"Recent posts
#91
25.7, 25.10 Series / Firewall Rule using ports fail...
Last post by LisaMT - December 12, 2025, 08:14:42 PMI have a early general firewall rule that allows LAN traffic to ports in an alias 'safe ports' (80 443)
The last firewall rule deny traffic to anywhere. "Block LAN Traffic"
Lan is subnet 192.168.10.0/24
In the logs I'm seeing the following getting blocked on the last rule like this:
LAN In 2025-12-12T12:00:39-07:00 TCP 192.168.10.63:40982 34.160.212.185:443 block Block LAN Traffic
The earlier rule should have passed this.
Not sure why?
The last firewall rule deny traffic to anywhere. "Block LAN Traffic"
Lan is subnet 192.168.10.0/24
In the logs I'm seeing the following getting blocked on the last rule like this:
LAN In 2025-12-12T12:00:39-07:00 TCP 192.168.10.63:40982 34.160.212.185:443 block Block LAN Traffic
The earlier rule should have passed this.
Not sure why?
#92
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - December 12, 2025, 08:00:41 PMQuote from: neomorpheus on December 12, 2025, 07:55:18 PMI believe that I can create multiple SSIDs on this AP.
What I really dont know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets and allow my mobile devices to those IoT for monitoring.
Access points are in the same broadcast zone. It won't work. Even some routers in router mode are iffy with 'guest networks'. I will wave my hand in the air and think good thoughts but that's the best anyone can do for you. There may be an access point somewhere that can automagically do a vlan on an access point, but I doubt it.
If the access point idea worked, then you would not need OPNsense to assist.
#93
General Discussion / Re: Need some guidance in how ...
Last post by neomorpheus - December 12, 2025, 07:55:18 PMI believe that I can create multiple SSIDs on this AP.
What I really dont know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets and allow my mobile devices to those IoT for monitoring.
What I really dont know how to do is attach the AP physically to my Qotom, configure it in a way that it handles both subnets and allow my mobile devices to those IoT for monitoring.
#94
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - December 12, 2025, 07:45:57 PMQuote from: neomorpheus on December 12, 2025, 07:34:38 PMThank you, that provides some guidance.
Remember that I only have one AP and both the IoT and regular devices are using it.
So sadly, I'm not sure how to proceed with your steps 2 and 3.
What you want to do is not possible with 1 access point if each subnet needs wireless. You need a different ssid for each network. This is true even if you want to use a switch controlled VLAN.
Routers are cheap. Tapo doorbells and whatnot do not need the latest and greatest. Best wishes.
#95
General Discussion / Re: Need some guidance in how ...
Last post by neomorpheus - December 12, 2025, 07:34:38 PMThank you, that provides some guidance.
Remember that I only have one AP and both the IoT and regular devices are using it.
So sadly, I'm not sure how to proceed with your steps 2 and 3.
Remember that I only have one AP and both the IoT and regular devices are using it.
So sadly, I'm not sure how to proceed with your steps 2 and 3.
#96
General Discussion / Re: Need some guidance in how ...
Last post by coffeecup25 - December 12, 2025, 07:06:03 PMI can give you the highlights, from memory. Hopefully my memory will get you started.
It's easy to create a 2nd subnet. Personally I would save the switch and connect the 2nd subnet to it. Then you know without thinking what is LAN and what is IOT. Also, I have no idea how to associate more ports with either subnet.
1) Create an interface for a spare port
2) Associate the interface with a subnet
3) Copy the 2 default rules from LAN to IOT and edit accordingly
4) Create a rule on IOT to keep it out of LAN
5) create a rule on LAN to keep it out of IOT
hopefully I did not forget a step.
done - No need to mess with VLANs. Don't even think about them.
If you are using Adguard Home on OPNsense and want it to patrol both subnets, you have to edit AdguardHome.yaml to service both subnets, then reboot the router. I don't recall the exact section. It took me days to figure this out, btw. Rules have no affect on this.
Most people seem to have 'special situations' that make it difficult to answer questions like this. This answer is the best I can provide.
It's easy to create a 2nd subnet. Personally I would save the switch and connect the 2nd subnet to it. Then you know without thinking what is LAN and what is IOT. Also, I have no idea how to associate more ports with either subnet.
1) Create an interface for a spare port
2) Associate the interface with a subnet
3) Copy the 2 default rules from LAN to IOT and edit accordingly
4) Create a rule on IOT to keep it out of LAN
5) create a rule on LAN to keep it out of IOT
hopefully I did not forget a step.
done - No need to mess with VLANs. Don't even think about them.
If you are using Adguard Home on OPNsense and want it to patrol both subnets, you have to edit AdguardHome.yaml to service both subnets, then reboot the router. I don't recall the exact section. It took me days to figure this out, btw. Rules have no affect on this.
Most people seem to have 'special situations' that make it difficult to answer questions like this. This answer is the best I can provide.
#97
French - Français / Re: Problème lors modification...
