Welcome to the Home Network Guy forum!

Main Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - JiveTalking

Well, I think I've solved my slow down issue :D it was my VPN which needed some tweaking.

But I still cannot find (internet searching) any tips on how to deal with a error as I have posted here.

- I mean do I remove strongswan-5.9.4, or would this cause other issues?

Can anyone point me to where how to deal with errors is laid out?

I really only trust this forum  :-* but I did search OPNsence forum but didn't find anything....

UPdate: I found out that there is a new strongswan release strongswan-5.9.5-released, but it does not show up for updating in my OPN and I do not know why.  Maybe I need to uninstall it.
Here is the information should anyone else be needing it

I find this:
Currently running OPNsense 21.7.8 (amd64/LibreSSL) at Tue Feb  1 10:01:11 PST 2022
Fetching vuln.xml.bz2: .......... done
strongswan-5.9.4 is vulnerable:
  strongswan - Incorrect Handling of Early EAP-Success Messages

1 problem(s) in 1 installed package(s) found.

So I reinstalled Strongswan, ran the test again, and the error remains - I have no idea what to do now, this will be a recurring theme as this posts goes along.

I also received this:
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
Checking integrity... done (0 conflicting)

This means nothing to me, and again I have no idea what to do.

Any help is greatly appreciated :/

Thank you, I will try pinging.

I have not experimented because I'm working from an old Windows PC (highest comfort level) to set all of this up and log into control management consoles for now.  I know Windows will change my settings on the fly if I ask it to connect to this or that, so I know better not to, but pinging should be safe.

Thank you for all the options and about your aliases article, very cool.
I have done that, disable it from that location, and it's so good to know that outsiders won't be using it's features on my network while I learn - perfect.

Thanks again,
Ethernet Drop, I get it now.  In my situation it will be an Ethernet float, as the direction is up :)

QuoteIf you don't feel comfortable with creating aliases, you could create 2 block rules

I don't yet understand aliases or groups for FW's - the usual - when to use them, how, why, when not to use them.... you know perspective, I have none... yet.  Thank you for the block set up info - That will work until I do gain more understanding.

QuoteRepeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

How does one access another device - I am a total newbie yikes! 

Thanks so much,

I've attached a pic of what I'm seeing... that I don't understand  :-\
I see, lots for me to think about.

So I went looking and you are right - I did have it set for my interfaces/LAN and not WAN, so I changed it :)  Do you have an article where you give steps for setting up Sensei?  I remember reading about your logic on this extra layer, but I didn't know how to do what you were speaking of.

Then I saw in Services: Intrusion Detection: Administration Rules where one was repeatedly showing an Alert, but I remember setting all my rule's Policies to Alert/Drop and just Drop when only one choice was given.  I see where I can click to edit this "alert" and change it to Drop in the Rules tab, but I thought Policies were more of a covers it all better place to make these settings.... So now I'm confused again (1) how come I'm getting alerts and not drops? And how come my policy isn't dropping when a rule is triggered?  And from where do I fix this :) just lost in OPNs again - I think I'll write a country music song about the woes of OPNsense.

In Policy I found a new-to-me Tab - Rule Adjustments - on that tab I see two SID rule adjustments, both showing Alert and only the top one enabled.
So I changed that enabled one to Drop.  My fingers are crossed!
Quote(.0 and .255 are reserved for special use such as network broadcasts).

Oh, this explains why when I was setting the DCHPv4 FW rule for my em2 I got an error :D Thanks for explaining!

QuoteSometimes devices/software will prefer to use the newer IPv6 protocol if it's enabled. You have to keep that in mind when creating firewall rules. If you want to restrict the traffic for both IPv4 and IPv6 network traffic, you need to apply the rules to both protocols.

Hum.... even if I un-enabled IPv6 on OPNs? 
I do not want to eliminate IPv6 I just want to block/stop it for now, while I'm learning.  I know it's the next great thing, but I what to start old-school while I learn about it all.  Newer-ish tech always brings new security issues, and I don't want more to learn about just now.

"register DHCP leases" - Your reply regarding this helped me a lot! 
I printed out the tables under Interfaces: Diagnostics:, and have sussed out all my currently plugged in devices via their IP's and their subnets.   I just have 2 IP's which I'm guessing are IPv4 & IPv6 from my ISP or something similar.  I may, after I pass Firewall rules swamp, actually follow your steps and map them.

Thank you ~

Thanks for the reply Dustin,

QuoteInstead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

This is good to know... whew!  Your reply helped me to realize something - where other's want devices connected and able to share things across their home network, I do not.  This is because my LAN --> switch --> Office has all I want to share :)  Next 2 switches will be used exactly the same, but in different rooms, and that is to watch media, check email and search the web, in a limited more secure fashion.  I want division between these interfaces and my LAN - so both can be their own network or their own switches/interfaces as you say.

