Recent posts

#21
General Discussion / Re: VLAN DHCP not working
Last post by ivpenna - December 10, 2025, 09:27:55 PM
Quote from: viragomann on December 10, 2025, 07:45:10 PM
This is the LAN subnet. I don't think you want to connect the devices to LAN.

My bad. It's 192.168.101.0/24. I fixed the original post.



I was able to get an IP address using a notebook and setting up the VLAN ID 20 on Windows. It was easier than configuring the AP itself (don't even know if it has this option).


Your answer gave me guidance. But I think I'm not grasping VLAN basics (at least not the way I'm supposed to configure these TP-Link switches).


What I really wanted is:

- Every device connected to ports 4 or 5 TL-SG105E would get an IP address from 192.168.101.0/24 subnet (tag 20)
- Every device connected to ports 2 or 3 TL-SG105E would get an IP address from 192.168.1.0/24 subnet (untagged)
- Port 1 will be the trunk port.

https://ibb.co/N6jfbpVD

At first, I'm not willing to configure a VLAN on a client (notebook, Access Point, etc).

Thank you for your reply.
#22
Tutorials and FAQs / OPNsense + PROXMOX + VLANs (ag...
Last post by elreyquerabio - December 10, 2025, 09:27:14 PM
Hello everyone.
I've spent quite some time searching this forum and other sources for ways to properly structure the equipment and systems I'll explain below, but I haven't been able to get it working. I'm convinced that some minor detail is missing, but it's preventing it from functioning correctly. This situation is frustrating.
That's why I'm asking for your help because I don't know what else to try.
We have a laptop with a single NIC, running Proxmox, with OPNsense as the main router, in addition to other systems (Home Assistant, OpenMediaVault, and others on standby). The IoT devices at home have grown (now I have 23) and there are two Chinese IP cameras, so I wanted to isolate them from the rest of the network. I wanted to add a guest network too.
At this moment, the system is working like the first picture.
I obviously don't understand how it works (which is embarrassing), because if I set port 1 of the switch to UNTAGGED (as I believe it should be), there's no internet access.
The only thing I can think of is that the tags are being lost through Proxmox, and everything is truly untagged. The connection to the ISP works because it's via PPPoE. Is that correct?
What I'm trying to achieve is something like the second.
But it doesn't work.

HELP!!!!!


#23
25.7, 25.10 Series / What's wrong with my idea of d...
Last post by HighFive - December 10, 2025, 09:22:00 PM
Hi,

Everybody seems to do it the other way around. My intuition and idea would be that dnsmasq would serve as the dhcpd and also resolve internal dns queries (as internal dns). Unbound, however, would be the "upstream" dns server and would listen (in internal lan) on port 5553 and do the resolving for external addresses.

Am I missing something important? Why would this be stupid/subpar, since everyone seems to be doing it the other way around?

I'm currently still running 25.1.9_2-amd64.

Thanks
#24
25.7, 25.10 Series / Re: "Danger. Unexpected error,...
Last post by zbiles - December 10, 2025, 09:16:55 PM
This has happened on 2 of my firewalls in the past few days. Super frustrating! One I don't have a snapshot, just a file backup to restore so now I'll be spending the afternoon rebuilding. Unless someone has found a way to recover in-place?
#25
General Discussion / Re: Gateway Monitoring and Pac...
Last post by SenseX - December 10, 2025, 09:11:18 PM
Hi,

How do I monitor the RTT of the gateway in Reporting:Health?
My RTT is around 2.5 ms, and I would like to see a graph of this on the reporting page, but I can't figure out where to look.
#26
25.7, 25.10 Series / Fresh install: dnsmasq DNS & D...
Last post by slugsshell - December 10, 2025, 09:08:26 PM
Hi everyone,

I did a fresh install of the latest OPNsense community edition on a new N150 mini-PC (4 NICs: igc0, igc1, ix0, ix1). During initial setup I ran into some confusing behaviour around DNS/DHCP and the default services.

What happened in my setup:

- After installation I used the console menu to reassign interfaces and set up a new LAN interface.
- I plugged my notebook into the new LAN port but the client did not receive an IP address via DHCP.
- I went back to the console, created/changed the LAN interface again and set a new IP, but the client still did not get an address.
- At one point I briefly saw an error along the lines of "VIP already exists" when applying the new LAN settings.
- In the end I changed the LAN IP to a completely different subnet and set a static IP on my notebook; only then could I reach the Web GUI again.

