Messages - pankaj

#106
General Discussion / Re: VLAN & DHCP problems
May 30, 2021, 01:13:54 AM
Another clarification, on OPNSense the port running VLAN does not run any untagged interface or any other DHCP subnet so its only one VLAN (with unique subnet) for each port.
#107
General Discussion / Re: VLAN & DHCP problems
May 30, 2021, 01:12:33 AM
I am very new to VLANs but think that is the case for a few reasons:

- using a TrendNet TEG S80ES switch where port-1 (VLAN 1) is the static tagged port & connected to the wall socket. Within the UI for the switch there are VLANs configured using other ports for TV, IoT & GuestWifi. The two other VLANs for TV & IoT are working fine.

- I am using an Archer A7 for GuestWifi in AP mode for this setup, but when I change the mode from AP to router then all the clients connected to GuestWifi are able to get to the Internet. The drawback in this case is that the TP-Link router starts running its own DHCP for clients with the 192.168.0.x subnet. Ideally I'd like to handle all DHCP and FW rules on the OPNSense box.

Since the second scenario is working, I am inclined to think that connectivity between the L2 switch port and OPNsense has been configured correctly.
#108
If you want to change the DNS settings system-wide then look under System ==> Settings ==> General; there is a section for DNS servers and an option to disallow overwriting by DHCP on the WAN side.

HTH.
#109
Hi,

I'd like to run a guest wifi on a VLAN on my home network, so I did the following steps:

1. Picked one port on the OPNSense appliance and created a VLAN (=4) on it; this port does not run any tagged interface and only the VLAN (=4).
2. Added a DHCP server on the VLAN with 192.168.4.x
3. The VLAN port is physically wired to another corner of the house (behind the walls) and at the outlet there is a L2 managed switch. And there is a VLAN (=4) port configured on L2 switch.
4. For testing, when I connect a laptop to the VLAN(=4) configured port on the L2 switch I get a correct IP assigned in the 192.168.4.x subnet...so far working good.

This is where I am running into problems:
The only FW rule on the VLAN(=4) interface is to allow all traffic outside (attached screenshot). From my laptop when I ping 8.8.8.8, the logs show that it gets to the gateway of the 192.168.4.x subnet but no response comes back and the laptop cannot get to anything past the gateway.

I'd appreciate any pointers to get this working; it seems simple enough that I cannot find any reason for it not to work.

Thanks.
#110
General Discussion / Email notifications
April 16, 2021, 05:25:51 AM
Hi,

I want to set up an email notification when OPNSense boots up. There are a few examples of condition and service tests but the syntax seems very cryptic and I cannot figure out how to add a condition for boot up.

If anyone else has done this or has familiarity with the syntax, please guide me!
Regards,

PM
#111
@bartjsmit and @chemlud - thanks for the inputs. The ping to 8.8.8.8 was not working, which alerted me to look at the live firewall logs (screen captured earlier). But I wish I had the presence of mind to capture packets...it could've saved me a few hours!! I will be sure to remember that in future.

Anyway the problem got solved and the culprit was not OPNSense but the TP-Link wireless router. When I enabled the AP mode for its operations, it seems one of the obscure settings, "Enable SIP Firewall", got activated. So it was the router that was blocking traffic all this time  >:(

Thanks again for your comments and helpful insights  :)
#112
Hi,

I have a GuestWiFi running on a separate VLAN which was working until a few days back but has stopped working. For troubleshooting I have disabled all rules on GuestWiFi and am allowing all traffic out.

The log view shows that a host on this VLAN is trying to resolve a DNS query but nothing seems to be coming back as a DNS resolution response. So the internet is not reachable on this VLAN and I cannot make any sense out of this behavior.

Any pointers?
#113
Fixed it with the following tweak  8)
#114
Hi,
I am getting stuck with some testing of basic firewall rules; here is the test setup:

1. GuestWiFi LAN: 192.168.10.1/24
2. WiredLAN: 192.168.20.1/24
3. Alias created "ProhibhitedGuestWiFi" and added network "192.168.20.1/24"
4. Added a firewall rule under GuestWiFi to block all traffic from ProhibitedGuestWiFi

But the ping from the 192.168.10.10 machine is still going through to another one at 192.168.20.20. I added a similar rule for WiredLAN but with the networks reversed, so I am a little confused about this behavior.

Attached is the screenshot of the rules described above.

Is there anything wrong with my setup?
Thanks!

#115
@wgseaton

Did you create a rule (incoming) on LAN to allow ICMP pings to LAN net? To keep things easy, please put this rule at the very top of the LAN rules for this testing.
#116
Quote from: zibloon on March 27, 2021, 06:22:03 PM

I did exactly the same except I am using the IP of Nextcloud (it has no FQDN) and the Directory Name which can't be left blank (or it generates the error "The Backup Directory can only consist of alphanumeric characters, dash, underscores and slash. No leading or trailing slash.")

I am pretty sure this is a certificate issue. Again, my Nextcloud is not accessible from the internet so I am using a self-signed certificate which was generated during installation of Nextcloud (not corresponding to a FQDN). I had no problem importing this certificate in Firefox or Thunderbird though...

Any clue?

Since this (Nextcloud) is a built-in integration, it would not surprise me if the developers leaned in favor of security, in which case self-signed certificates may not work. Here are a few ways to try different things:
1. Use a service like "Let's Encrypt" to make a FQDN work, just in case the above premise is true - https://www.youtube.com/watch?v=IR41duTqN6Y
2. Since this is an internal LAN, there are other ways to make things reliable like isolating machines using VLANs and then you can use simple local archive or rsync to move configuration files between machines.

While I understand that https is more secure than http, overusing it on a LAN is the equivalent of adding a bolted lock on each cabinet inside the house. But if there are legit reasons for you to use https for every service on the LAN then you may want to rethink the topology again.

In my house, I have a few VLANs which provide such convenience:
- GuestWiFi is the most restrictive VLAN and does not have access to any other LAN/VLANs
- IoTs have some restricted services available (mostly on host basis)
- Working machines have most liberal access
- Management machines are also very restricted; this VLAN is used for managing L2 switches and iDRAC for server machines. On this VLAN, I collect all the logs centrally and do not feel the need to use https because it is isolated from the other subnets using VLANs.

Hope this helps.
#117
Quote from: Flyinace2000 on March 12, 2021, 01:33:11 AM
I think I'm having the same issue.  I've tried w/ both my actual username/password and the application specific generated credentials.  Here are the relevant logs

2021-03-11T19:26:40   config[36701]   {"url":"https:\/\/nextcloud.willsisti.com\/ocs\/v1.php\/cloud\/user","content_type":null,"http_code":0,"header_size":0,"request_size":0,"filetime":-1,"ssl_verify_result":0,"redirect_count":0,"total_time":60.00686,"namelookup_time":0.000374,"connect_time":0,"pretransfer_time":0,"size_upload":0,"size_download":0,"speed_download":0,"speed_upload":0,"download_content_length":-1,"upload_content_length":-1,"starttransfer_time":0,"redirect_time":0,"redirect_url":"","primary_ip":"","certinfo":[],"primary_port":0,"local_ip":"","local_port":0,"http_version":0,"protocol":0,"ssl_verifyresult":0,"scheme":"","appconnect_time_us":0,"connect_time_us":0,"namelookup_time_us":374,"pretransfer_time_us":0,"redirect_time_us":0,"starttransfer_time_us":0,"total_time_us":60006860}   
2021-03-11T19:26:40   config[36701]   Cannot get real username

I was getting the same error and resolved it with the following steps:
1. From profile icon (NextCloud account), under Security create an app specific password
2. In OPNSense add the following items:
a. Enable backup under NextCloud
b. URL: https://nextcloud.willsisti.com  (mine is with linuxfabrik.io just in case you want to give it a try)
c. Username: your email for NC account
d. Password: generated in step 1)
e. Encryption: leave it blank for now but change it later
f. Directory name: leave blank for now to save at the root but you can change it later
3. Click on Setup/Test, and wait a few seconds for the backup to be created and uploaded to the root directory of the NC account

The above steps worked for me, hope it solves your problem.
#118
Hi,
I have an Orbi router connected to a L2 switch and the Orbi is running in AP mode, so all DHCP assignments for wireless clients are done via OPNSense. On both Android and iPhone there is an option under WiFi to use the phone MAC or a randomized MAC; I understand that the latter is more secure.

There are no host-specific rules on the WiFi VLAN and for now I have allowed everything to pass to keep things simple. It works fine when I use the phone MAC address, but when I switch to a randomized MAC on the cellphone, the device gets the correct IP assignment (with the WiFi VLAN subnet) but does not get internet access.

Is there an explanation for this behavior?
#119
@greelan thanks for your comments.

Yes, I am a little confused; the UI of OPNSense seems better than pfSense's but it will take some time to sink in!!

The recommendation you made about the FW rule on VLAN10, I thought I was doing the same (see screenshot below). Is this not the same as what you suggested? If not then this may be the source of my problem.

Thanks.
#120
Hi,
I am a user of pfSense and am thinking of using OPNsense, so I decided to play with it on GNS3 just to get the hang of it:

See attached for a simple topology I created:
1. OPNSense machine where on LAN (em2), I created two VLANs (10: Office and 20: Home)
2. Turned off DHCP on LAN and turned DHCP on VLAN10 (192.168.91.x) and VLAN20 (192.168.92.x)
3. Added a L2 switch in between and configured f0/4 as VLAN10, f0/5 as LAN20 and f0/3 as uplink
4. Added one PC to each VLAN and each of the PCs gets a correct DHCP address in the subnet assigned above

I was really thrilled till this point to make so much progress on my first attempt  :)

Then tried following:
1. Ping PC1 from PC2 and vice versa - both sides worked. I was expecting it to be blocked as the default rules should be "block all", so I would appreciate if anyone can explain how this ping is going through when there are NO rules under VLAN10 or VLAN20.

2. Checked the rules under LAN and found "Allow All" rule - turned both of them off

3. The pings from PC1 and PC2 to each other stopped working

4. On VLAN10 added an outbound rule to allow any IPv4 protocol from VLAN10 to VLAN20; I was expecting the ping to work from PC1 to PC2 (based on pfSense experience) but it did not work

5. Under VLAN20 added an inbound rule to allow any IPv4 protocol into VLAN20 from VLAN10, surprisingly the ping from PC1 (on VLAN10) to PC2 (on VLAN20) still did not work.

So clearly I am doing something wrong here and would appreciate any pointers.

Thanks,
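Two of the posts above (#114, the alias block rule that "does not block", and #120, the VLAN10 to VLAN20 pass rule that never takes effect) hinge on the same rule-evaluation semantics: in OPNsense (pf underneath) a rule is bound to one interface and one direction, it is compared against the packet as seen on that interface, the first match wins, nothing matching means the default deny applies, and a pass rule creates a state that later legs of the same flow match before any further rule lookup. The toy evaluator below is an added illustration written for this page; it is not OPNsense or pf code. It assumes the floating state policy (the OPNsense default) and uses the interface names and subnets from the posts with constructed host addresses (192.168.91.10, 192.168.92.10) and constructed rule labels.

```python
"""Toy model of interface-bound, stateful firewall rule evaluation in the
style of OPNsense/pf (illustration only, not OPNsense code).  It models
just enough to replay posts #114 and #120: rules bound to an interface and
direction, first match wins, default deny, and a pass rule creating a
floating state that short-circuits rule lookup on the egress interface."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    iface: str       # interface the rule is attached to (VLAN10, GuestWiFi, ...)
    direction: str   # "in" = traffic entering that interface, "out" = leaving it
    action: str      # "pass" or "block"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    label: str       # constructed label, returned as the verdict's reason


@dataclass(frozen=True)
class Packet:
    ingress: str     # interface the packet arrives on
    egress: str      # interface the router would forward it out of
    src: str
    dst: str


def _in_net(cidr, addr):
    # strict=False accepts host-style entries such as "192.168.20.1/24"
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def first_match(rules, iface, direction, pkt):
    """First rule on this interface/direction matching the packet, else None."""
    for r in rules:
        if ((r.iface, r.direction) == (iface, direction)
                and _in_net(r.src, pkt.src) and _in_net(r.dst, pkt.dst)):
            return r
    return None


def forward(rules, pkt, states):
    """Walk one packet through the router; returns (verdict, reason).

    states: set of (src, dst) flows.  With floating states (assumed) an
    existing state is matched on any interface before rules are consulted."""
    flow = (pkt.src, pkt.dst)
    if flow in states:
        return "pass", "existing state"
    # Leg 1: the 'in' rules of the ingress interface, default deny.
    r = first_match(rules, pkt.ingress, "in", pkt)
    if r is None:
        return "block", f"default deny (in on {pkt.ingress})"
    if r.action == "block":
        return "block", r.label
    states.add(flow)   # pass rules are stateful
    # Leg 2: the new state matches on the egress interface, so the 'out'
    # rules there are never reached for forwarded traffic of this flow.
    return "pass", r.label


def scenario_guestwifi(block_by):
    """Post #114: block rule on GuestWiFi using the alias (192.168.20.1/24)
    as source ('src') or destination ('dst'), with a catch-all pass below."""
    alias = "192.168.20.1/24"
    block = Rule("GuestWiFi", "in", "block",
                 alias if block_by == "src" else "any",
                 alias if block_by == "dst" else "any",
                 f"block alias as {block_by}")
    allow = Rule("GuestWiFi", "in", "pass", "any", "any", "allow all out")
    pkt = Packet("GuestWiFi", "WiredLAN", "192.168.10.10", "192.168.20.20")
    return forward([block, allow], pkt, set())


def scenario_vlan_ping(rule_iface, rule_direction):
    """Post #120: where must the pass rule sit for PC1 (VLAN10) to reach PC2 (VLAN20)?"""
    rule = Rule(rule_iface, rule_direction, "pass", "192.168.91.0/24",
                "192.168.92.0/24", f"pass {rule_direction} on {rule_iface}")
    pkt = Packet("VLAN10", "VLAN20", "192.168.91.10", "192.168.92.10")
    return forward([rule], pkt, set())


def scenario_stale_state():
    """A flow passed before the block rule existed keeps passing on its state
    until that state is cleared (Firewall: Diagnostics: States in OPNsense)."""
    states = set()
    allow = Rule("GuestWiFi", "in", "pass", "any", "any", "allow all out")
    block = Rule("GuestWiFi", "in", "block", "any", "192.168.20.1/24", "block alias as dst")
    pkt = Packet("GuestWiFi", "WiredLAN", "192.168.10.10", "192.168.20.20")
    before = forward([allow], pkt, states)         # creates the state
    after = forward([block, allow], pkt, states)   # still passes: state hit
    states.clear()                                 # operator resets states
    reset = forward([block, allow], pkt, states)   # now the block rule is evaluated
    return before[1], after[1], reset[1]


if __name__ == "__main__":
    print("#114 alias as source     :", scenario_guestwifi("src"))
    print("#114 alias as destination:", scenario_guestwifi("dst"))
    for iface, direction in (("VLAN10", "out"), ("VLAN20", "in"), ("VLAN10", "in")):
        print(f"#120 pass {direction} on {iface:6}:", scenario_vlan_ping(iface, direction))
    print("stale state               :", scenario_stale_state())
```

Read against the posts: the #114 rule names the alias as source, but a packet entering GuestWiFi from 192.168.10.10 has that address as its source, so the block never matches and the catch-all pass lets it through; putting the alias in the destination field blocks it. For #120, an "out" rule on VLAN10 is never reached because the packet is dropped at the "in" stage on VLAN10, and an "in" rule on VLAN20 never sees the packet because it leaves VLAN20 rather than entering it; only a pass rule in the "in" direction on VLAN10 creates the state that carries the flow out of VLAN20. The last scenario is the caveat to keep in mind when testing rule changes with a ping that is already running: the existing state keeps matching until it is reset.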