Tried PfSense for a week and not liking it.

[nerlins]

I am going to install OPNsense now, on my new Protectli router. PfSense seemed to have a bug I couldn't get past.

I had allow all traffic on a wireless VLAN I created, with a Unifi AP. When testing the firewall rules I then created a rule to block all traffic to LAN, to see how separate the VLAN would be. It worked, and I couldn't ping anything on LAN, but still had interest access.

When I deleted the rule it persisted. It's stuck and I can't get that VLAN to see anything on LAN again. I deleted states and rebooted.

Anywho, has anyone had an issue like that on OPNsense? Also, if you migrated from PfSense what was your major reason?

[Patrick M. Hausen]

I doubt it will do either community well to swap advocacy threads on this forum or the other one. pfSense for sure is a decent product that in most cases does what is advertised. I run one in production and I don't have a reason to complain.

I switched to OPNsense because I like the UI much better and I prefer more frequent updates and closer tracking of upstream, i.e. FreeBSD.

Kind regards,
Patrick

[nerlins]

The UI pictures of OPNsense look better to me. So no issues adding and removing firewall rules?

[franco]

Taking a guess here.

Chances are you run into the same behaviour with OPNsense. Most of the time people will do foot-shooting with untagged/tagged interface (like LAN untagged and then one WIFI tagged on top) and then seem to wonder why LAN rules will match for WIFI. pf(4) doesn't care. It can read your VLAN tags and skip them to enforce the "appropriate" rules.

Moral of the story: don't mix tagged and untagged traffic on the same interface.


Cheers,
Franco

[nerlins]

Ok...I think you need to treat me as very dumb, because this actually is all new to me. If I have a switch plugged into the LAN port with LAN as an interface and multiple VLANs interfaces on the same port I should make LAN a VLAN as well? I thought the router would handle the traffic accordingly?

My goal was one port on the switch to hardwired devices, ie LAN, ine port for a Unifi AP with VLANs, and one for a dummy AP ( of which I would make that port a VLAN). I have to have the Unifi devices on the same subnet as the network controller, so I can access them.

[Patrick M. Hausen]

It is generally not advisable to mix tagged and untagged traffic on a trunk port. Whoever got the concept of the "native VLAN" into the standard deserves to be shot.

[nerlins]

Ok, so LAN needs to be a VLAN so I can properly ping devices from LAN to a wifi VLAN?

[Patrick M. Hausen]

That will at least prevent any LAN interface rule from matching traffic on the other tagged VLANs. The rest is up to you and your ruleset.

[nerlins]

Ok, don't flak me for what I am about to say:

I have daisy-chained some switches because I was lazy. That might be my undoing. The PC on LAN has a netgear prosafe 'smart' switch in-line before it reaches the Unifi switch on PfSense. The Unifi AP has the VLANs then attached to the Unifi switch. I got lazy and didn't want to run a bunch of new cables and just wanted to use the netgear as untagged and just a way to plug devices in where it is located.

Apparently the prosafe switch defaults all ports as VLAN ID1 unless you configure them. You can only choose between VLANs 1-8 for the 8 port configuration. Could that be the culprit for lost pings between the PCs??

[nerlins]

Figured I should post my fix, since I never received an answer to my last question.

The simple fix was actually my VPN client blocking the connection from the VLAN host to the LAN host. Disabling it worked fine. Setting split-tunneling and leaving it on worked fine.

I also removed that netgear switch from the equation and took it back to the store, as well as put the UNIFI AP on the em2 port on my router box, then used set-inform to find it in the Unifi controller.

This was NOT an issue of untagged (ie., a VLAN not tagged on a port) mixed with tagged traffic on a port. Not-tagged (not untagged) traffic from LAN passes to any tagged host on the Unifi VLANs. My LAN did not need to be a VLAN.