Show Posts


Messages - EdwinKM

Pages: 1 ... 6 7 [8] 9 10 11
106
German - Deutsch / Re: Nur PC's aus dem DHCP Bereich Internetzugriff erlauben
« on: May 03, 2022, 10:34:10 pm »
duplicate of https://forum.opnsense.org/index.php?topic=28212.0

107
22.1 Legacy Series / Re: HowTo Alliase and Firewall Rule to only allow DHCP devices Access to Internet
« on: May 03, 2022, 09:24:20 pm »
Sorry, still unclear.

Your network is 192.168.49.0/24 and your DHCP range starts at .10.

(Untrusted) people can get a network cable and assign themselves an IP in the complete network range (192.168.49.2 - 192.168.49.254). You can not really avoid this. You can probably use a MAC address whitelist only, but that can be spoofed also. Physical access is futile to try to block in my opinion.

A common setup is to create a wireless "guest" network to grant family/friends access to the internet. But you do not want them to access your private systems.

But you start again with a technical question and fail to explain *why* you want this. What is the end goal? WHO do you want to block? So I can not decide if you are asking the correct questions.

Update:
Your German post explained it a bit. And the other systems seem to be yours as well. I think it is a good rule to try to keep similar systems (with similar rights) on their own network. So, create a "server" (LAN) network for important stuff (let's say: 192.168.49.x/24). Create another network for your guests (wifi, let's say 192.168.49.x/24). And you can create another network for IOT devices (50.x, like printers). After that you can create rules that 49.x is allowed to IOT but not the other way around. Create a rule to block internet access from IOT.

Also note: if you create for example the 1-network setup and you have 2 systems, 192.168.49.2 and 192.168.49.3, you can *NOT* block traffic between those 2 devices. Simply because no ROUTING is needed. It will only talk to your switch and never reach the router.

Everything on 1 network with firewall rules should be possible for "internet access", but there is not something like "below 10 should not" with firewall rules.
You will have to create rules per IP to allow/disallow stuff.
I would not recommend it.
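The segmentation advice in this reply, as an added example that is not part of the thread: a small model of three segments (LAN, GUEST, IOT) with a stateful inter-segment policy. It shows both points made above, that same-subnet traffic is switched and never reaches the router's rules, and that routed traffic is allowed only in the directions the policy lists. The subnets, segment names, policy pairs and sample flows are all constructed; the guest subnet is deliberately chosen distinct from the LAN one.

```python
import ipaddress

# Constructed segments (assumed values, not the poster's actual addressing).
SEGMENTS = {
    "LAN":   ipaddress.ip_network("192.168.49.0/24"),
    "GUEST": ipaddress.ip_network("192.168.48.0/24"),
    "IOT":   ipaddress.ip_network("192.168.50.0/24"),
}
INTERNET = "INTERNET"   # anything outside the local segments

# Directions that may *initiate* a connection; replies come back through the
# state table, as on a stateful firewall. IOT may not reach LAN or the Internet.
ALLOWED = {
    ("LAN", "IOT"), ("LAN", INTERNET), ("GUEST", INTERNET),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or INTERNET if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET


def evaluate(src: str, dst: str):
    """Return ('switched', None) when the flow never reaches the router,
    otherwise ('routed', 'allow' | 'block') according to ALLOWED."""
    s, d = segment_of(src), segment_of(dst)
    if s == d and s != INTERNET:
        # Same subnet: the switch forwards it directly; no rule can see it.
        return ("switched", None)
    verdict = "allow" if (s, d) in ALLOWED else "block"
    return ("routed", verdict)
```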


108
General Discussion / Re: Migration from pfSense to OPNsense. Best practice
« on: May 03, 2022, 08:08:19 pm »
I think a couple of options:
* Back up the config. It is XML, so fairly readable.
* Make screenshots of changed settings you remember.
* Create a pfSense VM and restore the mentioned backup so you can easily compare.


109
22.1 Legacy Series / Re: HowTo Alliase and Firewall Rule to only allow DHCP devices Access to Internet
« on: May 03, 2022, 08:05:08 pm »
Please explain exactly what you want. You made a lot of spelling mistakes.

Do you want to block unregistered users on your network? (So plugging a cable into your router/switch.)
Or do you want to grant people internet access but do not want them to access your private LAN (systems)?

110
22.1 Legacy Series / Re: Duplicate Entries for Static DHCPv4 leases
« on: April 30, 2022, 10:02:41 am »
This change is not released yet. I am not sure if it is actually the same problem. Never trusted those pages after making a static mapping (to another IP). Had similar results with pfSense though. We should check after the next release.

111
22.1 Legacy Series / Re: Shutdown becomes a reboot
« on: April 30, 2022, 09:37:30 am »
BIOS up to date?
https://forums.freebsd.org/threads/shutdown-p-now-reboots-the-system.40010/

112
22.1 Legacy Series / Re: [unbound] host override won't work when DHCP registration is turned on.
« on: April 30, 2022, 09:19:30 am »
Not sure, possibly related to https://github.com/opnsense/core/issues/5599 ?

113
22.1 Legacy Series / Re: Interesting issue
« on: April 29, 2022, 07:52:06 pm »
Start with watching
UniFi & pfSense Deployment, Setup and Planning with WiFi, VLAN & Guest Network -> https://www.youtube.com/watch?v=LNAAfja_ZOY

114
General Discussion / Re: critique my setup
« on: April 29, 2022, 07:44:53 pm »
Printer:
So, is the problem only to find the printer dynamically? If you configure it statically in the operating system, it works?

Ping:
Not 100% sure. But I think you have to look at it as follows. Normal IOT devices connected to your physical interface are disallowed to access your LAN. But the traffic has to pass through the interface.
With your experiment you test directly at the router, so "after" the firewall. You are using the IOT gateway (probably x.x.x.1) as source and not a "client" IP.

Even if I add a block rule for ICMP on the "out" direction, the ping still works.

115
22.1 Legacy Series / Re: Duplicate Entries for Static DHCPv4 leases
« on: April 29, 2022, 07:22:37 pm »
note this fix: https://github.com/opnsense/core/commit/eb0eb519dbe79e81dfe55f735db5a8abff1c10e8

116
22.1 Legacy Series / Re: VLAN and DHCP not working
« on: April 28, 2022, 08:08:30 pm »
What I mean: try to add devices which communicate with each other on the same to the same "switch". It is fine to connect your main machine to the router directly. But, if you then want to regularly connect to a NAS on another subnet, then it has to route. But if you connect your main system AND your NAS to a switch, this traffic will never reach the router. This is just for optimization.

If I understand your drawing correctly, you have devices directly on the miniPC (like VLAN 80 and 20) but ALSO connected to your wireless side.
AFAIK this is not even possible. It is a different physical interface, so you need to "route" (to your trunk). But maybe I am wrong :)

The easiest is:

WAN -> MiniPC -> LAN
              -> A dedicated interface for your isolated webserver (VLAN not needed, but has its own subnet)

Connect this LAN to a MANAGED SWITCH.
OPNsense: create the virtual VLANs (IOT, GUEST) and use the same physical LAN interface.

Create the same (guest/IOT) VLANs on the WiFi AP.
Assign the correct VLANs to your managed switch ports.

I can not really help with DD-WRT/OpenWrt. I found it much easier with my TP-Link EAP-245 and Netgear GS108Ev3. Those projects contain a lot of "router" parts which you do not need. So, for the WiFi AP you only have to create an SSID, passphrase and enter a VLAN number.

A good drawing can help. Which devices are on what network. How many network wires and floors.
Draw all the switch ports. Describe what (and if) VLANs are assigned for each port.
It is still on my todo list for my setup :)


117
22.1 Legacy Series / Re: Feature: Backup files from file system
« on: April 28, 2022, 06:35:51 pm »
Maybe better to support ZFS snapshots (filesystem snapshot). This is what TrueNAS is doing also.

118
22.1 Legacy Series / Re: VLAN and DHCP not working
« on: April 28, 2022, 04:34:29 pm »
You use VLANs if you want multiple subnets on 1 physical interface (and 1 cable).
Also, your Netgear is probably a "stupid" switch and not VLAN aware. And the AP part usually also does not support VLANs. You need a real access point or custom firmware (OpenWrt).

Try to determine your usual huge traffic flows. You do not want to pass all traffic through the router (routing is "expensive"). You want to let the switch pass the traffic to the targets. But you can have a valid use case for your design.

Maybe this helps: https://www.youtube.com/watch?v=b2w1Ywt081o
It is for pfSense and a UniFi switch, but the principles are the same.

So, if you really need the interfaces on the miniPC side, start with this. Connect systems and look if you get a valid IP.
After that you configure your MANAGED switch with the correct VLANs.

119
General Discussion / Re: Logging POST requests
« on: April 27, 2022, 10:09:09 pm »
Never used Zenarmor. But note that 99% of the internet is encrypted nowadays (HTTPS). The only part the router can inspect is DNS requests and the SNI header (the domain, like: www.youtube.com). If you really want to inspect content, you have to create a MitM setup and you have to add custom certificates to your browser.
You have to add those for ALL devices (phones/tablets/etc). In most cases not even possible.

If you really mean "http", then more should be possible to inspect.

120
22.1 Legacy Series / Re: VLAN and DHCP not working
« on: April 27, 2022, 08:58:45 pm »
I am not sure if I understand. Also, you create VLANs on multiple physical interfaces. This is possible, but is this what you want/need? Are you connecting multiple switches to your router? To recap, usually you do:

interface LAN -> on physical interface igb2 -> with DHCP, like 192.168.1.1
virtual interface VLAN80 -> on physical interface igb2 (the name will be igb2_vlan80) -> with DHCP, like 192.168.80.1

So, for each (virtual) interface you have to:
* add a static IPv4 IP (gateway)
* DHCP (with range)
* firewall rule(s)

Hope it helps
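The per-interface checklist above (static gateway address, DHCP range, rules) is easy to get subtly wrong when several VLAN interfaces are added by hand. As an added example, not from the thread or from OPNsense itself, this check validates such a plan before it is typed into the GUI: the gateway must be a usable host address, the DHCP range must lie inside the subnet and not swallow the gateway, and no two interfaces may overlap. The interface names and addresses follow the reply's examples but the full plan is constructed.

```python
import ipaddress

# Constructed plan in the shape of the reply's example (assumed values).
PLAN = {
    "igb2":        {"gateway": "192.168.1.1/24",  "dhcp": ("192.168.1.10", "192.168.1.200")},
    "igb2_vlan80": {"gateway": "192.168.80.1/24", "dhcp": ("192.168.80.10", "192.168.80.200")},
}


def check_plan(plan: dict) -> list:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems, seen = [], []
    for name, cfg in plan.items():
        iface = ipaddress.ip_interface(cfg["gateway"])
        net = iface.network
        lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp"])
        # The gateway must be a host address, not the network or broadcast address.
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {iface.ip} is the network or broadcast address")
        # The DHCP pool must be inside the interface's own subnet ...
        if lo not in net or hi not in net:
            problems.append(f"{name}: DHCP range {lo}-{hi} lies outside {net}")
        elif lo > hi:
            problems.append(f"{name}: DHCP range start {lo} is after end {hi}")
        # ... and must not hand out the gateway's own address.
        elif lo <= iface.ip <= hi:
            problems.append(f"{name}: gateway {iface.ip} sits inside the DHCP range")
        # Every interface needs its own subnet; overlaps break routing between them.
        for other, onet in seen:
            if net.overlaps(onet):
                problems.append(f"{name}: subnet {net} overlaps {other} ({onet})")
        seen.append((name, net))
    return problems
```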

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved