Messages - Siarap

#31
I got a managed switch. I've set properly tagged 802.1Q VLANs assigned to ports on the switch. Tagged ports. I'm still getting dual leases from the LAN net + VLAN net DHCP for each VLANed device. What am I doing wrong?
#32
Thanks a lot for the explanation.
#33
OK, so they are separated now by firewall rules and subnets but not by VLANs. OK, I understand now. They can switch between VLANs only when a device spoofs its MAC. I'm buying a managed switch now.

I'm a network newbie :D .
#34
Blocked access to the LAN net by blacklisting MACs. So I have a few subnets, a different one on each VLAN. I created firewall rules. And the devices don't see each other. They can't even be reached by ping. Currently I have no managed switch. But I will buy one. No videos on YouTube said that I need a manageable switch. EVERYONE just says how to create VLANs, so I created them :D
#35
I have different subnets on different VLANs. I have static leases set on the ISC DHCP servers assigned to the VLAN devices (set by MAC). And my clients are leaking from my VLANs to the LAN. I have VLAN tags set. But the devices don't use the DHCP server I want. They take IPs from the LAN net even when they have static leases set on the VLAN. I don't know how to assign clients to VLANs in another way. Probably I'm doing something wrong.
#36
I've decided to separate the clients in my network by making VLANs because I have a decoder made by Shenzhen SDMC Technology CO.,Ltd.

I have a VLAN named "television" and put a static lease in the DHCP setup by MAC address. I've turned on these options:
- If this is checked, only the clients defined below will get DHCP leases from this server.
- By default, the same MAC can get multiple leases if the requests are sent using different UIDs. To avoid this behavior, check this box and client UIDs will be ignored.

I've set rules in the firewall for the television VLAN to separate the networks: IPv4 *    *    *    ! LAN net , mama net    *    *    *
So the decoder is jailed.
But this decoder is breaking into my LAN net, leasing an address from the LAN net DHCP even with the same options set for the LAN net. The IPTV decoder's MAC address is not on the LAN net list.

I don't know what to do with this. This is weird behavior. The same thing happened with my Wi-Fi access point. It "leaks" into my LAN net, where my main PC is connected.

Leases for the IPTV decoder are doubled:

LAN 192.168.1.107 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd. 2025/04/29 04:45:54 2025/04/29 06:45:54 active dynamic
telewizja 192.168.2.2 xx:xx:xx:xx:xx:xx Shenzhen SDMC Technology CO.,Ltd. telewizja active static

I'm using OPNsense 25.4-amd64.

Sorry, my bad, bad googling. I found the solution. Go to ISC DHCPv4>>[LAN]>>MAC Address Control>>Use this option: "Enter a list of partial MAC addresses to deny access, comma-separated, no spaces, such as 00:00:00,01:E5:FF". I've set a blacklist of MACs for the LAN and every VLAN that I have. This should be easier than copying each MAC from every unwanted device into every subnet/LAN/VLAN. This should be a clickable solution. Selection from leases: "select this device to access only vlan1". Too many devices, too many MACs, and setting this in every VLAN.
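An added example (mine, not the poster's and not OPNsense code) for the MAC deny-list approach described in this post. Given an inventory of which VLAN each device belongs to, it generates the comma-separated, no-space deny string for each interface's ISC DHCPv4 "MAC Address Control" field, checks a MAC against such a list using the prefix matching the field's help text describes ("partial MAC addresses ... such as 00:00:00,01:E5:FF"), and scans a lease export for MACs that hold leases on more than one interface, which is the doubled-lease symptom shown above. The inventory, interface names and lease lines are constructed for the example. One caveat a practitioner would add: a DHCP deny list only stops the server from handing out an address; a host that still sits on the same untagged broadcast domain can set a static IP or spoof its MAC, which is why the later posts in this list (#33, #34) move to a managed switch with tagged ports.

```python
"""Added example, not code from the forum post or from OPNsense itself.

Helpers around the ISC DHCPv4 "MAC Address Control" deny field:
  1. build the per-interface deny string from a device inventory, so each
     DHCP server refuses every device that belongs to a different VLAN;
  2. validate a deny string the way the field's help text describes it
     (comma-separated, no spaces, partial MACs allowed);
  3. parse an exported lease table and report MACs that hold leases on
     more than one interface (the "doubled leases" symptom).
All MACs, interface names and lease lines below are constructed.
"""
from __future__ import annotations

import re

# Constructed inventory: MAC -> the single interface/VLAN the device may use.
INVENTORY = {
    "aa:bb:cc:dd:ee:01": "telewizja",  # IPTV decoder
    "aa:bb:cc:dd:ee:02": "mama",
    "aa:bb:cc:dd:ee:03": "LAN",        # main PC
}
INTERFACES = ["LAN", "telewizja", "mama"]

_FULL_MAC = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
_PARTIAL_MAC = re.compile(r"^([0-9a-f]{2}:){0,5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; rejects anything that is not 6 octets."""
    m = mac.strip().lower().replace("-", ":")
    if not _FULL_MAC.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def validate_deny_string(deny: str) -> list[str]:
    """Split a deny string into entries, or raise if the GUI would not accept it:
    no spaces, comma-separated, each entry 1..6 colon-separated octets."""
    if deny == "":
        return []
    if " " in deny:
        raise ValueError("deny list must not contain spaces")
    entries = deny.lower().split(",")
    for e in entries:
        if not _PARTIAL_MAC.match(e):
            raise ValueError(f"bad deny entry: {e!r}")
    return entries


def build_deny_lists(inventory: dict[str, str], interfaces: list[str]) -> dict[str, str]:
    """For each interface, the deny string that excludes every inventoried
    device assigned to a different interface."""
    out: dict[str, str] = {}
    for iface in interfaces:
        denied = sorted(normalize_mac(m) for m, allowed in inventory.items() if allowed != iface)
        out[iface] = ",".join(denied)
        validate_deny_string(out[iface])  # sanity-check what would be pasted into the GUI
    return out


def is_denied(mac: str, deny: str) -> bool:
    """Prefix match: '00:00:00' denies a whole OUI, a full MAC denies one host."""
    m = normalize_mac(mac)
    return any(m.startswith(entry) for entry in validate_deny_string(deny))


# Constructed lease export, same leading columns as the lease page in the post:
# interface, IP, MAC, description..., status, type
LEASES = """\
LAN 192.168.1.107 aa:bb:cc:dd:ee:01 Shenzhen SDMC Technology CO.,Ltd. active dynamic
telewizja 192.168.2.2 aa:bb:cc:dd:ee:01 Shenzhen SDMC Technology CO.,Ltd. active static
LAN 192.168.1.20 aa:bb:cc:dd:ee:03 main-pc active static
"""


def leases_on_multiple_interfaces(lease_text: str) -> dict[str, list[str]]:
    """MACs that hold a lease on more than one interface, with those interfaces."""
    seen: dict[str, set[str]] = {}
    for line in lease_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        iface, mac = parts[0], parts[2]
        seen.setdefault(normalize_mac(mac), set()).add(iface)
    return {mac: sorted(ifaces) for mac, ifaces in seen.items() if len(ifaces) > 1}


if __name__ == "__main__":
    for iface, deny in build_deny_lists(INVENTORY, INTERFACES).items():
        print(f"{iface}: {deny}")
    for mac, ifaces in leases_on_multiple_interfaces(LEASES).items():
        print(f"{mac} holds leases on {', '.join(ifaces)}")
```

Running it prints one deny string per interface, ready to paste into that interface's MAC Address Control field, and flags the decoder's MAC as leased on both LAN and telewizja. Re-run the lease check after applying the deny lists; if the same MAC still shows up on two interfaces, the device is reaching the other DHCP server on an untagged port and the fix belongs on the switch, not in dhcpd.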
#37
25.1, 25.4 Legacy Series / Re: Weird DNS behavior.
April 16, 2025, 06:16:40 PM

Quote: That is super shocking... 😜

Exactly, because I've set 853 TLS for DNS and am blocking outgoing port 53 connections from WAN.
#38
25.1, 25.4 Legacy Series / Weird DNS behavior.
April 16, 2025, 05:41:21 AM
My Maltrail instance on 25.4 detects malicious DNS queries from my WAN address on port 53. I decided to block outbound connections from WAN with destination port 53. I have DNS over TLS (Quad9) enabled. When I block port 53 I lose DNS resolving. No domains are resolved. So all this time I had no DNS encryption? What servers is OPNsense using then? Why is TLS port 853 not used?

EDIT: These DNS servers were used to resolve the malicious domains' IPs: 162.159.38.3, 172.64.35.93, 192.33.14.30. I never set these IP addresses anywhere. I have Unbound enabled as resolver + DNS over TLS.

These domains were resolved: cdn.prod.website-files.com, prod.website-files.com, .website-files.com
Maybe it's just a false positive in Maltrail?
#39
Thanks for the explanation. I cut my bandwidth by about 20%; currently that works best for me. Even when I cut more or less, it has worse results on my DOCSIS connection. Really weird situation.
#40
I've tested bufferbloat here: https://www.waveform.com/tools/bufferbloat with an A+ result, and here https://speed.cloudflare.com/ with the result: great (top result). But when I'm downloading at full speed and pinging some domains in my country I get pings over 750+ ms (it's variable up to this value). I don't understand why this is happening. I'm currently using the fq_codel setup from the OPNsense docs: https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html

Why do these tests lie?
#41
The Services widget on the dashboard indicates that CrowdSec is not running. But when I go into Services:CrowdSec:Overview, that tells me that CrowdSec and the firewall bouncer are running. So which one is bugged?

EDIT: This post can be deleted. I just misunderstood some blocklists from GitHub. I used them as an alias for firewall rules. They were DNS blocklists. I removed them from the alias and moved them to custom blocklists for Unbound. Now everything works fine. Sorry. I'm a newbie.
#42
Quote from: passeri on March 14, 2025, 01:48:36 AMI posted about this problem a couple of months ago. Some combinations of Opnsense, hardware, browser, client OS worked, some did not, in no consistent pattern that isolated one of the above for me. I think I recall seeing another post about the problem last month. What combination are you using?

Switched to OPNsense Business Edition. Also not working on Windows 11 + the latest Firefox. But on Debian stable + Firefox ESR it works. It's related to the operating system / browser. Thanks for the info.
#43
Quote from: newsense on March 14, 2025, 12:35:38 AMRemove - Save - Re-add the widget on the dashboard

Still not working after that.
#44
The Traffic graph widget on version 25.1.3 is not working for me. But the graphs in Reporting>>Traffic are working.

If logs or more info needed just tell me what, and how to check this.
#45
25.1, 25.4 Legacy Series / FQ_Codel vs FQ_Pie
March 09, 2025, 03:00:09 AM
It's not a HOW TO, but an informational topic. I get much better results with my hybrid fiber-coaxial (DOCSIS 3.0) modem when I'm using flow queue PIE than flow queue CoDel. With FQ-CoDel I need to waste 20% of my bandwidth for good bufferbloat results. With FQ-PIE I waste 3% for SQM and have better results than with FQ-CoDel. Can anyone tell me what results they achieve with FQ-PIE?

I'm using "Enable PIE" (the Linux man pages say that FQ-PIE uses PIE by default, but I get different results with that option enabled) and "CoDel ECN" on download only (the ECN setting works for FQ-PIE when FQ-PIE is used). I increased FQ-CoDel flows to 4096 (it works as FQ-PIE flows when FQ-PIE is used), but I must WARN you: increasing flows requires a reboot (flows are allocated in RAM during boot time), and if you increase them too much you can brick your router because it consumes some RAM. I'm using 4096 now with 8 GB of RAM on the router. Tune your target and interval as described here: https://docs.opnsense.org/manual/how-tos/shaper_bufferbloat.html

PIE uses many CoDel parameters but has different defaults. But I don't know whether OPNsense implements control of these parameters for FQ-PIE. I just tuned it as CoDel and have much better results than with FQ-CoDel. FQ-PIE is implemented as the default queue mechanism in the DOCSIS 3.1 standard. DOCSIS 3.1 is described as low-latency DOCSIS.

You can try it and share your results.

EDIT: I must say that my results may differ each time I test bufferbloat. I have a low-quality ISP with no guaranteed speed. My maximum bandwidth fluctuates. On weekends I always have worse results than during the week.