of 1 and is automatically made a hybrid port.

Port 17 is where the office WAP is connected and that is configured as untagged 1, tagged 10, PVID 1.

I can connect to the WAP OFFICE and all is well. All services are accessible and I can talk to anything on the main (default) network and get to the internet.

If I connect to the WAP Guest network I can also get a DHCP address from the VLAN10 network and connect to the internet. But I can also access all of the resources on the OPNSense LAN network 10.0.0.0/24.

If I connect via either laptop I can ping the other and all network resources on both the OPNSense LAN and OPNSense VLAN10 networks. But I cannot ping into the VM 10.0.10.40 from outside of the VM environment, even though from the VM I can ping everywhere.

It is working, sort of, but with no network separation, and really I don't know why it is working. If I change the 2 laptop ports to be Untagged 1, Tagged 10, PVID 10 I can get nowhere from them.

Also I can connect to both the OPNSense LAN (Main network) and the VLAN 10 network from any pc connected to the switch and ping all resources.
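The questions in #34 (what PVID, untagged and tagged mean) and the port settings listed in #36 (port 1 and port 17 as untagged 1 / tagged 10 / PVID 1, ports 9 and 10 first as untagged 1,10 / PVID 10 and then as untagged 1 / tagged 10 / PVID 10) can be traced with a small model of standard IEEE 802.1Q hybrid-port forwarding. The code below is an added example, not code from the thread, from HP or from OPNsense. It assumes Comware-style hybrid semantics (an untagged frame arriving on a port joins the PVID VLAN; a tagged frame is accepted only if the port is a member of that VLAN; on egress a frame leaves untagged if the VLAN is in the port's untagged list, tagged if it is in the tagged list, and is otherwise not forwarded). The port memberships come from the posts; the `access_vlan_10` variant is a constructed alternative added for comparison.

```python
"""Model of 802.1Q hybrid-port forwarding for the switch port settings
described in the thread (added example; not code from the page).

Assumed semantics (standard IEEE 802.1Q, Comware-style hybrid ports):
  - an untagged ingress frame is classified into the port's PVID VLAN;
  - a tagged ingress frame is accepted only if the port is a member of that VLAN;
  - on egress the frame leaves untagged if the VLAN is in the port's untagged
    list, tagged if it is in the tagged list, and is not forwarded otherwise.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    untagged: frozenset  # VLANs this port sends without a tag
    tagged: frozenset    # VLANs this port sends with an 802.1Q tag
    pvid: int            # VLAN assigned to untagged frames arriving here

    def is_member(self, vlan: int) -> bool:
        return vlan in self.untagged or vlan in self.tagged


def ingress(port: Port, vid):
    """Classify an arriving frame; vid=None means it carried no tag.
    Returns the VLAN it joins, or None if the switch drops it."""
    if vid is None:
        return port.pvid
    return vid if port.is_member(vid) else None


def egress(port: Port, vlan: int):
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged' or None."""
    if vlan in port.untagged:
        return "untagged"
    if vlan in port.tagged:
        return "tagged"
    return None


def forward(switch: dict, in_port: str, vid, out_port: str):
    """Trace one frame from in_port to out_port.
    Returns (vlan, egress_mode); (None, None) if it never leaves."""
    vlan = ingress(switch[in_port], vid)
    if vlan is None:
        return None, None
    return vlan, egress(switch[out_port], vlan)


def host_round_trip_works(switch: dict, host_port: str, uplink: str) -> bool:
    """A host whose NIC is not VLAN-aware sends untagged frames and only
    understands untagged replies. Check both directions through `uplink`."""
    vlan, out_mode = forward(switch, host_port, None, uplink)
    if vlan is None or out_mode is None:
        return False
    # the reply comes back on the uplink exactly as the request left it
    reply_vid = vlan if out_mode == "tagged" else None
    back_vlan, back_mode = forward(switch, uplink, reply_vid, host_port)
    return back_vlan == vlan and back_mode == "untagged"


def trace_thread_configs() -> dict:
    """Port 1 (to the OPNsense LAN) as described in the thread, plus three
    laptop-port variants: the two from the posts and one constructed
    VLAN-10-only (access-style) port for comparison."""
    uplink = Port(untagged=frozenset({1}), tagged=frozenset({10}), pvid=1)
    variants = {
        # ports 9/10 as first configured: Untagged 1,10 PVID 10
        "untagged_1_10_pvid_10": Port(frozenset({1, 10}), frozenset(), 10),
        # ports 9/10 as re-configured: Untagged 1 Tagged 10 PVID 10
        "untagged_1_tagged_10_pvid_10": Port(frozenset({1}), frozenset({10}), 10),
        # constructed alternative (not from the thread): VLAN 10 only
        "access_vlan_10": Port(frozenset({10}), frozenset(), 10),
    }
    report = {}
    for name, laptop in variants.items():
        switch = {"port1": uplink, "laptop": laptop}
        works = host_round_trip_works(switch, "laptop", "port1")
        # does an untagged (VLAN 1) frame from the OPNsense LAN side also
        # reach the VLAN 10 host, with no tag to tell it apart?
        _, vlan1_mode = forward(switch, "port1", None, "laptop")
        report[name] = {
            "vlan10_round_trip": works,
            "vlan1_delivered_untagged": vlan1_mode == "untagged",
        }
    return report


if __name__ == "__main__":
    for name, result in trace_thread_configs().items():
        print(f"{name:30s} {result}")
```

Under these assumptions the first laptop-port setting gives the VLAN 10 host a working round trip but also hands it VLAN 1 frames untagged, so the host sees both networks as one wire; the second setting sends VLAN 10 replies back tagged, which a non-VLAN-aware NIC discards, matching the "can get nowhere" symptom; the VLAN-10-only port is the one that gives a working round trip with no VLAN 1 frames delivered.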
#37
Bart,

Many thanks. I am a little stuck at present.

I have configured OPNsense to have VLAN 10 with the parent interface on the LAN, copied the same firewall rules that the LAN has to VLAN 10, and set up DHCP for VLAN10.

On the WAP I have configured 2 networks, one on the default VLAN 1 and one on VLAN 10.

On the switch I have configured the port the WAP is connected to as belonging to VLAN 10 and the port is marked as a hybrid port. I also configured the switch with an additional address on the VLAN 10 network.

The port connected to the OPNsense LAN is also configured as hybrid.

I can connect to the office_wifi and all is well and I have internet access as well as lan access to the main network and all is well on that network.

If I connect to the Guest network I do not get a DHCP address. However, if I configure a static IP on the connection from my phone, I can connect to the switch on its VLAN 10 address. But I cannot get to the OPNsense VLAN 10 address or the internet.

I am sure I am missing something fundamental but can't see it.

The switch is an HP A5120, fully managed.

Cheers
#38
Hello,

We are a long-time user of OPNsense. The time has come, I feel, for us to be a little more security conscious and start to logically segment the network.

VLANs seem to be the answer. But I am a little confused on the practicalities. It seems it's like a magic trick: someone who knows the trick makes it seem simple. You can sort of understand it, it makes sense, but the practical implementation eludes us.

We can create VLANs in OPNsense and configure DHCP on the VLAN, but we are missing knowledge of the details. For instance, we have OPNSense with a WAN with a /29 and a LAN /24. The LAN is 10.0.0.0/24; we have firewall rules and port forwards to various servers and all is well.

OPNsense is connected to our main network switch, which has a number of servers for virtualisation, NAS etc. It also has security cameras, office PCs, WAPs, a wireless link to another building which also has a WAP and security cameras, and a link to another building which has 5 WAPs, security cameras, smart TVs and a number of internet-connected devices. All on the same /24 network.

Ideally, in future, we would want to segment some of these devices.

When configuring a VLAN it asks for the DNS server and gateway. If I put the DNS server address as the OPNSense LAN address it can't see that as it is on a different network.

As a simple example to get started. We have a VLAN capable WAP in the office.

It would be good to configure 2 networks on it: the default network called Office_Wifi and a Guest network on a different network.
Office_Wifi
Default 10.0.0.0/24
Guest_Wifi 10.0.10.0/24

I can configure the Guest_WiFi network in the WAP with VLAN id of 10 and set its address as 10.0.10.1.
DHCP would come from the OPNSense DHCP service.

So the WAP would have 2 networks. 10.0.0.0/24 and 10.0.10.0/24

At the OPNSense end I can configure a VLAN with an ID of 10 and set up the network as 10.0.10.0/24. But what DNS do I specify and what gateway address? The address of the OPNsense LAN 10.0.0.1 for both?

Then at the network switch I would need to setup VLAN 10 and add the port that the WAP is connected to? Would it need to be set as a trunk port as it could be carrying traffic from either of the 2 wifi domains and networks?

Do I need to configure the port that the OPNSense LAN is connected to as a trunk port? Do I need to add that port to VLAN 10 also?

As a basic starter, I would love someone to assist with setting up this first VLAN to get the WAP serving the 2 groups; office staff and guests. With connected office staff being able to see the default network 10.0.0.0/24 and Guests being served a DHCP address by OPNsense and only able to access the internet.

Any help is appreciated. And apologies for the ramble just trying to get this stuff out of my head.

Cheers
#39
Hardware and Performance / Re: OPNsense on ARM
March 22, 2023, 12:39:50 PM
Quote from: lilsense on November 26, 2022, 04:35:02 PM
you just gotta know where to report them. :)

And that would be where?

Cheers
Spart
#40
Quote from: chemlud on March 19, 2023, 07:45:10 PM
...next time buy an optiplex SFF and you can add PCI NICs, problem 100% solved ;-)

SFF are really too big a form factor for the job. The USFF devices are closer to an ideal but lack the internals from what I can see.

Is there a recommendation for a micro or USFF device that can take a single or dual NIC?

Cheers
Spart
#41
I have a J5Create USB 3.0 Gbic; it is using the ugen0.3: <ASIX Elec. AX88179> at usbus0 driver.

Seems rock solid with no dropouts.

Cheers
Spart

#42
An LP bracket for most of the intel Quad cards is around 5 pounds on ebay!
#43
Just testing the 22.7.11 build from here. https://www.yrzr.tk/opnsense-22-for-aarch64/

Installs fine; remember to copy one of config_rpi3 or config_rpi4 to config.txt before inserting the SD card.

Loaded the config from my current opnsense box with a couple of mods to the IP addresses and interface names.

However, on update it gets stuck at [3/5] Extracting ruby-2.7.6_2,1: .....

Not sure what the fix is.

On reboot it hangs on the serial interface after showing the interface assignments and keys.

No further response on the serial port.

Cheers

#44
As standard, the Dell R720 also supports converged adaptors.

Broadcom 57800T 2 x 10Gbe and 2 x 1Gbe Copper
Intel X540 2 x 10Gbe and 2 x 1 Gbe

So they may also be an option with a forward path if we upgrade the Prosafe switch to include 10Gbe ports.

Does anyone have any experience of ESXI 6.7 and either of those cards with OpnSense they can share?

Cheers
Spart
#45
Quote from: gwurb on November 03, 2022, 08:25:25 AM
I followed what I understood on https://yrzr.tk/opnsense-22-for-aarch64/
but can't get RPI4B system to boot. I don't have a serial adapter so unfortunately can't troubleshoot a lot.

Here is what I did:

Downloaded:
OPNsense-22.1.10-OpenSSL-arm-aarch64-RPI.img.xz
and
OPNsense-22.7.5-OpenSSL-arm-aarch64-RPI.img.xz

Used Raspberry Pi Imager to write the img to file. Renamed config_rpi4.txt to config.txt and deleted config_rpi3.txt . Put the newly flashed card into RPI4 and powered it up. It gets to the rainbow/multicolour splash screen and then nothing. This was the case for both img files, written with either Raspberry Pi Imager or Balena Etcher, unarchived first or provided as .xz to the imager. I tried this on two RPI4.

I tried booting the same card on RPI3B+ with config_rpi3.txt renamed to config.txt and it booted, showing the boot process. I set a static IP and then used config_rpi4.txt renamed to config.txt to boot rpi4. Got the rainbow screen but could still access the system. So there is something wrong with the video.

Is there something wrong with the default config_rpi4.txt? What could I try to get the console to show on hdmi output?

Thanks

A great investment (under $10) is a USB to TTL serial adaptor. Try DSD TECH.

This allows you to configure the serial output when booting, to follow the boot process and interact.

Cheers
Spart