What is an Ethernet Drop? - I thought that's what my switches were, at least in my imagination :)

QuoteFor testing purposes, you could mimic that allow all rule in your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be more simple but if you plan to setup VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

I did just this last night - and it looked good, that is to say my laptop which connects to the internet from my office made a wired connection em2.
But wait, I could not reach the internet.... browser never resolved, command line could not find packets, I could not update my system :/

On the surface my em2 interface Firewall rules look the same as my em1/LAN except for -Destination- I was instructed to put LAN net in there to prevent my switch devices from connecting to my LAN devices....  This sound good so I change that one setting different from my LAN's settings.

But the term Destination and then LAN net sounds like my em2 switch is heading to my LAN and not avoiding it.  So I changed the setting to "Any" and now I can reach the Internet, but I really have very little security - sigh

- any thoughts?

~ Beth

Hello -

Can you talk a bit (maybe even an article) about IP addresses, subnets, why I see two WAN coming from my ISP, beginner stuff like that?  I see many devices attached, but cannot figure out who is who.  I could using my off the self router before because the hardware names were listed along with MAC address - in OPNs it's just IPs...

Thank you ~
Hello,  First of all great article!

So I followed your steps - and so far so good, however I was very uncertain about the section for setting up Policy's.

So I nervously set my 1 policy to cover the's I had selected, with no filters, because they are over my head.  Maybe an article part 2 for digging deeper into this stuff would be so helpful.

My 2nd policy I set for all the Emerging Threats (ET), with no filters for the same reason.

And my 3rd policy I set for the last group of my rules, same as the others.

I really hate guessing, it makes me very nervous - I have three policies, but I don't know why, or if they are any good, or where to go from here....

I know this is all very subjective for each persons Internet use, but are there any articles which give more guidance on polices you'd recommend, and some use examples.  I'd imagine there are many threats out there that the majority of people would want to guard against, so something that shoots down the middle as far as policy specifics?

I do a lot of email, ftp, browser searches and logins, some web email, banking, shopping and VOIP - no social media, no IoT If this helps.

Thanks for the enlightenment,

Hello all,

So happy to have found a safe place for a newbie such as myself....

My network plan imagined by me (before I heard of VLANs) is simple I thought, best laid plans and all that.

The Layout & History:
My office and living room have a broom closet between their facing walls - so I put a 6port Vault running OPNsense in the closet, had my ISP run their fiber modem into the closet, and drilled holes in the left and right walls of the closet, into each of the rooms mentioned.  I connected cat6 from my PC to the LAN port on my Vault, and of course the modem to the WAN port.

All was well - I had internet access in my office.  That was to easy, I was very happy, for a bit.

I then attached a new TPLink 8port Gbit Smart Switch in between my Office PC and the Vault router LAN port- all was still well, and I then cat6 my Linux PC & laptop also - all 3 devices still good, but I was about to learn of the special settings for LAN ports on routers.

I then ran cat6 through the other wall hole (living room) to a TPLink 5port Gbit Easy Smart Switch, and you guessed it nothing plugged into that found the internet... all is not well :/ and I didn't know why.... I did a ton of research but other peoples network layouts were to complicated for my understanding and needs.

My goal was higher level access for my Office/LAN/Devices computing needs (1 - 4 devices) - and restricted access for the 2 switches installed via cat6 in other rooms.  #1=Living room next to Office through closet, and #2=upstairs above the Office/closet.  These switches would be for media TV and simple laptop Net searches, and email. 

I have since heard of VLANS, which I still don't fully understand - I will dig into learning of these after I get some additional security understanding set up in my OPNsense (the entire point of this adventure in the first place is much better security).
- Many thanks Network Guy for your informative articles ♥ which have really helped, and scared me.

I felt that the trouble might be in my interfaces - so I set one up for em2 (em0 is WAN, em1 is LAN) the same as the one for my LAN except I gave it ........20.1/24 where the LAN is ........10.1/24 - Still no access for em2.  Why that IP - I have no idea I just guessed.

I have poked around, lost internet access - oops, got it back again (no idea how I lost it, or got it back, yikes!)

But I have seen that there are no Firewall rules for my em2 living room could be an issue I say.  But I read when OPNs mostly comes set up like an off the shelf router - security sucks = all access, maybe this just means for LAN port - so sad.  FW scares me, I almost didn't make it through setting up Intrusion Prevention System - Thanks again Network Guy!  Not sure I have that done right, but nothing broke so I call it a win!

So - best network layout practices for setting up 2 limited port/switches - mostly for Internet browsing and media?  While... not killing my LAN :) this is my current quest.

I read where you say this type of wired/switches sucks bandwidth, or better, competes for bandwidth - I want a 99% wired home network, I was hoping not to daisy chain the whole thing, so I can deal with rooms/hardware independently - it's how I think.  Something that looks like an octopus, router being the central hub/brain banished to the broom closet.

If and when I do add low range wifi I would like it to be turn-off-able <-- my technical term.  I do not have any IoT to deal with -yea!  I do hope to add things as I learn and go - pi hole, physical redundancy for my LAN, backup power source, maybe my own email server, maybe a NAS server for home media (a girl can dream).

Q2: any good beginners practical How-To books?  So far there seems to be a huge vacuum in this: "for personal use, home networking" space.  So glad to find Network Guy is addressing this :D

I've attached my network layout/map - all rooms are only 4-12' apart.