Recent posts

#1
25.7, 25.10 Series / Re: Can't rename Gateway.. Tha...
Last post by Maurice - Today at 03:16:49 AM
Gateways are referenced by name in places like static routes and firewall rules. Renaming a gateway could break your configuration.

What you can do: Download a config backup, use search & replace to rename the gateway everywhere, reimport the config.

Cheers
Maurice
#2
German - Deutsch / Re: Kaufberatung
Last post by Maurice - Today at 03:05:34 AM
Quote from: fastboot on February 28, 2026, 10:32:28 PM
A FW is a FW and should stay that way, without any overhead.
By "overhead" you mean virtualization? I see no problem with that. I wouldn't run OPNsense itself as a hypervisor (some actually do, with bhyve), but OPNsense as a guest under QEMU/KVM and Hyper-V has proven itself for me over many years.
#3
25.7, 25.10 Series / Can't rename Gateway.. Thanks ...
Last post by frozen - Today at 02:56:52 AM
Idiotic UX/UI failure, why can't I rename my gateway? What a complete waste of time, thanks for forcing me to delete all kinds of work just to appease a stupid name change
#4
26.1 Series / Re: Unbound Query Forwarding ....
Last post by nero355 - Today at 01:54:54 AM
Quote from: Netlearn on February 28, 2026, 09:49:15 PM
But one doubt emerges: How are the hostnames being declared?

Based on reservations made in Kea?
Please read : https://docs.opnsense.org/manual/dhcp.html

And make sure you understand the differences between ISC/KEA/DNSmasqd and their limitations !! :)
#5
26.1 Series / Re: VLAN DHCP not working
Last post by nero355 - Today at 01:51:43 AM
Quote from: shobhit_bhardwaj on February 28, 2026, 08:48:38 PM
I am going crazy at this point and need some help.
Please read this HowTo Topic : https://forum.opnsense.org/index.php?topic=44159.0

Maybe you are missing something in either Proxmox or OPNsense that's not a simple Enable/Disable option but needs to be set via SysCtl and stuff like that... :)
#6
General Discussion / Automatically download and app...
Last post by danman - Today at 01:49:38 AM
Hey

Just installed a fresh opnsense device where I'm going to use my own certificates via acme.sh (dns option). The certificates are created on another VM and also published for only the home network.
I'm currently gathering some ideas on how best to automate this, especially for opnsense.

I use just a script for simple linux boxes and run them via crontab every day:
curl -o "/etc/nginx/ssl/cert.key" -z "/etc/nginx/ssl/cert.key" "https://homecerts.local/cert.key" && \
curl -o "/etc/nginx/ssl/cert.cer" -z "/etc/nginx/ssl/cert.cer" "https://homecerts.local/cert.cer" && \
systemctl reload nginx.service

I'm not familiar with opnsense under the hood. I can also use crontab, but how could I import the certificates then?

Thanks!
#7
26.1 Series / Re: No LAN access anymore afte...
Last post by nero355 - Today at 01:46:54 AM
Quote from: andino on February 28, 2026, 08:24:26 PM
the network device eth1 went down on Pxvirt/Proxmox level.

Now I always need to restart the networking.service after a reboot of the RaspberryPi to bring up eth1 (Autostart is set but seems not to work).

I changed the driver of the WAN port of OPNsense which is eth0 on Pxvirt/Proxmox, not eth1.

I hope I can find out why eth1 now is making problems ...
What kind of setup is this ?!

Raspberry Pi 4B with some kind of LAN NIC add-on or something ?!

If so, then check your powersupply!

For more information : https://duckduckgo.com/?q=raspberry+pi+check+undervoltage&assist=false
#8
General Discussion / Re: VLAN with Synology RT600AX...
Last post by nero355 - Today at 01:30:29 AM
Quote from: Tobanja on February 28, 2026, 06:51:36 PM
Quote from: Seimus on February 28, 2026, 05:56:38 PM
Quote from: nero355 on February 28, 2026, 03:51:29 PM
To be honest : I don't know if ANY Wireless Accesspoint works like that ?!
OpenWRT can do that.
Could you please elaborate a bit for a beginner? I am very close to putting this synology AP in the trashcan, and firing up my old Asus AC86U instead with some flashed firmware, maybe Merlin.
He is right : I forgot OpenWRT is a mix of Consumer Level and Prosumer Level Accesspoints when it comes to the default network :)

You can connect the thing and just use the WiFi as is while it's connected to your LAN.
Or you can use all sorts of Advanced Settings and create multiple networks!

Quote from: Seimus on February 28, 2026, 05:56:38 PM
But rather than using a Native, I would TAG the traffic into dedicated VLAN and not use VLAN 1 as a PROD carrier.
+1 :)

Leave VLAN 1 Untagged and only for reaching the webGUI and SSH of your networking equipment!

Quote from: Tobanja on February 28, 2026, 06:40:47 PM
Ok so you like a challenge, I take it.
Meh... I am just curious :P

Quote
To be fair, it is very likely the error is on me somewhere since I'm VERY new to networking.
I think you have made 2 small mistakes :

- Synology part :

According to https://www.manua.ls/synology/rt6600ax/manual?p=29 and the pages after that + the external links you get to read along the way you should do the following :
1. Either Create a New network or Edit one of the networks available.
2. During this procedure you should at least Assign 1 LAN Port to this network!
3. That Port should have Native/Untagged VLAN 1 and Tagged VLAN 10.
4. The WiFi SSID that belongs to this network should be Tagged with VLAN 10.

So start reading CAREFULLY https://www.manua.ls/synology/rt6600ax/manual?p=29 and the pages + external links after that to accomplish this !!


- OPNsense part :

I think what you have done is more or less correct, however I am worried about this small detail :
Quote
assign it to parent re0 (LAN).
re0 sounds like a RealTek NIC and is not the best choice for OPNsense/FreeBSD usage, but let's say it's not doing anything wrong in our setup for now...

Now to continue to the actual issue : Firewall Rules configuration.

You have made rules for :
1. Allow NAS DNS.
This seems OK and can stay as is.
I am guessing you are running some kind of AdBlock software for your whole network. I will call this the 1st rule.

2. You have made a rule that blocks access from 'Guesttag10 net' to 'LAN net'.
This is a good rule, but I would use it as the 4th rule and not the 2nd rule.

3. You have made a rule that blocks access from 'Guesttag10 net' to 'This Firewall'.
This is a good rule, but I would use it as the 2nd rule and not the 3rd rule.
It might also be better to use 'Guesttag10 address' instead of 'This Firewall'.

4. You have not made a rule that blocks access from 'Guesttag10 net' to 'LAN address'.
This will be the 3rd rule after you have created it.


So after the above is all done you will have something like this :

1. Allow from 192.168.10.0/24 to 192.168.1.200
2. Block from 192.168.10.0/24 to 192.168.10.1 - So for example NO webGUI/SSH access from Guest VLAN!
3. Block from 192.168.10.0/24 to 192.168.1.1 - So for example NO webGUI/SSH access from Guest VLAN!
4. Block from 192.168.10.0/24 to 192.168.1.0/24

And then the regular Allow rule after this will give you Internet Access.
The rules created by OPNsense when you created the Guesttag10 Interface should give you DHCP and DNS Server access.



Aaaaand we are DONE! (I think...?!) :)


Good luck!
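The rule order above only works because OPNsense evaluates interface rules first-match: the specific "allow NAS DNS" entry has to sit ahead of the broad "block LAN net" entry, and all blocks ahead of the general allow. The following is an added example, not code from the post or from OPNsense; it models that rule set (the "regular Allow rule" is assumed to be "pass from Guesttag10 net to any") and flags rules that an earlier, broader rule would shadow.

```python
"""Added example: first-match evaluation of the guest-VLAN rule set in the post above."""
from ipaddress import ip_address, ip_network

# Rule set as described in the post, in its final order (constructed sample).
# Rule 5 stands for the "regular Allow rule"; assumed: pass Guesttag10 net -> any.
GUEST_RULES = [
    ("pass",  "192.168.10.0/24", "192.168.1.200/32", "1. allow NAS DNS"),
    ("block", "192.168.10.0/24", "192.168.10.1/32",  "2. block Guesttag10 address"),
    ("block", "192.168.10.0/24", "192.168.1.1/32",   "3. block LAN address"),
    ("block", "192.168.10.0/24", "192.168.1.0/24",   "4. block LAN net"),
    ("pass",  "192.168.10.0/24", "0.0.0.0/0",        "5. regular allow (Internet)"),
]

def evaluate(rules, src, dst):
    """Return (action, comment) of the first rule matching src -> dst.

    OPNsense GUI rules are 'quick' by default, so the first match decides and
    order matters wherever destinations overlap. No match means default deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, comment in rules:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action, comment
    return "block", "implicit default deny"

def shadowed_rules(rules):
    """List (rule, shadowing rule) pairs where an earlier rule's source and
    destination are supersets of a later rule's, so the later one never fires."""
    found = []
    for i, (_, src_i, dst_i, comment_i) in enumerate(rules):
        for _, src_j, dst_j, comment_j in rules[:i]:
            if (ip_network(src_i).subnet_of(ip_network(src_j))
                    and ip_network(dst_i).subnet_of(ip_network(dst_j))):
                found.append((comment_i, comment_j))
                break
    return found

def misordered_rules():
    """The same rules with the NAS DNS allow moved below the LAN-net block."""
    return GUEST_RULES[1:4] + [GUEST_RULES[0], GUEST_RULES[4]]

if __name__ == "__main__":
    for dst in ("192.168.1.200", "192.168.10.1", "192.168.1.1", "192.168.1.50", "9.9.9.9"):
        print(f"192.168.10.5 -> {dst}: {evaluate(GUEST_RULES, '192.168.10.5', dst)}")
    print("shadowed in posted order:", shadowed_rules(GUEST_RULES))
    print("shadowed if DNS allow is moved down:", shadowed_rules(misordered_rules()))
```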
#9
26.1 Series / Re: VLAN DHCP not working
Last post by Seimus - Today at 01:09:40 AM
Quote
Also enabled VLAN tag in proxmox LXC settings.

What do you mean with this? OPNsense on Proxmox can not run in LXC, it's a VM.

If you are going to handle the VLAN in the VM, do not set the TAG in the Proxmox for the NIC. If you set the VLAN per NIC per VM, you are basically making it an access port. But you need to have a TRUNK here.

Also do not mix tagged and untagged VLANs on OPNsense.

Regards,
S.
#10
German - Deutsch / Re: Kaufberatung
Last post by fastboot - February 28, 2026, 10:32:28 PM
Quote from: Maurice on February 27, 2026, 03:38:13 PM
For the home network I personally am also a fan of consolidation and virtualization. As little hardware as possible, not least because of power consumption.

My entire home network - switch, GPON ONT, WLAN AP, OPNsense, file server, several RIPE Atlas probes, LTE modem, UPS, Freifunk, smart home controller, Hue Bridge, DECT (I have surely forgotten something) - I have meanwhile brought down to 32 watts. And there is still room below that; the next optimization is already planned. :)

But I agree with Patrick that one shouldn't start too much at once. Especially the combination "no experience with OPNsense and no experience with virtualization" quickly leads to frustration for many.

Regards
Maurice


As far as efficiency goes, I certainly agree with you.

Nevertheless, in my opinion one should follow the KISS principle, especially with a firewall. A FW is a FW and should stay that way, without any overhead.