When I finally got into the GUI, I noticed that under
Services → Dnsmasq DNS & DHCP → General
the service was enabled by default on LAN on this fresh installation. At the same time, Unbound DNS and ISC DHCPv4 are also present, so effectively I had multiple DNS/DHCP components available from the start.

For my use case (multiple VLANs, Unbound as the only DNS resolver, clear separation of DHCP and DNS) this was quite confusing, because it is not obvious which combination is intended as the "default baseline" today. It also makes it easy to end up with:

- dhcp/dns services bound to the old LAN interface after reassignment, or
- overlapping IPs / VIP warnings when changing addresses repeatedly from the console.

My questions:

- Is it intentional that Dnsmasq DNS & DHCP is enabled on LAN by default on a fresh install, even though Unbound DNS is also present as the standard resolver?
- For new installations, what is the recommended baseline today:
  - Unbound DNS + dnsmasq DHCP,
  - Unbound DNS + ISC DHCP (legacy), or
  - dnsmasq for both DNS and DHCP on small setups?
- Would it be possible to clarify this in the installer or GUI, for example:
  - a short note explaining "dnsmasq is the default DHCP engine, Unbound is the default DNS resolver", or
  - a simple choice/wizard for "single DNS stack" (Unbound only vs dnsmasq only) so users do not accidentally run two DNS services?

I am not complaining about dnsmasq itself; using it as default DHCP for small networks is perfectly fine. The confusing part is that on a fresh install it is not clear which component is meant to do what, and changing LAN via console while dnsmasq is active seems to make the first-time experience harder than necessary.

Any clarification on the intended design and best practice for new installs would be very welcome.

Thanks a lot for your work on OPNsense.

Best regards,
Alex
#27
German - Deutsch / Re: GeoIP (Maxmind) no longer...
Last post by kosta - December 10, 2025, 08:17:54 PM
Ha! Fixed. For the record: I actually deleted the WAN rule completely, after which the date in GeoIP changed and it was evidently loaded correctly. Created a new rule and all is well.
#28
General Discussion / Re: VLAN DHCP not working
Last post by viragomann - December 10, 2025, 07:45:10 PM
Quote from: ivpenna on December 10, 2025, 07:21:04 PM
Then I created in OPNsense a VLAN to connect the IoT devices that are in this room. DHCP server is enabled for this interface (192.168.100.0/24

This is the LAN subnet. I don't think you want to connect the devices to LAN.

What about the access point?
You connected it to a tagged switch port. Hence you have to configure the VLAN on the AP as well.
#29
General Discussion / Re: Micron exits consumer mark...
Last post by qarkhs - December 10, 2025, 07:24:31 PM
Quote from: OPNenthu on December 09, 2025, 07:36:37 PM
The data centers are not employing people, least of all locals. That's a lie. They're bringing in experts to set them up and then they run autonomously more or less.

For those interested in such matters, this just dropped: A discussion of the experience with data centers and jobs in the state of Michigan.
https://www.techpolicy.press/michigan-offers-handouts-for-data-centers-promising-jobs-will-those-jobs-come/
#30
General Discussion / [SOLVED] VLAN DHCP not working
Last post by ivpenna - December 10, 2025, 07:21:04 PM
Hello!

I'm running an appliance with OPNsense:

Versions
OPNsense 25.7.9-amd64
FreeBSD 14.3-RELEASE-p5
OpenSSL 3.0.18


That's my first time configuring a VLAN. First I followed the steps shown at this link: https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-vlan-on-opnsense


That's the overview:

Interfaces:
LAN01: 192.168.1.0/24 (DHCP server enabled - general purpose)
LAN02: 192.168.100.0/24 (DHCP server enabled - IoT devices)
VLAN01: 192.168.101.0/24 (DHCP server enabled - IoT devices - Parent to LAN01, VLAN TAG 20)

So, there is only one cable that goes to this distant room and it's connected to the LAN01 (blue). Yellow dashed line area shows the devices that must be configured.


https://ibb.co/N6jfbpVD


Then I created in OPNsense a VLAN to connect the IoT devices that are in this room. DHCP server is enabled for this interface (192.168.101.0/24)


https://ibb.co/p6BRXzp6


- Both switches are managed (TP-Link shown in the picture). Here is the configuration.


https://ibb.co/DgDM2Mpv


https://ibb.co/35b81sDN


The IoT devices in this room are not even getting an IP. What am I missing?

Thanks in advance.