Last post by hometux - December 12, 2025, 07:00:51 PMRe Bonjour
J'ai trouvé la solution, j'avais activé dans le menu système->paramètre->administration l'option Strict security en bas de la page. Je l'ai déactivé et ça a résolu mon problème.
J'espère que cela vous aidera
Bonne fin de journée
J'ai trouvé la solution, j'avais activé dans le menu système->paramètre->administration l'option Strict security en bas de la page. Je l'ai déactivé et ça a résolu mon problème.
J'espère que cela vous aidera
Bonne fin de journée
#98
Virtual private networks / Gateway priority and status no...
Last post by zubrick - December 12, 2025, 06:56:05 PMHello,
I am migrating to an OPNsense firewall and have an issue with the routing table.
I've set up 3 IPSec VPNs with a vti interface on each and a corresponding gateway and different priorities on each.
IP monitoring is working correctly on all three gateways and interfaces of disconnected tunnels are quickly marked as down.
The problem is that the static route I add on those gateways are inserted in the routing table regardless of the gateway status or priority, leaving routes on inactive tunnels.
I've tried all the parameters in the gateways.
I saw there are gateway groups, but I cannot put routes on them, only use them in firewall policies which solves the issue if the connections is initiated from the OPNsense side, but still creates asymmetric routes if the connections is initiated from the other side.
Am I missing something ? Is there an option for it to work?
It seems to work correctly with the two default gateways.
UPDATE:
After some tests it seems OPNsense doesn't like to have two routes to the same subnet on two different gatways and acts completely random in that case.
This is the first firewall on which I am not able to do that.
This is really a basic feature for a route based VPN.
The current workaround will be to take advantage of the routing engine more specific route priority and divide the subnets in two on preferred VPN gateway.
So for exemple 10.20.30.0/25 and 10.20.30.128/25 on the primary vpn and 10.20.30.0/24 on the secondary one
This is a lot of work and is really error prone, but I don't see anything else.
And then it still doesn't solve my issue because I need to go disable the routes manually, because OPNsense doesn't remove route of a disabled gateway?????
I am migrating to an OPNsense firewall and have an issue with the routing table.
I've set up 3 IPSec VPNs with a vti interface on each and a corresponding gateway and different priorities on each.
IP monitoring is working correctly on all three gateways and interfaces of disconnected tunnels are quickly marked as down.
The problem is that the static route I add on those gateways are inserted in the routing table regardless of the gateway status or priority, leaving routes on inactive tunnels.
I've tried all the parameters in the gateways.
I saw there are gateway groups, but I cannot put routes on them, only use them in firewall policies which solves the issue if the connections is initiated from the OPNsense side, but still creates asymmetric routes if the connections is initiated from the other side.
Am I missing something ? Is there an option for it to work?
It seems to work correctly with the two default gateways.
UPDATE:
After some tests it seems OPNsense doesn't like to have two routes to the same subnet on two different gatways and acts completely random in that case.
This is the first firewall on which I am not able to do that.
This is really a basic feature for a route based VPN.
The current workaround will be to take advantage of the routing engine more specific route priority and divide the subnets in two on preferred VPN gateway.
So for exemple 10.20.30.0/25 and 10.20.30.128/25 on the primary vpn and 10.20.30.0/24 on the secondary one
This is a lot of work and is really error prone, but I don't see anything else.
And then it still doesn't solve my issue because I need to go disable the routes manually, because OPNsense doesn't remove route of a disabled gateway?????
#99
Tutorials and FAQs / Re: OPNsense + PROXMOX + VLANs...
Last post by elreyquerabio - December 12, 2025, 06:41:11 PMThanks a lot for the replay.
I've added two pictures with the switch config and here the PROXMOX network config.
pppoe1 is on vnet0 in the config witch is working now.
On the new version (the one that doesn't work) I create one new vnet for every VLAN:
LAN: vnet0
WAN: vnet1
Guests: vnet2
IoT: vnet3
The name vnet0.24 is assigned by the system. When you try to create a new VLAN, a message says that the name has to begin with vlan0
I've added two pictures with the switch config and here the PROXMOX network config.
pppoe1 is on vnet0 in the config witch is working now.
On the new version (the one that doesn't work) I create one new vnet for every VLAN:
LAN: vnet0
WAN: vnet1
Guests: vnet2
IoT: vnet3
The name vnet0.24 is assigned by the system. When you try to create a new VLAN, a message says that the name has to begin with vlan0
#100
25.7, 25.10 Series / Re: service adguardhome not st...
Last post by BrandyWine - December 12, 2025, 05:27:18 PMQuote from: neek on December 12, 2025, 06:31:00 AMIs there a way to say that adguardhome service must start after openvpn has completed?
Yes, but not like how we can use "After" commands under systemd.
Does openvpn also start on it's own? Why is openvpn a dependency for AdGuard?
Start with "service -e"
Find the AdGuard service script and park a "sleep 10" in it (at the beginning or in the start section), see if that helps.
We could also modify that service script to actually check for openvpn status, but I don't think you need to complicate things at this point.
