READ THIS FIRST

Started by meyergru, September 23, 2024, 10:22:11 AM

September 23, 2024, 10:22:11 AM Last Edit: December 20, 2024, 01:23:53 PM by meyergru
I always threatened that at some point I might be inclined to write something like this, because I find myself answering the same questions time and time again.

So, reflecting an old article of the great Dave Barry which starts:

Quote:
READ THIS FIRST

Congratulations! You have purchased an extremely fine device that would give you thousands of years of trouble-free service, except that you will undoubtedly destroy it via some typical bonehead consumer maneuver.

Which is why we ask you to PLEASE FOR GOD'S SAKE READ THIS OWNER'S MANUAL CAREFULLY BEFORE YOU UNPACK THE DEVICE.

YOU ALREADY UNPACKED IT, DIDN'T YOU? YOU UNPACKED IT AND PLUGGED IT IN AND TURNED IT ON AND FIDDLED WITH THE KNOBS, AND NOW YOUR CHILD, THE SAME CHILD WHO ONCE SHOVED A POLISH SAUSAGE INTO YOUR VIDEOCASSETTE RECORDER AND SET IT ON "FAST FORWARD", THIS CHILD ALSO IS FIDDLING WITH THE KNOBS, RIGHT?

WE MIGHT AS WELL JUST BREAK THESE DEVICES RIGHT AT THE FACTORY BEFORE WE SHIP THEM OUT, YOU KNOW THAT?

Please, read this before you ask questions here:

1. Learn basic networking skills before trying to use OpnSense. OpnSense is a firewall, yes, but in the first place it is a router (unless you use it as a transparent bridge). Know that you must have disjoint subnets on different interfaces in order to be able to control traffic at all. Many questions hover around topics like: "Why can't I filter traffic between 192.168.23.10 and 192.168.23.17?" (It will not work, that is basic networking 101).

2. This includes scenarios where you have multiple clients attached to different ports of your OpnSense. That would be called a bridge, which is usually discouraged ("use a real switch"), but can be done, if done correctly ("read the docs" and follow them, stupid). In order to not get confused, do not even assign names to bridge member interfaces, because you will not use them in rules or anything but the bridge definition. Do not forget the tunables ("Which tunables?" - read the docs again!).
 
3. You have created a VLAN but cannot get internet access? You have to create an outbound "allow all" firewall rule like the one that is created per default on your LAN. Remember? "Anything that is not explicitly allowed is forbidden." - from the great book: Purpose of a firewall, chapter 1
   
4. Try to avoid router-behind-router scenarios. You either would need double NAT, which is awkward, or be able to control local routing in your ISP router, which you probably are not.
   
5. Get to know your hardware. One of the more often asked questions is: "I cannot access my web UI after installation." The problem is probably either that you have no usable NICs (see next point), you plugged your LAN connection into the wrong spot or you left the USB stick in and boot the installation image instead of the configured system. If you absolutely want / must use OpnSense virtualized, read this.
   
6. Realtek NICs are badly supported under FreeBSD. That concerns performance, VLANs and more generally, basic operation. There are OEM drivers which can be installed (System:Firmware:Plugins, os-realtek-re), but in some situations, this is difficult, because you cannot even load them from the internet ("use a USB stick instead").

7. Do not try to use the WLAN adapter on your OpnSense box as a WiFi AP. FreeBSD / OpnSense is just not good (tm) at it. Use dedicated AP(s) for that.
   
8. If something does not work, do not jump to conclusions. Try to pinpoint your problem, e.g. do not say: "ping www.google.com does not work". There are so many problems there:

- ping from where? Client or OpnSense itself?
- What exactly did not work? DNS, IPv4 or IPv6?

Possibly, you know - we don't. So there may be at least 6 separate potential problems that were subsumed in one statement. Use "nslookup www.google.com", "ping 8.8.8.8" and "ping 2600::" instead, from both clients and OpnSense itself. BTW: As far as ping options go: FreeBSD ≠ Linux ≠ Windows.

9. Only some sites are unreachable, like OpnSense.org? Even if basic DNS, routing and firewalling works for both IPv4 and IPv6, there may still be other problems lurking, like wrong MTU settings on WAN because of encapsulation via PPPoE, VLANs or IPoE, which you did not account for. In that case, some sites with defective PMTU discovery may fail.
There is a tool to check how big your WAN MTU may safely be set for a specific site.

10. You do not get close to your ISP's advertised speed? Some CPUs are not sufficient for fast internet connections. Look for ones with high single-thread performance, especially, if you need PPPoE, VPN and/or Zenarmor. For more than 1 Gbps, you may need something along the range of an N100, for more than 2.5 Gbps you will look at CPUs with even more punch. There are many websites to compare CPU speeds or look in the hardware and performance section. That being said, hand-me-down systems often are sub-par w/r to being used for OpnSense, because older CPUs tend to use way more power such that the energy cost may soon outweigh the savings in a 24/7 scenario.
   
11. If you aim to access your ONT on the WAN side, you will need a virtual IP within the same subnet plus an outbound NAT rule for that, because the ONT does not have a default gateway and does not know how to access anything beyond its own subnet.
   
12. If you think you can control what enters your network with a firewall, notice there are two basic ways:
  a. you can control specific domains via pre-manufactured DNS-based black- or whitelisting or
  b. you can inspect traffic by intercepting it with a web proxy (this would also allow a centralised virus scanner)
Now forget b. Why? Because for the most part, web traffic is encrypted these days. In order to inspect it, you will have to de- and then re-encrypt it. Since the re-encryption is done by your firewall, its "faked" TLS certificates must then be trusted by the client devices, which is difficult to do on PCs and mostly infeasible on many smartphones and IoT devices. Such "man-in-the-middle-attacks" are deliberately made hard for good reasons. Thus, you would at least have to use TLS "no bump" for banking sites and also, for many Microsoft URLs.

13. I do not believe in IPSs like Zenarmor or Suricata, but YMMV. At least do not use Suricata on WAN, unless you are willing to sacrifice IPv6 connectivity. This is a fine example for always having a tradeoff between (perceived) security and usability.

14. Install OpnSense with ZFS, not UFS. You will get a "snapshot" feature that enables you to roll back system upgrades iff you use it before you update. Also, it is more robust against hard resets. If your storage space is small, keep in mind that the default swap size is 8 GBytes - you may need to lower that value during installation to have enough logging space.

15. If something really strange happens, like you cannot log in, try things that should be obvious, but aren't:
  - verify that the system time and date is correct.
  - verify that the file system is not out of disk space (you may have set verbose logs that filled it all up). You can also have logging on a RAM disk if you do not need permanent logs. In that case, a reboot will clear the logs.

16. Whenever you have a question, please, use the forum search. It is highly likely your question has been asked (and answered) many times before. If you still have questions, do not add to or revive another thread if it does not handle your specific problem, but create your own thread with as much information pertaining to the problem, such as:
- OpnSense version
- network topology
- IP ranges
- rules or settings that you use
- hardware
If your problem was solved, mark the thread by prepending [SOLVED] in its title. If someone has really helped you, thank him by pressing the [applaud] button under his name on the left.

17. You found that the dashboard temperatures are higher than those reported by "sysctl dev.cpu | fgrep temperature"? Congratulations - but please, do not ask about it or tell us before having consulted one of these threads:

https://forum.opnsense.org/index.php?topic=44373.0
https://forum.opnsense.org/index.php?topic=42575
https://forum.opnsense.org/index.php?topic=36234
https://forum.opnsense.org/index.php?topic=34395
https://forum.opnsense.org/index.php?topic=41759.0
https://forum.opnsense.org/index.php?topic=30293

These turn up in the first 30 search results if you just use "temperature" as keyword. A fine example of what can be achieved by using the search, isn't it?

This list will likely be expanded in the future...
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
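Points 1 and 2 above boil down to two checks that are easy to get wrong by hand. The following script is an added example (my own, not code from this post or from OPNsense): it verifies that interface subnets are disjoint and answers, for a pair of hosts, whether their traffic ever reaches the firewall's rule set at all. Interface names and addresses are constructed sample data; the 192.168.23.x pair is the one from point 1.

```python
"""Subnet sanity check for a multi-interface router such as OPNsense.

Added example, not taken from the forum post or from OPNsense itself.
It demonstrates the two facts behind points 1 and 2 of the list above:
  * interface subnets must be disjoint, and
  * a packet only reaches the firewall (and therefore its rules) when
    source and destination sit in different interface subnets.
All interface names and addresses below are constructed sample data.
"""
import ipaddress
from itertools import combinations

# Constructed sample configuration: interface name -> assigned subnet.
INTERFACES = {
    "LAN":   ipaddress.ip_network("192.168.23.0/24"),
    "GUEST": ipaddress.ip_network("192.168.24.0/24"),
    "IOT":   ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed broken configuration: the LAN /16 swallows the VLAN /24.
OVERLAPPING = {
    "LAN":    ipaddress.ip_network("192.168.0.0/16"),
    "VLAN10": ipaddress.ip_network("192.168.10.0/24"),
}


def overlapping_interfaces(ifaces):
    """Return every pair of interface names whose subnets overlap.

    Any pair here means the router cannot tell which interface a
    destination belongs to, so routing and rules for those networks
    will not behave as expected.
    """
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(ifaces.items(), 2)
        if net_a.overlaps(net_b)
    ]


def interface_for(host, ifaces):
    """Name of the interface whose subnet contains host, or None if the
    address is not local (it would leave via the default route)."""
    addr = ipaddress.ip_address(host)
    for name, net in ifaces.items():
        if addr in net:
            return name
    return None


def traffic_crosses_firewall(src, dst, ifaces):
    """True when a packet from src to dst is routed by the firewall.

    Same-subnet traffic is delivered host-to-host through the switch;
    the router never sees it, which is why a rule "block 192.168.23.10
    -> 192.168.23.17" can never match. Traffic to another local subnet
    or to a non-local address goes to the router and is filtered there.
    """
    src_if = interface_for(src, ifaces)
    if src_if is None:
        raise ValueError(f"{src} is not on any local interface")
    dst_if = interface_for(dst, ifaces)
    return dst_if != src_if   # None (non-local destination) also crosses


if __name__ == "__main__":
    print("overlaps in sample config:", overlapping_interfaces(INTERFACES))
    print("overlaps in broken config:", overlapping_interfaces(OVERLAPPING))
    for src, dst in [("192.168.23.10", "192.168.23.17"),
                     ("192.168.23.10", "192.168.24.5"),
                     ("192.168.23.10", "8.8.8.8")]:
        crosses = traffic_crosses_firewall(src, dst, INTERFACES)
        verdict = "filtered by firewall" if crosses else "never reaches firewall"
        print(f"{src} -> {dst}: {verdict}")
```

Run it as-is and the first host pair is reported as never reaching the firewall, while the cross-subnet and internet-bound pairs do. Feed it your own interface list before you write a rule and you will know in advance whether that rule can ever see the traffic.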

Halo Meyergru,
Danke for this post, amusing and unfortunately dead right
As I suggested before (and I'm certainly not the only one) a forum section "newbie" would be great
With pinned posts like this one, and links to the documentation and videos (or let the newb' post these links)
I can do the translation into French ..

With an FAQ&A ranging from:
- Did you plug your box into the power outlet?
- Do you have direct access to your box in case you need to hard-reset or change your interface IP (option 2)?
- Did you make sure
- You have your LAN1 connecting fine, but not your LAN2? Did you copy the LAN1 FW rules to LAN2? Yes? Then did you set the DHCP server for LAN2 as well?

You know ... we, newbies, are going to keep coming anyway (despite the warning) and yes, unpacking and plugging and tweaking even before knowing what NAT or DHCP is
So in a way to avoid having us kiddos overloading the "grownup" section, we could use a dedicated sandbox :-p where we could help each other while learning, and maybe from time to time having one of you coming over to give a hand?

I'm sure I'm not the only one to feel bad having to ask questions in the "grownup" section while I'm convinced it must be something obvious .. on the other hand, as I'm sure it's something obvious, I'm convinced it will be an easy answer from you guys

Anyway, food for thoughts ..
Cheers,
MSSG
Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p

September 23, 2024, 07:45:01 PM #2 Last Edit: September 23, 2024, 07:49:35 PM by meyergru
You should not feel bad for asking questions at all. I just wanted to have a reference for often-asked questions so I do not have to type so much. Now I can refer newbies to this thread, with "see point N". And if someone stumbles over this in the Tutorials and FAQs section, he (or she) may find the answer already even without asking.

It is only that I feel 95% of questions have been answered before (with ~80% of them covering network basics that someone who wants to use OpnSense, should already have, anyway).

Or in other words: "Use the search, Luke!"

P.S.: As for the necessity of a "newbie" section: Most of us seasoned forum users can count - we use the force to look at the post count and (sometimes wrongly) conclude the experience based on that number.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Oh! Right, I see ... sorry, I misinterpreted the msg
Well, as a newbie myself, I have to say the search engine is quite daunting, so a direct ref to the Q&A would be much appreciated

I mean it's not obvious when first coming to this forum that this section, "Tutorial" is (or should be seen as) the entry point

I've posted my first few questions in the "24.7 production" and lucky me got answers, but I "knew/felt" it was not the right section for such basic questions.
That's what I'm thinking when suggesting a "Newbie" section, something more obvious for us to go visit first and post/search our first questions
Such a section could as well allow newbies to get together and some less new would be able to help the newer ones, which is a great way to learn BTW

As for the post count, a simple question with a lot of B&F could easily rise up to 15, 20 while still being a very beginner, and you could have a well seasoned user who has a very specific question answered with 2 posts, so unless one grows up to hundreds+ posts, it is not a good segregation indicator

My point is just a first-hand view of a first time user, and I think this community is great, but the newb are easily lost in the huge quantity of options and "it depends" :/
Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p

September 23, 2024, 08:39:47 PM #4 Last Edit: September 23, 2024, 08:48:50 PM by MarieSophieSG
As for the router-behind-router scenario, I'm sure I'm not the only one here with a definite plan to get my current router to be plugged behind the OPNs box (which will be my WiFi only router, as all RJ45 connections will be directly on the OPNs box with switches)

For now, I'm just planning on plugging it in and leaving it as-is, meaning
RS39 OPNsense box => LAN2 192.168.102.101/31 DHCP 192.168.102.102
Cisco WiFi router get its IP from DHCP => 192.168.102.102
Cisco WiFi router DHCP 192.168.222.111 - 192.168.222.122

At some point I will most likely try to have access to/from some of these IPs from the other networks (LAN1 and LAN3) but I'm not there yet

For those who hesitate with CIDR:
In my LAN2, I used /31 for I need only one IP for my sub-router (Cisco WiFi)
If you are unsure, just use the most common /24 (254 IPs available)
https://www.freecodecamp.org/news/subnet-cheat-sheet-24-subnet-mask-30-26-27-29-and-other-ip-address-cidr-network-references/

But don't forget, once you've given the CIDR (the quantity of IPs you want available), to set up the DHCP to *actually* attribute IPs to the network, otherwise your IPs will remain "available" but not usable, and your devices plugged into this network will not get any.
Hunsn RS39 (N5105, 4x i225) 24.7.5_0 testing
LAN1 = swtch1 Laptop1 MX23, NAS, Laptop2 Win10
LAN2 = WiFi router AP, Laptop2, tablet, phone, printer, IoT, etc.
LAN3 = Swtch2 Laptop3 Suse; Laptop4 Qube-OS/Win10, printer
Pretending to be tech Savvy with a HomeLab :-p
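For those who hesitate with CIDR, here is an added example (mine, not code from the post above or from OPNsense) that shows what a prefix length actually gives you in IPv4, including the /31 and /32 special cases, and checks that a DHCP pool really falls inside the interface subnet and does not hand out the router's own address. All addresses in it are constructed sample values.

```python
"""CIDR and DHCP-pool helper for a home-router interface.

Added example, not taken from the forum post or from OPNsense. It shows
what a prefix length actually buys you in IPv4 (including the /31 and
/32 special cases) and checks that a DHCP pool fits inside the interface
subnet without handing out the router's own address. All addresses
below are constructed sample values.
"""
import ipaddress


def usable_hosts(prefixlen):
    """Addresses available to hosts in an IPv4 prefix of this length.

    /24 -> 254 (network and broadcast addresses are reserved)
    /30 -> 2
    /31 -> 2 (RFC 3021 point-to-point link: no network/broadcast address)
    /32 -> 1 (a single host)
    """
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    if prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def check_dhcp_pool(interface_cidr, pool_start, pool_end):
    """Validate a DHCP range against the router's interface address.

    interface_cidr is the address the router itself carries on the
    interface, e.g. "192.168.222.1/24". Returns a list of problems; an
    empty list means the pool can actually be handed out to clients.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start not in net:
        problems.append(f"pool start {start} is outside {net}")
    if end not in net:
        problems.append(f"pool end {end} is outside {net}")
    if start <= iface.ip <= end:
        problems.append(f"pool includes the router's own address {iface.ip}")
    if net.prefixlen < 31:
        # Only prefixes shorter than /31 reserve network and broadcast.
        if start == net.network_address:
            problems.append(f"pool starts at the network address {start}")
        if end == net.broadcast_address:
            problems.append(f"pool ends at the broadcast address {end}")
    return problems


if __name__ == "__main__":
    for p in (24, 25, 26, 27, 28, 29, 30, 31, 32):
        print(f"/{p}: {usable_hosts(p)} usable host address(es)")
    # A /24 with a sane pool: nothing to report.
    print(check_dhcp_pool("192.168.222.1/24", "192.168.222.111", "192.168.222.122"))
    # A /31 used for a single downstream router: the pool is the only other address.
    print(check_dhcp_pool("192.168.102.100/31", "192.168.102.101", "192.168.102.101"))
    # A /31 whose pool lies outside the two addresses the prefix contains.
    print(check_dhcp_pool("10.0.0.1/31", "10.0.0.2", "10.0.0.2"))
```

The /31 case is the one to watch: the prefix holds exactly two addresses, the router takes one, and the DHCP pool has to be the other one, inside that same pair. Running the script with your own interface address and pool boundaries tells you before you plug anything in whether clients can get a lease at all.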