
Configuring a Management VLAN 

Home Network Guy
Published: 2 Oct 2024

Comments: 44
@TheWoodad, 1 month ago
@homenetworkguy Could you also just uncheck "Enable Interface" for LAN instead of completely deleting it?
@homenetworkguy, 1 month ago
As long as you can access the OPNsense web UI from another interface, you can disable any interface that you are not using.
@diedrichg, 5 months ago
Thank you for these videos. I've been watching your network setup videos in preparation to switch to OPNsense from Untangle since they are dropping the home user license. Thank you for your knowledge and hard work putting these videos together. I like your methodology, as your networks have the same layout as I prefer to have mine.
@homenetworkguy, 5 months ago
You're welcome. Glad it matches up with your methodology! I'm working on a new video showing how one could go about virtualizing OPNsense on Proxmox (eventually I hope to demonstrate a Proxmox cluster in a future video).
@tanng7036, 28 days ago
@homenetworkguy Does it make sense to change the OPNsense IP address from its default LAN network (192.168.1.1) to the management network (e.g. 192.168.99.1) too? The switch and APs' IP addresses have changed to be on the management network, right? On the firewall rule (allow access to the OPNsense web UI), why is the destination field set to the management address? Can the destination field be the management net? Not sure I understand management network vs. management address. If I understand this rule correctly, it allows the clients on the management network to access other devices on the management network like the OPNsense web UI (192.168.99.1), switch (192.168.99.2), and APs (192.168.99.x).
@homenetworkguy, 27 days ago
It doesn't really matter what you use for the LAN network IP addresses, but everything that's connected to that network needs to be within the same network address range (192.168.99.1-192.168.99.254), assuming you're using a /24 network size. It's not better to use .99 instead of the default .1 or vice versa. It's just an addressing scheme of your preference. But you do have to make sure you are doing it properly. If you change it to .99, all of the DHCP clients will automatically pick an IP in that range (assuming you also updated the DHCP settings), but for any static IPs on the various devices, you will need to change those to be in the .99 network. The management network is the network where you want to manage all of your network infrastructure/servers. It's the same as any other network/VLAN you are creating. It is simply called the "management" network since the intention is to put critical network/server infrastructure on that network and isolate those management interfaces from being accessed from untrusted devices. The management IP address of OPNsense is what I was allowing access to in the firewall rule. It was simply an example. You could allow access to the entire management network from a device that's not in the management network, but that is starting to defeat the purpose of having a management network (which is to keep all other devices on the network separated from the management network in an effort to protect the most critical part of your network).
@tanng7036, 27 days ago
@homenetworkguy Thanks for the reply. If our management VLAN were VLAN 99 (192.168.99.0/24), where do we set OPNsense to be on the management network (i.e. 192.168.99.1) and remove it from the default VLAN 1 network (192.168.1.1)?
@homenetworkguy, 27 days ago
OPNsense by default will automatically listen on all of the interface IP addresses configured on the OPNsense system, so if you change the interface IP address to 192.168.99.1/24, you will be able to access OPNsense on 192.168.99.1. If you have another interface with IP address 192.168.20.1/24, you will also be able to access OPNsense on 192.168.20.1. You can set the listen interfaces to only be the LAN interface (or whatever interface you want to use for management of OPNsense), but only do that once you know for sure you can access OPNsense after you change the IP address of the interface.
@joecook4451, 5 months ago
I was wondering, can you also set the ports on that switch to just port isolation, so it makes OPNsense do all the routing? I was thinking of getting the TP-Link TL-SG1210MPE. Many thanks for all your helpful videos btw!
@homenetworkguy, 5 months ago
Port isolation just prevents devices within the same network from communicating with each other. It doesn't have anything to do with routing. Normally all devices within the same network/VLAN can communicate freely on the local network (that is how networking was designed). You can essentially configure the TP-Link switch to only allow one port in a network/VLAN to communicate with the trunk port to OPNsense, which essentially blocks other devices on the same network while still allowing access to the Internet or other devices on other networks (if firewall rules in OPNsense allow for that communication).
@joecook4451, 5 months ago
@homenetworkguy I think that's what I want. I would like to force each port on the switch to go to OPNsense, then go back to the switch port that's needed. I'd at least like to have that as an option to test. I would also like the capability of assigning VLANs to each port and see if I can achieve better results as well. Currently I have a regular switch that has an access point with 2 VLANs plugged into it, and also the OPNsense LAN port, and also a server plugged into it. It seems to bleed through at times through FW rules, so I'm hoping either a VLAN switch or a port isolation switch will help give OPNsense better control.
@zyghom, 6 months ago
Very nice and informative guide, but a question: imagine all my servers are on the 10.x network (VLAN 10) while home devices are on 100.x (VLAN 100) and IoT on 200.x (VLAN 200). So my day-to-day laptop is of course on the HOME VLAN 100 (as I need access to everything: shares, printers etc.). Now, if I want to access the FW I have to switch my laptop to the MANAGEMENT VLAN (in my case VLAN 10) because for security reasons I restricted OPNsense to listen only on VLAN 10, right? Kind of inconvenient. Or am I missing anything here?
@homenetworkguy, 6 months ago
You can create a firewall rule to allow access to the OPNsense UI on the management network for a device that's on another network. Ideally you could have a machine (even if it's just a Raspberry Pi) on the management network to administrate everything, but for convenience you could allow a single device on another network to access the web UI. Poking holes into the management network is a small risk, but it is worth the convenience (especially on a home network). This is what I have done, but I'm thinking of using a Raspberry Pi on the management network so I can have my management network more isolated.
@marcosfeng, 7 months ago
Could you technically use that old LAN port as part of the LAGG, after you set up the mgmt VLAN and delete the LAN interface?
@homenetworkguy, 7 months ago
You would have to unassign the LAN interface first and then create a LAGG with another unassigned interface. I suppose the MGMT VLAN would work on top of that LAGG, but you would have to be careful not to lock yourself out in the process. I haven't tried doing that, so I would have to experiment to see how that goes. VMs are good for that sort of thing. Tinker with it and if it breaks, roll it back.
@ttuuxxeerr, 4 months ago
Thanks for explaining that we can remove the LAN interface. I was a bit afraid, as it was the parent of the different VLANs.
@homenetworkguy, 4 months ago
No problem! Not everyone is aware that you can have an interface with only tagged VLANs on it, so I thought it was worth mentioning!
@MuffFlux, 7 months ago
Faaar out! Used your other guides, which were magic, and then suffered through configuring the management VLANs myself. After multiple hours spent across multiple days and 2 factory resets, I got it done 24 hours ago, only for this vid to come out today! Will definitely give the video a review and compare it to my config! Crazy timing!
@homenetworkguy, 7 months ago
Haha. I think several people are trying to create management VLANs at the same time. The other day I got 2 questions about management VLANs on the same day, which doesn't normally happen. Since I had those questions and others in the past, it prompted me to create this video in hopes it will be useful. There are slightly different ways you could go about it depending on the interfaces you choose and whether or not you wish to keep the original LAN interface as a backup so you don't get locked out (you could leave it disconnected until you need it, for example). It's hard to show all possible scenarios, so I pick one and roll with it. The beauty of building your own network is you can decide how to build it.
@ppetrix, 5 months ago
Nice. But why that much memory usage? 6 out of 8 gigabytes, on a fresh install. Wow. This is more than double compared to a pfSense install 😢
@homenetworkguy, 5 months ago
I was using one of my virtual machines which has Zenarmor installed. It wasn't a fresh install. A fresh install uses less than 1 GB of RAM.
@ppetrix, 5 months ago
OK, good to know.
@ZombieLurker, 7 months ago
Great videos! They have really helped me out a lot setting up my home lab with OPNsense. I am having trouble currently though migrating my tagged VLANs to LAGGs. One from OPNsense to a Mikrotik CRS317-1g-16s, then a second one to a CRS310-8g+2s, while having a 3rd trunk to my desktop. Currently have them all working, tagged on LAN from OPNsense to the CRS310, but not when adding in the new switch. Mikrotik RouterOS is super frustrating lol, I hate it.
@homenetworkguy, 7 months ago
Thanks! I'm glad you found it helpful getting your homelab set up. I haven't tried configuring Mikrotik switches yet. Probably need to pick up a cheap one to try it out, because I know they have their own quirks.
@ZombieLurker, 7 months ago
@homenetworkguy If there are videos that you can make by purchasing one, that would be great! You could send out a general questionnaire to the community first to ask whether enough people would be interested or not. It's a good way to find out what kind of videos your community wants to see from you; I see other creators do that on here.
@raffler5555, 6 months ago
ATM I have OPNsense running as a VM on a Synology as a test setup. I wanted to create a guest network with your video. When I connect with my devices, I am assigned an IP from the correct IP range, but I fail to get internet access... I am rather sure that I have the same settings as you did in your video for the firewall. Where could there be another error?
@homenetworkguy, 6 months ago
2 possibilities off the top of my head: DNS configuration and firewall rules. Sounds like your DHCP configuration is working (at least with assigning IP addresses). Make sure your firewall rules allow access to the DNS server on the guest interface (or another DNS server).
@raffler5555, 6 months ago
@homenetworkguy Thank you for your blazing fast reply! To test the DNS issue, I set the DNS manually on the devices; unfortunately that didn't do the trick... I will probably delete everything and start from scratch, perhaps I made an error I am unable to find now.
@donaldb934, 6 months ago
Random question about OPNsense: why does OPNsense come out of the box with remote (over WAN) access to the web GUI enabled? It also has an intense warning when you try to change this setting: Settings > Administration > Listen Interfaces
@homenetworkguy, 6 months ago
OPNsense only has open access to the web GUI on the WAN interface if you do not have the LAN interface enabled when you first install OPNsense. As soon as you enable the LAN interface, it enables the firewall/NAT features. The reason it allows the web interface if only a single WAN interface is enabled is that you would have no way to access the web GUI otherwise. It has a warning for that listen interfaces option because you have the potential for locking yourself out of the web GUI if you change the listen interfaces but don't have the appropriate firewall rules in place to allow access.
@donaldb934, 6 months ago
So should I disable this through the settings menu (changing Listen Interfaces to include all but WAN) or using a firewall rule?
@homenetworkguy, 6 months ago
What I like to do is only choose the interface that I use as my management network/VLAN, so that the web UI isn't available on other VLANs. You can block access via firewall rules, but if you simply disable the listen interfaces you don't need to create extra firewall rules for the interfaces you don't want to be accessed by clients on your network.
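The two points made across this thread, a firewall rule whose destination is the management address rather than the whole management net (the reply to @tanng7036 and @zyghom above) and the Listen Interfaces setting that can lock you out (this reply), as an added model in Python. This is not OPNsense code; the interface names, subnets, rule shape and the "lockout check" helper are assumptions constructed for illustration, and the real OPNsense rule engine has more to it (anti-lockout rule, floating rules, NAT).

```python
# Added example (not OPNsense code): a model of the two gates a client must pass
# to reach the OPNsense web UI, a firewall pass rule on its own interface and the
# Listen Interfaces setting. Names/subnets/rules are assumptions (MGMT = VLAN 99).
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str      # e.g. "MGMT"
    network: str   # interface subnet; the firewall owns the first host address (.1)
    def net(self): return ipaddress.ip_network(self.network)
    def fw_addr(self): return self.net()[1]

@dataclass
class Rule:            # one OPNsense-style rule: first match wins, default deny
    iface: str         # interface the packet arrives on
    src: str           # a single host or a whole network
    dst: str           # "management address" (a host) or "management net" (a subnet)
    port: int
    action: str = "pass"

def iface_for(ip, interfaces):
    ip = ipaddress.ip_address(ip)
    return next((i for i in interfaces if ip in i.net()), None)

def webui_reachable(client_ip, target_ip, interfaces, rules, listen, port=443):
    """True if client_ip can open the web UI at target_ip. `listen` is the set of
    interface names from Settings > Administration > Listen Interfaces; empty = all."""
    src_if, dst_if = iface_for(client_ip, interfaces), iface_for(target_ip, interfaces)
    c, t = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    if src_if is None or dst_if is None or dst_if.fw_addr() != t:
        return False                                   # not a firewall address
    for r in rules:
        if (r.iface == src_if.name and c in ipaddress.ip_network(r.src)
                and t in ipaddress.ip_network(r.dst) and r.port == port):
            return r.action == "pass" and (not listen or dst_if.name in listen)
    return False                                       # no matching rule: blocked

def lockout_check(admin_ip, interfaces, rules, listen):
    """Run before saving a Listen Interfaces change: which firewall addresses can
    the admin host still reach on 443 afterwards? An empty list means locked out."""
    return [str(i.fw_addr()) for i in interfaces
            if webui_reachable(admin_ip, str(i.fw_addr()), interfaces, rules, listen)]

# Constructed topology and rules, mirroring the thread's examples.
IFACES = [Interface("MGMT", "192.168.99.0/24"), Interface("HOME", "192.168.100.0/24"),
          Interface("IOT", "192.168.200.0/24")]
RULES = [Rule("MGMT", "192.168.99.0/24", "192.168.99.0/24", 443),  # mgmt clients -> mgmt net
         Rule("HOME", "192.168.100.50", "192.168.99.1", 443)]      # one laptop -> mgmt address only
```

With `listen = {"MGMT"}`, only the single allowed HOME laptop and hosts on MGMT reach 192.168.99.1, and `lockout_check` for any other HOME host returns an empty list before the change is saved.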
@Carl-kg7rm9zz8y, 5 months ago
Can you please show this with your Cisco switch as well? Been struggling for a couple of weeks, and every time I think I've succeeded, something breaks, the interfaces can't communicate with each other and I get locked out.
@homenetworkguy, 5 months ago
I could possibly create something, but I would need some time to do it. I would like to do some of those more specific use cases to help those with similar switches, but I'm curious how many users have that sort of switch. I know the Cisco interface is a bit more challenging to understand and configure because I had to spend some time figuring out how to do VLANs on it.
@Carl-kg7rm9zz8y, 5 months ago
I have followed your series, Set up a Full Network using OPNsense, part 3, to the letter, with the difference that I only use my physical NICs. Same topology as you. How hard can it be? 😳 Any progress on your thoughts about a Patreon membership page?
@homenetworkguy, 5 months ago
It's possible that I missed a minor detail in the video, but I'd have to go back and try it out again to see if I did, which takes some time. It's hard keeping track of every detail when recording/editing. Haha. I switched over to using Ko-fi from Buy Me A Coffee and it supports memberships. Also I have an ad-free membership set up on my website for a minimal monthly fee. RU-vid also supports memberships. I've considered Patreon, but there are just so many platforms that it gets hard to manage them all (that's not counting all the social media accounts). I want to set up a better forum too, as well as change to a more privacy-respecting commenting system. So many things to do! I have a pile of sponsored products I need to demo/try out (I prefer showing what products can do vs. doing formal reviews; it's more fun and less marketing!)
@Carl-kg7rm9zz8y, 5 months ago
@homenetworkguy I don't think you've missed anything; it's probably more that I don't grasp the concept of LAN and VLANs yet. In OPNsense, the various interfaces, IoT, Guest etc. work. It is when I connect my Protectli to the switch that it starts breaking. Tagged, untagged, port selection, then it goes wrong. Help me make it work and I'll buy you lots of coffee 😂
@devonlee5815, 7 months ago
Exactly what I needed. Thank you!
@homenetworkguy, 7 months ago
Glad it was what you needed! I know a few people have asked me questions recently about it.