Recent posts

#11
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by meyergru - Today at 02:07:54 PM
I got hooked by their APs many years ago, so adding their switches is a no-brainer. The management is more "prosumer" than what Cisco or Mikrotik offer, but quite effective and easy to manage. Of course it depends on whether you already have one of their router-type appliances or can run all of that on a VM.

As a matter of fact, the network controller is also available on iOS and Android as standalone apps, because apart from the guest portal, you do not need it running 24/7. I never tried those, because IMHO you need a bit of screen real estate to easily use the interface.

My main gripes about them are:

1. The dream boxes are crap.
2. UniFi Protect is only available on their hardware (dream boxes and NVRs) - they stopped the VM versions.
3. In the last 2 years, they started way too many variants of their products, leading to a confusing portfolio and, with the many new offerings, degraded support for any of them.

#12
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by Seimus - Today at 01:59:18 PM
Quote from: meyergru on Today at 01:33:15 PM
I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for UniFi gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist

Woo thanks for the link! I will look thru it.

The CRS326-4C+20G+2Q+RM, compared to your USW-Pro-HD-24-PoE, has the same number of ports (20 + 4 combo), but it has an extra 2xQSFP minus the PoE. From my point of view this Mikrotik switch is more targeted as a CORE/aggregation switch, whereas the UniFi is more of an access switch.

I will not lie, I did look at the UniFi switches; they have a good performance/cost ratio and a lot of variations.
But the main beef I have, and I know this sounds stupid, is the central management/orchestration. I do not own any other UniFi product, thus I would have to run the management platform for only one device, which sounds unreasonable to me.

So basically I am a bit torn between getting Mikrotik or getting UniFi.

Regards,
S.
#13
26.1 Series / Re: Wireguard VPN
Last post by meyergru - Today at 01:48:45 PM
What would be the difference between WAN and pppoe0?

One is just an assigned name for the underlying PPPoE interface - unless you made the mistake of naming the physical NIC (or VLAN) as WAN.

That is the problem with many of those videos: There is no such thing as a step-by-step tutorial, because each situation is different, as your example clearly shows.

You have to understand how things work, otherwise you will be stuck at each crossing.

With a PPPoE connection, you can have one of these topologies on the WAN side:

1. ISP ONT/modem -> physical NIC ("ONT") -> PPPoE interface ("WAN")
2. ISP ONT/modem -> physical NIC ("ONT") -> VLAN ("VLANXX") -> PPPoE interface ("WAN")

With OPNsense, you have either two or three logical interfaces. Name them according to the scheme above. Firewall rules should always be applied to "WAN", which usually is the same thing as "pppoe0". You do not even need explicit names for ONT and VLANXX, unless you want to have direct ONT/modem access. You also do not need firewall rules for "ONT", as per default everything is blocked.

You obviously use it differently, which causes your confusion:

ISP ONT/modem -> physical NIC ("WAN") -> PPPoE interface ("???")
#14
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by meyergru - Today at 01:33:15 PM
I have the USW-Pro-HD-24-PoE, which offers more ports, 4xSFP+, 2*10 GbE, PoE. I like the centralised management for UniFi gear. Their routers are crap, but you can have the network management on a VM.

There are smaller offerings available as well, with and without PoE:

https://geizhals.de/?cat=switchgi&xf=13283_2%7E16696_8%7E2270_Ubiquiti&sort=p#productlist
#15
26.1 Series / Wireguard VPN
Last post by leony - Today at 01:03:11 PM
Hi

I have set up the WireGuard instance and clients exactly as in this video; it clearly shows what to do.

However, when I connect to the server, it establishes a connection but packets are not received.

The only difference is that I have a PPPoE connection (as the interface); however, I have allowed the WireGuard port on the WAN firewall only.

Do I need to open the firewall port on the pppoe interface rather than WAN? Or how can I troubleshoot? Thanks.
#16
Zenarmor (Sensei) / Re: Zenarmor performance @ Int...
Last post by Seimus - Today at 11:59:02 AM
Quote from: Greg_E on March 27, 2026, 04:27:50 PM
Define good.
I need a 24P switch with at least 2x10G ports and with at least 8x2.5G ports.

The only switch that did fulfill this is the Mikrotik CRS326-4C+20G+2Q+RM, but it's expensive. On the other hand, it has QSFP support, which makes it a bit future-proof.

Regards,
S.
#17
26.1 Series / Re: [SOLVED]Can't Move Multipl...
Last post by Monviech (Cedrik) - Today at 11:57:11 AM
You can always open a feature request on github and see how it turns out over time.

Right now it will probably not be a priority right away though, but having it on github gives other users the opportunity to +1 the request to see how widespread this demand is.
#18
General Discussion / Re: Does a DMZ make sense?
Last post by meyergru - Today at 11:26:41 AM
@150d: What you characterize as a DMZ is actually something different, namely a double-firewall setup. Thus, you mix up two questions here.

I would argue that a "real" DMZ, in the notion of having some (potentially exposed) devices on a separate network in order to keep them out of your internal LAN, makes complete sense. By doing that, an attack could not proliferate to your LAN. This would only presume one leg (either physical NIC or VLAN) of one OPNsense to be separated.

What you propose instead has two disadvantages the way you describe it:

1. This is a router-behind-router scenario with double NAT and all of its complications, e.g. port-forwarding must be configured on both firewalls. I would avoid it for the average setup.

2. It does not even have the benefit that some enterprise setups would try to reach by doing such a thing nonetheless: By using two cascaded firewalls of different kinds, you could potentially harden your infrastructure against attacks on known vulnerabilities of one or the other. This is not the case with two cascaded firewalls of the same kind.
#19
Tutorials and FAQs / Re: KEA DHCP reservations - fo...
Last post by Jiheffe - Today at 10:56:18 AM
Quote from: meyergru on March 27, 2026, 10:30:49 PM
Why don't you try to export reservations to see what the format is?

You will find this structure:

ip_address;hw_address;hostname;description;option_data;option

Fair enough! That's actually what I wanted to do. I was looking for it all over the place and it was sitting there in front of me ;-) !
#20
26.1 Series / Re: Can't Move Multiple Select...
Last post by (MARLOO) - Today at 10:14:58 AM
Thanks for the detailed explanation, Cedrik! That GitHub link clears it up perfectly—makes sense why multi-select move isn't there yet with the sequence recalc logic.

A quick workaround I've used: when batch-creating rules in the new interface, set the Sequence field manually on each one right away (e.g., 100, 101, 102) to drop them in the exact order/position you want. No repositioning needed afterward.

Feature request for multi-move would still be nice, though—maybe with a "Move selected block" option that shifts the whole range?