Recent posts

#1
General Discussion / Re: Port forwarding never reac...
Last post by NovianCasper - Today at 03:53:09 AM
I'm having the same issue. I've tried different configurations:
1.) Setting the firewall rules to pass on the port forward config
2.) ^ setting it to manual and making my own firewall rules

It reaches the firewall and I see
"WAN OUT SOURCE:PORT PUBLICIP:PORT PASS"
But no traffic going in.
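When a forward "reaches the firewall" but nothing arrives inside, the firewall log is the place to settle where it stops. The following is an added example, not code from the thread or from OPNsense: it reads the CSV records that pf's filterlog(8) writes for logged rules and classifies what they say about one port forward. Two assumptions are built in and labelled in the code: the filterlog field layout (rule, subrule, anchor, label, interface, reason, action, direction, IP version, then for IPv4 tos, ecn, ttl, id, offset, flags, protocol id, protocol name, length, src, dst, sport, dport, ...), and pf's evaluation order, in which inbound rdr translation happens before filtering, so a WAN "in" record of a forward that matched already shows the internal target as its destination. Interface names, addresses and the log records themselves are constructed for the example.

```python
"""Classify pf filterlog records for a single port forward (rdr).

Added example.  Assumed: the filterlog CSV layout listed in the comments of
parse_filterlog(), and that pf translates inbound rdr before filtering, so a
matched forward is logged on WAN with the *internal* destination.  All
interface names, addresses and records below are constructed, not captured.
"""
import csv
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Hit:
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def csv_body(line: str) -> str:
    """Drop an optional syslog header: the CSV body follows the RFC 5424
    structured-data block "[...] " or, for BSD-style lines, the last ": "."""
    for sep in ("] ", ": "):
        if sep in line:
            return line.rsplit(sep, 1)[-1]
    return line


def parse_filterlog(line: str) -> Optional[Hit]:
    """Return a Hit for IPv4 TCP/UDP records, None for anything else.

    Assumed layout: 0 rule,1 subrule,2 anchor,3 label,4 iface,5 reason,
    6 action,7 direction,8 ipver, IPv4: 9 tos,10 ecn,11 ttl,12 id,13 offset,
    14 flags,15 protoid,16 proto,17 length,18 src,19 dst,20 sport,21 dport
    """
    f = next(csv.reader([csv_body(line)]))
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return Hit(iface=f[4], action=f[6], direction=f[7], proto=f[16],
               src=f[18], dst=f[19], sport=int(f[20]), dport=int(f[21]))


def diagnose(lines, *, wan_if, lan_if, public_ip, public_port,
             target_ip, target_port) -> str:
    """Evidence for rdr public_ip:public_port -> target_ip:target_port.

    no-wan-record     nothing for the service was logged on WAN
    rdr-not-applied   WAN "in" record still has the public IP as destination:
                      no rdr rewrote it (wrong interface/destination/port, or
                      the port-forward entry is disabled)
    blocked-on-wan    translated, but no WAN pass rule matched
    passed-no-lan-out WAN pass after translation, no LAN "out" record (LAN
                      rule not logging, or the target never received it)
    forwarded         translated WAN "in" pass plus LAN "out" towards target
    """
    hits = [h for h in map(parse_filterlog, lines) if h is not None]
    wan = [h for h in hits if h.iface == wan_if and h.direction == "in"
           and h.dst in (public_ip, target_ip)
           and h.dport in (public_port, target_port)]
    if not wan:
        return "no-wan-record"
    translated = [h for h in wan if h.dst == target_ip and h.dport == target_port]
    if not translated:
        return "rdr-not-applied"
    if not any(h.action == "pass" for h in translated):
        return "blocked-on-wan"
    lan = [h for h in hits if h.iface == lan_if and h.direction == "out"
           and h.dst == target_ip and h.dport == target_port]
    return "forwarded" if lan else "passed-no-lan-out"


# --- constructed sample data (not real captures) ---------------------------
FORWARD = dict(wan_if="igc0", lan_if="igc1", public_ip="198.51.100.2",
               public_port=8443, target_ip="10.0.0.20", target_port=443)
CLIENT = "203.0.113.5"


def record(iface, action, direction, src, dst, sport, dport) -> str:
    """Build one filterlog-style IPv4 TCP record with an RFC 5424 header."""
    fields = ["91", "", "", "02f4bab031b57d1e30553ce08e0ec131", iface, "match",
              action, direction, "4", "0x0", "", "55", "4321", "0", "DF", "6",
              "tcp", "60", src, dst, str(sport), str(dport), "0", "S", "1", "",
              "65535", "", "mss"]
    return ('<134>1 2026-04-14T03:50:01+00:00 fw filterlog 1234 - '
            '[meta sequenceId="1"] ' + ",".join(fields))


WORKING = [record("igc0", "pass", "in", CLIENT, "10.0.0.20", 51234, 443),
           record("igc1", "pass", "out", CLIENT, "10.0.0.20", 51234, 443)]
NO_RDR = [record("igc0", "block", "in", CLIENT, "198.51.100.2", 51234, 8443)]
WAN_ONLY = [record("igc0", "pass", "in", CLIENT, "10.0.0.20", 51234, 443)]

if __name__ == "__main__":
    for name, sample in (("working", WORKING), ("no-rdr", NO_RDR),
                         ("wan-only", WAN_ONLY), ("empty", [])):
        print(f"{name:9s} -> {diagnose(sample, **FORWARD)}")
```

Feed it the filter log lines for the port in question (after generating traffic from outside, not from the LAN, since hairpin traffic takes a different path). The verdict tells you which layer to look at next: "rdr-not-applied" points at the port-forward entry itself, "blocked-on-wan" at the associated firewall rule, and "passed-no-lan-out" at the path from the firewall to the internal host (a tcpdump on the LAN interface confirms whether the packet left the box).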
#2
General Discussion / Re: DNS, DoH, DoT, DoQ, DNSCry...
Last post by OPNenthu - Today at 03:17:22 AM
Quote from: nero355 on April 04, 2026, 03:40:27 PM
- Or you could use Pi-Hole + Unbound the way it's explained here: https://docs.pi-hole.net/guides/dns/unbound/

Their main website (https://pi-hole.net/) gets blocked on my end by a DoH IP list. It looks like a CDN domain (*.b-cdn.net) according to uBlock Origin, and it has a high abuse score to boot:

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/37.19.207.37

I've used Pi-Hole in the past and wanted to experiment with it again in a Proxmox container, but I don't want to whitelist these IPs. Not a good look for a privacy-focused DNS project :-/

No issue with their GitHub repo, though.

As I haven't used Pi-Hole in years and haven't followed the project, do you still find them trustworthy now in 2026? Any concerning developments or money ties?
#3
General Discussion / Re: Crashing after upgrading t...
Last post by bigdog420 - Today at 03:04:41 AM
Thanks for looking at this! I'll have to reconfigure my settings. I'll come back with an update if I see things be stable without FQ PIE
#4
General Discussion / Re: Support AmneziaWG
Last post by OPNenthu - Today at 02:04:10 AM
Indeed, thanks for those links.
#5
General Discussion / Re: Trouble understanding VLAN...
Last post by nero355 - Today at 01:13:54 AM
Quote from: Patrick M. Hausen on April 13, 2026, 07:30:14 PM
Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
Do you have an alternative brand / products to suggest?
Mikrotik.
We are dealing here with a "Beginner" and, despite the fact that MikroTik does have such a thing as their WinBox GUI for setting up everything, I am not sure if that's a good idea?

Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (Reddit, Netflix etc.) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP mode.
Tapo?! Are you talking about TP-Link M4 Mesh sets or something else?!

Quote from: bloodyNetworker on April 13, 2026, 07:21:04 PM
It is in AP mode. I also first thought that the AP only sets up the "bridge" and does not require IPs, but if you take a closer look at my logs you'll see I'm not lying when I say that my TP-Link APs have their own IPs and THEY THEMSELVES send out telemetry.
I think you have misunderstood my reply about access points and IP addresses...

What you are describing is pretty much as expected, because you need a way to manage them via their web GUI or some kind of app on your phone/tablet :)

Quote from: bloodyNetworker on April 13, 2026, 07:41:29 PM
The APs are connected through the network cables that are in our walls. They don't have to be directly connected.
I'm assuming I'm misunderstanding you?
I think it's time to post a schematic picture of your network setup before we have a lot more misunderstandings...

Quote
Either TP-Link's specifications are not very clear or idk...
Here is a list of all "Omada Mesh" supported devices on their own website.
The "ceiling" EAP225 is advertised with Omada Mesh support, same as its outdoor variant.
I'm starting to dislike this company... they do all that telemetry goof, force you into cloud accounts to manage your devices and are just so incredibly confusing with their marketing and specifications IMO.
Everyone does it these days, and a lot of it can be disabled in a lot of cases...

Take for example the more expensive alternative to the TP-Link Omada system: Ubiquiti UniFi.
You need multiple steps to disable everything:
- Two different places in the web GUI of the UniFi Controller.
- And an additional file with the right content in the right directory on your UniFi Controller.
After that you need to manually trigger so-called 'Provisioning' for all your devices to apply the changes in that file!!

And don't get me started about TVs and mobile devices and all the adware/spyware and horrible EULAs you have to accept so you can use them, even though you have paid a lot of money for them...

Quote from: bloodyNetworker on April 13, 2026, 11:19:45 PM
EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
That's really a shame...

The M4 units are one of, if not THE, cheapest option to have access points everywhere in the house :)

Quote from: bloodyNetworker on April 13, 2026, 11:38:51 PM
This was my original idea, but nero355 told me this could go wrong if I were to put them in the IoT VLAN.
Please note:
That was based on my understanding at the time that you were going to put one of the M4 units in a certain VLAN and not in combination with advanced (VLAN-aware) access points!!

Quote
The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter which NIC in the wall the APs are connected to, since the switch makes sure that they can all speak to each other.
Every time you mention a NIC and an access point it sounds like you are using the access point as an extension of the NIC in a PC?!

So, like I said above: Please make a scheme/drawing of your network setup!
#6
General Discussion / Re: Trouble understanding VLAN...
Last post by bloodyNetworker - April 13, 2026, 11:47:17 PM
Quote from: Boxer on April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off

I'd rather not buy from them again. They're lying that it is needed to check for connectivity. Being so non-transparent and non-cooperative with the community's demands to remove 24/7 connections with Big Data and telemetry to their own cloud infrastructure can only mean they're trying to hide their shadiness (probably data selling).
Spread the word to the folks buying from TP-Link. Warn them about TP-Link's lack of trustworthiness.
#7
General Discussion / Re: Trouble understanding VLAN...
Last post by bloodyNetworker - April 13, 2026, 11:38:51 PM
Quote from: Patrick M. Hausen on April 13, 2026, 08:07:12 PM
You could try to connect the APs to the "AP VLAN" which offers IP addresses via DHCP but no Internet access, by simply not adding the firewall rules that would be necessary for that. But with an IP address the APs should be manageable.

Then create an SSID per VLAN and connect SSID and tagged VLAN at the AP(s). So devices connected to SSID "LAN" will be in VLAN "LAN" and get those 10.0.0.0/24 IP addresses etc.

Where do those network cables in your walls lead? What is at the opposite end of each AP?

This was my original idea, but nero355 told me this could go wrong if I were to put them in the IoT VLAN. You've said it yourself: without Internet connectivity, I cannot conveniently update their firmware via their user interfaces. So I guess my best shot would be to just give them a static DHCP lease and only block those addresses they constantly connect to.

The cables in the walls lead to every NIC in the household. They're coming together in a room where I have them connected to my "main" switch.
So basically it doesn't matter which NIC in the wall the APs are connected to, since the switch makes sure that they can all speak to each other.
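The two designs discussed in this post, written out as pf rules: Patrick's "AP VLAN" that hands out addresses but has no path to the Internet, and the fallback of leaving the APs online but blocking only the destinations seen in the log. This is an added illustration, not an export from OPNsense and not posted by anyone in the thread. OPNsense renders the rules you create in its GUI into exactly this kind of pf ruleset on FreeBSD, so each line below corresponds to a firewall rule or alias you would add there; the SSID-to-VLAN mapping itself is done on the APs, not here. Interface names (vlan10/vlan20/vlan30), the 10.0.20.0/24 management subnet, the AP addresses and the telemetry placeholder addresses are assumptions; only the 10.0.0.0/24 "LAN" network appears in the thread, and outbound NAT on the WAN side is omitted.

```pf
# Assumed interfaces: tagged VLANs on one trunk.  vlan10 = "LAN" (SSID "LAN"),
# vlan20 = AP management (the APs sit untagged here), vlan30 = IoT.
lan_if  = "vlan10"
ap_if   = "vlan20"
iot_if  = "vlan30"
lan_net = "10.0.0.0/24"        # from the thread
ap_net  = "10.0.20.0/24"       # assumed
table <ap_hosts> const { 10.0.20.11 10.0.20.12 }   # the APs' static leases (assumed)

set skip on lo0
block log all                  # default deny, both directions, logged

# AP management VLAN: only what the APs need from the firewall itself.
# DHCP first; the client has no address yet, so no "from $ap_net" here.
pass in quick on $ap_if inet proto udp from any port 68 to any port 67
pass in quick on $ap_if inet proto { tcp udp } from $ap_net to ($ap_if) port 53   # DNS
pass in quick on $ap_if inet proto udp from $ap_net to ($ap_if) port 123          # NTP
# Nothing else: there is no rule from $ap_net to another network or to the
# Internet, so cloud/telemetry attempts stop here and show up in the log,
# which is also how you learn which destinations they keep trying.
block in log quick on $ap_if from $ap_net to any

# Managing the APs (web UI / app) from the LAN only, on 80/443.  The state
# created by this rule also lets the replies back out through $ap_if.
pass in quick on $lan_if inet proto tcp from $lan_net to <ap_hosts> port { 80 443 }
block in log quick on $lan_if from $lan_net to $ap_net   # nothing else into the AP VLAN

# Clients on the LAN SSID/VLAN get out; IoT would get its own, stricter set.
pass in quick on $lan_if from $lan_net to any

# Fallback discussed in this post: keep Internet access for firmware updates
# but block the telemetry endpoints.  Replace the placeholder addresses with
# the ones from your own log, and use these three lines *instead of* the
# "block in log quick on $ap_if from $ap_net to any" rule above.
# table <ap_telemetry> persist { 192.0.2.10 192.0.2.11 }
# block in log quick on $ap_if from <ap_hosts> to <ap_telemetry>
# pass in quick on $ap_if from <ap_hosts> to any
```

The first variant is the least-privilege one: the APs can be managed and keep working as bridges, and anything they try to reach beyond the firewall is both dropped and logged. The fallback trades that for convenience and depends on the blocklist staying current, since an endpoint that moves to a new address is allowed again until you notice it in the log.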
#8
General Discussion / Re: Trouble understanding VLAN...
Last post by Boxer - April 13, 2026, 11:26:10 PM
Post #5 https://community.tp-link.com/en/home/forum/topic/214828
Apparently it's a built-in mechanism that cannot be turned off
#9
General Discussion / Re: Trouble understanding VLAN...
Last post by bloodyNetworker - April 13, 2026, 11:19:45 PM
Quote from: Boxer on April 13, 2026, 10:03:56 PM
First, let me apologise. The Tapo APs ping those servers (Reddit, Netflix etc.) to check the connection is still up. So sorry about questioning that. I still think that's absurd if they're in AP mode. But it is a ping only, there's no data telemetry. You can block those pings on OPNsense, but the AP will show a constant red light as if the network is down, even when it's up.

They are in AP mode, I can tell you that. How are you so sure that those are only pings? I only know what sites they connect to; whether they really send telemetry is just my speculation. Especially since they just connect with Big Data sites, I doubt that those are just pings. I mean, why not just ping the upstream DNS server?
In my household that is Quad9 and I'd be totally fine with that.

EDIT: I just found a big forum post on TP-Link's official website, where their customers report the same: The TP-Link APs do in fact send out telemetry.
https://community.tp-link.com/en/business/forum/topic/525328
They are too sorry to make firmware updates for their cheaper product lines to opt-out.
#10
German - Deutsch / OPNsense DEC740 – After TOTP ac...
Last post by BSc - April 13, 2026, 10:56:32 PM
Hello everyone

I am currently completely locked out and am looking for a way to regain access without losing data.

It is an OPNsense Deciso DEC740 appliance.

I can currently still reach the web interface, but the root password no longer works.
Until recently everything worked, but after changes to the configuration a login is no longer possible.

Today we tried to increase security and enable two-factor authentication (TOTP / one-time password) for the login.
Since this change the login no longer works correctly and I have locked myself out.

Access via the console over USB (Mini-USB) does not work either.
The device is recognised on my Mac (/dev/tty.usbmodem...), but no output is shown.

I am using a MacBook Air 2025 (USB-C ports only).

Does anyone have experience with this model (DEC740) and can confirm whether the USB console is active by default, or whether the RJ45 console port must be used?

If the RJ45 console port is necessary:
Which exact cable is needed (USB-C → RJ45 console / Cisco / FTDI) to access it directly from the MacBook?

Many thanks for your help.

Kind regards
Beat Schnell