OPNsense Forum
Messages - Demusman

Pages: 1 ... 5 6 [7] 8 9 ... 21
91
General Discussion / Re: Ubiquiti integration package potential?
« on: January 30, 2023, 08:43:57 pm »
Getting popular?
It's been popular for a while and now most people I know are getting rid of it because they learned how to network themselves and want control of their network instead of having the equipment control itself.

92
General Discussion / Re: How did this firewall rule get created?
« on: January 30, 2023, 05:06:39 pm »
Bottom of the NAT you created.


93
23.1 Legacy Series / Re: Gui becomes unresponsive (can't reach it)
« on: January 29, 2023, 05:38:04 pm »
If you have physical access to the box you should be able to use the console.

94
General Discussion / Re: Is it a good idea to schedule the opnsense firewall to shutdown for x hours
« on: January 29, 2023, 05:36:53 pm »
Quote from: chuliu on January 29, 2023, 05:30:16 pm
The question is, is it worth the effort? Does it benefit the SSD by letting it stay idle for 4 hours?

Thanks.

I had a pfSense box up for 1172 days. Finally got some down time to be able to update it.
It's FreeBSD, it's made to stay up. Of course hardware problems can happen at any time whether it's run 24/7 or not, so just let it run.

95
General Discussion / Re: Suddenly blocked within LAN by Default deny / state violation rule
« on: January 29, 2023, 03:36:14 pm »
On the LAN interface, delete the LAN net to DMZ net rule. The default allow any already covers that.

What does "The webpage can be show but cannot post any file back to the website" mean?

Why have a DMZ if you're allowing it to everywhere?

96
General Discussion / Re: Suddenly blocked within LAN by Default deny / state violation rule
« on: January 29, 2023, 12:43:35 pm »
@combo The firewall wouldn't even see traffic on the same subnet. That would be layer 2 traffic only.
There's something you're not telling us about your setup. Post pics of your network layout.

@ttw1988 Post pics of your firewall rules from all interfaces.

97
22.7 Legacy Series / Re: Laptop & Managed Switch (TL-SG10) & VLANs
« on: January 27, 2023, 01:47:16 am »
Not sure about this, but once you set the WAN back to DHCP, that probably enabled the firewall again.
You can check by running pfctl -e; it'll probably say it's already enabled. Again, not sure if that enables it, but any change in rules does, so that may also.

You didn't say what type of internet; if you have a cable modem you will have to power-cycle it any time you change the directly connected device.
I wonder if your DHCP lease expired before you plugged the laptop back in and that's why it worked now. If you get a public IP there shouldn't be anything blocking that in the firewall.

Obviously, if it isn't already, re-enable pf and see what happens.

98
General Discussion / Re: Lan port is hosed, can't access gui
« on: January 26, 2023, 06:53:21 pm »
You're better off doing it from the console. Assign interfaces.

As far as Xfinity, you don't need them to reset the modem.
Cable modems "remember" the MAC of the directly connected device. So if you change that device, just power-cycle the modem to clear the old MAC.

99
General Discussion / Re: Lan port is hosed, can't access gui
« on: January 26, 2023, 01:50:54 pm »
Option 8 in the console.
pfctl -d to disable the firewall. Fix the rules. When you apply the fix it will restart pf, but pfctl -e is the enable command.

Keep in mind, this disables the WAN rules also, so maybe disconnect WAN if you're worried.

100
Virtual private networks / Re: OpenVPN - site to site UP but no traffic or ping
« on: January 26, 2023, 11:41:19 am »
Start using the packet capture. See where you can get to, then you'll have a better understanding of where you can't get to.

101
Virtual private networks / Re: OpenVPN - site to site UP but no traffic or ping
« on: January 26, 2023, 12:55:17 am »
Two things you need to fix.
Shared key is done with. Since this is a new instance, you might as well use the SSL/TLS now instead of having to change it with an upcoming release.

It's peer to peer, why are you using a /24 for the tunnel?? Change the tunnel to either a /30 or /31 (can't remember if OPNsense allows /31s?).

It would probably work just by changing the tunnel but at some point it's gonna stop working and you're gonna wish you did it right at the beginning. (hint: NOW)

102
General Discussion / Re: Separate VLAN for IOT network
« on: January 25, 2023, 05:06:22 pm »
"Why should he need to buy a switch just to use VLANs between OPNsense and the AP?"

Because he wants switching. Use a switch.
Yes the bridge will work but at a huge performance cost.
Again, do you have any hubs in your network?? No, because switches replaced them.
If a bridge was a switch, switches would have replaced them too.
There's a place for bridges, but it's not switching.

103
Virtual private networks / Re: OpenVPN - site to site UP but no traffic or ping
« on: January 25, 2023, 05:02:36 pm »
"I’ve also added a firewall rule to the LAN subnet on both sites with “OpenVPN Net” as source"

This will never work. The only thing that can be a source on any interface is the directly connected network.
The LAN comes defaulted with an allow any rule, so it already has access to the OpenVPN.

Post pics of your configs.

104
22.7 Legacy Series / Re: Laptop & Managed Switch (TL-SG10) & VLANs
« on: January 25, 2023, 12:44:52 am »
Are you sure you should get a public address?
Not sure how your modem works; if you get a private address, uncheck block private addresses.

A way to check the switch would be to set a static address on your wan.
Turn off the firewall. (SSH in and do pfctl -d; -e will re-enable.)
Plug a PC into port 2 on the switch with a static address in the same subnet as the WAN and see if you can ping it.
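The console recipe in the "Lan port is hosed" thread (option 8, pfctl -d, fix rules, pfctl -e) and the switch test above both leave pf, and with it every WAN rule and NAT translation, disabled until someone remembers to turn it back on. The script below is an added example, not OPNsense code and not the poster's, that wraps the same pfctl -d / pfctl -e pair in a bounded window: it runs one test command with pf off, re-enables pf afterwards, and starts a detached timer that re-enables pf on its own if the session is interrupted. The PFCTL override, the function names and the address 192.0.2.10 are this example's own assumptions; pfctl -s info, pfctl -d and pfctl -e are the real FreeBSD commands.

```sh
#!/bin/sh
# pf_window.sh: disable pf for a bounded time, run a test, re-enable pf.
# Added example, not from the OPNsense project. Assumes FreeBSD/OPNsense with
# pfctl in PATH and root privileges (console option 8 or SSH as root).
# PFCTL is a hypothetical override so the functions can be exercised with a stub.
PFCTL="${PFCTL:-pfctl}"

# Print "enabled" or "disabled" from `pfctl -s info`; exit status 0 only when enabled.
pf_state() {
    if "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled'; then
        echo enabled
        return 0
    fi
    echo disabled
    return 1
}

# Enable pf only if it is off: `pfctl -e` fails with "pf already enabled" otherwise.
pf_enable() {
    pf_state >/dev/null || "$PFCTL" -e
}

# pf_window SECONDS COMMAND [ARGS...]
# Disables pf (which also drops every WAN rule and NAT, since all of it is pf),
# runs COMMAND, then re-enables pf. A detached timer re-enables pf after SECONDS
# even if this shell is interrupted, so the box is never left open indefinitely.
pf_window() {
    secs="$1"
    case "$secs" in
        ''|*[!0-9]*) echo "usage: pf_window SECONDS COMMAND [ARGS...]" >&2; return 2 ;;
    esac
    shift
    [ $# -ge 1 ] || { echo "usage: pf_window SECONDS COMMAND [ARGS...]" >&2; return 2; }

    "$PFCTL" -d || return 1
    # Safety net: ignores HUP/INT so a dropped session does not cancel it.
    ( trap '' HUP INT; sleep "$secs"; pf_enable ) >/dev/null 2>&1 &
    timer=$!
    trap 'pf_enable; kill "$timer" 2>/dev/null || true' EXIT INT TERM

    status=0
    "$@" || status=$?

    pf_enable
    kill "$timer" 2>/dev/null || true
    trap - EXIT INT TERM
    return "$status"
}

# Run directly:  sh pf_window.sh 60 ping -c 3 192.0.2.10
# (192.0.2.10 is a documentation address; substitute the PC on switch port 2.)
# Sourced or invoked with no arguments, only the functions are defined.
if [ $# -ge 2 ]; then
    pf_window "$@"
fi
```

If the WAN is still connected, keep SECONDS short: while the window is open, nothing on the box filters inbound traffic. pf_state reads the "Status:" line of `pfctl -s info`, which is the same check as looking for the "pf already enabled" error from pfctl -e, without the side effect.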

105
General Discussion / Re: Separate VLAN for IOT network
« on: January 25, 2023, 12:42:09 am »
A bridge is designed to connect 2 network segments. When a packet arrives at the bridge, if it's destined for that side of the bridge, no problem. If it isn't destined for that side it sends it on hoping it gets to the destination.
A switch is designed to connect devices to a network. It knows what device is where so it knows where to send a packet.
If a bridge was a switch it would be called a switch. There would be no bridges. Got any hubs in your network???
No, I wonder why?

As for FreeBSD, and I should've specified pf, when you have a bridge every packet through that bridge still gets inspected. So if you have a powerful enough processor, no problem. If not, you're gonna take a huge performance hit.
When you want switching, use a switch. That's why they make them.

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved