Welcome to the Home Network Guy forum!

Messages - ejayb9

#1
Troubleshooting / Purpose of VLANs in OPNSense
September 09, 2021, 03:51:19 PM
What's the purpose of the VLANs in OPNSense? I'm trying to figure out under which circumstances a VLAN is required, and also under which circumstances it is plainly useful, or whether it just complicates a configuration.

The only thing I can come up with is that if it is an unmanaged switch, then a VLAN would be needed. I'm using a 4-port Protectli, and each port (WAN, LAN, OPT1, OPT2) can be configured to an interface (em1, em2, etc.), so I don't see the reason to add a VLAN on top of that.

But I do notice that machines on OPT1 can talk with machines on OPT2, even though they are in different IP ranges. For example, if OPT1 is 192.168.2.100-125 and OPT2 is 192.168.3.100-125, they can ping/telnet whatever to each other unless I put in a block rule for each interface. I'm not sure if a VLAN would stop that from happening; I haven't had much luck configuring VLANs on a Protectli.

Thoughts? Should VLANs be used always, or for specific situations, or only when absolutely necessary?
#2
Thanks! I'll give this a try.
#3
I went through the cheat sheet, and I don't usually have trouble understanding how to set up rules, but for some reason I'm struggling with creating HTTP and HTTPS pass rules.

I'm using the 4-port Protectli and have configured 2 networks, let's call them NA and NB, on separate ports (OPT1 and OPT2). No VLANs (I actually have another question about that, which I'll post in a new thread). I want to block all traffic out on NA so that it cannot access NB, but I do want NA to be able to access HTTP and HTTPS on the WAN. There are 2 machines on NA, and I have aliases for both of them.

Pass rule NA HTTP -> WAN network
Pass rule NA HTTPS -> WAN network
Block rule NA * * * (anything else)

It's not working. Does anyone know what I might be doing wrong?
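An added illustration of how OPNsense evaluates the rule set above (not code from the post or from OPNsense): interface rules are matched top-down and the first matching "quick" rule decides, with an implicit default deny for anything unmatched. The subnets, the WAN-side network that the "WAN net" alias expands to, and the OPT1 gateway address 192.168.2.1 are constructed assumptions, and protocol (TCP/UDP) is ignored for brevity.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed addressing (assumptions, not from the post): NA = OPT1, NB = OPT2.
NA_NET = ip_network("192.168.2.0/24")
NB_NET = ip_network("192.168.3.0/24")
# "WAN net" in OPNsense is the WAN interface's own subnet (the ISP-facing
# link), not "the Internet". Assumed value for illustration.
WAN_NET = ip_network("203.0.113.0/24")
OPT1_ADDR = ip_network("192.168.2.1/32")   # assumed firewall address on OPT1
ANY = ip_network("0.0.0.0/0")


@dataclass
class Rule:
    action: str           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow, or the
    implicit default deny when no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "block (default deny)"


# Rule set as posted: the pass rules only match the WAN-side subnet, so a
# web request to an arbitrary Internet host falls through to the block rule.
AS_POSTED = [
    Rule("pass", NA_NET, WAN_NET, 80),
    Rule("pass", NA_NET, WAN_NET, 443),
    Rule("block", NA_NET, ANY, None),
]

# Corrected ordering: explicitly block NA -> NB first, allow DNS to the
# firewall itself, then pass web ports to any destination. Everything else
# is still dropped by the default deny.
CORRECTED = [
    Rule("block", NA_NET, NB_NET, None),
    Rule("pass", NA_NET, OPT1_ADDR, 53),
    Rule("pass", NA_NET, ANY, 80),
    Rule("pass", NA_NET, ANY, 443),
]
```

The DNS rule is included because the corrected rule set would otherwise allow web ports but no name resolution, which looks like "not working" in a browser.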
#4
Troubleshooting / Re: Opnsense content filtering
September 05, 2021, 12:12:23 AM
I wanted to reply to this in case anyone else tries to go down the route of content filtering and using a transparent proxy. It's basically useless. The reason, which I had to learn along the way, is that HTTPS cannot be decrypted in order for the content to be filtered. I even tried to create a DNS-based trust certificate on AWS and Let's Encrypt, but the certs are not updated fast enough to handle requests. So, I went with Sensei. As much as I hate to have to pay for a service, it at least makes things a bit easier to manage and configure. So, in that sense (pun intended), it's worth it.
#5
Troubleshooting / Re: Opnsense content filtering
May 28, 2021, 12:09:12 PM
Thanks for the reply.
Yes, I used a combination of the Opnsense documentation with 2 YouTube videos:
https://www.youtube.com/watch?v=EWGt6mWhN_o
https://www.youtube.com/watch?v=PmmzsKuEdCw

The first is for pfSense, but combined with the other 2 sources it helps to fill in the blanks.

Wish there was more documentation and examples.
#6
Troubleshooting / Opnsense content filtering
May 28, 2021, 10:48:04 AM
Hello. I'm struggling to get content filtering working in Opnsense. I'm sure the part I have wrong is the rule order, in the NAT and in the interface rules, but it could be something else.

Setup:
I'm using a 4-port Protectli and just updated Opnsense to 21.1.6.
Created a guest network on OPT2 with 192.168.1.1/24.
No VLAN (I couldn't get this to work, and I couldn't find any tutorial on why it is even needed).
DHCP service for OPT2 is enabled.

Steps followed:
Added http://www.shallalist.de/Downloads/shallalist.tar.gz to Remote Access Lists; downloaded and applied.
Cleared the authentication method and local group (within the Forward Proxy sub-menu).
Checked the box to enable HTTP (Forward Proxy sub-menu). Turned on "full help" and then used the "add new firewall rule" link to add the NAT rule.
Selected "add associated filter rule" at the bottom of the new NAT rule and also enabled the rule.
Repeated for HTTPS.
Added HTTP and HTTPS block rules in OPT2.
Checked the box to enable the proxy in Web Proxy -> Administration -> General Proxy Settings.
Done.

Current rule order for OPT2 is: 1) HTTP redirect to proxy rule, 2) HTTPS redirect to proxy rule, 3) HTTP block rule, 4) HTTPS block rule.
No other rules inside OPT2.

It's just not working. Could use any help/advice. Thank you!