Welcome to the Home Network Guy forum!

Messages - Home Network Guy

That's a good catch. I may have made those rules mimic the rules I was using at the time of the writing of the article so I know I had working rules.

Rule 3 is redundant (unless accessing some other service on the DMZ interface that is running on OPNsense).

I need to go back to simplify and clean up those rules. Thanks for the feedback!
Tech Discussions / Re: IPv6 Confirmation
November 12, 2021, 11:19:18 AM
Sorry I didn't see this sooner. I think sometimes subsequent comments are not always emailed to me to reduce the number of email notifications.

I don't know if the track interface will work behind another firewall unless you can somehow use delegated prefixes from the other router you have on your network. The ISP-provided modem/router is not always the most feature rich. They seem to only have the most basic features available for you to manipulate (hence why OPNsense/pfSense is awesome). My guide was written with OPNsense being the main router. When you run OPNsense behind another router, it complicates the setup and you may not have all features available to you, or you have to go about configuring them differently because you are now on a network that's behind another network. Having OPNsense as your main top-level router enables you to do more since it's the main entry point into your network.

I know we have had some discussions on Twitter, but I wanted to reply for others to see.
Tech Discussions / Re: IPv6 Confirmation
October 17, 2021, 04:03:43 PM
No problem! Please report back since others may be interested in that info. I only have one Android tablet I could test with.
Tech Discussions / Re: IPv6 Confirmation
October 17, 2021, 07:56:29 AM
Thanks for the info! Does it obtain IPv6 via DHCPv6 or SLAAC? I think it was DHCPv6 support that was lacking in many Android devices (at least in the past when I was reading about it elsewhere on the web). That is why I mentioned enabling "assisted" mode since it will allow both DHCPv6 and SLAAC to assign IPv6 addresses so even the Android devices that don't support DHCPv6 should still obtain an IPv6 address. I wanted to make sure the guide would work for such devices which means you can't use DHCPv6 only.
Sounds like you have a good situation for being able to easily cool the room. I don't think you'll regret adding ventilation especially if you start adding devices which run a little hotter. Heat builds up easily in an enclosed room.

If you're running Cat6 for the cameras, you might as well run it for everything. It's not super expensive and you can run at 10Gbit speeds up to 55m (~180ft). The cameras and PoE would run fine on Cat5e (and everything else) but why not future proof a little bit and use a better quality cable (then you won't have to redo anything later).

Also if you are running through walls (and between floors which doesn't apply to you as a 1 story house), you should get riser rated cable since it doesn't spread fire as easily throughout your home. It will be called CMR in the description if not spelled out.
Below are some of my thoughts after building out my own home network over time:

1) It depends on how much it costs. I personally love having my modem, router, switches, and servers all in a centralized location where it is out of sight. Not only that, it makes connecting everything together easier. If you decide later to move your ISP connection to a different location (if you rearrange your living room or remodel, etc.), it is more of a hassle than if it's in a centralized location where it will likely never need to be moved again. If you want a quicker, cheaper solution that you may be able to accomplish yourself, running an Ethernet cable from the ISP-provided or privately owned modem/router to your centralized location will work as long as you don't exceed 100 meters (~328 feet).

2) If your network closet is completely enclosed, you most likely need some sort of ventilation, especially if you are going to have servers in the closet. If it's just a network switch, you may not need it. PoE switches run hotter, but if you don't have a heavy load on it, it might not get too hot. Some people install a fan in the top and bottom of their door to draw in cold air and blow out hot air. Others blow hot air into the next room. Since I am working to finish the basement in my house, I was able to build a 4.5 ft. x 6 ft. server room. I was fortunate in that I have a return air trunk that runs parallel to one of the walls, so I only needed to run a few feet of ductwork. I installed an AC Infinity 6" inline duct fan which has a temperature control so it runs when it gets too warm. I am able to keep the overall temperature at 73-74 degrees or below without running the fan at its maximum power (I only run it at 40% since that seems to be enough without generating too much fan noise). I have 2 servers, 3 switches, 1 router, 1 modem, an NVR, and a Raspberry Pi, and it stays that cool with the fan/ventilation. I also put a passthrough vent down low on the wall near the door to allow more air to be drawn in. It looks clean and it works great. Since it's in my basement, it naturally stays cooler so that helps. In the winter, it will definitely stay plenty cool since it's on the corner of the house (I have a walkout basement).

One thing you will want to avoid is to blow the hot air outside your house. I've heard of others doing it, but when I researched it, some have said it's harder on your HVAC because it creates negative pressure. Also even though it's warm air, it is still conditioned air (still may be cooler than the outside air in the summer and in the winter, you don't want to blow the warm air outside of your home). Therefore, blowing the warm air into your return air vent works well.

3) I had to redirect some of my Ethernet/coax cable from the closet under the stairwell in the basement to the server closet I built, and I used PVC pipe inside the walls. I could barely fit all of them in the size I chose, but I didn't want to use too wide a pipe and weaken the studs. I chose the maximum size for the maximum recommended hole you can cut into studs. I only needed to run it through a couple of studs since it was close to the corner of a wall. Then I ran more PVC conduit (I used gray plastic electrical conduit) above the ceiling in the server closet to my HVAC room so I can run the wires from the closet under the stairs, across the HVAC room and into the server closet. I used two 2" conduits, and I nearly filled both of them! I wish I had run 3" conduit, but I was able to do what I needed done with 2". I don't plan on adding too much more since I tried to plan ahead and ran a bunch of drops in my basement (20 drops -- 4 at 5 different locations). The 2 floors upstairs have 16 drops in comparison (that is what I had the builder run -- I wish I had a few more run, but I didn't want it to cost too much).

4) If you don't have the ISP connection to your house relocated, I know that a lot of people on Reddit show off their "lack racks" that are made out of Ikea furniture or custom built out of wood. With the price of lumber these days, it's probably cheaper to buy a low end server rack. For home use, cheap racks work great (or if you can find a solid used one that a business is throwing out). Being in the living room, I understand you would want it hidden. You would want to make sure it has some ventilation since routers can get pretty hot depending on what you are using.

One thing I didn't see you mention: since you are planning to run cables and use PoE switches, you may want to consider using wireless access point(s) that are powered via PoE. Since you have a small 1-floor house, you may be able to get away with one centrally located access point. If your closet will be near the center, you won't have to run a cable very far. You could just put the access point in your closet, but it could be better if it was mounted to the ceiling near the center of your house. If your house is more rectangular, you may need 1 AP on each side of the house (or if you want to extend coverage to your yard without getting outdoor APs, but range may still be limited).
The main difference between associated and unassociated rules is that when you make changes to the NAT port forward rule, it will be reflected in the associated rule. The unassociated rules won't get updated. You have to delete and recreate them. I don't think there is a bug with how that works since it was intentionally designed that way for different purposes. I'm not quite sure when you would want an unassociated rule unless maybe you are worried someone will change the NAT port forward rule. However, if you did make changes and didn't realize you had an unassociated rule, it might make troubleshooting the rules more difficult.

Are your 2 private networks connected to the same OPNsense box or is one network on the ISP router and the other is on the OPNsense router? If they are on 2 separate routers, you should be able to create NAT port forward rules similar to if the WAN was connected directly to the Internet. This of course requires you uncheck blocking of private networks/bogons on the WAN interface (although I'm not sure if unchecking bogons is critical unless you are planning to use those specially reserved IP address ranges in your internal networks).
Troubleshooting / Re: Purpose of VLANs in OPNSense
September 10, 2021, 09:17:15 AM
VLANs are a way to logically divide up your network into separate smaller networks. It is useful when you want to put restrictions between devices on both networks. So you can keep your employees or guests in your house on a separate network so they can't access more critical parts of the network. VLANs can be used to improve security but by itself, it doesn't improve security. You have to have the proper firewall rules in place. VLANs + firewall rules provides you with improved security.

VLANs are not required to use but are commonly used because it saves money (it saves physical rack space, hardware costs, electricity, etc). You can accomplish the same thing without VLANs but you would need to have a separate network switch for each separate network. That is how they could separate networks before VLAN technology existed. They would use separate routers/switches to create physically separate networks.

VLANs allow you to be more efficient with your hardware. You only need 1 switch (but you can have more if you need more ports, or if you want some PoE ports you can save money and buy a PoE switch with fewer ports). You can create several networks using one router and one network switch. It will appear as though they are separate physical networks, but they in fact are not on physically separate hardware. Another benefit of VLANs is you don't have to physically have every device that's on the same network plugged into the same switch. This can cause problems if you have switches in different locations in your office or home since you have to make sure the device is plugged into the proper switch. If you want to switch networks, you have to physically move the Ethernet cable. With VLANs, you can simply change which network a device belongs to by changing it on the switch itself without needing to move any cables. So you can reconfigure your network very easily with VLANs since there is increased flexibility.

If you have multiple interfaces, you could plug a small unmanaged switch (which is cheaper) in each port and have separate networks without VLANs or you could use 1 (or more) interfaces with 1 bigger network switch (depending on how many devices you want to connect) that supports VLANs and you can create 1 or more VLANs to start separating your traffic. VLANs add a little more configuration in OPNsense but it's not a lot different than setting up the physical interfaces. You just have an extra step of creating your VLAN tag(s) and then you assign the VLANs to a physical LAN interface. You will have extra configuration for your network switch. You create the same VLANs in your network switch (making sure that the port that connects to the router from your switch is set to TRUNK or allows all VLAN tags to pass through -- different switches have slightly different terminology but the concept is the same).

It sounds like your firewall is allowing all connections for all of your interfaces. If you want your traffic to be isolated, you will need to add rules to block traffic between the interfaces while still allowing traffic to the Internet (unless you want an offline network which is handy for security cameras for instance if you worry about being exposed to the Internet).
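As an added example (not part of the original post, and not code from the author's site), the following Python model shows what the post describes on the wire: an 802.1Q tag is four bytes inserted after the MAC header, an access port delivers frames untagged only to ports in the same VLAN, and the trunk port to the router carries them tagged. The port names, VLAN IDs and the sample frame are assumptions constructed for the demonstration; the switch model floods within a VLAN (no MAC learning) to keep it short. The point to take from it is that a host in VLAN 20 never sees the VLAN 10 frame; the only path between VLANs is the tagged trunk to the router, which is exactly where the firewall rules have to do their job.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that says "a VLAN tag follows"

def tag_frame(untagged: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte dst/src MAC header.
    TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp << 13) | vid
    return untagged[:12] + struct.pack("!HH", TPID_8021Q, tci) + untagged[12:]

def strip_tag(tagged: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag (what an access port does on egress)."""
    return tagged[:12] + tagged[16:]

def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, VLAN id (None if untagged), EtherType and payload."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    vid, off = None, 14
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vid,
            "ethertype": etype, "payload": frame[off:]}

# Assumed switch port configuration: three access ports and one trunk uplink
# to the router (OPNsense) that carries both VLANs tagged.
PORTS = {
    "ge1":  {"mode": "access", "vlan": 10},
    "ge2":  {"mode": "access", "vlan": 20},
    "ge3":  {"mode": "access", "vlan": 10},
    "ge24": {"mode": "trunk", "allowed": {10, 20}},
}

def switch_egress(frame: bytes, ingress: str) -> dict:
    """Return {port: frame_as_sent} for a frame entering on `ingress`.
    Simplifications: frames flood within their VLAN (no MAC learning) and a
    tagged frame arriving on an access port is treated as untagged."""
    cfg = PORTS[ingress]
    parsed = parse_frame(frame)
    untagged = frame if parsed["vlan"] is None else strip_tag(frame)
    if cfg["mode"] == "access":
        vid = cfg["vlan"]                      # untagged traffic = the port's VLAN
    else:
        vid = parsed["vlan"]
        if vid is None or vid not in cfg["allowed"]:
            return {}                          # trunk drops untagged/unknown VLANs
    out = {}
    for name, p in PORTS.items():
        if name == ingress:
            continue
        if p["mode"] == "access" and p["vlan"] == vid:
            out[name] = untagged               # same VLAN: delivered untagged
        elif p["mode"] == "trunk" and vid in p["allowed"]:
            out[name] = tag_frame(untagged, vid)   # towards the router: tagged
    return out

# Constructed sample: a broadcast ARP-style frame from a host plugged into ge1.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
                + struct.pack("!H", 0x0806) + b"\x00" * 28)

if __name__ == "__main__":
    for port, f in switch_egress(SAMPLE_FRAME, "ge1").items():
        print(port, "vlan", parse_frame(f)["vlan"])
```

Running it shows the frame leaving ge3 untagged and ge24 with VID 10, and nothing on ge2. Feeding a frame tagged 20 back in on the trunk (as the router would when routing between the two networks) reaches only ge2, which is why a block rule on the router is what actually keeps the networks apart.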
The problem is that the "WAN net" alias does not mean "allow access to the Internet". The Internet essentially consists of all non-private IP addresses (except for a few other specially reserved IP ranges). Your external WAN address is only on 1 network out of billions/trillions on the Internet. That's why when you create rules you essentially need an "allow all" rule near the bottom of your rules which basically is like "allow all other", as in allow all other traffic out to the Internet (and other internal networks if you do not have any blocks in place).

So on the NA interface, you could have something like:

Block NA net to NB net
Allow NA net to any HTTP/HTTPS
Troubleshooting / Re: Opnsense content filtering
September 07, 2021, 09:47:17 AM
Thanks for reporting back! I haven't tried to mess with web proxies especially since it seems like it works best for unencrypted traffic which isn't helpful most of the time since most everything is encrypted. I use Sensei also and it works well especially after they fixed a lot of the netmap issues that caused problems early on (at least with my hardware). I like being able to look at my traffic aggregated and broken down as well as block certain traffic.
Thanks for providing your proposed network diagram. That helps me visualize what you are trying to do.

I notice that for each "segment" (network) you are creating, you are placing a router in front of it. While that can work to provide each network some access to the other networks where you are plugged into, you don't have to use that approach. It complicates the access between the different networks. It may even require static routes on your routers so traffic can be routed properly between all the networks if you wish to access other devices.

A simpler approach would be to put your ISP modem/router into bridge mode, run a router such as OPNsense (which I write about often) and then create all your networks using your OPNsense router. Since everything is connected to one router, you can manage all the access/firewall rules from a single router (instead of having 3-4 routers). For wireless, you could connect one of your existing routers and put it in AP mode so you only use its wireless functionality (or you could buy dedicated wireless access points, which gives you more freedom where to place them).

If you want to try to make your network function with the hardware you have, you may end up having to use separate routers with separate networks since you don't have equipment to utilize VLANs or a single router like OPNsense. It may require setting up static routes, and I don't know if your routers provide many settings for establishing firewall rules to keep your networks separated and protected while also allowing specific access to various services you have hosted on your network.
You're welcome. I had mine turned off for a while so it doesn't spam the firewall logs. I have it on now and where possible, I tried to update many of my rules to use IPv4+IPv6 so the rule will apply to both protocols because I want essentially the same firewall restrictions for both protocols. It doesn't always work out perfectly because some of my aliases refer to IPv4 only networks or IP addresses so it wouldn't apply to IPv6. However the broader rules which use the predefined network interface addresses should work for both protocols since OPNsense knows both addresses on the interface/network.
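Two points from these replies are easy to check with a small first-match rule model: the earlier explanation that a rule with destination "WAN net" does not grant Internet access (and that the fix is a block rule followed by a broad allow), and the caveat above that an alias holding only IPv4 networks never applies to IPv6 traffic even on an IPv4+IPv6 rule. The Python below is an added example, not code from the original posts or from OPNsense; the interface networks, alias contents and test addresses are assumptions (documentation ranges), and the evaluator only models source/destination/port matching with the default deny, not states, interfaces or directions.

```python
import ipaddress as ipa

# Assumed networks behind the predefined "<interface> net" aliases.  "WAN net"
# is only the subnet the WAN interface sits in, not "the Internet".
ALIASES = {
    "NA net":     ["192.168.10.0/24", "2001:db8:a::/64"],
    "NB net":     ["192.168.20.0/24", "2001:db8:b::/64"],
    "WAN net":    ["203.0.113.0/24", "2001:db8:ffff::/64"],
    "NB printer": ["192.168.20.10/32"],     # a custom alias with IPv4 members only
    "any":        ["0.0.0.0/0", "::/0"],
}

def alias_contains(alias: str, addr: str) -> bool:
    """True if addr falls in any member of the alias of the same IP version."""
    a = ipa.ip_address(addr)
    return any(a in n for n in map(ipa.ip_network, ALIASES[alias])
               if n.version == a.version)

# A rule is (action, "IPv4" | "IPv6" | "IPv4+IPv6", src alias, dst alias,
# set of destination ports or None for any port), mirroring the rule editor.

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    version = ipa.ip_address(src).version
    for action, ipver, src_alias, dst_alias, ports in rules:
        if ipver == "IPv4" and version != 4:
            continue
        if ipver == "IPv6" and version != 6:
            continue
        if not alias_contains(src_alias, src):
            continue
        if not alias_contains(dst_alias, dst):
            continue
        if ports is not None and dport not in ports:
            continue
        return action
    return "block (default deny)"

# The mistake: "let NA reach the Internet" written with destination "WAN net".
WRONG_RULES = [("pass", "IPv4", "NA net", "WAN net", {80, 443})]

# The ordering from the reply: block the cross-network traffic first, then a
# broad allow for everything else (restricted here to HTTP/HTTPS).
NA_RULES = [
    ("block", "IPv4+IPv6", "NA net", "NB net", None),
    ("pass",  "IPv4+IPv6", "NA net", "any",    {80, 443}),
]

# Same intent, but the block uses an IPv4-only alias, so it never fires for IPv6.
NA_RULES_V4_ALIAS = [
    ("block", "IPv4+IPv6", "NA net", "NB printer", None),
    ("pass",  "IPv4+IPv6", "NA net", "any",        {80, 443}),
]

def demo() -> dict:
    """Constructed packets (TEST-NET-2 and 2001:db8::/32 addresses)."""
    return {
        "wrong_rule_to_internet": evaluate(WRONG_RULES, "192.168.10.5", "198.51.100.7", 443),
        "fixed_to_internet":      evaluate(NA_RULES, "192.168.10.5", "198.51.100.7", 443),
        "fixed_to_nb_v4":         evaluate(NA_RULES, "192.168.10.5", "192.168.20.10", 80),
        "fixed_to_nb_v6":         evaluate(NA_RULES, "2001:db8:a::5", "2001:db8:b::10", 80),
        "v4_alias_to_nb_v6":      evaluate(NA_RULES_V4_ALIAS, "2001:db8:a::5", "2001:db8:b::10", 80),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The first case falls through to the default deny because 198.51.100.7 is nowhere near the WAN subnet; the corrected set passes it and blocks NA to NB for both IP versions. The last case is the trap described above: the IPv6 packet to the printer's network sails past the IPv4-only alias and hits the allow rule, so aliases used in block rules need IPv6 members (or the built-in "<interface> net" aliases) to cover both protocols.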
I wrote about firewall aliases so when you want to dive deeper, you could check it out.

As for testing if you can connect to your other devices to ensure everything is blocked, you could try pinging them from the console/command prompt. Type:

ping <IP address or hostname>

Using the IP addresses of your machines (or hostnames). If they are on the same network or your firewall rules aren't blocking the device, you'll get a response back. So if you know the device is on the same network, getting a response is ok. If it's not on the same network, you shouldn't get one back.

If you have any services running on your systems like a web server, you could try accessing those as well to see if you can get a connection. It depends on what you have running on your network. If you can't access something that's on another network (like a printer, file sharing/sync server, Apple TV, Roku, Xbox, PlayStation, etc.), then your rules are blocking properly.

You can also check the live firewall logs to see if your rules are blocking any network traffic. That might be the easiest way but you have to be a little familiar and comfortable with the live firewall log. You can filter the log to just the one network or device you are trying to access so you don't get flooded with as many log entries. It's hard to see what's going on if you have a lot of network activity and you don't filter it.
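For the log-filtering step, here is an added example (not from the original post) that does to a raw firewall log what the live view's filter does in the GUI: narrow the entries to one device, one network, one interface or one action. The sample lines are constructed and carry only the comma-separated part of a filterlog entry, after the syslog prefix; the field positions are assumed from the pf filterlog CSV layout (rule number, sub-rule, anchor, label, interface, reason, action, direction, IP version, then the IPv4 or IPv6 header fields, protocol, length, source, destination and ports), and the interface names and addresses are made up.

```python
import ipaddress as ipa

# Constructed sample entries (CSV part of filterlog lines, syslog prefix removed).
# Assumed layout after the common 9 fields:
#   IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto, length, src, dst, [sport, dport, ...]
#   IPv6: class, flow-label, hop-limit, proto, proto-id, length, src, dst, [sport, dport, ...]
SAMPLE_LOG = """\
75,,,0,igb1_vlan20,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.168.20.10,192.168.10.5,51000,445,0,S,,,,,
80,,,0,igb1_vlan10,match,pass,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.168.10.5,198.51.100.7,52000,443,0,S,,,,,
75,,,0,igb1_vlan20,match,block,in,4,0x0,,64,1236,0,DF,17,udp,78,192.168.20.10,192.168.10.5,5353,5353,58
81,,,0,igb1_vlan20,match,pass,in,4,0x0,,64,1237,0,DF,6,tcp,60,192.168.20.11,198.51.100.7,53000,80,0,S,,,,,
75,,,0,igb1_vlan20,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8:b::10,2001:db8:a::5,51001,22,0,S,,,,,
"""

def parse_filterlog(line: str) -> dict:
    """Pull the fields worth filtering on out of one filterlog CSV line."""
    f = line.rstrip("\n").split(",")
    rec = {"rule": f[0], "interface": f[4], "action": f[6],
           "direction": f[7], "ipver": f[8]}
    if f[8] == "4":
        rec.update(proto=f[16], src=f[18], dst=f[19])
        rest = f[20:]
    else:
        rec.update(proto=f[12], src=f[15], dst=f[16])
        rest = f[17:]
    rec["sport"] = rec["dport"] = None
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = int(rest[0]), int(rest[1])
    return rec

def filter_log(text: str, *, network=None, host=None, action=None, interface=None):
    """Keep entries where `host` is the source or destination, or where either
    end lies inside `network`; optionally also require an action/interface."""
    net = ipa.ip_network(network) if network else None
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_filterlog(line)
        if action and rec["action"] != action:
            continue
        if interface and rec["interface"] != interface:
            continue
        if host and host not in (rec["src"], rec["dst"]):
            continue
        if net is not None:
            ends = (ipa.ip_address(rec["src"]), ipa.ip_address(rec["dst"]))
            if not any(a.version == net.version and a in net for a in ends):
                continue
        hits.append(rec)
    return hits

if __name__ == "__main__":
    # Everything the device at 192.168.20.10 tried, and what the firewall did with it.
    for r in filter_log(SAMPLE_LOG, host="192.168.20.10"):
        print(f"{r['action']:5} {r['interface']:12} {r['proto']:4} "
              f"{r['src']} -> {r['dst']}:{r['dport']}")
```

Filtered to the one device, the sample shows two blocked attempts from the VLAN 20 host towards VLAN 10 (SMB on 445 and mDNS on 5353), which is the "your rules are blocking properly" confirmation described above; filtering the same log by network or by action is the quickest way to spot a cross-network pass that should not be there.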
It's ok if you want intrusion detection on the LAN instead of the WAN but you have to make sure you don't select the VLANs instead of the physical LAN interface(s) since it will mess up your VLANs. But if you want to put it on the WAN and use Sensei on the LAN, that will work too. I like the graphs and charts and other information that Sensei provides. It does things that intrusion detection doesn't do, but I think they can complement each other. I don't have a guide on how to set up Sensei since the documentation on Sensei's website is pretty straightforward but I did do a comparison between the home and free versions.

That "Administration Rules" page lists all of the rules you have downloaded. Those are not the rules which have been triggered on your network. It shows the default action of allow, block, or disabled. You have to go to the "Administration Alerts" page to see what has been blocked on your network. You also need to make sure you have "IPS Mode" checked on the "Administration Settings" page.
You can disable IPv6 entirely by going to the "Firewall > Settings > Advanced" page. It's the first option.

Devices/software will only prefer IPv6 if it's enabled on your network since it cannot communicate via IPv6 if it's disabled.