
Messages - Home Network Guy

Pages: [1] 2
Topic Suggestions / Re: OpnSense Howto Updates?
« on: June 11, 2021, 04:23:01 PM »
Thanks for the suggestion! The default direction is "in" for firewall rules and is what most users will want to use because it processes more efficiently, and it is likely easier to think about how to write the rules. When I specify settings for the rules, I usually leave out the values that should be left at the default (so I don't have to list 50 data elements and their values). However, I could make mention that you should usually leave that at the default.

I have been slowly working through my old guides and updating them. I've updated the following guides in the last few months: firewall rule cheat sheet, the Sensei Free vs. Home Edition comparison, how to configure WireGuard, and redirecting local DNS requests. Next on my list to update is the intrusion detection how-to since I know it's out of date. I'm trying to mix in new content in between updating the old content.

How-to Discussions / Re: VLAN DHCP In OPNSense?
« on: June 01, 2021, 07:30:52 PM »
It looks like from the screenshot that you didn’t create the same VLANs on your network switch. The VLAN IDs you defined in OPNsense need to match the VLAN IDs on your switch. You need to make sure you have the proper ports selected as tagged and untagged ports for each VLAN you create. It’s not a bad idea to configure your OPNsense/network switch from the default VLAN so you don’t lose access to the web interfaces.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 12:38:16 PM »
Yeah, the documentation is lacking for several things. That is one thing that inspired me to create my site. Not just for OPNsense but for other more advanced home networking topics.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 11:15:11 AM »
I just took a quick look and that is one of the lists on the Web Proxy help page on OPNsense, so that means it is in the right format. I apologize since I haven't looked into implementing the Web Proxy in my network, so I don't have much experience with it. I would like to explore using it at some point, but I thought for my purposes it may be helpful for transparently caching commonly downloaded files, so if more than one device on my network needs the same files to download, it will be quicker to hit the local cache.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 11:10:26 AM »
It sounds like you are trying to use the Web Proxy for a blocklist. I haven't tried using the Web Proxy for this purpose. I have created a few block lists but created a firewall alias which updates periodically and use a floating rule to block that list for all of my internal networks. The blocklist I use for this is a simple text file with IP addresses -- one on each line. (One list is the Spamhaus block list: https://www.spamhaus.org/drop/drop.txt)

When looking at that list you linked to, it is in a specific format that may only work for Squid and other types of firewall plugins/features that recognize that format. I don't know if the Web Proxy supports blocklists in that format.
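The post above describes feeding a plain text list of addresses (one per line) into a firewall alias. As an added example, not code from the forum or from OPNsense, here is a small Python validator for that workflow: it assumes the feed uses the "CIDR ; comment" line style, strips comments, rejects lines that will not parse, and also refuses entries that would be dangerous to load into a block alias (a catch-all /0, or private/loopback ranges that would match your own LAN). The sample feed, the rejection rules, and the function names are all constructed for this example.

```python
import ipaddress

# Constructed sample feed (not real data) in the "CIDR ; comment" style.
# The private, catch-all and garbage lines are included on purpose to show
# what the validator rejects before anything reaches the firewall.
SAMPLE_FEED = """\
; Sample DROP-style list (constructed for this example)
; Expires: never
1.10.16.0/20 ; SBL-EXAMPLE-1
1.10.16.0/24 ; duplicate inside the /20 above
5.42.92.0/24 ; SBL-EXAMPLE-2
10.0.0.0/8 ; would block the whole private LAN if loaded
0.0.0.0/0 ; would blackhole everything
not-an-address ; garbage line
"""


def parse_drop_feed(text):
    """Return (networks, rejected) from DROP-style text.

    networks: list of ip_network objects that are safe to block
    rejected: list of (line number, raw line, reason) for everything else
    """
    networks = []
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Everything after ';' is a comment in this style; blank lines are skipped.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. "1.2.3.4" becomes 1.2.3.4/32
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw, "unparseable"))
            continue
        if net.prefixlen == 0:
            # A /0 in a block alias would drop all traffic matching the rule.
            rejected.append((lineno, raw, "catch-all prefix"))
            continue
        if net.is_private or net.is_loopback or net.is_link_local:
            # An external feed should never tell the firewall to block your own networks.
            rejected.append((lineno, raw, "private/local range"))
            continue
        networks.append(net)
    return networks, rejected


def to_alias_lines(networks):
    """Collapse overlapping prefixes and emit one CIDR per line, IPv4 then IPv6."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    collapsed = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in collapsed]


if __name__ == "__main__":
    nets, bad = parse_drop_feed(SAMPLE_FEED)
    for lineno, raw, reason in bad:
        print(f"rejected line {lineno} ({reason}): {raw}")
    print("alias contents:")
    for line in to_alias_lines(nets):
        print(line)
```

Running the script against the constructed feed keeps the two public prefixes (the duplicate /24 is folded into its /20) and reports the private, catch-all, and unparseable lines, which is the kind of check worth running on any feed before a floating block rule consumes it.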

I just learned something today about NAT port forwarding. I had incorrectly assumed the settings under Firewall > Settings > Advanced would cause the corresponding WAN rule to be created. However, it gets created when you select "Add associated filter rule" option at the bottom of the NAT port forward rule. However, if you only have one WAN, you can also select "Pass". If you select "Pass", the corresponding WAN rule will not be displayed but the NAT port forward should still work properly.

Security/Advisories / ParkMobile Breach
« on: May 26, 2021, 10:58:24 AM »
I received the following email from ParkMobile about a breach that occurred in March 2021. You may want to change your password since they did not automatically reset passwords for all their users since they stated the passwords were hashed/salted and the encryption keys were not compromised. Better to be safe than sorry!

That’s odd that no WAN rules were automatically generated. Did you have those 2 advanced firewall settings enabled before creating the rule? The NAT rule and WAN rule you created look good at a glance. You can’t see all the details of each rule on the main rule list pages, so I'm not sure if some other odd/incorrect settings are set.

Port forwarding should be pretty simple in general. I have some servers in the DMZ with port forwarding and that works well, and the rules are auto generated on the WAN. You can tell which rules are auto generated from the NAT rule because you can’t edit those WAN generated rules. You can only remove them.

I’m trying to think of what’s wrong. There are lots of knobs and buttons you can turn and push in OPNsense, and if you push the wrong ones then you can get into trouble. You said you started from a clean configuration with minor changes, so that may not be the issue. I may try to think about this more tomorrow. I was away from home today, so I was answering in between doing other things with the family.

Use WAN address rather than WAN net. I forgot to specify earlier. Also do you see a corresponding WAN rule created for those 2 rules? You should have 2 rules created automatically on the WAN interface if you have those options enabled that I mentioned earlier.

I think I see the problem. You need to select WAN as your destination since you are port forwarding the WAN address to access your servers remotely. Then for the redirect address you would pick your internal server IPs.

What do your NAT port forward rules look like? By default OPNsense doesn’t create the corresponding WAN rule, so you will need to either manually add the WAN rule or change the default setting on the “Firewall > Settings > Advanced” page. Enable both “Reflection for port forwards” and “Automatic outbound NAT for Reflection”. That should enable behavior similar to consumer-based routers and some other routers.

How-to Discussions / Re: VLAN DHCP In OPNSense?
« on: May 06, 2021, 02:00:36 PM »
Is your computer that you are logging into OPNsense from on the same default LAN network? By default OPNsense runs on When working with VLANs, the default untagged VLAN ID is usually 1. So that means all ports on your switch that do not have any VLANs set will be on that default untagged VLAN 1. Make sure the computer you are connecting to OPNsense from is on an untagged port.

Also, you will need to make sure that the port on the switch that the OPNsense box is connected to is set up to allow all VLAN tags to pass through. Different network device manufacturers use different terms. Some call them trunk ports. The port the router is plugged into needs to be configured to allow all VLAN and untagged traffic if you are using the default VLAN 1 as the management VLAN. I think it's easiest to use the default VLAN.

I know some people prefer to change the management network to a different VLAN since it's easy to make the mistake of plugging a device into an untagged port and having access to the network management network. If you set all of your other ports to be in different VLANs (or maybe another default unused VLAN ID), then you would not have to worry about that issue as much.

How-to Discussions / Re: VLAN DHCP In OPNSense?
« on: April 08, 2021, 07:45:40 AM »
Yes, that should be adequate to give you basic VLAN support. Unmanaged switches will often pass along VLAN tags, but you can't configure any of the ports to participate in VLANs, which is why you need a smart/managed switch. Once you have the switch, you will set up the same VLAN IDs on both the switch and OPNsense (or whatever router software you are using).

How-to Discussions / Re: VLAN DHCP In OPNSense?
« on: March 31, 2021, 09:18:31 AM »
Are all of your switches VLAN aware? Also, when you daisy chain your switches, you will need to make sure that the ports connecting each switch are configured as a "trunk" so that it will pass all of the VLAN IDs between the switches. The terminology for VLAN "trunks" can vary between vendors, but the concept is the same. You need to make sure the VLAN tags can propagate between all of the switches. That is my first thought on why you are not getting any DHCP addresses assigned if you are following the guide, without knowing any other information about your configuration.
