Recent posts

#21
German - Deutsch / Re: Problems with DNS + VLAN + ...
Last post by viragomann - December 08, 2025, 07:28:41 PM
Hello,

Quote from: mfreudenberg on December 08, 2025, 07:04:58 PM
I have the feeling the switch is configured correctly. After all, a ping to OPNsense gets through.
Then try a bit further.
You have currently allowed everything on the client interface. Try pinging another interface IP and something on the internet, e.g. 1.1.1.1.

If all of that is fine, chase the DNS problem.
Which DNS server is used on the client? Do a simple nslookup / dig to rule out other potential causes.
Which DNS server is being queried?

If it is a local one, try the lookup with 1.1.1.1.
#22
General Discussion / Re: Struggling with OPNsense i...
Last post by coffeecup25 - December 08, 2025, 07:22:59 PM
Quote from: pfry on December 08, 2025, 06:41:02 PM
Quote from: coffeecup25 on December 08, 2025, 03:30:55 PM
[...]My first instinct was to use 'problem decomposition'.[...]

Perhaps "System: Configuration: Backups" -> "Downloads", download and search for ".5." or similar. But it doesn't sound like it'll be there, as hitting the default deny suggests an external source.

Quote from: Untoasted9563 on December 08, 2025, 12:05:51 PM
[...]ping -S 192.168.10.1 8.8.8.8 is successful[...]

Is it? Typo, or another subnet?

Good idea.
#23
25.7, 25.10 Series / Re: KEA hostnames in the fire...
Last post by FredFresh - December 08, 2025, 07:16:51 PM
Solved -> https://forum.opnsense.org/index.php?topic=45457.0

Looking in the Unbound log, it reported an error about a specific hostname... I found I had entered it with a " " (space) instead of an underscore...

After activating "Register DHCP Static Mappings", everything now seems to work.

Thank you Cedrik for your time.
#24
Portuguese - Português / Re: Community - Portuguese Lang...
Last post by glgontijo - December 08, 2025, 07:09:53 PM
Hey!
How is everyone doing?

My case with OPNsense is a curious one and I think it is worth sharing with the community.

I am a public servant and in September 2024 I took up a position in the IT network team of a federal university. My knowledge of firewalls (I have already built a few with Slackware, OpenBSD...) led them to ask me to create one to be deployed in the "houses" (premises rented by the university to supplement its infrastructure) that had no connection to our internal network. The intention was to allow some network policy to be enforced and to replace the current routers (CISCO Ethernet), which could not get past 100Mbps (the links were 500 to 600Mbps).
I started out trying to do this on Linux. It would certainly be stable, but it had no manageable interface and nothing "user friendly" for the rest of the team. Then I remembered pfSense. While researching it, I came across 3 or 4 more options, including OPNsense. I decided to test them in VMs to see which would have the best configuration for my needs while still being the famous "user friendly". Long story short... OPNsense was deployed in 11 houses and I have 2 more PCs ready for two new sites we are finishing.
The possibilities OPNsense brought us went beyond just organising the links. I implemented VPNs that allowed us to monitor the entire infrastructure (Zabbix, SNMP, ICMP) present in the houses. We brought our Wi-Fi network, Ruckus with RADIUS authentication (the national educational network EDUROAM), to all of them and put the users of these houses on the same LAN as headquarters.

With the project under way, our firewall, already obsolete and in the process of being replaced through a tender, decided to stop. It died and came back as it pleased. With no more possibility of licensing (obsolete and with the licence ending in January), warranty or support, I was asked to test OPNsense as a temporary solution, since the tender for new equipment would hardly be concluded before the second half of next year. OK! Challenge accepted. I got 02 dual-processor Dell servers with 32GB of RAM and, with some bumps along the way, deployed an OPNsense firewall with HA, with 8 GB interfaces on the primary, WireGuard VPN to the OPNsense boxes in the houses, 12 VLANs, 02 load-balanced WAN links defined in the firewall, a /23 DMZ with public RNP IP space and the services: NetFlow (sending logs to the Graylog server, where they are processed to meet the requirements of the Marco Civil), CrowdSec, SNMP monitoring and Zabbix. The firewall also allowed me to reduce the number of states generated from around 600 thousand to 200 thousand, without losing any rules and with better performance than the old SonicWall.

This "letter" is to express my gratitude, including to the community, where I found articles and guidance that allowed me, in less than 6 months, to literally revolutionise the university's network, bringing management to all buildings and improving the performance of our infrastructure.

Thank you!

PS: I have already been asked to create a new VPN server and I am already setting up a new OPNsense here to let staff working remotely access files and data on the local network. Currently they need to log in to a machine on the network and then send the files, etc. We will build it with OpenVPN and RADIUS LDAP authentication (eduroam), with address assignment controlled via Framed_IP_Address in RADIUS.
#25
German - Deutsch / Problems with DNS + VLAN + Mana...
Last post by mfreudenberg - December 08, 2025, 07:04:58 PM
Hello everyone,

This is my first post here. I tried to find a matching thread, but nothing that fits 100%. Hence my post. I am still a complete OPNsense newbie, but I have been running a homelab with a Fritz!Box for years. Now I wanted to take my homelab to the next level with a managed switch and OPNsense.

I have been trying for days to get my OPNsense working with my managed switch. Unfortunately I have a problem with DNS resolution. I do get an IP address via DHCP inside the VLANs, but name resolution unfortunately does not work. I can ping the VLAN address of OPNsense, but an nslookup fails. Likewise, `nc -vzw 4 <ip-des-opnsense> 53` runs into a timeout. For debugging I use an Arch Linux laptop, which can be connected to the switch both via WLAN (via port 5) and via LAN (port 3). The AP is a TP-Link EAP653, which is VLAN-capable and has the matching VLANs configured.

I have a Zyxel XGS1935 and an OPNsense in a VM installed on a Proxmox server. Attached is a small sketch of the network.


I have configured the following VLANs in the switch:

VLAN1  Management
VLAN20 Heimautomation
VLAN50 Clients

Below I only give the configuration details for VLAN50. The other VLANs are configured identically and show the same symptoms.

In OPNsense I have set up the following VLANs:

vlan0.01 [MGMT] vtnet1 (mac-adresse) [LAN] 1 Best Effort (0, default)
vlan0.50 [Clients] vtnet1 (mac-adresse) [LAN] 50 Best Effort (0, default) Internet
vlan01.20 [Heimautomation] vtnet1 (mac-adresse) [LAN] 20 Best Effort (0, default) Heimautomation



Here, as an example, the configuration for the client interface (VLAN50) in OPNsense.

## Basic Configuration
Enable [x] Enable Interface
Lock [x] Prevent interface removal
Identifier opt3
Device vlan0.50
Description Clients

## Generic configuration
Block private networks [ ]
Block bogon networks [ ]
IPv4 Configuration Type Static IPv4
IPv6 Configuration Type None
MAC address [...]
Promiscuous mode [ ]
MTU [...]
MSS [...]
Dynamic gateway policy [ ] This interface does not require an intermediate system to act as a gateway

## Static IPv4 configuration
IPv4 address 172.17.50.253
IPv4 gateway rules Disabled

Here are the firewall rules for the client VLAN50:

| Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
| ----- | ------ | ---- | ----------- | ---- | ------- | -------- | ----------- |
| IPv4 TCP | Clients net | * | Clients address | 443 (HTTPS) | * | * | Allow OPNSense HTTPS-Webfrontend from Clients-Net (debugging) |
| IPv4 * | Clients net | * | * | * | * | * | - |
| IPv4 TCP | Clients net | * | WAN net | 443 (HTTPS) | * | * | - |
| IPv4 TCP/UDP | Clients net | * | WAN net | 53 (DNS) | * | * | - |
| IPv4 TCP/UDP | Clients net | * | Clients address | 53 (DNS) | * | * | Allow access to DNS-Servers on the Internet |
| IPv4 * | Clients net | * | ! PrivateNetworks | * | * | * | Default allow LAN to any rule |

Finally, the switch configuration.

VLAN setup for VLAN50

| Port | VLAN-Member | Tagging    |
| ---- | ----------- | ---------- |
| 1    | 50          | Tx Tagging |
| 2    | -           | -          |
| 3    | 50          | -          |
| 4    | 50          | -          |
| 5    | 50          | Tx Tagging |

Port assignments for VLAN50 (T = tagged, U = untagged, - = not a member)

| Port | 1 | 2 | 3 | 4 | 5 | 6 |
| ---- | - | - | - | - | - | - |
| T/U  | T | - | U | U | T | T |

Do you have any idea what the problem could be, or where I should look?

I have the feeling the switch is configured correctly. After all, a ping to OPNsense gets through.

Thanks and regards,
Michael
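As an added example (not code from the thread, and not OPNsense's own rule engine), the script below evaluates the VLAN50 rule table from this post the way pf does, first match wins, and reports which rows can never be reached. It makes the point viragomann's reply hints at: the second row passes everything from Clients net, so a DNS query from a client to the firewall's VLAN address is already allowed there and the narrower DNS rows below it never become the first match. Assumptions: every row is a pass rule (the listing shows no action column), "Clients net" is 172.17.50.0/24 (the post only gives the interface address 172.17.50.253), "WAN net" is a constructed placeholder, and the "PrivateNetworks" alias stands for the three RFC 1918 ranges.

```python
"""First-match evaluation of the VLAN50 rule table posted above.

Added example, not OPNsense code. The six rules are transcribed from the
post's listing. Assumptions: every row is a 'pass' rule, 'Clients net' is
172.17.50.0/24, 'WAN net' is a constructed placeholder, and 'PrivateNetworks'
means the three RFC 1918 ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

CLIENTS_NET = ip_network("172.17.50.0/24")      # assumed VLAN50 subnet
CLIENTS_ADDR = ip_network("172.17.50.253/32")   # interface address from the post
WAN_NET = ip_network("203.0.113.0/24")          # constructed placeholder for 'WAN net'
PRIVATE_NETWORKS = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))
TCP, UDP = frozenset({"tcp"}), frozenset({"udp"})


@dataclass(frozen=True)
class Rule:
    protos: Optional[FrozenSet[str]]         # None = any protocol
    src: IPv4Network                         # source network
    dst: Optional[Tuple[IPv4Network, ...]]   # None = any destination
    dst_negated: bool                        # True models the '!' in '! PrivateNetworks'
    dports: Optional[FrozenSet[int]]         # None = any destination port
    label: str

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        if self.protos is not None and proto not in self.protos:
            return False
        if src not in self.src:
            return False
        if self.dst is not None:
            in_dst = any(dst in net for net in self.dst)
            if in_dst == self.dst_negated:   # negated list: packet must be outside every net
                return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is already matched by self,
        i.e. `other` can never be the first match if it sits below self."""
        if self.protos is not None and (other.protos is None or not other.protos <= self.protos):
            return False
        if not other.src.subnet_of(self.src):
            return False
        if self.dst is not None:
            if other.dst is None or self.dst_negated or other.dst_negated:
                return False            # negated lists are not compared (kept simple)
            if not all(any(o.subnet_of(s) for s in self.dst) for o in other.dst):
                return False
        if self.dports is not None and (other.dports is None or not other.dports <= self.dports):
            return False
        return True


# The post's rule table, top to bottom (OPNsense rules are evaluated first-match).
RULES: List[Rule] = [
    Rule(TCP, CLIENTS_NET, (CLIENTS_ADDR,), False, frozenset({443}), "HTTPS to firewall GUI (debugging)"),
    Rule(None, CLIENTS_NET, None, False, None, "Clients net to any"),
    Rule(TCP, CLIENTS_NET, (WAN_NET,), False, frozenset({443}), "HTTPS to WAN net"),
    Rule(TCP | UDP, CLIENTS_NET, (WAN_NET,), False, frozenset({53}), "DNS to WAN net"),
    Rule(TCP | UDP, CLIENTS_NET, (CLIENTS_ADDR,), False, frozenset({53}), "DNS to firewall"),
    Rule(None, CLIENTS_NET, PRIVATE_NETWORKS, True, None, "Default allow LAN to any (not private)"),
]


def first_match(proto: str, src: str, dst: str, dport: int) -> Tuple[Optional[int], str]:
    """Index and label of the first rule that passes this packet, or the default deny."""
    s, d = ip_address(src), ip_address(dst)
    for i, rule in enumerate(RULES):
        if rule.matches(proto, s, d, dport):
            return i, rule.label
    return None, "default deny"


def shadowed_rules() -> List[Tuple[int, int]]:
    """Pairs (rule index, index of the earlier rule that makes it unreachable)."""
    found = []
    for j, rule in enumerate(RULES):
        for i in range(j):
            if RULES[i].covers(rule):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    # A DNS query from a VLAN50 client to the firewall's VLAN address:
    print(first_match("udp", "172.17.50.10", "172.17.50.253", 53))   # (1, 'Clients net to any')
    print(shadowed_rules())                                            # [(2, 1), (3, 1), (4, 1), (5, 1)]
```

Because the allow-all row already passes the DNS query, the firewall rules are not what blocks the nslookup in this post; the remaining suspects are the resolver itself (which interfaces Unbound listens on) and the VLAN path, which is exactly the order of checks viragomann suggests.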
#26
25.7, 25.10 Series / Re: KEA hostnames in the fire...
Last post by FredFresh - December 08, 2025, 07:00:47 PM
Uh... complicated, I should take my time to carefully read through it.

On Unbound I tried to enable "Register DHCP Static Mappings", as it seems to be what I need, but once I restart OPNsense, Unbound does not start because of an error.

If I understand correctly, it could be this: https://github.com/opnsense/core/issues/7237
#27
25.7, 25.10 Series / Re: KEA hostnames in the fire...
Last post by Monviech (Cedrik) - December 08, 2025, 06:48:15 PM
It looks like Unbound doesn't know the IP address.

It needs a reverse lookup zone (in-addr.arpa).

I don't know if Kea DHCP reservations register reverse lookups inside Unbound.

With dnsmasq, though, it should work via this tutorial; you can see how the in-addr.arpa TLD is forwarded from Unbound.

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
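Two things in this thread are easy to check mechanically: the hostname with a space that kept Unbound from starting (the fix in #23), and the reverse (in-addr.arpa) data Unbound needs before an nslookup of an address can return anything but "Non-existent domain" (#27, #28). The script below is an added example, not code from the thread, OPNsense or Unbound: it validates DHCP hostnames, emits the `local-data:` / `local-data-ptr:` lines Unbound uses for forward and reverse local records, and answers a PTR lookup from them. The static mappings are constructed; underscore is accepted as a label character because the thread's fix used one and Unbound local data takes any DNS label, even though RFC 1123 hostnames do not.

```python
"""Hostname sanity check plus the reverse (in-addr.arpa) data Unbound needs
for PTR answers.

Added example, not code from the thread, OPNsense or Unbound. The static
mappings below are constructed. `local-data:` and `local-data-ptr:` are real
unbound.conf directives; the label rule follows RFC 1123 with underscore
accepted.
"""
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# One DNS label: alphanumerics/underscore, hyphens allowed inside, 1..63 characters.
LABEL_RE = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def hostname_problems(name: str) -> List[str]:
    """Return the problems found in a DHCP hostname; an empty list means it is usable."""
    if not name:
        return ["empty name"]
    problems = []
    if any(ch.isspace() for ch in name):
        problems.append("contains whitespace")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.split("."):
        if not label:
            problems.append("empty label (leading, trailing or doubled dot)")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label {label!r} is not a valid DNS label")
    return problems


def reverse_name(ip: str) -> str:
    """The PTR owner name for an address, e.g. 155.1.168.192.in-addr.arpa."""
    return ip_address(ip).reverse_pointer


def unbound_local_data(mappings, domain: str = "localdomain"):
    """Turn (hostname, ip) static mappings into unbound.conf A and PTR local data.
    Mappings whose hostname fails the check are skipped and returned separately
    instead of being written into a config Unbound would refuse to load."""
    lines: List[str] = []
    skipped: List[Tuple[str, List[str]]] = []
    for host, ip in mappings:
        problems = hostname_problems(host)
        if problems:
            skipped.append((host, problems))
            continue
        fqdn = f"{host}.{domain}"
        addr = ip_address(ip)
        lines.append(f'local-data: "{fqdn}. A {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return lines, skipped


def ptr_lookup(lines: List[str], ip: str) -> Optional[str]:
    """Answer a reverse query from the generated data; None corresponds to the
    NXDOMAIN ('Non-existent domain') that the nslookup in the thread ran into."""
    addr = str(ip_address(ip))
    for line in lines:
        if line.startswith("local-data-ptr:"):
            value = line.split('"')[1]            # e.g. '192.168.1.155 nas.localdomain'
            ptr_ip, fqdn = value.split(" ", 1)
            if ptr_ip == addr:
                return fqdn
    return None


# Constructed static mappings: a good name, the space variant from the thread, and its fix.
MAPPINGS = [("nas", "192.168.1.155"), ("print server", "192.168.1.20"), ("print_server", "192.168.1.20")]

if __name__ == "__main__":
    data, bad = unbound_local_data(MAPPINGS)
    print("\n".join(data))
    print("skipped:", bad)
    print(reverse_name("192.168.1.155"), "->", ptr_lookup(data, "192.168.1.155"))
```

The generated `local-data-ptr:` line is the piece that was missing in #28: with only forward records registered, a reverse query for 192.168.1.155 has nothing to match and Unbound answers NXDOMAIN.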

#28
25.7, 25.10 Series / Re: KEA hostnames in the fire...
Last post by FredFresh - December 08, 2025, 06:41:46 PM
Hi, here is an example:

C:\Users\DD>nslookup 192.168.1.155
Server:  OPNsense.localdomain
Address:  192.168.2.1

*** OPNsense.localdomain non è in grado di trovare 192.168.1.155: Non-existent domain
#29
General Discussion / Re: Struggling with OPNsense i...
Last post by pfry - December 08, 2025, 06:41:02 PM
Quote from: coffeecup25 on December 08, 2025, 03:30:55 PM
[...]My first instinct was to use 'problem decomposition'.[...]

Perhaps "System: Configuration: Backups" -> "Downloads", download and search for ".5." or similar. But it doesn't sound like it'll be there, as hitting the default deny suggests an external source.

Quote from: Untoasted9563 on December 08, 2025, 12:05:51 PM
[...]ping -S 192.168.10.1 8.8.8.8 is successful[...]

Is it? Typo, or another subnet?
#30
25.7, 25.10 Series / Re: Time based Shaper?
Last post by Seimus - December 08, 2025, 06:35:01 PM
Quote from: knebb on December 08, 2025, 04:56:22 PM
I got it so far: the pipes limit the bandwidth (upper limit) while the queues weight the traffic according to the rules. Queues can get ignored when a rule sends the traffic to a pipe immediately (I do not know how any weight is then calculated). Got this so far.

Do not bind rules to Pipes, bind them to Queues.

Quote from: knebb on December 08, 2025, 04:56:22 PM
But how do the (firewall) rules you mentioned above come into the game? Do I overwrite everything and directly assign traffic to pipes/queues? How are they different (except for the scheduling possibility) from the shaper rules?

The "Traffic shaping" section of the pf rules works in a similar way to the rules in Shaper > Rules. But in pf rules you can define both directions within one rule and also set the rules to be time based.

Regards,
S.