Recent posts

#91
General Discussion / Re: No internet to clients con...
Last post by nero355 - February 01, 2026, 04:09:25 PM
Quote from: darkencraft on February 01, 2026, 12:08:44 AM
So all the wired devices that are connected to the bridge port work fine.

The problem is the WiFi clients not having access to the Internet; I cannot figure out what else I need to tweak in the OPNsense configs.
If that is the case, then you need to figure out what is going on at your Omada access point.

For example: if the WiFi SSID has a tagged VLAN set up instead of just using the native/untagged VLAN, then the clients obviously won't have any Internet access in this new setup :)

And just to be sure:
- Did you set up new firewall rules similar to those that the LAN network has by default?
- Are the DHCP settings also adjusted?

Quote from: darkencraft on January 31, 2026, 10:30:19 PM
(Yes, I can remove the bridge and set up the WiFi AP underneath the switch, but this means I need to buy a switch with more ports. So before I actually decide on spending more money, I want to try if I can somehow work with the current setup.)
For what it's worth:

I really like having each NIC dedicated to one of my VLANs in OPNsense:
- eth0 = WAN
- eth1 = Untagged Port for LAN a.k.a. VLAN 1
- eth2 = Untagged Port for VLAN 10 Network
- eth3 = Tagged Port for a small guest VLAN network and in the future maybe some other stuff...
(This last one is not recommended by many, but I was curious to see how it would work and what is different (or not) compared to the WAN Tagged VLAN setup...)

For a cheap small 8-port Switch there are TP-Link and Netgear options and both have '108E' in their model name.
#92
25.7, 25.10 Series / Re: Seting up Vlan
Last post by JustSecure - February 01, 2026, 04:05:25 PM
Quote from: nero355 on January 30, 2026, 03:22:55 PM
Quote from: JustSecure on January 30, 2026, 02:51:32 PM
After reading it all, I have ordered a TP-Link TL-SG105E. This should hook me up properly.
Usually the 8-port version is pretty much the same price, but the 5-port version is OK too of course! :)

Yeah, for my needs it is just enough.

I changed the whole setup, put cables around, and now it's running fine. Thanks to all your answers, the setup is now:

So I made an IoT VLAN which is separated from all other LANs/WANs. Made some firewall rules to permit the local VM (inside the VLAN) SSH and all. Hooked up a spare 2.4 GHz Zyxel as my IoT WiFi. It's riddled with bugs, but they can only be abused locally, through telnet for instance. Everything is off on there except WiFi: no DHCP, no remote, no telnet or SSH.

The switch has 1 uplink of course. Ports 2 and 3 are on my main LAN, ports 4 and 5 on the VLAN (1 port left).
Today I'm switching everything "smart IoT" over to the "safe" WiFi :P

Everything hooked up and ready.

Even found an old IP cam, which when booted screams something in Chinese. I think it's hacked; now I've got time to check it.

#93
General Discussion / Re: No internet to clients con...
Last post by darkencraft - February 01, 2026, 04:00:41 PM
Coming back from some more additional findings:
When I ping OPN (192.168.1.1) from the WiFi device (Internet not working), I can see in the OPN packet capture that the ARP who-has request (from the WiFi device) and the ARP reply (from OPN) are being sent.
But after this the OPN packet capture does not see an ICMP echo request from the WiFi device.

I compared this behavior with the WiFi device pinging another internal device (i.e. my NAS). In the OPN capture, I see the ARP request/reply, followed by the ICMP echo request/reply.

Based on this, and "considering that the WiFi device works fine when OPN is not bridging the ports", could there be circumstances where:
1. Although the ARP reply is seen in the OPN packet capture, it is blocked by firewall rules and never reaches the WiFi device?
2. Or, the ICMP echo request was sent from the WiFi device, but firewall rules are blocking the ICMP request to OPN (while passing any other ICMP request to internal devices), so the OPN capture does not see any ICMP request coming in?

Is there any way to verify 1 and 2? Or any other ideas?
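One way to check the two hypotheses above systematically is to capture on the bridge member interface the WiFi client sits behind and correlate, per peer, what the client's ARP exchanges and ICMP echoes look like. Two points worth knowing before reading the result: pf only filters IP, so an ARP reply is never subject to a firewall rule, and on FreeBSD a capture on a member interface taps inbound frames before pf evaluates them, so an echo request that pf blocks would still show up in the capture (it would just get no reply and appear in the firewall live log). An echo request that is absent from the capture altogether was therefore lost before reaching that interface, not dropped by a rule. The script below is an added example, not from this thread or from OPNsense; the client address 192.168.1.50, the NAS 192.168.1.20, the extra peer 192.168.1.30 and the interface name igb1 are assumptions, and the capture lines are constructed in the text format of `tcpdump -n` to mirror the symptom described in the post.

```python
"""Triage a client's ping path from `tcpdump -n` text output.

Added example (not from the forum thread or OPNsense).  Intended input is the
text output of something like:
    tcpdump -n -i igb1 'arp or icmp'     # igb1: assumed bridge member interface
The sample capture below is constructed, not a real trace.
"""
import re
from collections import defaultdict

# Line shapes printed by tcpdump -n (no -e, so IP lines carry no MAC addresses)
ARP_REQ = re.compile(r"^\S+ ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REP = re.compile(r"^\S+ ARP, Reply (?P<target>[\d.]+) is-at (?P<mac>[0-9a-f:]+)")
ICMP_ECHO = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply)")

# Constructed sample: ARP to the firewall resolves twice but no echo request
# follows; the NAS path is complete; a third peer gets a request but no reply.
SAMPLE_CAPTURE = """\
16:01:10.100100 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
16:01:10.100300 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
16:01:11.100200 ARP, Request who-has 192.168.1.1 tell 192.168.1.50, length 28
16:01:11.100400 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
16:01:20.200100 ARP, Request who-has 192.168.1.20 tell 192.168.1.50, length 28
16:01:20.200300 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb, length 28
16:01:20.200900 IP 192.168.1.50 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
16:01:20.201400 IP 192.168.1.20 > 192.168.1.50: ICMP echo reply, id 7, seq 1, length 64
16:01:30.300100 IP 192.168.1.50 > 192.168.1.30: ICMP echo request, id 8, seq 1, length 64
"""

VERDICTS = {
    "no-arp": "no ARP reply seen: the peer never answered at layer 2",
    "arp-only": "ARP resolved but no echo request reached this interface: "
                "frame lost between client and capture point (not a pf block)",
    "no-reply": "echo request seen, no reply: dropped by pf or peer not answering; "
                "look for the echo request in the firewall live log",
    "ok": "ARP and ICMP echo request/reply both seen",
}


def triage(capture_text, client):
    """Return {peer_ip: verdict_code} for every peer `client` tried to reach."""
    seen = defaultdict(lambda: {"arp_req": 0, "arp_rep": 0, "echo_req": 0, "echo_rep": 0})
    for line in capture_text.splitlines():
        if (m := ARP_REQ.match(line)) and m["sender"] == client:
            seen[m["target"]]["arp_req"] += 1
        elif (m := ARP_REP.match(line)) and m["target"] in seen:
            # Without -e the reply's destination MAC is not printed, so count
            # it only when the client asked for this address earlier.
            seen[m["target"]]["arp_rep"] += 1
        elif m := ICMP_ECHO.match(line):
            if m["kind"] == "request" and m["src"] == client:
                seen[m["dst"]]["echo_req"] += 1
            elif m["kind"] == "reply" and m["dst"] == client:
                seen[m["src"]]["echo_rep"] += 1

    result = {}
    for peer, c in seen.items():
        if c["echo_rep"]:
            result[peer] = "ok"
        elif c["echo_req"]:
            result[peer] = "no-reply"      # pf block or silent host; ARP may have been cached
        elif c["arp_rep"]:
            result[peer] = "arp-only"      # the symptom described in the post
        else:
            result[peer] = "no-arp"
    return result


if __name__ == "__main__":
    for peer, code in sorted(triage(SAMPLE_CAPTURE, "192.168.1.50").items()):
        print(f"{peer:15} {code:9} {VERDICTS[code]}")
```

Run it against a real capture by piping `tcpdump -n -i <member-if> 'arp or icmp'` output into a file and passing its contents to `triage()`. An "arp-only" verdict for the firewall's own address, as in the constructed sample, points at the layer-2 path between the access point and that interface (VLAN tagging on the SSID, bridge forwarding) rather than at a firewall rule; a "no-reply" verdict is the case where the firewall log is the next place to look.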
#94
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by Patrick M. Hausen - February 01, 2026, 03:58:27 PM
Possibly a bad interaction of anti-lockout and NAT reflection? I use neither, sorry.
#95
26.1 Series / Re: Nextcloud Backup creates m...
Last post by Patrick M. Hausen - February 01, 2026, 03:57:28 PM
This is completely unusable. I have to revamp my entire backup strategy for >10 firewalls.

At the very least use readable timestamps for which alphabetical and chronological order are identical, like YYYY-MM-dd-hh:mm:ss or similar.

I back up half a dozen firewalls to the same Nextcloud directory; how am I going to tell them apart without the hostname in the file name?

EDIT: I'll switch to git, I guess. I stopped using git because performing a local config rollback breaks the connection between the local and the upstream repo with a merge conflict, but probably one can work around that. Having one properly time-stamped file every 24 hours was perfect.
#96
26.1 Series / Re: os-isc-dhcp-1.0_3 failed t...
Last post by iorx - February 01, 2026, 03:56:00 PM
FWIW: I mucked around a bit with removing, changing and adding static mappings. Worked as intended.
#97
26.1 Series / Re: Anti-Lockout Rule (Destina...
Last post by RamSense - February 01, 2026, 03:55:21 PM
Looks like a bug: when I place a block rule on WAN port 444, I can still externally reach the OPNsense GUI:

#98
26.1 Series / Re: Suricata - Divert (IPS)
Last post by xpendable - February 01, 2026, 03:53:42 PM
Quote from: Arien on February 01, 2026, 10:32:57 AM
So, if this mode may be associated with a specific PF rule, how can I inspect normal browsing traffic (HTTP/DNS/FTP)?
I mean, in IPS/IDS mode I can just test Suricata with "curl http://testmynids.org/uid/index.html" and I see the alert, but this won't happen in Divert mode.

So what I've done now is a more targeted approach, I would say, and have only added the Divert-to Intrusion Detection on my existing rules. I added it to my VPN rule for the WAN interface that exposes that port, and I enabled it on the LAN default allow-to-any rule. Putting it on the default LAN out rule doesn't hurt, but the benefit may vary, I suppose, depending on your use case.

I would imagine that if you added/enabled Divert-to Intrusion Detection on the "Default allow LAN to any" rule, that would probably catch those tests. If you want to catch that traffic coming in on the WAN (as in initiated from the Internet) and you have existing rules for those open ports, then you would add/enable Divert-to Intrusion Detection on those rules. However, if you don't have existing rules for open ports, I would suggest NOT creating rules for that purpose.

I hope I didn't cause too much confusion with my earlier lack of understanding of how this new mode really works.
#99
26.1 Series / Re: Nextcloud Backup creates m...
Last post by muchacha_grande - February 01, 2026, 03:28:15 PM
OK... thank you.

I've closed the request.
#100
German - Deutsch / Re: OPNsense hinter einer DS-l...
Last post by Patrick M. Hausen - February 01, 2026, 03:24:46 PM
In my opinion you would simply make your services available over IPv6 only. Beyond that I don't know either; I have a sensible provider 😉