
Set up a Full Network using OPNsense (Part 2: OPNsense) 

Home Network Guy
7K subscribers
78K views

In Part 2 of this series, I will walk through setting up OPNsense. This includes download and installation, setting up the basic system settings, configuring interfaces and services such as DHCP and DNS. Finally, I will walk through creating some firewall rules for each interface/network.
Because I wanted to include all of the OPNsense configuration in one video, this is the longest video in the series. I have included timestamps below so you can jump to the various sections of the video.
00:00:00 Intro
00:00:58 Download OPNsense
00:03:00 Etcher to burn image
00:04:25 Coreboot Note
00:06:14 Power on Protectli VP2410
00:09:02 Install OPNsense
00:15:14 Change default interface assignments
00:18:01 Plug PC/laptop into OPNsense box
00:19:23 Log into OPNsense web interface
00:20:44 General System Settings
00:24:11 Administration System Settings
00:28:35 Miscellaneous System Settings
00:31:05 LAGG Interface Configuration
00:35:43 VLAN Configuration
00:40:42 Interface Assignments
00:41:48 WAN Interface Configuration
00:43:12 Internal Interface Configuration (LAN, DMZ, USER, IOT, GUEST, IPCAM)
00:51:10 DHCPv4 Configuration
00:55:44 DHCPv6 Configuration
00:56:54 Router Advertisements
00:59:00 Unbound DNS General Settings
01:00:44 Unbound DNS Query Forwarding
01:02:14 DHCPv4 Static Reservations
01:10:04 Firewall Rule Aliases
01:20:57 Firewall Floating Rules
01:24:12 Firewall Interface Rules (LAN, DMZ, USER, IOT, GUEST, IPCAM)
For a more detailed written guide, please visit:
homenetworkguy.com/how-to/set...
EP09

Science

Published: 28 Jun 2024

Comments: 239
@raymondbeytrison1080 3 months ago
Ty so much Dustin! This is a fantastic guide for those who want to learn and already have some basic knowledge. Simple, precise and without frills! And the fact of relying on a real example makes it possible to link theory to practice. You keep it simple and your videos focus on the essentials. Thank you for sharing your knowledge! I like people who transform knowledge into know-how!
@homenetworkguy 3 months ago
Thanks! I like to use real world examples that I have done in my homelab/home network either currently or in the past. For certain topics that I don’t implement in my network, I still like to set it up in a test environment to make sure everything works as expected.
@pewpewpow4681 11 months ago
Great video, thanks so much for all your hard work! I've been a fan for years on your website. Pleasantly surprised to see you on YT! Looking forward to more content!
@homenetworkguy 11 months ago
Thanks! Glad you enjoy the content! I just got started on YouTube nearly 9 months ago even though I wanted to start it 2-3 years ago... so I'm just getting started. I don't have a lot of production equipment or time so I am keeping the videos simple, minimally edited, but hopefully full of good information. That means my video content will be much less polished than my written content. With video content, I can't quite go as detailed as my written content. Otherwise it would be hours long! haha.
@smportis 13 days ago
I recently upgraded 2 watchguard XTM 5 series boxes and put OPNsense on them. I don't have a lot of formal firewall experience other than playing around a little bit. This was a brilliant series of videos to help me figure out how to set up my home network. Thank you!
@homenetworkguy 13 days ago
Thanks! I’m glad they helped you with your home network!
@jeffreyooi1971 6 days ago
Can you share how you upgraded your 2 WatchGuard Fireboxes to OPNsense? I have 2 M series firewall boxes and would like to use it too, thanks
@terryaldridge34 11 months ago
So glad I found you. You have the heart of a teacher. I was so frustrated with trying to locate the single frame where they pushed THE key. I may have figured out what a lot of the terms mean but it is great to have it enunciated in detail with context. Thank You! Now back to fending off my IT PRO hacker neighbor that I can't get evidence on...
@homenetworkguy 11 months ago
You’re welcome! I plan to go into detail in more specific topics as time goes on. I wanted to start with a general overview to show how all the pieces work together.
@user-qu9bn3ve9y 1 year ago
Don't worry about the late night glitches, still better than most of us at the best time of day. This is how we learn.
@homenetworkguy 1 year ago
Thanks! In my Part 3 video, I apologized for grunting/coughing because allergies were making my throat scratchy and causing some minor drainage but I was able to cut that part out without affecting the continuity of the video. I appreciate those who are able to produce high quality productions. I’m just keeping it raw as a one man production, haha.
@ryanc2258 1 year ago
Epic! You weren't kidding, almost 2 hours! Thank you for all of the hard work and effort. I'll be getting my hardware tonight and messing around with this.
@homenetworkguy 1 year ago
Haha, I even went less detailed than my written guide. I knew it would take some time to explain things in detail. I didn't want to bust this up into a bunch of videos right now because I wanted to keep each portion of the guide in a single cohesive video: intro of hardware, OPNsense installation/configuration, network switch configuration, and wireless access point configuration. I added the chapters to make it easier to skip around in the video.
@ryanc2258 1 year ago
@homenetworkguy Yeah this was the right move. So is it ok to do this step without taking my main network offline or do I need to have the modem plugged in and everything per part 1 of the tutorial to do part 2 properly. Otherwise this might be the last time you hear from me for a few years if I can't reach the tutorial 🤣
@homenetworkguy 1 year ago
I probably didn’t make it clear at the beginning of the video but later I show just connecting a single PC to the OPNsense box. You can do it completely offline or connected to your existing network. This assumes you already have a router in place and you are setting up a new box. If you only have one box, you have to be offline until everything is installed. Good thing is that by default if you’re using DHCP on the WAN, everything should work out of the box if you’re plugged into the modem. It may take a few minutes to register your new MAC address (unless you cloned your old MAC address) to be able to connect to the Internet.
@ryanc2258 1 year ago
@homenetworkguy Thank you, this was a very helpful guide! Working through your website to finish up the other pieces and looking forward to those videos. If I didn't have this part 2 video I know I would have likely made mistakes, so thank you for this. You definitely don't need to apologize as much as you do in your videos, it's very, very useful! Great job!
@homenetworkguy 1 year ago
Thanks! Glad you found it helpful to have video along with the written guide! I was recording the videos late at night for 2 nights in a row so I was pretty exhausted, which is why I had to go back a few times to fix my mistakes on the fly. Haha
@blueskiesahead01 3 months ago
By far the best home networking videos out there for this stuff. Super detailed and helpful!
@homenetworkguy 3 months ago
Thanks! I appreciate the compliment! Helps keep me motivated to produce more content!
@wizdude 11 months ago
I watched this video twice. Once before I went to setup opnsense and then again after I completed my deployment. I picked up a few useful tips the second time through once I was very familiar with the user interface of opnsense. Thanks for a great series of videos. I’m very well versed in other firewall and networking products and I think you did a great job of explaining how to setup a multi VLAN environment. Cheers 😊
@homenetworkguy 11 months ago
Thanks! I'm glad it helped you! I probably could have described certain things in more detail but the video is already pretty long. I wanted to do a comprehensive overview and then later I can dive into specific topics (which is what I have been doing in written format on my website for the past few years).
@ryanbuster4626 5 months ago
@homenetworkguy So the invert in your example was effectively a block? Or do I have that wrong? Blocking private networks from accessing the lan/mgmt vlan? And also I doubt doing the switch vlan config would have worked anyways seeing as how all created vlans are blocked by default. I'm stupid, I should listen to the smart guy, I'm just getting started with a home lab.
@homenetworkguy 5 months ago
@ryanbuster4626 It's an allow rule. If the network traffic doesn't match any of the rules, the traffic is denied/blocked by default. That is why if you have no rules created for an interface, all traffic is blocked on that network. Ignoring the destination invert option for a moment: if you only created a single rule that allowed DNS, only DNS lookups would be allowed on that network since all other traffic is blocked by default even though you did not create a block rule. Some people like to put a block all rule at the bottom of the firewall rule list but that is not necessary. So back to the allow rule with the destination invert option: basically that rule is saying ONLY allow access to non-private IP addresses (which means only allow access to public IP addresses, aka the Internet). It is not blocking anything. It is only stating what is allowed, and if traffic doesn't match that rule, it is blocked by default because of how the firewall blocks all traffic by default.
@kanes5105 9 months ago
Hey friend, just like to say thanks for the time and effort you put in making this information available. I'm in the process of switching out some older equipment in my home lab for some new stuff. I've decided to give OPNSense a go, changing over from pfSense, nothing wrong with pfSense, just would like a change and fiddle with some new things. I've been doing this for a bit, was involved in IT at a corporate level years ago, now I just like messing around at home in my lab and learning something new. That said, after watching your video, I'm learning something new! Thank you!! Like someone else said earlier in the thread, please don't stress out with putting out this information, it's your time, your videos, I'm sure the folks that watch them are not going to judge you, at least I won't! Lastly, thanks again, I look forward to seeing more of your videos and documents in regards to OPNSense, new learning curve!
@homenetworkguy 9 months ago
Thanks! Glad you found it helpful. The recording of that video was a bit grueling because of its length. I recorded it over a span of 2 nights so I was a bit exhausted, haha. I wanted to do a comprehensive video to show how it all works together instead of splitting it up with the goal in mind of covering specific topics like I am doing now with my newer videos.
@JoerBrando 1 year ago
This is awesome, I loved that you went with OPNSense instead of pfSense as well, can't wait for more content from you. Keep it up!
@homenetworkguy 1 year ago
Thanks! I’ve been using OPNsense since late 2017 in the earlier days of the OPNsense platform. I have enjoyed interacting with the OPNsense community over the years with my website and now YouTube.
@JoerBrando 1 year ago
@homenetworkguy I will be using your videos as the base for my team members to get up to baseline with OPNSense and networking. Looking forward to more content. 😊
@homenetworkguy 1 year ago
Ohh nice! I have a bunch of written content on my site but YouTube is a new endeavor for me so I don’t have a lot of content yet and I don’t yet have the time and resources to improve the production quality. I do all this in my free time and don’t have anyone else working for me (not counting my brother who designed my logos for my websites, haha. He is better at graphic design than I am).
@blainetrain2299 8 months ago
Just wanted to say. Thank you. Over and over and over again
@homenetworkguy 8 months ago
Haha, thanks!
@visus454 1 year ago
Awesome and very informative video. I'm looking forward to part 3.
@homenetworkguy 1 year ago
Thanks! I’ve started some work on Part 3 so hopefully I can get it done soon!
@LandsharkTank 7 months ago
Thanks and looking forward to your future tutorials!
@homenetworkguy 7 months ago
Thanks for the tip! I appreciate it!
@dkcas11 1 year ago
Thanks a lot for the video, it was super helpful. Hoping the part 3 is not too far away, could really use it right now haha 🙂
@homenetworkguy 1 year ago
Haha yeah. Started working on it. The thing with part 3 is that it’s going to depend a bit on the switch you are using as to the exact way you configure but overall the concepts are the same.
@jjmart5127 1 year ago
Me, getting onto the podium. Great job, DC!
@homenetworkguy 1 year ago
Thanks! It took some effort to record and edit... and it’s still a bit raw and rough around the edges. Keeping it real, I suppose. Haha.
@timfarren 1 year ago
This helped me so much! Thank you for toughing through the late night to walk through the different setups!
@homenetworkguy 1 year ago
I’m glad it helped! I debated splitting up Part 2 but I wanted to show the entire config together to demonstrate the big picture. I could dive deeper into specific topics in the future like I do on my website.
@BrunoPereira-to7su 2 months ago
I enjoy the focus on security and hope you keep it up, thank you.
@homenetworkguy 2 months ago
Thanks! I appreciate the support! I’ll keep going!
@joshhayfer9394 1 year ago
Got my equipment today and this has been a huge help in getting me set up
@homenetworkguy 1 year ago
Nice! Glad you found it helpful!
@mrd4233 1 year ago
Very well structured and explained tutorial!
@homenetworkguy 1 year ago
Thanks!
@blueskiesahead01 1 year ago
Super helpful, well done and very thorough video man! Great job.
@homenetworkguy 1 year ago
Thanks! I’m glad you found it helpful!
@jstjohn11 11 months ago
Well done, I will be using this to get OPNsense set up! Thank you!!
@homenetworkguy 11 months ago
Thanks! Glad you found it helpful!
@starfoxBR77 1 year ago
Huge thanks for all the effort!! Amazing. Got my box and I'm following every step!
@homenetworkguy 1 year ago
Thanks! You’re welcome! I hope I didn’t miss any details in the video (my written guide has even more details but I tried to keep the config to the bare minimum to have separate networks).
@starfoxBR77 1 year ago
@homenetworkguy It's great. I'm trying to get the VLAN concepts right in my mind. I'm using OPNSense with TP-Link Omada Switch, Controller and APs. Still get confused with the Tagged /Untagged thing haha
@homenetworkguy 1 year ago
Yeah, VLANs can be hard to grasp at first but once you get it, it will be second nature. My written guide uses TP-Link and UniFi APs so you may want to look at that as well. I used different hardware in my video since that is what I had available (thanks to Jason’s Lab for sending me extra hardware).
@starfoxBR77 1 year ago
@homenetworkguy Will do! Thank you so much!
@daniel.m2808 1 year ago
It is very helpful even though a little bit long hours but I learned a lot from this. Thank you.
@homenetworkguy 1 year ago
Thanks! I didn’t want to break up the comprehensive video because I wanted to show how everything works together especially for new users who may not be able to piece it all together. I may go into more detail on individual topics in the future. Also Part 3 and 4 will be much shorter than Part 2.
@thomasryu84 1 month ago
This OPNsense playlist helped me so much, thanks! Also, how does this channel have only 6k subscribers, it's brilliant 😅
@homenetworkguy 1 month ago
Thanks for the support! This channel is like a well kept secret, I suppose. Haha. I’m hoping to continually improve over time. I’m thinking I could go back and improve some of those longer OPNsense configuration guides.
@OwenFiscusMichael 1 year ago
Thank you for making this guide!
@homenetworkguy 1 year ago
You’re welcome!
@adensan 9 months ago
Thanks! Very well explained! Cheers👏👏
@homenetworkguy 9 months ago
Thanks!
@ChrisJackson-js8rd 11 months ago
helpful walk-through of the gui. thanks!!
@homenetworkguy 11 months ago
You’re welcome!
@AbhishekRamesh1 5 months ago
You sir are amazing 👌🏼Earned a new sub. Thanks a ton.
@homenetworkguy 5 months ago
Thanks! I appreciate it!
@jfkastner 2 months ago
Well done Video, Thank you!
@homenetworkguy 2 months ago
Thanks! I'm slowly working to improve the quality the more videos that I do. This was one of my earlier videos.
@Felix-ve9hs 1 year ago
You are insane, huge respect ^^
@homenetworkguy 1 year ago
Haha, thanks! More to come!
@kristof9497 5 months ago
Great video. Thanks.
@homenetworkguy 5 months ago
Thanks! You’re welcome!
@tumblingdown8612 6 months ago
Great guide man, thanks so much. Only thing I will note here for people with issues is my consumer TP-Link switch didn't support LACP so I needed to use loadbalance. Other than that, flawless.
@homenetworkguy 6 months ago
Thanks! Yeah the switch and AP configuration will vary based on the hardware used. I plan to do more alternate versions of switches/APs as examples.
@DonFinley 11 months ago
love this video, thank you for putting it together. Any recommendations for creating VLANs and bridged interfaces? Basically, I have one WAN port and a 3 ports bridged for my LAN.
@homenetworkguy 11 months ago
Thanks! Glad you love the video. You can bridge the 3 ports and create VLANs on top but generally it’s preferred to use a network switch instead. If you have a network switch capable of supporting LAGGs, you could put those 3 ports in a LAGG configuration. That may work better than bridging the 3 ports and would have the advantage of increasing throughput on your network if you have multiple devices that are streaming/transferring a large amount of data at the same time.
@julian.morgan 10 months ago
Just some feedback, since at 49:46 you seem to be stressing about time: please don't! You've created a resource here that people can access for years to come. You've also created time stamps so we can skip forward and back as needed, as well as an in depth written article. Having used PCs for 30 odd years I've picked up fragments of understanding about networks but practically putting it all together to end up with a working system would be completely beyond me without this quality tutorial. This especially applies when, as far as my family is concerned, the off-the-shelf modem-router-switch worked perfectly well, so being without internet just because daddy wants to "play" doesn't go down well IME!!! Anyway, I can't thank you enough.
@homenetworkguy 10 months ago
Thanks! Glad you found it helpful! It took 2 nights of recording for several hours while my wife took the kids to visit her family for a few days. It was the best time to record such a lengthy guide. Plus I am still getting my feet wet on doing YouTube videos. I didn’t want to split up the OPNsense configuration section even though it is lengthy because I wanted to show how everything works together: the “big picture” overview. I’m starting to work on some shorter videos on specific topics. I have 3-4 topics written down with some details to discuss and recorded one of them yesterday. So much more to come!
@julian.morgan 10 months ago
@homenetworkguy I'm still working my way through it - cross referencing with the written article is extremely helpful, e.g. the picture you have of what the different VLANs are intended for. Presumably putting a 'webserver' in the DMZ applies to self-hosting a website, rather than a home media server which would be on the management LAN?
@homenetworkguy 10 months ago
DMZ is for anything you want to access remotely, and it is a dedicated area separate from your network so if something gets hacked, it's not able to access other areas of your network. I typically put Cloudflare in front of hosted services or keep them behind VPNs. If you do not host anything, you do not need a DMZ. For apps/services hosted on your network, you could create a separate VLAN or put it anywhere on your network EXCEPT the management LAN. The management LAN (or VLAN) should be dedicated to only the OPNsense interface, your managed switch interfaces, wireless AP management interface, servers which have IPMI for management, etc. (core network infrastructure).
@julian.morgan 10 months ago
@homenetworkguy Ok that makes sense, thanks for taking the time to explain things as I'd misunderstood.
@LandsharkTank 8 months ago
Thanks for the video I found your blog article several months ago, so happy you made a video to go along with it. This is going to be my project for the weekend. Quick request. A tutorial on setting up a VPN (like Mullvad) for one of your VLANs. Basically so you have a "private" VLAN?
@homenetworkguy 8 months ago
Thanks! Glad you are happy for the video. I am going to do a more simplified version of this guide as well. I have the written version completed and I'm posting it as we speak. I plan to get into setting up VPNs like you mentioned but I have so many things on my plate... just trying to work through various things to get it all done.
@LandsharkTank 7 months ago
@homenetworkguy Thank you and no worries on the time for the VPN setup, I get being busy. I'll probably still go with the more complex setup since that more resembles what I have going on in my network, although things got a little messy and I need to start over. Thanks again and I sent you a little something for all your hard work.
@homenetworkguy 7 months ago
It’s been on my to-do list to do more VPN guides such as setting up a single VLAN to use a VPN as you have suggested (I would probably be doing it anyway to test out my guides separate from my main network because I don’t want it to go down while I’m tinkering since my family wouldn’t be happy having an unstable network. Haha.) Thanks for the tip too! I appreciate it because it is definitely a lot of work!
@erikmeuleman 11 months ago
Had to stop a few times and hop on over to the written guide as the smacking was driving me insane, invaluable step-by-step guide nonetheless. 👍
@homenetworkguy 11 months ago
Thanks! Glad you found it helpful. I apologize for the ‘smacking’… I’m still working on speaking in videos. It may help if I write scripts and read from a teleprompter but my time is so limited I’ve just been rolling with it in hopes that practice will help me improve over time (just like with my written content).
@erikmeuleman 11 months ago
@homenetworkguy No worries! I'm most likely a little averse to noises as no one else picked up on it ^^ I have been struggling to get a wan IP assigned, prolly caused by a lack of information on the proper syntax for the DHCP client identifier from my Swiss ISP as I'm having the issue on both proxmox and a bare metal installation. The guide however was def helpful and a nice referral to have on a secondary monitor up to that point!
@homenetworkguy 11 months ago
Thanks for making me aware of that issue because once I started looking for it, I noticed that I did it more often than I thought I did so I became self-aware and self-conscious (but that is good because it will help me improve!). Yeah, normally DHCP just works with most ISPs but there could be some special configuration you have to do depending on your ISP.
@Apollopayne25 9 months ago
Thank you for your videos. I learnt a lot. I managed to isolate my network how I wanted. And allowed access to my unraid server for my laptop and phone only. So my son doesn’t have access to server.
@homenetworkguy 9 months ago
You’re welcome! I’m glad it helped you achieve your networking goals!
@Apollopayne25 9 months ago
@homenetworkguy Sorry for the questions. I’m having an issue with Plex since isolating my networks. Plex is reporting indirect play. I’ve setup an alias with my devices IPs that uses Plex and allowed it to communicate to my unraid server. But keeps coming up with indirect play?
@homenetworkguy 9 months ago
@Apollopayne25 Perhaps your external IP address is being used instead of your internal address? It could be using NAT reflection. I’ve seen some add plex.direct to the private domains for Unbound DNS under the Advanced settings but I’ve never had to do that. I make sure I add all my LAN network addresses to Plex and create the firewall rules to allow access to Plex. I use the local network hostname to access it.
@dorukgencel3997 7 months ago
Hi! Thank you so much for this guide! I'm following it right now as I set up my first OPNsense router. Not sure if OPNsense changed it after you released this video, but it seems like "LAGG" wasn't assigned automatically like you had initially at 40:51. I only had WAN and LAN here. So I assigned "LAGG" manually like you do for the other VLANs a couple seconds later in the video. The issue is, now I see "LAGG" on the left-side drop-down menu like you see the other interfaces. Here I am able to configure LAGG just like you configure each VLAN after 43:12. However, I'm not able to decide which options I should be choosing here. Especially the "IPv4 Configuration Type" and "IPv4 address". I tried "Static IPv4" and "192.168.0.2/24", but as you can imagine that broke stuff :) EDIT: Again, the same uncertainty starts at 01:07:00, since I'm not sure if I should be doing a static mapping in the [LAGG] interface as well
@homenetworkguy 6 months ago
I apologize for the long delay but your message showed up as in review and I don’t always check that option much (it’s filtered out of my normal comments). I glanced at the video on that spot and it’s possible you found some minor inconsistencies with me having to do long recording sessions and being exhausted in the process. Haha. You are correct that you should assign the LAGG the same way you create the other VLANs. I apologize for the confusion. Basically once an interface is assigned, whether it be a physical interface, a LAGG (which is a group of multiple physical interfaces), or VLANs (logical interfaces that are assigned to physical interfaces), you can treat them the same once you assign the interfaces. You can apply DHCP configuration as well as firewall rules for each interface.
@geeves21312 10 months ago
Thanks for so much awesome effort! If you did not set up a LAGG, would you select LAN as the parent interface? Does that create any issues later in firewall config?
@homenetworkguy 10 months ago
You're welcome! No you don't have to use the LAN as the parent interface. In my example, you would just use a single interface (igb2) instead of both igb2 and igb3. I am also using igb1 for the LAN and igb0 for WAN. Alternatively, you can use igb1 for both the LAN and VLANs (a router on a stick configuration) but I was showing setting up a dedicated LAN interface for management access to OPNsense and separating out the VLAN traffic on its own interface. You do not have to do it this way since there are several ways to configure your network.
@thomasgebetsberger4620 8 months ago
@homenetworkguy Thanks for the great help and this extensive tutorial! If I don't need a dedicated management port, would I add all three ports to the LAGG and later the VLANs? Thanks a lot!!
@homenetworkguy 8 months ago
@thomasgebetsberger4620 Yes, you can add all 3 ports to the LAGG if you desire. I recommend adding the 2 interfaces you're not currently plugged into to the LAGG first, then move your connection over to the LAGG and then add the 3rd interface, because otherwise you would end up dropping your current connection (it's also good to confirm the LAGG on the other 2 ports is functioning properly before adding the 3rd interface to the LAGG so you don't get locked out of your router/firewall).
@thomasgebetsberger4620 8 months ago
@homenetworkguy Thanks for the answer and help - I really appreciate it!! Keep up the good work!
@carstenthiel2860 11 months ago
Thanks!
@homenetworkguy 11 months ago
Thanks! I appreciate it!
@MrFunny290 8 months ago
Great video and guide. Only question is would you do anything differently for running OPNSense in Proxmox with 3 network ports on the PC, all with their own Linux bridge (1 for WAN, 1 for LAN, 1 for LAGG)? And also in your video or website, it never mentions assigning the LAGG ports an interface in OPNSense? Should this work when the physical ports for the LAGG are not a part of the interface assignment? Your help is much appreciated
@homenetworkguy 8 months ago
Yes, I wouldn’t use a LAGG if you only have 3 ports (unless you wanted to use 1 for WAN and 2 for the LAGG but then you won’t have a dedicated interface for a management network for OPNsense or other network infrastructure devices). LAGGs (link aggregation) are used for 2+ interfaces not for a single interface. The reason I didn’t assign the parent LAGG interface is that I wanted to only allow the VLAN traffic on the LAGG since I have a separate interface for untagged traffic for network management purposes. I thought I explained that part in the video but maybe I overlooked describing what I was doing. The LAGG portion of the video is optional if you have extra interfaces you wish to increase bandwidth across your VLANs (only useful if you have more than 1 device on your network saturating your network).
@hugobrito361 5 months ago
Great content!! I have a quick question: I'm researching my options to get a proper OpnSense machine (such as the one you showed in your first video), but still keep some of the hardware I already have. I currently have two Asus AX88U routers, connected via ethernet, and they work nicely together, broadcasting the same SSIDs, etc. These routers are OK, but they can be really lame when it comes to network segregation. I have installed Asus WRT Merlin on them and they are a bit better now, but still no VLANs I can manage manually (the only thing I found was to create a guest network, which is achieved precisely via VLAN, but there's very little I can tweak there). Do you know if I could keep using these routers, add an OpnSense machine between my main Asus router and my modem, and set up all my VLANs on the OpnSense machine? Would those routers pick up on the VLANs I'd set up on OpnSense, or is a managed switch really required? Any tips are greatly appreciated, and keep up with the great content! ;)
@homenetworkguy
@homenetworkguy 5 months ago
Thanks! I know a lot of people prefer to keep their old consumer grade routers and use them with OPNsense, which makes sense to try to save cost and reuse existing devices. You can set the routers in AP mode to use them purely as wireless access points. If you don’t have a managed switch, the best you can do is have the consumer routers in AP mode and place them on a single network. If your OPNsense has multiple network interfaces, you can create separate physical networks (not VLANs) and still have network isolation using unmanaged switches connected to each interface. You could put one consumer router in AP mode on each of those networks if you want 2 separate WiFi networks. This scenario is less than ideal because you need separate physical switches and APs for each network rather than having a single managed switch and a single AP which properly supports VLANs (of course you can use more than one AP for increased coverage, but you don’t need to dedicate one AP for each separate network). It’s surprisingly cheap to get started down the path of network segregation. A cheap basic managed switch can be had for $30-50 USD and a wireless AP that supports VLANs can be found for less than $100 USD if you don’t necessarily want the fastest AP. Otherwise it may be closer to $150. It’s definitely the way to go for the long term. Easier to manage and very rock solid.
@Glasairmell
@Glasairmell 5 months ago
Thank you for the great video. At 1:24:47 or so you talked about adding a private networks alias with pass-invert to the VLAN instead of the stock allow all rule. I can see why to use it on all other VLANs, just not clear why it has to be on the VLAN management network. In other words, why block the management network from all other networks. Thanks :)
@homenetworkguy
@homenetworkguy 5 months ago
Some people like their management network to have full control over the entire network (which you can totally do if you want to do that, nothing technically wrong with that!), but I prefer to still limit access somewhat (it’s possible for any network on your local network to get compromised so it’s still good practice to limit access; of course if your management network is compromised, that is pretty bad). However there are some things I give the management network full access to such as ICMPv4. I like to block ICMPv4 on some of my networks like the DMZ network but it’s nice to have it allowed on the management network because I can ping any device on the network to see if it’s accessible. I actually use floating rules to allow access to a few things across the entire network so I only need one rule instead of duplicating the rules on several interfaces for multiple networks. Examples include SSH access between clients and servers on different networks and allowing iperf3 on all my networks so that I can run speed tests anywhere on my network without needing to create a bunch of firewall rules. The great thing about defining firewall rules is that you get to decide how locked down or how open you want your network to be so it can meet your needs, which may be different than my needs. I try to provide various examples to show how you can write different types of rules.
@Glasairmell
@Glasairmell 5 months ago
So with your configurations here, I am guessing any VLAN I want a Pi-hole on, I will have to install a Pi-hole for that VLAN. Some VLANs I have no problem just sending off to Quad9. @@homenetworkguy
@homenetworkguy
@homenetworkguy 5 months ago
You can use 1 Pi-hole server for multiple VLANs. You would just need to create firewall rules to ensure devices on the different networks can reach the Pi-hole server.
@Glasairmell
@Glasairmell 5 months ago
The IP-link part of the guide was a deal maker for me thank you.
@danaug23
@danaug23 5 months ago
Great video, thank you! Do you happen to know how to get multi-WAN working with Unbound DNS?
@homenetworkguy
@homenetworkguy 5 months ago
Are you having trouble with DNS working for multi-WAN? Depending on how you set up your multi-WAN configuration you may need to make use of policy based routing via firewall rules. I haven’t experimented with multi-WAN configurations but it’s on my todo list.
@danaug23
@danaug23 5 months ago
@@homenetworkguy I followed this guy's video on how to set up multi-WAN failover (ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-CcXYiFj9mBA.html) and it worked great, but then I wanted to set up Unbound DNS and had to remove the DNS settings in System->Settings->General that were relying on detecting WAN failure. I'll keep a lookout for your video when you get a chance to check it out. Thanks for your response and help!
@FX2LTD
@FX2LTD 3 months ago
Hi! Thank you for the guide, it's very comprehensive and I hope it will help me learn more about OPNsense. I have installed a new firewall with OPNsense and I had to enable the all-in_allow traffic even after following your tutorial, otherwise nothing would work on my network (meaning that no device would be able to connect to the internet). At the moment it is not a big deal, but the real issue I am having is actually being able to access many devices on different ports from the outside. Apparently OPNsense is so good that no ports apart from DNS and SSH are open to the outside. I am finding it hard to open ports to the outside. Is there a video that shows how to do this, please?
@homenetworkguy
@homenetworkguy 3 months ago
Thanks! Glad you found it helpful. Not sure why you needed to enable that “all in allow” rule. Hard to know for sure without seeing the details of the rules. As for the opening ports, you are having trouble with NAT port forward rules? Keep in mind that some ISPs block certain ports so you would have to use tunnels/proxies to get around that. Same goes if you’re behind CGNAT.
@Amwfilms
@Amwfilms 1 year ago
Hey, love your articles, just now seeing that you have a YouTube channel. I am building my home lab and already have a server with multiple Docker containers. Now I want to get a dedicated router. I see you're using OPNsense; is there a specific reason (features, performance, etc.) you are using this over pfSense besides personal preference?
@homenetworkguy
@homenetworkguy 1 year ago
I had to make a choice when I started using OPNsense several years ago. User interface was one reason but I liked the community I found with OPNsense. There are a few features I like as well that are unique to OPNsense (some offered by 3rd party plugins). I started documenting my experience with it since there was much less good documentation several years ago. I think the situation has improved a bit over the last couple of years as I am seeing more being produced by others.
@Amwfilms
@Amwfilms 1 year ago
Thank you so much, my favorite article and big reason to get a router/firewall: “How to create a basic DMZ”. Love the concept of separating networks and having a dedicated NIC/network for hosting services to the web.
@homenetworkguy
@homenetworkguy 1 year ago
You’re welcome! Glad you found it helpful!
@hawsroy
@hawsroy 4 months ago
This series is awesome and has helped me so much to get my first custom router set up with OPNsense. I have been struggling with a couple things though: 1. In terms of firewall rules allowing communication between VLANs, do you need a rule on both VLANs? I.e. do you need an allow rule on the receiving VLAN as well as on the sending? I hope that makes sense. 2. Is it possible to move the OPNsense box itself to a management VLAN? I am trying to take on the task of putting all my network equipment on its own VLAN, and I've run into some issues. Box and switch are still working, but I tried to change the IP of the switch and the box itself and locked myself out of their web GUIs. Not a huge issue, I will reinstall at the next opportunity. I guess the question also is: with a separate management VLAN, would you ideally want no devices on the LAN at all then and also no untagged ports on the LAN? Again, thank you for these videos! These are incredibly informative.
@homenetworkguy
@homenetworkguy 4 months ago
Glad you found the series helpful! 1. No. The rules from the originating interface are adequate for allowing access to devices on other interfaces/networks. 2. You don’t have to “move” the OPNsense box to the management VLAN since it has visibility/access into all attached network interfaces (for lack of a better explanation). Simply create the management VLAN on whatever interface you want (just make sure you configure the switch for that same management VLAN). The trick is to make sure you’re connected to an interface you’re not currently changing so you don’t get locked out. So stay connected to the default LAN interface, set up the management VLAN on OPNsense and your network switch. Then try plugging a device into that network to verify you can access OPNsense. Then you can get rid of the LAN interface. Always make sure you have access on the new interface before you modify or remove the interface you’re currently connected to. One thing you need to make sure is that the web UI is listening on your management VLAN (if you follow my instructions, I only allow the web UI to listen on the management interface which is the LAN network, but you can use the management network instead). I prefer to use the untagged LAN as the management network because everything defaults to it so it’s the path of least resistance. I just make sure I assign all of my unused ports to my GUEST VLAN and I don’t have to worry about anyone plugging into my management network (it’s rare that anyone outside of my home plugs into a wall jack since most use WiFi and I don’t use WiFi on my management network). I hope this helps!
@hawsroy
@hawsroy 4 months ago
@@homenetworkguy Awesome, thank you for the reply! So in this case by staying connected to the interface you mean the physical LAN port on the OPNsense box? I am trying to also set up a LAGG and I've gotten it to work. So theoretically, if I put the management VLAN on the LAGG, and then I delete the LAN interface, would I be able to remove the LAN cable between my OPNsense box and the switch? Just trying to understand this conceptually.
@homenetworkguy
@homenetworkguy 4 months ago
@@hawsroy Yes, if you are plugged into the LAN interface and you change the interface configuration, you are likely going to kill your access to the box. That is why you need to verify that your management VLAN works by plugging into that VLAN and checking if you can access OPNsense before you get rid of the LAN interface (or simply don't plug anything into it). You could leave the LAN interface with nothing plugged in as a fallback in case you change your VLAN configuration and mess something up. Doesn't hurt to have guaranteed access to the OPNsense web UI.
@hawsroy
@hawsroy 4 months ago
@@homenetworkguy Gotcha, okay that makes sense. Thank you. I think I would elect to keep the LAN interface along with its connection to the OPNsense box for that very reason. I am still a tad confused about the IP in that case however. Maybe this is a silly question, but would I ever be able to put the IP of the OPNsense box on the management VLAN's subnet? The thing with changing the IPs that is confusing me is that it seems once you change the IP, you can't go back without resetting. With the VLAN setup and communication, at least you can swap ports, etc. But once you change the IP and have the wrong setup with VLANs, it's done-zo, as I found out the hard way... I foresee it going like this in my case, please correct me if I am making any major mistakes: install OPNsense, set up defaults > add VLANs including management VLAN to the LAGG > make firewall rule allowing home to management VLAN access (since I don't need absolute security and want to be able to access from the home network. I don't have a dedicated interface for the management VLAN, I just like the challenge of setting it up :D ) > configure switch with appropriate VLANs, including management VLAN > change IP of OPNsense box to management VLAN subnet > connect physically to a port with the untagged management VLAN (or use something on the home network in my case) and see if I can access the new OPNsense box. Then would come the issue of the switch, at what point would I want to change its IP? I guess I am confused on how to configure the switch with a VLAN. It is a TP-Link TP-SG2016P. I am thinking it sounds like I would want to make sure I have everything else set up properly, and then change the switch IP.
@homenetworkguy
@homenetworkguy 4 months ago
@@hawsroy You don't "put the OPNsense box" in the management VLAN. Instead, you create the management VLAN and make sure you have the web interface listening on the management VLAN interface (and uncheck the other interfaces except for LAN and the management VLAN. The LAN will be your backup management interface unless you don't want it, but you have to make 100% sure you can access it from your management VLAN). Your management VLAN is just like any other VLAN. It has its own set of IP addresses. If you plug a system into that management VLAN and you can access it from the PC, you have it set up properly on your switch and OPNsense. Then you can create a firewall rule for the HOME network to access the OPNsense web UI. Plug your PC into the HOME network and verify you can connect to the web interface. Do all the things before you do anything with the LAN interface. Configure everything from the LAN interface until you have everything working properly and you won't lose access. If you want your network switch to be in the management VLAN, create a new interface on the switch for the management VLAN. You can create multiple interfaces similar to OPNsense where you can access the switch.
@Rudizel
@Rudizel 2 months ago
Question, I have a two-port-only box that I set up between my router and my modem as a packet filter only. I assigned 192.168.0.2 to the LAN port as a static IP that plugs into my router's WAN port. Everything is working, the internet is going through, but I can no longer get to the OPNsense box on that assigned IP. If I unplug the box from the WAN port on my router and just plug it into a regular port on the router I can access the OPNsense box. What am I missing here? Do I need to use a different IP scheme?
@homenetworkguy
@homenetworkguy 2 months ago
Sorry for the delay. Your comment got held for review (probably since you included an IP address). I'm not quite sure where the issue would be, especially since I have not used OPNsense as a transparent filtering bridge because I typically use it as a router/firewall for my network. I happened to see this show up in my RU-vid feed so it might be useful for you: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-dTUvlFfThPw.html
@TheWarrenByers
@TheWarrenByers 1 month ago
Can you show us a video of how to set up the Grandstream switch? I'm trying to follow the guide you have but I'm missing something somewhere.
@homenetworkguy
@homenetworkguy 1 month ago
Sure thing! I actually recorded a video a while ago but I keep bumping it for other videos. Haha. I also need to make sure I got all the steps done properly in the video I recorded since I was less familiar with the Grandstream switch when I first bought it.
@TheWarrenByers
@TheWarrenByers 1 month ago
@@homenetworkguy thank you so much!
@robertgrabowski2265
@robertgrabowski2265 3 months ago
Hi, I would be interested in how to use an extra disk (e.g. SSD) with OPNsense. For example, format the disk and get it into the existing file system. Another thing is if you could go through interesting plugins for OPNsense such as Zenarmor, and also VPN server setup would be useful. Otherwise, thanks for the great video. //Robert
@homenetworkguy
@homenetworkguy 3 months ago
What do you plan to use the extra SSD for? Just curious. I could do some videos on the plugins/VPNs. I still have a lot of content I want to produce but there is limited time, unfortunately. haha. Thanks!
@marvinwade8172
@marvinwade8172 10 months ago
What are the make/model of those mini PCs on the top of the wire shelf?
@homenetworkguy
@homenetworkguy 10 months ago
The Gowin R86S-P2 and R86S-B3. The updated model is the T-series model (and the U-series if you want 10G SFP+ interfaces). www.aliexpress.us/item/3256805527003342.html?spm=a2g0o.productlist.main.1.468auSKluSKlFc&algo_pvid=b1d253a9-0b5c-4cb1-8744-8b47efed5c32&algo_exp_id=b1d253a9-0b5c-4cb1-8744-8b47efed5c32-0&pdp_npi=4%40dis%21USD%21316.02%21316.02%21%21%212285.00%21%21%40210318c216920471175831112e0620%2112000034092503094%21sea%21US%212678938111%21A&curPageLogUid=LL5ghG9PoQ2h
@TangDynasty1983
@TangDynasty1983 8 months ago
At 1:20:29, so the firewall alias of RFC1918 (private networks) does include the gateway of each VLAN? Is that why you have to create another rule to allow DNS? If so, that's a bit different than the UniFi firewall which uses "LAN LOCAL". If I want all VLANs to use OPNsense's NTP service, do I have to create a similar rule under each interface like the DNS? Thanks a lot!
@homenetworkguy
@homenetworkguy 8 months ago
Yeah, because the gateway for each interface is a private IP address. I’m not familiar with UniFi’s firewall but I’m assuming it excludes the interface IP in the “LAN LOCAL”. For NTP, you can just do the same thing as DNS. For my network, I combine the DNS/NTP into a single rule by using an alias which has both ports 53 and 123.
@TangDynasty1983
@TangDynasty1983 8 months ago
@@homenetworkguy What if I specify two DNS addresses for this VLAN to use under the "Service - DHCP v4" section? Do I still need to have this allow DNS/NTP rule? Since this VLAN's clients should be able to access their own gateway, will they be able to reach the DNS server I specify?
@homenetworkguy
@homenetworkguy 8 months ago
If the DNS servers are on another internal network and you have a rule to block all private IPs, you would need a firewall rule to allow access to the DNS servers. If they are external to your network, you shouldn’t need any. It really depends where your DNS servers are located and how you have configured your firewall rules. That’s why it’s hard for me to say exactly what you need to do.
@michaelbouckley4455
@michaelbouckley4455 7 months ago
I had problems with IPv6 on the LAGG and VLANs. Prefix 60 would not work. I had tried that with the WAN interface, which is 64, but it was never accepted. Trying to configure LAGG and VLAN on prefix 60 was accepted, only with DHCP; before that I could not alter the 1-f first number. Then I got locked out of the web interface, and had to SSH in and restore a backup. Might try with just IPv4.
@homenetworkguy
@homenetworkguy 7 months ago
Yeah it depends on the ISP what prefix delegations they support (if at all). I just recently released a more simplified network build guide if you want to start with that and then build more off of that.
@n.aminr.7175
@n.aminr.7175 5 months ago
Does this setup include secure configuration for a web server as well?
@homenetworkguy
@homenetworkguy 5 months ago
I don’t go into those details in this video since it is focused on getting the network up and running with OPNsense. All incoming connections are blocked by default. I recommend being cautious if self-hosting a web server to ensure it’s well protected and isolated from the rest of your network to minimize issues if you get compromised. For example, you could put Cloudflare in front of the web service and restrict your OPNsense firewall rules to only allow Cloudflare IP addresses.
@OT-tn7ci
@OT-tn7ci 11 days ago
Firstly, man, I seriously appreciate your work, genuinely, thank you. Is a LAGG between my switch and firewall, or between firewall and router? I didn't watch the first video of the hardware part, maybe you explain it there, I'm not sure. But I have a 500M connection right now, so I don't see how a LAGG between my WAN and firewall would benefit me, but I have multiple internal networks, VLANs, so since the firewall is the gateway, when I transfer files between networks, say my accounting department accessing files from my storage server, that traffic will go up from the switch to the firewall for the routing, right? Sorry, I don't understand networking superbly so just asking.
@homenetworkguy
@homenetworkguy 11 days ago
You’re welcome! As for a LAGG, you can use them in multiple places: between router/firewall and switch(es), between 2 switches, and between a switch and a server which has multiple network interfaces.
@OT-tn7ci
@OT-tn7ci 11 days ago
@homenetworkguy Gotcha, I was wondering between what devices you were configuring the LAGG in this video. It's pretty long but I'll just rewatch it anyway since it's full of information and I probably missed a few things. Do you do videos on homelab hardware? Like setting it up and stuff, I'm trying to figure out how to ground my rack properly.
@homenetworkguy
@homenetworkguy 11 days ago
In the video the LAGG is between the OPNsense router/firewall and the network switch. I do some homelab type videos but haven’t covered grounding the rack. I haven’t done that on my rack but I debated how I would go about it. My server closet is on the corner of my walkout basement so I could put a grounding rod outside without a ton of work (I think) but I’m not sure if that’s the best way because the outlets have their own grounds so if there was any potential electrical differences between the 2 grounds then that might be bad too. I’m not an expert on that topic. I thought maybe I could just ground it to an unused outlet that’s on the same circuit as my rack if that is possible and safe.
@MrDenisJoshua
@MrDenisJoshua 7 months ago
I have a basic stupid question please... If I have in my home 2 PCs that are connected to a switch, and to the switch I have connected a router, when I move a big file from PC1 to PC2, will the traffic pass through the router or only through the switch? Thanks a lot for the video.
@homenetworkguy
@homenetworkguy 7 months ago
If both PCs are on the same network/VLAN, the traffic stays local to the network and does not need to pass through the firewall.
@MrDenisJoshua
@MrDenisJoshua 7 months ago
@@homenetworkguy Great :-) So in conclusion, if I have a 10GB interface on PC1, PC2 and the switch... but I have a 1GB interface on the router (firewall), the traffic between PC1 and PC2 will be at 10GB, right? Thanks a lot again.
@homenetworkguy
@homenetworkguy 7 months ago
@@MrDenisJoshua Absolutely, if they are on the same network on the same switch. If you are on the same network but on 2 different switches, then you could be bottlenecked based on the speed of the interface between the 2 switches (if they are connected at 1 Gbps, then you will be limited to that speed). Those are some gotchas to consider when data is moving across networks through your router/firewall and also between other switches.
@MrDenisJoshua
@MrDenisJoshua 7 months ago
@@homenetworkguy I will be on the same switch :-) I am just thinking to buy a switch that also has 10GB interfaces and connect the PC to my NAS using this interface. But the router is a Mini PC with 6 X 2,5GB eth interfaces... so for this reason I ask before I buy :-) Thanks a lot for the information.
@n.aminr.7175
@n.aminr.7175 5 months ago
By default, I couldn't get Chrome to browse on secure HTTPS. No problem with Firefox. Why do you think?
@homenetworkguy
@homenetworkguy 5 months ago
That’s odd because OPNsense shouldn’t really interfere with that by default unless you had firewall rules blocking HTTPS. Keep in mind that Realtek network interfaces can potentially cause issues due to poor driver support. OPNsense does offer Realtek drivers which would help reduce issues that may occur.
@MPHxthexLegend
@MPHxthexLegend 7 months ago
How can I use the FW rules in the same subnet? Because intern-LAN is used on OSI L2 which is switching and not L3 for routing? I want to block communication between 2 devices on the same subnet for a specific port, like ICMP.
@homenetworkguy
@homenetworkguy 7 months ago
Devices on the same network won’t be routed through the OPNsense firewall, only traffic going across networks. If you want to block traffic within a network, you need to have a firewall installed on individual systems (a local firewall). For Linux that could be iptables (or my favorite, ufw, which makes it easy to use iptables).
@MPHxthexLegend
@MPHxthexLegend 7 months ago
Can I use something like port isolation to block traffic between two local devices? How do large scale businesses handle this situation where clients aren't visible to each other? This is something I haven't thought about until now.
@homenetworkguy
@homenetworkguy 7 months ago
@@MPHxthexLegend Yes, you can use port isolation on the network switch to block access within a network. Sorry I forgot to mention that possibility!
@davitdon2963
@davitdon2963 2 months ago
Hello. I created an OPNsense firewall on a Hyper-V virtual machine. I added a virtual LAN switch and a virtual WAN switch (internal LAN switch / external WAN switch). I don't plan on using LAGGs for my internal virtual network. Do I just use the virtual LAN switch to create VLANs for my network? (P.S. I already followed the tutorial, but I'm confused about how Services: ISC DHCPv4: [LAN] is giving me dynamic IP addresses for LAN while my USERS have static IP addresses for USERS.)
@homenetworkguy
@homenetworkguy 2 months ago
In OPNsense, you can create VLANs on the LAN interface (VLANs need a physical interface to attach to; in the case of virtualization, the virtualized interface is acting like a “physical” interface). Then you set up your network switch/APs with the appropriate VLANs that are attached to the LAN interface of OPNsense.
@infinit3i
@infinit3i 6 months ago
At 41:50, why did the LAGG interface go away? On mine it did not do that, just a little confused if it matters in the grand scheme of everything.
@homenetworkguy
@homenetworkguy 6 months ago
Someone else mentioned something about the LAGG interfaces before and I quickly glanced at it. I may have messed up the screen capture portion when I was recording (I may have forgotten to do the LAGG step and then went back and did it later). Unfortunately that makes for a few inconsistencies with the LAGG assignment. It was a long recording session and I was pretty exhausted (I was trying to film it during a 2 day window when my wife was out of town and I had more time to dedicate to recording longer sessions). Even though there are a few inconsistencies with the screen capture, I believe all of the steps are correct so it shouldn’t matter in the grand scheme of setting up OPNsense. Eventually I may produce a new version of this guide since I’ve improved my workflow a bit and am slowly working to improve the overall quality of my videos as time goes on.
@infinit3i
@infinit3i 6 months ago
Awesome, thank you. I've set up my network with this guide
@MrKalindro
@MrKalindro 10 months ago
I have trouble with one thing. I'm using a UniFi switch, fresh out of the box. When I set up the LAGG as in the video, with only VLANs, if I connect my switch to igb2 or igb3, it won't even get an IP as it won't be a part of any of the existing VLANs, blocked by the firewall. Am I missing something? Should the LAGG also be set up as untagged and then VLAN-to-port set up on the switch?
@homenetworkguy
@homenetworkguy 10 months ago
I show it in the 3rd video but you will need to connect one of your untagged ports on your switch to igc1 (the one I configured as the untagged LAN interface). This will allow you to have access to the OPNsense interface as well as your UniFi controller for management (assuming the management interface is set to untagged). In total you will have 3 Ethernet cables connected from your switch to your OPNsense box. Devices that are on any of the VLANs should be able to get the proper IPs once everything is configured. If I had switches from several different manufacturers, I could demonstrate how to configure each one because they all do things a bit differently (or sometimes use slightly different terminology).
@MrKalindro
@MrKalindro 10 months ago
@@homenetworkguy Oh right, my setup is a bit different so I missed that LAN is also connected to the switch, so the switch will be a part of the LAN network. Is that okay?
@homenetworkguy
@homenetworkguy 10 months ago
Yes, that is perfectly ok. It lets you manage the switch itself and any other systems/network infrastructure that you want on the management network (if you are using the LAN for your management network).
@MrKalindro
@MrKalindro 10 months ago
@@homenetworkguy I do use it for management, thank you, that clarified a lot!
@MrKalindro
@MrKalindro 10 months ago
@@homenetworkguy If, with a setup like yours, someone wanted to move management to a separate VLAN, would it be as simple as allowing management by LAN and this VLAN, changing the igc1 port to this VLAN instead of LAN and then disabling LAN for management? Is there any hole in this thinking or concerns? I have a feeling this doesn't achieve much as the default network will be this management VLAN so nothing changes, not sure though.
@Dutta1605
@Dutta1605 8 months ago
This is really good. Could you please teach some theory when you came to the configuring interfaces part starting from 42:00? I really did not understand why you are setting up IPv4 as 192.168.10.1 and 192.168.20.1 for different interfaces. Could you please put some highlight on that? I was under the understanding that we can only subnet our network from 192.168.1.1 based on application and optimally use the host IP allocation since we are at a Class C network, but after seeing that you are changing the 3rd set (subnet) of IPv4 to 10/20 it feels that I don't need to worry about optimum allocation of hosts. Please correct me if I am wrong because I thought we can control the 3rd set (subnet) of the network.
@homenetworkguy
@homenetworkguy 8 months ago
The addresses are completely arbitrary (you can use any private IP address range you like). I like making the 3rd octet match the VLAN ID but that’s not necessary. Basically each VLAN interface will be its own subnet (you can determine the size if you need more than a /24 network which allows 254 usable IPs).
@Dutta1605
@Dutta1605 8 months ago
@@homenetworkguy Thank you tons. Your complete guide has helped me develop an understanding of networking in application. Mega like to your efforts. I am probably watching this video for the 3rd time and might need to watch it many times in future.
@Dutta1605
@Dutta1605 8 months ago
@@homenetworkguy Could you also be kind enough to give an overview/purpose/explanation of what you are trying to do at the last segment of the video with defining new rules? To be precise, what is the significance of when you said "we need at least two rules to isolate a network" and the 2nd rule added where source is __LAN/User/DMZ/IPCAM_net and destination __LAN/User/DMZ/IPCAM_address. Could you please help in understanding what _net and _address are, since it was not clear in the first place in VLAN creation.
@homenetworkguy
@homenetworkguy 8 months ago
@@Dutta1605 One of the biggest reasons for using VLANs is to separate your devices so you can better secure your devices (for instance, putting all of your most vulnerable devices in the IoT network helps to protect other parts of your network). In order to make this happen, you need to set up the proper firewall rules to isolate each of your networks from each other. This does not happen out of the box; you have to define the access you want to allow or block. I created a dedicated video on how to isolate networks in OPNsense if you want to watch it since I go into more detail than in this overview video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-TjXkWSjYqlM.html
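The "at least two rules" pattern discussed in this thread (an allow rule for DNS/NTP to the interface's own address, followed by a pass rule whose destination is the inverted private-networks alias) can be seen at work in a small first-match rule evaluator. This is an added example and not code from the video, the written guide or OPNsense itself: it models only destination, port and rule order (source and protocol matching are left out), and the USER VLAN addresses, the client address and the TEST-NET-3 internet address are constructed for the demonstration.

```python
"""Constructed model of OPNsense-style interface rules (first match wins).
Example code, not OPNsense or pf source; addresses below are made up."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# RFC 1918 ranges: what the "private networks" alias in the video covers.
PRIVATE_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed USER VLAN: 192.168.20.0/24 is "USER net", the OPNsense
# interface address 192.168.20.1 is "USER address".
USER_NET = ip_network("192.168.20.0/24")
USER_ADDRESS = ip_network("192.168.20.1/32")


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    dst_nets: List[IPv4Network]      # destination alias contents
    invert_dst: bool = False         # the "invert" option on the destination
    dports: Tuple[int, ...] = ()     # empty tuple matches any port
    description: str = ""

    def matches(self, p: Packet) -> bool:
        in_dst = any(p.dst in net for net in self.dst_nets)
        if self.invert_dst:
            in_dst = not in_dst
        if not in_dst:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Interface rules are evaluated top-down and the first match decides;
    a packet matching nothing hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.description
    return "block", "default deny"


def decide(rules: List[Rule], src: str, dst: str, proto: str,
           dport: Optional[int] = None) -> str:
    """String-argument wrapper around evaluate(); returns 'pass' or 'block'."""
    return evaluate(rules, Packet(ip_address(src), ip_address(dst), proto, dport))[0]


# The two rules of the isolation pattern, in evaluation order.
USER_RULES = [
    # 1. Allow DNS (53) and NTP (123) to the firewall's own address on this
    #    interface. Needed because 192.168.20.1 is inside 192.168.0.0/16, so
    #    rule 2 alone would never pass it.
    Rule("pass", [USER_ADDRESS], dports=(53, 123),
         description="allow DNS/NTP to USER address"),
    # 2. Pass anything whose destination is NOT a private network, i.e. the
    #    internet. Every other internal network falls through to default deny.
    Rule("pass", PRIVATE_NETWORKS, invert_dst=True,
         description="allow internet (destination not in private networks)"),
]

# Same ruleset without rule 1, to show why both rules are needed.
USER_RULES_WITHOUT_DNS = USER_RULES[1:]

if __name__ == "__main__":
    client = "192.168.20.50"                      # constructed USER VLAN client
    cases = [
        ("DNS to gateway", client, "192.168.20.1", "udp", 53),
        ("HTTPS to internet", client, "203.0.113.10", "tcp", 443),  # TEST-NET-3
        ("SSH into LAN host", client, "192.168.10.5", "tcp", 22),
        ("ping gateway", client, "192.168.20.1", "icmp", None),
    ]
    for name, *args in cases:
        print(f"{name:20s} both rules: {decide(USER_RULES, *args):5s} "
              f"rule 2 only: {decide(USER_RULES_WITHOUT_DNS, *args)}")
```

Running it shows the point made in the thread: with only the inverted private-networks rule, clients reach the internet but cannot resolve names against OPNsense, because the gateway address is itself private; the ping case also shows that the same pattern blocks ICMP to the gateway unless a rule explicitly allows it, which is why the management network in the video gets its own ICMPv4 rule.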
@robertgrabowski2265
@robertgrabowski2265 4 months ago
Hi! Good demonstration and nice work! I'm wondering if all VLANs in the LAGG (LAGG0) are automatically tagged. Is LAN (VLAN 1) always untagged? Can the LAN VLAN be a member of the LAGG if it's bridged (and tagged with ID 1)? The reason I'm asking is that when I connect the LAGG to a bonding interface on my MikroTik switch, all VLANs are working as untagged (with the correct PVID on the MikroTik). //Robert
@homenetworkguy
@homenetworkguy 4 months ago
Thanks! The terminology for VLANs can be confusing. All VLAN traffic is technically “tagged” with the VLAN ID, but when you configure network switches there is the concept of having “tagged” and “untagged” members. “Tagged” members are used on ports on a switch for devices which are VLAN-aware, such as connecting to another switch, router, wireless access point, and virtualization servers. “Untagged” members are for devices that are connected to the switch that do not need to know of the concept of VLANs and you simply want the devices to belong to a given VLAN. The switch automatically tags the traffic of the “untagged” members with the appropriate VLAN ID and will also remove tags on the receiving end. I hope this helps to clarify the terminology. In OPNsense, think of each physical interface as having “untagged” traffic since they are not VLANs. They are simply LANs (real, not virtual networks). VLANs operate on top of physical interfaces and all of the VLAN traffic is “tagged” with the appropriate VLAN IDs by the switch.
@robertgrabowski2265
@robertgrabowski2265 4 months ago
@@homenetworkguy So, my understanding is that when you define VLANs (in your video, section 38-40 min) with VLAN tags e.g. 10, 20, 30 with parent lagg0, all VLANs on lagg0 are tagged (?). And when OPNsense lagg0 is physically connected to a switch (with the corresponding bonding0), all corresponding VLANs (10, 20, 30) on the switch should be defined as tagged on the switch's bonding0 interface, is that correct? //Robert
@homenetworkguy
@homenetworkguy 4 months ago
Yes, on the switch configuration, for the “tagged” members, include the ports that are connected to the OPNsense box, other network switches, wireless APs (if they support VLANs), and virtualization servers (if you’re wanting to use VLANs). Everything else that you want to put on the various VLANs (PCs, printers, media/game devices, etc) you include as “untagged” members.
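An added model (not the video's or either commenter's code) of the tagged/untagged behaviour described in the two replies above: a PC port that is an untagged member of VLAN 20 has its frames tagged with that PVID on ingress and sees them untagged on egress, while the port facing the OPNsense LAGG carries VLANs 10/20/30 tagged. The MAC addresses, the VLAN numbers and the uplink's PVID of 1 are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def build_frame(dst, src, ethertype, payload, vlan_id=None):
    """Build an Ethernet frame; with vlan_id set, insert an 802.1Q tag (PCP/DEI 0)."""
    hdr = _mac(dst) + _mac(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def strip_tag(frame):
    """Return (vlan_id or None, frame without its 802.1Q tag)."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

class SwitchPort:
    """Membership of one switch port: one PVID (untagged) plus tagged VLANs."""
    def __init__(self, name, pvid, tagged=()):
        self.name, self.pvid, self.tagged = name, pvid, set(tagged)

    def ingress(self, frame):
        """Untagged frames get the PVID; tagged frames must be in the tagged set."""
        vid, raw = strip_tag(frame)
        if vid is None:
            return self.pvid, raw
        return (vid, raw) if vid in self.tagged else (None, raw)

    def egress(self, vid, raw):
        """Re-tag for tagged members, send plain for the PVID, else drop."""
        if vid in self.tagged:
            return raw[:12] + struct.pack("!HH", TPID_8021Q, vid) + raw[12:]
        if vid == self.pvid:
            return raw
        return None

def forward(in_port, out_port, frame):
    """Forward one frame across the switch; None means it was dropped."""
    vid, raw = in_port.ingress(frame)
    return None if vid is None else out_port.egress(vid, raw)

# Constructed topology: a PC port untagged in VLAN 20 (USER) and the uplink
# towards the OPNsense LAGG with VLANs 10/20/30 tagged (PVID 1 assumed).
PC_PORT = SwitchPort("pc", pvid=20)
UPLINK = SwitchPort("opnsense-lagg", pvid=1, tagged={10, 20, 30})
```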
@robertgrabowski2265
@robertgrabowski2265 4 months ago
@@homenetworkguy Thank you, that solved my issue accessing the external switch IP on another VLAN. Btw, what about backup and restore to another OPNsense device? Can I "clone" a working config to another OPNsense device? Like backup config on router1 and restore on router2 (same brand and device), due to different MAC addresses?
@homenetworkguy
@homenetworkguy 4 months ago
Nice! If you back up your config and restore it on an identical system, you can migrate pretty quickly and easily. The main thing you might have to do after restoring the backup is download all the same plugins on the new system (it will let you know if the plugins are missing). The configuration will already be in place so once you download the plugins, they should work properly.
@lordn0ntr0x50
@lordn0ntr0x50 1 year ago
I currently have the problem that I need a better WiFi solution. I am in a 3-story-tall house made out of steel concrete, so I need one access point per story. I need a kind of mesh system, I think, so that my phone won't stick with the AP from the basement if the reception is better from the AP in the living room. Any recommendations?
@homenetworkguy
@homenetworkguy 1 year ago
I also have 3 floors and use 2 APs for the main part of the house but also a 3rd AP for a concrete block wall storage room which has a corrugated ceiling (since it’s below my garage). I can definitely understand the WiFi signal not penetrating the walls with those building materials. A mesh system may work ok if they can penetrate the walls (since they need to communicate with each other) but I use UniFi wireless access points which are all wired to my network via Power over Ethernet. I can roam pretty seamlessly between them. Since all of the APs are wired to the network, they have a better network connection than a mesh system would have since most wireless mesh solutions use a wireless backhaul rather than a wired backhaul.
@lordn0ntr0x50
@lordn0ntr0x50 1 year ago
@@homenetworkguy I think I used the wrong word. I am currently using a FritzBox + FritzRepeaters but they are wired and are configured as APs; the FritzBox (router) steers the clients. I need access points that communicate with each other and do the same. Thanks for the awesome content btw.
@homenetworkguy
@homenetworkguy 1 year ago
You’re welcome! If you use APs such as UniFi (the non-mesh units), they don’t need to communicate together for you to seamlessly roam between them. I don’t have mine “meshed” together and I can walk into my storage room for example and it just switches over immediately. I’ve even tested streaming live security camera feeds while roaming without dropping the video (on rare occasions there might be a split second freeze). I think it works quite well. That was what I was mentioning before: mesh may not work as well as individual APs that allow you to roam, because communication has to occur between the mesh units, so you have to make sure it can penetrate the walls for that wireless communication. The bad part about wired APs is you have to run cables if you don’t already have some in place.
@lordn0ntr0x50
@lordn0ntr0x50 1 year ago
@@homenetworkguy Okay, that is good to know. I thought about going UniFi for a long time; I might need to buy some already and try them out.
@homenetworkguy
@homenetworkguy 1 year ago
There are other brands that would work as well but most of my experience so far is with UniFi. I may try some other brands in the future since there are cheaper alternatives and the hardware is easier to obtain. Sometimes it’s hard to find UniFi hardware in stock.
@JasonsLabVideos
@JasonsLabVideos 1 year ago
Me First!!
@homenetworkguy
@homenetworkguy 1 year ago
Yep! Haha
@ryanc2258
@ryanc2258 1 year ago
Still stuck on this unfortunately though, because the internet only works for me on the default network and I can't get any of the VLANs to pick up internet when I switch over to the ports set up for the user VLAN etc. And my WiFi network ends up on some 169. IP address, no idea why. Looking forward to parts 3 and 4 to hopefully complete things, thanks.
@homenetworkguy
@homenetworkguy 1 year ago
Yeah, the VLAN configuration will be dependent on the switch you’re using but in general the concepts are pretty similar. Sometimes they are represented a bit differently in name and function in the user interface. I’m familiar with TP-Link but I was given a Cisco small business switch so I had to spend a little bit of time figuring out how to configure it properly. I think I understand the interface config (but haven’t had the chance to test it yet).
@ryanc2258
@ryanc2258 1 year ago
@@homenetworkguy Thanks, it's been 2 weeks without internet, I'm not sure. I've been using a TP-Link router; the interface is slightly different though (SG116E). Been through everything on OPNsense and the switch 3 times now :p
@homenetworkguy
@homenetworkguy 1 year ago
@@ryanc2258 If you’re running OPNsense connected to another router, that changes the scenario a bit. I assume the modem (or a modem/router in bridge mode) is plugged directly into OPNsense so it can be used as the primary router. There are other issues to consider when running a router behind another router. Also, I recommend perhaps adding one feature at a time and building up to your final desired network configuration. I started with a single, flat network. Then added a VLAN and some firewall rules. Then I added more VLANs. Started messing with DNS configuration. Then added VPNs and IDS/IPS. Slow progression. Made it easier for me to learn each feature separately. This video throws everything out at one time which might be overwhelming if you’re new to implementing such configuration. I plan to dive into specific topics in the future like I do on my website.
@user-hg8lc1qr5l
@user-hg8lc1qr5l 8 months ago
Meh, how do you know which port is which? Like eth0 on the device = igb0 or igb3. The MAC isn't printed anywhere to mark the port physically. Maybe a silly question...
@homenetworkguy
@homenetworkguy 7 months ago
Most of the time, the interfaces go in order but sometimes they could be mixed up (as was the case with my old Qotom box). There is the option of doing the automatic interface assignments based on what you have plugged in. You start off with no Ethernet cables plugged in and then, when doing the automatic assignments, you plug one cable in at a time and OPNsense can recognize which interface is now plugged in. Alternatively, on some boxes the ports are labeled so you can just look at those. Some manufacturers such as Protectli will actually state which interfaces are assigned by default in OPNsense (if you get the free sticker labels when you order from them). The VP series models of Protectli for instance are labeled 1-4 so it’s easy to know which interface is which (interface one is igc0 or igb0 for instance). So you would have igc0-igc3.
@InsaiyanTech
@InsaiyanTech 2 months ago
Could I copy this route if I went with a virtualized setup on Proxmox?
@homenetworkguy
@homenetworkguy 2 months ago
You should be able to. You would just have some additional steps of setting up your virtualization server. I plan to do that in my next video using Proxmox. I won’t show the full network process but will mention that once it’s set up you could proceed with any other guides I have done just like it was bare metal.
@InsaiyanTech
@InsaiyanTech 2 months ago
@@homenetworkguy Dang, so there’s a few things I do have to do differently. I get my wireless AP, no joke, in 15 mins 😂 Honestly it would be appreciated if you showed it, tbh, because honestly I do feel like most people in the homelab community will virtualize it more than a bare unit imo; also it’s easier to make a high availability setup that way imo and it consolidates gear way easier.
@InsaiyanTech
@InsaiyanTech 2 months ago
@@homenetworkguy Bet, I'ma just wait till that video to make my setup then, just to be safe, because I don't want to lock myself out of the internet somehow lmfao
@InsaiyanTech
@InsaiyanTech 2 months ago
@@homenetworkguy Hey, just one more question: can I plug my virtualized OPNsense into my ONT directly and just get rid of my ISP router, or do I always need a router between? Like ONT - dummy router - virtualized OPNsense, or can I just do ONT - virtualized OPNsense as my router/firewall and later do an HA setup with it?
@homenetworkguy
@homenetworkguy 2 months ago
@@InsaiyanTech You should be able to. Some ISPs require you to use a VLAN on the WAN interface but that is possible to configure in OPNsense. Some users have to use PPPoE for fiber connections which can also be set up in OPNsense. Performance is not the best on bare metal with PPPoE since it's single threaded but one way around that issue is to virtualize the network interface for the WAN interface.
@Ykhavari
@Ykhavari 10 days ago
When I choose ZFS, the M.2 does not register the 120GB (it came preinstalled with the Protectli Vault Pro VP2420), but when I do UFS it does. What can I do?
@homenetworkguy
@homenetworkguy 10 days ago
Odd. When you select RAID0, you don’t see the drive in the dropdown list to select it? You have to disable the other drives you’re not using as well so you only have one disk selected. I’ve used ZFS with OPNsense on the VP2420 without issue.
@Ykhavari
@Ykhavari 10 days ago
@@homenetworkguy When I selected ZFS I would select stripe, but when I went to choose a drive it wasn't reading any drives. When I went to UFS it found the drive. I ended up using UFS, and I'm too new and don't want to risk reinstalling anything and messing anything up.
@homenetworkguy
@homenetworkguy 10 days ago
@@Ykhavari Not sure why that is the case but you will be fine with UFS. I ran it for 6 years on the same box without anything crashing on it and I did many OPNsense updates too.
@Ykhavari
@Ykhavari 10 days ago
@@homenetworkguy If I wanted to try and switch to ZFS, would all I have to do be to reinstall OPNsense? Or is there a certain way, since it gives you that warning when you initially install it?
@homenetworkguy
@homenetworkguy 10 days ago
@@Ykhavari Yeah, you would have to re-install OPNsense using ZFS if you want to use ZFS in the future.
@bitosdelaplaya
@bitosdelaplaya 10 months ago
I've just tried the latest version on a classic computer. One: all network cards are not correctly supported. Two: if you restart, your rules work. If you disable then enable a rule it doesn't run anymore. So OPNsense stable????????
@homenetworkguy
@homenetworkguy 10 months ago
I typically run it on mini-PC hardware but I do know that you will have a bad time if you are using unsupported hardware. Not all of that is OPNsense’s fault since it’s built upon FreeBSD. I haven’t had to “restart” rules before but I will note that if you have an active session, adding a new firewall rule doesn’t kill your current states. Likely this is the default behavior to minimize being disruptive when adding new rules by killing all of the active states. If you need a rule to apply immediately to any active connections, you will need to manually kill the states or kill the connection on the client device. I’m not sure about the static routes issue because I’ve only tried using it once when experimenting with different configurations. I have found OPNsense to be pretty stable since I’ve upgraded the same machine for over 5 years without it failing.
@therus000
@therus000 9 months ago
At 35m 50sec you make a LAGG, but you didn't show with what settings you enable it. I tried to do the same, tried to activate the LAGG on OPNsense, but every time I activate it I get an error on my UniFi switch: "Blocked by Spanning Tree Protocol to prevent a network loop. This port will be automatically re-enabled when the loop is no longer detected." Maybe you can help?
@homenetworkguy
@homenetworkguy 9 months ago
That’s because there’s not much in the way of settings in OPNsense. You basically select the interfaces, choose the protocol, and the hashing method. Did you create a LAGG on your network switch? A LAGG has to be configured on both sides (either the router and switch or between 2 switches). Otherwise, you will create a loop because of connecting 2 cables to the same switch. Good news is that I’m planning to do different versions of the video showing how to configure a network using different brands of switches. UniFi will be in one of those videos.
@ryanbuster4626
@ryanbuster4626 5 months ago
Something happens at 41:40. Your LAGG interface disappears from the sidebar; you never did enable it either... I assume we need to enable the LAGG interface so the VLANs can ride on top? Then create FW rules to allow any/any? I assume no DHCP of any kind? I rewatched portions of this 30 times thinking I'm missing something... but the LAGG is never enabled and no FW rules are ever set for it?
@homenetworkguy
@homenetworkguy 5 months ago
Unfortunately I messed up the order when I recorded the video… a few people have mentioned that. You don’t need to enable the parent interface to add VLANs to it. This holds true for a single interface or a LAGG. I thought I explained at some point that I’m using the LAGG for VLANs only and I’m using a separate untagged (no VLAN) interface as the management network.
@ryanbuster4626
@ryanbuster4626 5 months ago
@@homenetworkguy Trying to do the same. Having an issue where UniFi switches go offline once the LAGG ports are tagged with VLANs in the switch config. The LAN port is left as default to pass all untagged. That's why I'm wondering if it is the LAGG config, enabled/disabled, or the fact that there is no IP for the LAGG interface?
@robyee3325
@robyee3325 8 months ago
What is the benefit of swapping WAN and LAN? Is that a security risk?
@homenetworkguy
@homenetworkguy 8 months ago
No benefit at all. Personal preference, haha. I like the WAN interface to be on either the left or right side rather than in the middle since I like to use the remaining interfaces for internal networks/management purposes. Maybe I’m just old school with consumer grade routers where the WAN interface was off to one side and often was designated a different color.
@robyee3325
@robyee3325 8 months ago
@@homenetworkguy Oh, gotcha. Thanks for replying.