
Messages - Home Network Guy

Troubleshooting / Re: Selective Routing to External OpenVPN Provider
« on: August 23, 2021, 10:02:18 AM »
I got my selective routing working now with the help of this guide here

best regards

Thanks for providing a link to help resolve the issue especially since I don't have a lot of experience with this yet, but I do want to experiment with connecting to external VPNs to help others get their VPN set up even if I do not plan to use a VPN for my own network.

Troubleshooting / Re: Selective Routing to External OpenVPN Provider
« on: August 05, 2021, 10:58:51 PM »
I personally haven’t set up my OPNsense as a client to an external VPN service such as PIA, but it is certainly on my todo list to write about. There is enough interest in the topic, and I would want to see what I could learn along the way that I could share with others.

That said, I think that you may need to do that 3rd step in the pfSense documentation to add the outbound NAT rule. That is similar to how you need the outbound rule for running your own OpenVPN server so communication can occur between your network and your clients.

You will have to set your interfaces to use the VPN as the gateway so you can have some networks on the VPN and some that are not if you so desire.

I haven’t gone through the entire process yet, but I think that may be the general idea. I hope to dig into it more when I get some time to work on it.

Thanks for posting this on the forum! I am hoping others with more knowledge in areas I haven’t explored deeply will chime in with more information. It is why I established a forum rather than just rely on page comments (since it’s harder to work through issues).

If the amount of feedback continues to grow in the future, it could get to the point where it will be too time consuming to respond to every single question. I get questions via email, Disqus comments, and the occasional forum post.

Proposed Network Designs / Re: Just starting out
« on: July 19, 2021, 09:28:29 PM »
Thanks for sharing your proposed design! Once you can post a diagram that will be helpful in visualizing how the network is laid out.

It sounds like you are planning to connect 3 different switches — one to each port of your modem/router. How are you planning to do that? You mentioned you have cables run, so are you running 3 different cables to 3 different locations with a switch at each location?

While that will work, alternatively you could buy one larger switch (16 or 24 port), connect one cable to the switch from the modem/router and then connect all your devices to that large switch. Of course that requires you to have more cables run to the location of your switch. If you only have a couple of Ethernet drops run and it’s too hard to run more, putting a switch at each location is not necessarily a bad idea for a small, basic home network. Keep in mind that you will be sharing bandwidth if you put a switch at each location and you have multiple devices transmitting/receiving a lot of data.

If you want to separate your IoT or guest devices, you may want to get managed switches. It adds more complexity, but it’s nice to have for improved security. However, you would need a router that supports VLANs. The Internet Service Provider’s modem/router is not likely to support that type of more advanced functionality. It depends on how deep you want to jump in when creating your home network.

Topic Suggestions / Re: OpnSense Howto Updates?
« on: June 11, 2021, 04:23:01 PM »
Thanks for the suggestion! The default direction is "in" for firewall rules and is what most users will want to use because it processes more efficiently and is likely easier to think about how to write the rules. When I specify settings for the rules, I usually leave out the values that should be left at the default (so I don't have to list 50 data elements and their values). However, I could make mention that you should usually leave that at the default.

I have been slowly working through my old guides and updating them. I've updated the following guides in the last few months: firewall rule cheat sheet, the Sensei Free vs. Home Edition comparison, how to configure WireGuard, and redirecting local DNS requests. Next on my list to update is the intrusion detection how-to since I know it's out of date. I'm trying to mix in new content in between updating the old content.

How-to Discussions / Re: VLAN DHCP In OPNSense?
« on: June 01, 2021, 07:30:52 PM »
It looks like from the screenshot that you didn’t create the same VLANs on your network switch. The VLAN IDs you defined in OPNsense need to match the VLAN IDs on your switch. You need to make sure you have the proper ports selected as tagged and untagged ports for each VLAN you create. It’s not a bad idea to configure your OPNsense/network switch from the default VLAN so you don’t lose access to the web interfaces.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 12:38:16 PM »
Yeah the documentation is lacking for several things. That is one thing that inspired me to create my site. Not just for OPNsense but for other more advanced home networking topics.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 11:15:11 AM »
I just took a quick look and that is one of the lists on the Web Proxy help page on OPNsense, so that means it is in the right format. I apologize since I haven't looked into implementing the Web Proxy in my network, so I don't have much experience with it. I would like to explore using it at some point, but I thought for my purposes it may be helpful for transparently caching commonly downloaded files, so if more than one device on my network needs the same files to download, it will be quicker to hit the local cache.

Troubleshooting / Re: Opnsense content filtering
« on: May 28, 2021, 11:10:26 AM »
It sounds like you are trying to use the Web Proxy for a blocklist. I haven't tried using the Web Proxy for this purpose. I have created a few blocklists, but I created a firewall alias which updates periodically and use a floating rule to block that list for all of my internal networks. The blocklist I use for this is a simple text file with IP addresses -- one on each line. (One list is the Spamhaus block list: https://www.spamhaus.org/drop/drop.txt)

When looking at that list you linked to, it is in a specific format that may only work for Squid and other types of firewall plugins/features that recognize that format. I don't know if the Web Proxy supports blocklists in that format.
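As an added example (not from the post or from OPNsense itself), a small Python checker for the "one address per line" blocklist format the firewall alias fetches: it parses plain IPs and CIDR ranges, skips `;` comments like the ones in the Spamhaus DROP file, and tests whether an address falls inside any listed range. The comment-stripping and the sample addresses are my assumptions for illustration, not something the post states.

```python
import ipaddress

# Constructed sample blocklist in the one-entry-per-line style the alias
# expects. Addresses are documentation ranges, not real indicators.
SAMPLE_BLOCKLIST = """\
; constructed sample list for illustration
192.0.2.0/24 ; constructed entry
198.51.100.7
203.0.113.0/25 ; constructed entry

not-an-address
"""


def parse_blocklist(text):
    """Return ip_network objects for each usable line.

    Each line is a bare IP or a CIDR range, optionally followed by a ';'
    comment. Blank, comment-only and malformed lines are skipped so one
    bad entry does not discard the whole list.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # drop trailing comment
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return networks


def is_blocked(ip, networks):
    """True if ip lies inside any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks if net.version == addr.version)


def flag_connections(pairs, networks):
    """Given (src, dst) tuples, return those touching a listed range,
    mirroring a floating block rule that matches either direction."""
    return [(s, d) for s, d in pairs
            if is_blocked(s, networks) or is_blocked(d, networks)]
```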

I just learned something today about NAT port forwarding. I had incorrectly assumed the settings under Firewall > Settings > Advanced would cause the corresponding WAN rule to be created. However, it gets created when you select "Add associated filter rule" option at the bottom of the NAT port forward rule. However, if you only have one WAN, you can also select "Pass". If you select "Pass", the corresponding WAN rule will not be displayed but the NAT port forward should still work properly.

Security/Advisories / ParkMobile Breach
« on: May 26, 2021, 10:58:24 AM »
I received the following email from ParkMobile about a breach that occurred in March 2021. You may want to change your password since they did not automatically reset passwords for all their users since they stated the passwords were hashed/salted and the encryption keys were not compromised. Better to be safe than sorry!

That’s odd no WAN rules were automatically generated. Did you have those 2 advanced firewall settings enabled before creating the rule? The NAT rule and WAN rule you created look good at a glance. You can’t see all the details of each rule on the main rule list pages, so I’m not sure if some other odd/incorrect settings are set.

Port forwarding should be pretty simple in general. I have some servers in the DMZ with port forwarding and that works well, and the rules are auto generated on the WAN. You can tell which rules are auto generated from the NAT rule because you can’t edit those WAN generated rules. You can only remove them.

I’m trying to think of what’s wrong. There are lots of knobs and buttons you can turn and push in OPNsense, and if you push the wrong ones then you can get into trouble. You said you started from a clean configuration with minor changes, so that may not be the issue. I may try to think about this more tomorrow. I was away from home today, so I was answering in between doing other things with the family.

Use WAN address rather than WAN net. I forgot to specify earlier. Also do you see a corresponding WAN rule created for those 2 rules? You should have 2 rules created automatically on the WAN interface if you have those options enabled that I mentioned earlier.

I think I see the problem. You need to select WAN as your destination since you are port forwarding the WAN address to access your servers remotely. Then for the redirect address you would pick your internal server IPs.

What do your NAT port forward rules look like? By default OPNsense doesn’t create the corresponding WAN rule, so you will need to either manually add the WAN rule or change the default setting on the “Firewall > Settings > Advanced” page. Enable both “Reflection for port forwards” and “Automatic outbound NAT for Reflection”. That should enable behavior similar to consumer-based routers and some other routers.
