Recent posts

#1
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - Today at 07:06:03 PM
I can give you the highlights, from memory. Hopefully my memory will get you started.

It's easy to create a 2nd subnet. Personally I would save the switch and connect the 2nd subnet to it. Then you know without thinking what is LAN and what is IOT. Also, I have no idea how to associate more ports with either subnet.

1) Create an interface for a spare port
2) Associate the interface with a subnet
3) Copy the 2 default rules from LAN to IOT and edit accordingly
4) Create a rule on IOT to keep it out of LAN
5) Create a rule on LAN to keep it out of IOT

done

If you are using Adguard Home and want it to patrol both subnets, you have to edit AdguardHome.yaml to service both subnets. I don't recall the exact section. It took me days to figure this out, btw. Rules have no effect on this.

Most people seem to have 'special situations' that make it difficult to answer questions like this. This answer is the best I can provide.
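The rule ordering behind steps 3 to 5, as an added example that is not from coffeecup25's post or from OPNsense itself: a small first-match evaluator over constructed LAN (192.168.1.0/24) and IOT (192.168.2.0/24) subnets shows that the isolation rules only take effect when each block rule sits above the copied default-allow rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnets for the LAN and IOT interfaces in the post.
LAN = ipaddress.ip_network("192.168.1.0/24")
IOT = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def evaluate(rules, iface, src, dst):
    """First matching rule wins, as OPNsense's default 'quick' rules do;
    with no match the interface's implicit default block applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and s in r.src and d in r.dst:
            return r.action
    return "block"

# Steps 3-5 of the post: the copied default-allow rules plus one block rule
# per interface, placed *above* the allow so it is evaluated first.
RULESET = [
    Rule("block", "IOT", IOT, LAN),   # step 4: keep IOT out of LAN
    Rule("pass",  "IOT", IOT, ANY),   # step 3: IOT default allow
    Rule("block", "LAN", LAN, IOT),   # step 5: keep LAN out of IOT
    Rule("pass",  "LAN", LAN, ANY),   # step 3: LAN default allow
]

# The same rules with each block placed below its allow: the allow matches
# first and the block is dead, which is the ordering mistake to watch for.
MISORDERED = [RULESET[1], RULESET[0], RULESET[3], RULESET[2]]

def check(rules):
    """Verdicts for the traffic the post wants allowed or isolated."""
    return {
        "iot_to_lan": evaluate(rules, "IOT", "192.168.2.20", "192.168.1.10"),
        "iot_to_internet": evaluate(rules, "IOT", "192.168.2.20", "203.0.113.5"),
        "lan_to_iot": evaluate(rules, "LAN", "192.168.1.10", "192.168.2.20"),
        "lan_to_internet": evaluate(rules, "LAN", "192.168.1.10", "203.0.113.5"),
    }
```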
#2
French - Français / Re: Problem when modifying...
Last post by hometux - Today at 07:00:51 PM
Hello again,

I found the solution: I had enabled the Strict security option at the bottom of the page in the System -> Settings -> Administration menu. I disabled it and that solved my problem.

I hope this helps.

Have a good rest of the day.
#3
Hello,

I am migrating to an OPNsense firewall and have an issue with the routing table.
I've set up 3 IPSec VPNs with a vti interface on each and a corresponding gateway and different priorities on each.
IP monitoring is working correctly on all three gateways and interfaces of disconnected tunnels are quickly marked as down.

The problem is that the static routes I add on those gateways are inserted in the routing table regardless of the gateway status or priority, leaving routes on inactive tunnels.
I've tried all the parameters in the gateways.
If I disable the gateway completely it removes the routes, but that makes the goal of having two connections and a VPN on each a bit useless.

I saw there are gateway groups, but I cannot put routes on them, only use them in firewall policies, which solves the issue if the connection is initiated from the OPNsense side, but still creates asymmetric routes if the connection is initiated from the other side.

Am I missing something? Is there an option for it to work?
It seems to work correctly with the two default gateways.
#4
Thanks a lot for the reply.

I've added two pictures with the switch config, and here is the PROXMOX network config.

pppoe1 is on vnet0 in the config which is working now.
On the new version (the one that doesn't work) I create one new vnet for every VLAN:
LAN: vnet0
WAN: vnet1
Guests: vnet2
IoT: vnet3
The name vnet0.24 is assigned by the system. When you try to create a new VLAN, a message says that the name has to begin with vlan0
#5
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by BrandyWine - Today at 05:27:18 PM
Quote from: neek on Today at 06:31:00 AM
Is there a way to say that adguardhome service must start after openvpn has completed?

Yes, but not like how we can use "After" commands under systemd.
Does openvpn also start on its own? Why is openvpn a dependency for AdGuard?

Start with "service -e"

Find the AdGuard service script and park a "sleep 10" in it (at the beginning or in the start section), see if that helps.

We could also modify that service script to actually check for openvpn status, but I don't think you need to complicate things at this point.
#6
The main firewall does /not/ change from pf to ipfw. Some components have always used ipfw, like the traffic shaper or captive portal. There is no breaking change hidden in the upgrade, feel free to do it.
#7
General Discussion / Need some guidance in how to s...
Last post by neomorpheus - Today at 05:23:04 PM
Hi.

I have a Qotom firewall that has 6 ethernet ports, but it's not a switch.

I also have an unmanaged switch, a TP Link TL-SG1005D.

I currently have the following on my network:

1- NAS hardwired with several Docker containers.
2- 1 PC hardwired, but I am planning on moving it to wireless.
3- Omada EAP670 Access Point, controlled from a Docker container.
4- Wireless door bell.
5- Indoor wireless camera.
6- Multiple smart plugs by Tapo.
7- Phones and tablets.
8- TV and Streamer.
9- Wireguard server in the OPNSense firewall.

Besides the NAS, I will be moving to wireless since my needs allow it.

I want to eliminate the switch (if possible) and also, have the IoT devices separated from the rest of the network devices.

In the future, I will replace the firewall with another PC that will have 2.5Gb NICs, but that's an upcoming project.

Suggestions as to how I can proceed?

Thanks.

PS Sorry but I am not a network expert so will definitely need some handholding in here.
#8
25.7, 25.10 Series / 25.4 to 25.10 Business Edition...
Last post by gctwnl - Today at 05:17:41 PM
25.4 is EOL so I will be upgrading to 25.10. But I noticed quite an important change: from ipfw to pf. Now, both work in a fundamentally different way (first/last rule match wins for instance). Is this change seamless? Any other gotchas?
#9
Virtual private networks / Re: WireGuard Exporter Tool
Last post by meyergru - Today at 04:24:42 PM
That is the whole point here:

1. The best / most secure way to do it is to create a client configuration on the client itself. You need the server IP, port, public key and optionally, the shared secret for that. Then you would have to import the client's public key into the server and use that as the key (not the other way around). If you do that, the peer generator does not help, either way.

2. If you trust OpnSense to create a private key, you can use the peer generator and import the generated secrets - including the private key - into your client. That works best with the QR code, which you can directly scan from the screen if your device supports it. You can also copy & paste the text and transfer it some other way to your client. However, since you probably lack a secure way to do that, it is debatable if you should. If there was a way to download the config directly, many people would not notice what security problem they are about to create just now.

3. Lastly, if you want to use the peer generator regardless - do not complain that you cannot export the client configuration after the fact. Actually, it is a sign of security that the client's private key is not stored on the server. Also, if you need to export the peer config later on, you can always delete that peer configuration and create a new config with a new key instead - it will work just as well and nobody has the old key, anyway - this being the very reason why you need that config again.
#10
General Discussion / Re: 25.7.9 update - xorgproto:...
Last post by marcels - Today at 04:15:57 PM
I have the same fault during update. Thanks for any help.