What I think is a simple question, but I can't get a simple answer to

Started by coffeecup25, July 06, 2025, 12:43:17 AM

Plus a product's success and popularity also comes from word of mouth. Those random "new people" can help push a product forward. The last thing a product wants is a decent product with a bad community. It promotes less engagement.

The point is that your question isn't simple but depends on a whole lot of parameters specific to your installation and to yours only. And when professionals who are aware of that fact point it out, you act all aggressive.

Difficult to help in that case, but you do you.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on July 06, 2025, 11:18:40 PM
The point is that your question isn't simple but depends on a whole lot of parameters specific to your installation and to yours only. And when professionals who are aware of that fact point it out, you act all aggressive.

Difficult to help in that case, but you do you.

The original question was to use an open port on my router / pc as an extra subnet that's isolated from the main LAN but has internet access.

That's as concise as it gets. One nice person gave me some good pointers to complete it.

You would need to imagine a lot to make it confusing.  I was not trying to victimize you. Please do not start looking for inconsistencies to what I just wrote compared to what I wrote earlier. That's generally the next step you people take. When you 'find' an inconsistency it validates your victimhood.

Assuming your existing interface is "LAN" and the new one is "IOT", create

- the IOT interface with an IP subnet different from that on LAN
- the DHCP configuration for that subnet - copy from LAN and adjust the address range
- create a single rule on IOT:

-- source: IOT net
-- destination: LAN net
-- destination invert: check
-- action: allow

That's all. But ...

That only works for a single pair of interfaces. As soon as you have three or more that you want to isolate from each other, that's where the "RFC1918" alias concept comes into play.

Which requires separate additional allow rules for DNS and possibly NTP etc. to the local firewall interface.

But ...

Not all situations have RFC 1918 ("private") networks for internal interfaces. Most of my firewalls actually don't. So you need another different approach - again. I use aliases named "local somethingsomething", one for IPv4 and one for IPv6. Yes, IPv6 exists and people use it in production.


That is why it depends and there is no simple one size fits all answer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
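To make the rule logic in the post above concrete, here is an added example of my own; it is not OPNsense code and not something Patrick posted. It models OPNsense's first-match ("quick") evaluation with an implicit default deny, the "destination invert" checkbox, and an "RFC1918" alias, over constructed sample flows. It shows why the single inverted rule is enough for one pair of interfaces, why a third network (GUEST) slips through that rule, and how the alias-based variant with explicit DNS/NTP allow rules to the firewall's own IOT address closes the gap while still blocking, say, the web GUI port. The subnets, the firewall address 192.168.50.1 and the port set {53, 123} are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample topology; these subnets are assumptions, not from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
GUEST_NET = ipaddress.ip_network("192.168.60.0/24")
FW_IOT_ADDR = ipaddress.ip_network("192.168.50.1/32")   # firewall's own address on IOT (assumed)

# The "RFC1918" alias: all private IPv4 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: list                        # list of ip_network objects
    dst: list                        # list of ip_network objects
    dst_invert: bool = False         # the "destination / invert" checkbox
    ports: Optional[set] = None      # None means any destination port

    def matches(self, src_ip, dst_ip, port) -> bool:
        if not any(src_ip in n for n in self.src):
            return False
        dst_hit = any(dst_ip in n for n in self.dst)
        # Inverted rule matches only when the destination is NOT in the list.
        if dst_hit == self.dst_invert:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


def evaluate(rules, src, dst, port=None) -> str:
    """First matching rule wins (OPNsense rules are 'quick' by default).
    No match at all means the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r.action
    return "block"


def pair_rules():
    """The one-rule recipe for exactly two interfaces:
    on IOT, allow IOT net -> anything except LAN net.
    The firewall's IOT-side address is not in LAN net, so DNS to Unbound still works."""
    return [Rule("pass", [IOT_NET], [LAN_NET], dst_invert=True)]


def rfc1918_rules():
    """The alias variant for three or more internal networks:
    allow DNS/NTP to the firewall's own IOT address, block all private
    space, then allow everything else (i.e. the internet)."""
    return [
        Rule("pass", [IOT_NET], [FW_IOT_ADDR], ports={53, 123}),
        Rule("block", [IOT_NET], RFC1918),
        Rule("pass", [IOT_NET], ANY),
    ]


if __name__ == "__main__":
    # Constructed flows: an IOT host talking to LAN, GUEST, the firewall and a public address.
    flows = [("192.168.1.10", None), ("192.168.60.5", None),
             ("192.168.50.1", 53), ("192.168.50.1", 80), ("203.0.113.10", 443)]
    for dst, port in flows:
        print(f"IOT -> {dst}:{port}  pair={evaluate(pair_rules(), '192.168.50.20', dst, port)}"
              f"  rfc1918={evaluate(rfc1918_rules(), '192.168.50.20', dst, port)}")
```

Running it prints both decisions side by side for each flow; the GUEST line is the one that shows the pair rule passing traffic the alias variant blocks, and the port 80 line shows that the alias variant only opens the firewall's IOT address for the listed services.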

I'll try to explain step by step from beginning to end some stuff you might know or have already done, so excuse. First engage your switch and device. Make sure you set a trunk port that's tagged. The rest untagged. Depending on the switch, an ID or tag number might be needed to communicate. Make sure you set the VLAN priority to zero for now; if blank then typically it's handled by OPNsense.
As that's your own device, sadly you're gonna need to get support from them.

OPNsense side.

Go to Interfaces -> Devices -> VLAN
Here you choose the LAN port you want to use. The tag number needed above and the VLAN priority are set here. Save and apply.

Go to Interfaces -> Assignments; you're going to see your VLAN name in the dropdown at the bottom of the page. In this list hit Add.

Under Interfaces go to the name of the VLAN interface and set a static IP separate from your LAN. Like instead of 192.168.a.a you use 192.168.b.b (letters symbolise different numbers), or use 10.x.x.x addresses. Hit Enable, Save, then Apply.

Go to Services -> DHCP and just set your range; scroll down and you will see it.
Gateway you can leave blank or put the static IP you set up in the interface. Hit Apply.

Next it's separating VLANs. They are typically separated by default.
But you want to just set a block rule, a generic block rule, in case.

Go to Aliases and hit the plus icon to add. Make sure you switch it from Host to Network and put the created VLAN IP address.

Go to your home network (not VLAN) rules in Firewall -> Rules.

And create a generic in and out block rule where source is your home network IP or blank and destination is your VLAN alias, and for safekeeping you might want to reverse the order where source is the VLAN, to block to and from traffic. If you have multiple VLANs it's recommended you do this in their specific rules and aliases as well to separate them. Keep these rules on top as order matters.

Go to the rules section of your VLAN and hit new rule.
Allow, direction in, source blank or VLAN subnet, destination blank, or specific sites if you have them, but that involves complex rule crafting that most users don't need.

As Unbound DNS is by default on all interfaces, you don't need to do much there.

I hope this is remotely helpful. If I missed any specifics or I missed a step, please let me know. I'm currently dealing with a complex issue but this is basic so I should be able to help.

Quote from: opnsenseuser8473 on July 07, 2025, 12:00:15 AM
I'll try to explain step by step from beginning to end some stuff you might know or have already done, so excuse. First engage your switch and device. Make sure you set a trunk port that's tagged. The rest untagged. Depending on the switch, an ID or tag number might be needed to communicate. Make sure you set the VLAN priority to zero for now; if blank then typically it's handled by OPNsense.
As that's your own device, sadly you're gonna need to get support from them.

OPNsense side.

Go to Interfaces -> Devices -> VLAN
Here you choose the LAN port you want to use. The tag number needed above and the VLAN priority are set here. Save and apply.

Go to Interfaces -> Assignments; you're going to see your VLAN name in the dropdown at the bottom of the page. In this list hit Add.

Under Interfaces go to the name of the VLAN interface and set a static IP separate from your LAN. Like instead of 192.168.a.a you use 192.168.b.b (letters symbolise different numbers), or use 10.x.x.x addresses. Hit Enable, Save, then Apply.

Go to Services -> DHCP and just set your range; scroll down and you will see it.
Gateway you can leave blank or put the static IP you set up in the interface. Hit Apply.

Next it's separating VLANs. They are typically separated by default.
But you want to just set a block rule, a generic block rule, in case.

Go to Aliases and hit the plus icon to add. Make sure you switch it from Host to Network and put the created VLAN IP address.

Go to your home network (not VLAN) rules in Firewall -> Rules.

And create a generic in and out block rule where source is your home network IP or blank and destination is your VLAN alias, and for safekeeping you might want to reverse the order where source is the VLAN, to block to and from traffic. If you have multiple VLANs it's recommended you do this in their specific rules and aliases to separate them. Keep these rules on top as order matters.

Go to the rules section of your VLAN and hit new rule.
Allow, direction in, source blank or LAN subnet, destination blank, or specific sites if you have them, but that involves complex rule crafting that most users don't need.

As Unbound DNS is by default on all interfaces, you don't need to do much there.

I hope this is remotely helpful. If I missed any specifics or I missed a step, please let me know. I'm currently dealing with a complex issue but this is basic so I should be able to help.

As you are asking a basic question, I assume your setup's not as complex yet.

Quote from: Patrick M. Hausen on July 06, 2025, 11:46:44 PM
Assuming your existing interface is "LAN" and the new one is "IOT", create

- the IOT interface with an IP subnet different from that on LAN
- the DHCP configuration for that subnet - copy from LAN and adjust the address range
- create a single rule on IOT:

-- source: IOT net
-- destination: LAN net
-- destination invert: check
-- action: allow

That's all. But ...

That only works for a single pair of interfaces. As soon as you have three or more that you want to isolate from each other, that's where the "RFC1918" alias concept comes into play.

Which requires separate additional allow rules for DNS and possibly NTP etc. to the local firewall interface.

But ...

Not all situations have RFC 1918 ("private") networks for internal interfaces. Most of my firewalls actually don't. So you need another different approach - again. I use aliases named "local somethingsomething", one for IPv4 and one for IPv6. Yes, IPv6 exists and people use it in production.


That is why it depends and there is no simple one size fits all answer.


To be fair to coffee the guy went into an I can't stand these type of people statement.

coffeecup25 went into an absolutely uncalled for "I can't stand this type of people" statement. Correct.

meyergru and myself are among the regulars doing the heavy lifting week after week helping countless users for free. In our spare time.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I understand and appreciate but sometime abrasiveness isn't what's needed. For basic stuff I'll try to help out if I can learn this site.

July 07, 2025, 01:08:23 AM #24 Last Edit: July 07, 2025, 01:10:47 AM by Patrick M. Hausen
Very much appreciated. There's nothing much to learn, actually. Just communicate like you would face to face.

If I was sitting with a customer who would ask "how much is this and that?" I would answer "it depends, can we go through the details that help me to better understand your particular challenge?"

And if I get "can't you just answer a simple straightforward question, you <redacted>?", well, I would probably try to continue that meeting once or twice in a constructive manner, but finally just terminate the customer relationship.

Assuming that "my question is simple so I deserve a simple straightforward answer" assumes that the people supposed to answer and help know your particular situation and requirements - which frequently is incompletely specified. As users seeking help tend to do.

Overreacting when the answer isn't a simple recipe but first a bunch of questions about details is not helpful.

If being a network professional for almost four decades taught me one thing it is that

- there are no simple answers
- every problem is to be considered unique unless shown otherwise

Hey, that's two things 😉

And since I invested way more time into this discussion than I'd like, already, let me phrase it again from another angle.

As a support engineer without direct (UI or SSH) access to your network I try to build a mental model of the situation you have at your place. That's challenging and exhausting, intellectually, and I need as much information as possible and very specifically when I ask a question, I need an answer to that question with just the facts. Not you jumping to conclusions based on your own understanding of the problem. If these were sufficient, you would not need my help, right?

We frequently had e.g. threads where we went through a gazillion of configuration things and after three pages on this forum the OP dropped that their OPNsense was virtualised in a hypervisor. "Why did you not tell upfront?" - "I did not consider it important." - EVERYTHING is important.

That's why meyergru and me reacted the way we did and will probably continue to do so. There's nothing toxic or gatekeeping about that, IMHO. When we ask for the facts, we have a reason. As long as my mental model of your setup is incomplete, I cannot help.

HTH, kind regards,
Patrick, network and support engineer since the late 80s.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

@coffeecup25 Banking on my recently acquired "nice guy" reputation :) firstly I am happy it is now working for you. Having a test bed, even pfsense rather than opnsense, can be useful and is something I do (with opnsense).

I might apologise for omitting the possible need to check DNS settings. My own IoT setup from which I plucked the example I gave includes a rule to redirect DNS to local, Unbound, and I have a floating rule for NTP. I omitted these because I was providing general advice, because I did not know your setup or your full needs.

I am long retired from consulting where an occasional role was managing and solving business-critical problems in IT-related space. Patrick's comment here deserves nailing to a wall.
Quote from: Patrick M. Hausen on July 07, 2025, 01:08:23 AM
I try to build a mental model of the situation you have at your place. That's challenging and exhausting, intellectually, and I need as much information as possible and very specifically when I ask a question, I need an answer to that question with just the facts. Not you jumping to conclusions based on your own understanding of the problem.

I learned opnsense having had only general involvement in networking, learning from Patrick, cookiemonster, meyergru, and others who have not posted in this particular thread as well as from reading, trying, reading again. They have different approaches, some more in tune with my own yet all with obvious expertise.

You have success for your initial question. I have always found that having supporting experts in specific domains is quite useful, worth retaining.
Deciso DEC697

passeri,

I stated my situation clearly, completely, and concisely several times. I never even hinted at hidden parts. I won't repeat it since it wouldn't make a difference. Once you provided the private network bits, the clarity appeared and I could confidently ignore some of the horrid advice the internet offered in favor of people who knew something. Until then, everyone's advice carried equal weight, meaning none were worth listening to. Now I think I know enough to make my own rules for this.

Why is it even still unclear and confusing to everyone here? And everyone today has attitude or is a victim when stood up to or not recognized as The Boss.

Your good guy status came simply from trying to be helpful and courteous while being on point concisely. It seems to be uncommon today.

I was also in consulting long ago, not networking. I was good at it. Many of my peers bluffed their way through by providing answers to questions they knew the answers to, not the question that was asked. These people remind me of them. Everyone should have a hobby, though I don't see what you see in them.

I can't imagine ever asking for advice here again.

Quote from: coffeecup25 on July 07, 2025, 02:35:40 AM
passeri,

I stated my situation clearly, completely, and concisely several times. I never even hinted at hidden parts. I won't repeat it since it wouldn't make a difference. Once you provided the private network bits, the clarity appeared and I could confidently ignore some of the horrid advice the internet offered in favor of people who knew something. Until then, everyone's advice carried equal weight, meaning none were worth listening to. Now I think I know enough to make my own rules for this.

Why is it even still unclear and confusing to everyone here? And everyone today has attitude or is a victim when stood up to or not recognized as The Boss.

Your good guy status came simply from trying to be helpful and courteous while being on point concisely. It seems to be uncommon today.

I was also in consulting long ago, not networking. I was good at it. Many of my peers bluffed their way through by providing answers to questions they knew the answers to, not the question that was asked. These people remind me of them. Everyone should have a hobby, though I don't see what you see in them.

I can't imagine ever asking for advice here again.


To be fair, I assumed you generally asked how to separate VLANs while keeping internet, as that's what it sounded like. If that's not the question then I apologize. As I can only give basic connection steps at the moment that worked for me.

But if it's the issue, it's just about separating the subnet and putting a block rule for those VLAN subnets in the home network interface rules before your allow rule to the internet.

Well. I tried to help from the start (post #3 with you acked on #4), then again tried see post #10 even screenshot (now removed) but you on #11 even started snide comments toward anyone else like me trying to help. After that I've fallen into the "these people" "Other guys" who are "weirdos who hate simple questions" and the target of your displeasure.
Good luck. I'm out.

I have some important listening to songbirds to do.
Deciso DEC697