Welcome to the Home Network Guy forum!

Recent posts

#71
Other Random Things / Re: Newbie Q -How to use OPNs ...
Last post by JiveTalking - September 01, 2021, 06:48:52 PM
I have done that, disable it from that location, and it's so good to know that outsiders won't be using its features on my network while I learn - perfect.

Thanks again,
#72
Proposed Network Designs / Re: Half done - half hoped for...
Last post by JiveTalking - September 01, 2021, 06:46:22 PM
Ethernet Drop, I get it now.  In my situation it will be an Ethernet float, as the direction is up :)

Quote: If you don't feel comfortable with creating aliases, you could create 2 block rules

I don't yet understand aliases or groups for FW's - the usual - when to use them, how, why, when not to use them.... you know perspective, I have none... yet.  Thank you for the block set up info - That will work until I do gain more understanding.

Quote: Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.

How does one access another device - I am a total newbie yikes! 

Thanks so much,
#73
How-to Discussions / Re: Configure intrusion detect...
Last post by Home Network Guy - August 31, 2021, 09:39:16 PM
It's ok if you want intrusion detection on the LAN instead of the WAN but you have to make sure you don't select the VLANs instead of the physical LAN interface(s) since it will mess up your VLANs. But if you want to put it on the WAN and use Sensei on the LAN, that will work too. I like the graphs and charts and other information that Sensei provides. It does things that intrusion detection doesn't do, but I think they can complement each other. I don't have a guide on how to set up Sensei since the documentation on Sensei's website is pretty straightforward but I did do a comparison between the home and free versions.

That "Administration Rules" page lists all of the rules you have downloaded. Those are not the rules which have been triggered on your network. It shows the default action of allow, block, or disabled. You have to go to the "Administration Alerts" page to see what has been blocked on your network. You also need to make sure you have "IPS Mode" checked on the "Administration Settings" page.
#74
Other Random Things / Re: Newbie Q -How to use OPNs ...
Last post by Home Network Guy - August 31, 2021, 05:27:43 PM
You can disable IPv6 entirely by going to the "Firewall > Settings > Advanced" page. It's the first option.

Devices/software will only prefer IPv6 if it's enabled on your network since it cannot communicate via IPv6 if it's disabled.
#75
Proposed Network Designs / Re: Half done - half hoped for...
Last post by Home Network Guy - August 31, 2021, 05:24:47 PM
An Ethernet drop is just what they call running an Ethernet cable down through walls (the cable is "dropped" down the wall).

If you don't feel comfortable with creating aliases, you could create 2 block rules for the em2 interface to block access to the em1 and em3 interfaces and put them before the allow all rule. So the rules for em2 could be:

(replace em1, em2, em3 with the names you use in OPNsense for those interfaces)

Interface: em2
Action: Block
Source: em2 net
Destination: em1 net

Interface: em2
Action: Block
Source: em2 net
Destination: em3 net

Interface: em2
Action: Allow
Source: em2 net
Destination: any

Repeat the process for the other 2 interfaces. You could always try accessing a device on each network to make sure everything is blocked properly.
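An added illustration of the rule ordering described in this post (this is example code written for this page, not OPNsense's own code). OPNsense evaluates the rules attached to an interface from the top down and the first match decides, with an implicit block for anything that matches nothing; the small evaluator below models that and runs the three em2 rules against constructed traffic. The subnets assigned to em1/em2/em3 and the 203.0.113.7 "Internet" address (a documentation range) are assumptions. It goes one step past the post by also showing what happens when the allow-all rule sits above the two block rules, and what an allow rule whose destination is only "em1 net" does to Internet access.

```python
"""Constructed example: first-match evaluation of OPNsense-style interface rules."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (the post does not state any subnets).
NETS = {
    "em1 net": ip_network("192.168.1.0/24"),
    "em2 net": ip_network("192.168.2.0/24"),
    "em3 net": ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    interface: str    # interface the rule is attached to
    action: str       # "Block" or "Allow"
    source: str       # "<name> net" alias or "any"
    destination: str  # "<name> net" alias or "any"


def matches(selector, addr):
    """True when addr lies inside the named subnet alias ('any' matches everything)."""
    if selector == "any":
        return True
    return ip_address(addr) in NETS[selector]


def decide(rules, interface, src, dst):
    """First matching rule on the interface wins; no match falls through to the default block."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if matches(rule.source, src) and matches(rule.destination, dst):
            return rule.action
    return "Block"


# The three em2 rules from the post, in the order they must appear.
EM2_RULES = [
    Rule("em2", "Block", "em2 net", "em1 net"),
    Rule("em2", "Block", "em2 net", "em3 net"),
    Rule("em2", "Allow", "em2 net", "any"),
]

# Constructed test traffic: one host on em2 talking to em1, em3 and a public host.
PROBES = {
    "to_em1": ("192.168.2.10", "192.168.1.20"),
    "to_em3": ("192.168.2.10", "192.168.3.5"),
    "to_internet": ("192.168.2.10", "203.0.113.7"),  # documentation address, stands in for the Internet
}


def check_em2(rules=EM2_RULES):
    """Decision for each probe under the given em2 rule set."""
    return {name: decide(rules, "em2", src, dst) for name, (src, dst) in PROBES.items()}


if __name__ == "__main__":
    print("correct order:  ", check_em2())
    print("allow-all first:", check_em2(list(reversed(EM2_RULES))))
    print("dest = em1 net: ", check_em2([Rule("em2", "Allow", "em2 net", "em1 net")]))
```

With the rules in the order given, em2 hosts are blocked from em1 and em3 and allowed to the Internet. Reversing the order makes the allow-all rule match first, so the two block rules never fire. A single allow rule whose destination is "em1 net" permits traffic only to em1; everything else, including the Internet, hits the default block, which is the symptom one would expect from the "Destination: LAN net" allow rule described in the earlier post in this thread.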
#76
How-to Discussions / Re: Configure intrusion detect...
Last post by JiveTalking - August 30, 2021, 05:46:52 PM
I've attached a pic of what I'm seeing... that I don't understand  :-\
#77
How-to Discussions / Re: Configure intrusion detect...
Last post by JiveTalking - August 30, 2021, 05:29:43 PM
I see, lots for me to think about.

So I went looking and you are right - I did have it set for my interfaces/LAN and not WAN, so I changed it :)  Do you have an article where you give steps for setting up Sensei?  I remember reading about your logic on this extra layer, but I didn't know how to do what you were speaking of.

Then I saw in Services: Intrusion Detection: Administration Rules where one was repeatedly showing an Alert, but I remember setting all my rule's Policies to Alert/Drop and just Drop when only one choice was given.  I see where I can click to edit this "alert" and change it to Drop in the Rules tab, but I thought Policies were more of a covers it all better place to make these settings.... So now I'm confused again (1) how come I'm getting alerts and not drops? And how come my policy isn't dropping when a rule is triggered?  And from where do I fix this :) just lost in OPNs again - I think I'll write a country music song about the woes of OPNsense.

In Policy I found a new-to-me Tab - Rule Adjustments - on that tab I see two SID rule adjustments, both showing Alert and only the top one enabled.
So I changed that enabled one to Drop.  My fingers are crossed!
#78
Other Random Things / Re: Newbie Q -How to use OPNs ...
Last post by JiveTalking - August 30, 2021, 04:56:03 PM
Quote: (.0 and .255 are reserved for special use such as network broadcasts).

Oh, this explains why when I was setting the DHCPv4 FW rule for my em2 I got an error :D Thanks for explaining!

Quote: Sometimes devices/software will prefer to use the newer IPv6 protocol if it's enabled. You have to keep that in mind when creating firewall rules. If you want to restrict the traffic for both IPv4 and IPv6 network traffic, you need to apply the rules to both protocols.

Hum.... even if I un-enabled IPv6 on OPNs? 
I do not want to eliminate IPv6, I just want to block/stop it for now, while I'm learning.  I know it's the next great thing, but I want to start old-school while I learn about it all.  Newer-ish tech always brings new security issues, and I don't want more to learn about just now.

"register DHCP leases" - Your reply regarding this helped me a lot! 
I printed out the tables under Interfaces: Diagnostics:, and have sussed out all my currently plugged in devices via their IP's and their subnets.   I just have 2 IP's which I'm guessing are IPv4 & IPv6 from my ISP or something similar.  I may, after I pass Firewall rules swamp, actually follow your steps and map them.

Thank you ~
#79
Proposed Network Designs / Re: Half done - half hoped for...
Last post by JiveTalking - August 30, 2021, 04:32:56 PM
Thanks for the reply Dustin,

Quote: Instead of having a separate switch in each room, you could have one switch in your closet. However, it means you would need to run an Ethernet drop for each device in all the rooms. It is easier to manage to have 1 centralized switch, but if your house isn't wired and you aren't willing or able to run more wires, the approach you are taking will work also!

This is good to know... whew!  Your reply helped me to realize something - where others want devices connected and able to share things across their home network, I do not.  This is because my LAN --> switch --> Office has all I want to share :)  Next 2 switches will be used exactly the same, but in different rooms, and that is to watch media, check email and search the web, in a limited more secure fashion.  I want division between these interfaces and my LAN - so both can be their own network or their own switches/interfaces as you say.

What is an Ethernet Drop? - I thought that's what my switches were, at least in my imagination :)

Quote: For testing purposes, you could mimic that allow all rule in your em2 interface to see if you can get access to the Internet. If that works, then you can work on locking down access between your interfaces. If you don't use VLANs, the configuration will be more simple but if you plan to setup VLANs, you have to set them up on the interfaces in OPNsense and your network switches. You also have to be careful not to lock yourself out when changing the VLANs on your switch/OPNsense. You will need to be connected to a port that's not on the VLAN you are trying to set up (VLAN 1 is a safe default since that is untagged traffic).

I did just this last night - and it looked good, that is to say my laptop which connects to the internet from my office made a wired connection em2.
But wait, I could not reach the internet.... browser never resolved, command line could not find packets, I could not update my system :/

On the surface my em2 interface Firewall rules look the same as my em1/LAN except for -Destination- I was instructed to put LAN net in there to prevent my switch devices from connecting to my LAN devices....  This sounded good, so I changed that one setting to differ from my LAN's settings.

But the term Destination and then LAN net sounds like my em2 switch is heading to my LAN and not avoiding it.  So I changed the setting to "Any" and now I can reach the Internet, but I really have very little security - sigh

- any thoughts?

~ Beth
#80
Other Random Things / Re: Newbie Q -How to use OPNs ...
Last post by Home Network Guy - August 30, 2021, 02:16:02 PM
Sure!

IP addresses are assigned to every device on the network including routers and network switches.

A subnet is a network which has one or more devices. The modern notation used for IPv4 networks is called CIDR (instead of using Class A, B, or C networks). For home networks it is common to use the 192.168.x.x addresses so a subnet could be defined as 192.168.0.0/24 or 192.168.1.0/24, etc. The /24 indicates that the last digit can be used for device addresses so for 192.168.0.0/24, you can have devices assigned to 192.168.0.1-192.168.0.254 (.0 and .255 are reserved for special use such as network broadcasts).

In OPNsense, you will see 2 gateways by default if IPv6 is enabled. One gateway on the WAN is used for IPv4 and the other is IPv6. IPv6 is the new protocol for IP addresses that allows for a much greater amount of IP addresses than IPv4. It is ok to have both enabled. Sometimes devices/software will prefer to use the newer IPv6 protocol if it's enabled. You have to keep that in mind when creating firewall rules. If you want to restrict the traffic for both IPv4 and IPv6 network traffic, you need to apply the rules to both protocols.

If you wish to see the names of the devices, you need to set the option to "register DHCP leases" and "register DHCP static mappings" on the "Services > Unbound DNS > General" page. This doesn't always guarantee you will see the hostname. I've had some devices not show up but most do. If you really want everything named better, you could create a static DHCP mapping for a device (once you have identified it) and you can set an IP address (outside of your DHCP IP address range you have set for the network) and a hostname. Sometimes the manufacturer will show up below the MAC address which could possibly help identify devices. Most devices provide a way for you to view the IP address (and sometimes the MAC address). That will help you find out which device has which IP address.

Please let me know if this info helps and if you have more questions!
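An added illustration of the CIDR and IPv4/IPv6 points made in this post (example code written for this page, not OPNsense's own). The first function works out the network address, broadcast address and usable host range for any IPv4 prefix, which generalises the /24 case above to other prefix lengths; the second names the subnet an address belongs to and, because an IPv6 address is never inside an IPv4 network, returns nothing for an IPv6 address, which is the reason a rule written only against an IPv4 "net" alias does not cover the same device's IPv6 traffic. The subnet table and the sample addresses are constructed for the example.

```python
"""Constructed example: CIDR host ranges and why IPv4 subnet matches ignore IPv6."""
from ipaddress import ip_address, ip_network


def describe_subnet(cidr):
    """Network, broadcast and usable host range for an IPv4 CIDR block."""
    net = ip_network(cidr, strict=False)  # strict=False also accepts a host address like 192.168.0.5/24
    if net.prefixlen >= 31:
        # /31 point-to-point links and /32 single hosts reserve no network/broadcast addresses
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first = net.network_address + 1        # .0 (network address) is reserved
        last = net.broadcast_address - 1       # .255 on a /24 (broadcast) is reserved
        usable = net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


# Assumed interface subnets for the example (not from the post).
SUBNETS = {
    "LAN (em1)": "192.168.1.0/24",
    "em2": "192.168.2.0/24",
    "em3": "192.168.3.0/24",
}


def which_subnet(addr, subnets=SUBNETS):
    """Name of the subnet containing addr, or None.

    ipaddress never reports an IPv6 address as inside an IPv4 network, so a
    firewall rule keyed on an IPv4 'net' alias leaves the device's IPv6 traffic
    unmatched; a separate IPv6 rule is needed to restrict that as well.
    """
    a = ip_address(addr)
    for name, cidr in subnets.items():
        if a in ip_network(cidr):
            return name
    return None


if __name__ == "__main__":
    print(describe_subnet("192.168.0.0/24"))
    print(describe_subnet("10.0.0.0/16"))
    print(which_subnet("192.168.2.10"))   # em2
    print(which_subnet("fe80::1"))        # None: constructed IPv6 address, no IPv4 subnet matches
```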