Thank you for these videos. I've been watching your network setup videos in preparation to switch to OPNsense from Untangle since they are dropping the home user license. Thank you for your knowledge and hard work putting these videos together - I like your methodology as your networks are the same layout as I prefer to have mine.
You’re well me. Glad it matches up with your methodology! I’m working on a new video showing how one could go about virtualizing OPNsense on Proxmox (eventually hope to demonstrate a Proxmox cluster in a future video).
Faaar out! Used your other guides which were magic and then suffered through configuring the management VLANs myself. After multiple hours spent across multiple days and 2 factory resets, I got it done 24 hours ago only for this vid to come out today! Will definitely give the video a review and compare it to my config! Crazy timing!
Haha. I think several people trying to create management VLANs at the same time. The other day I got 2 questions about management VLANs on the same day, which doesn’t normally happen. Since I had those questions and others in the past, it prompted me to create this video in hopes it will be useful. There are slightly different ways you could go about it depending on the interfaces you choose and whether or not you wish to keep the original LAN interface as a backup so you don’t get locked out (could leave it disconnected until you need it, for example). It’s hard to show all possible scenarios so I pick one and roll with it. The beauty of building your own network is you can decide how to build it.
Great videos! They have really helped me out a lot setting up my home lab with opnsense. I am having trouble currently though migrating my tagged vlans to LAGGs. One from opnsense to a Mikrotik CRS317-1g-16s, then second one to a CRS310-8g+2s. While having a 3rd trunk to my desktop. Currently have them all working, tagged on LAN from OPNsense to the CRS310 but not when adding in the new switch. Mikrotik RouterOS is super frustrating lol I hate it.
Thanks! I’m glad you found it helpful getting your homelab set up. I haven’t tried configuring Mikrotik switches yet. Probably need to pick up a cheap one to try it out because I know they have their own quirks.
@@homenetworkguyIf there are videos that you can make, by purchasing one. That would be great! Could send out a general questionnaire to the community to ask whether enough ppl would be interested or not first. Good way to find out what kind of videos your community wants to see from you. That I see other creators do on here.
very nice and informative guide but question: imagine all my servers are on 10.x network (vlan 10) while home devices are on 100.x (vlan 100) and IoT on 200.x (vlan 200) So my day2day laptop is of course on HOME vlan 100 (as I need to everything: shares, printers etc). Now, if I want to access FW I have to switch my laptop to MANAGEMENT vlan (in my case vlan10) because for security reasons I restricted OPNsense to listen to only on vlan 10, right? kind of incovenient Or am I missing anything here?
You can create a firewall rule to allow access to the OPNsense UI on the management network for a device that’s on another network. Ideally you could have a machine (even if it’s just a Raspberry Pi) on the management network to administrate everything but for convenience you could allow a single device on another network to access the web UI. Poking holes into the management network is a small risk but it is worth the convenience (especially on a home network). This is what I have done but I’m thinking of using a Raspberry Pi on the management network so I can have my management network more isolated.
Random question about OPNsense, why does OPNsense come out of the box with remote (over WAN) access to the webgui enabled? IT also has an intense warning when you try and change this setting: Settings > Administration > Listen Interfaces
OPNsense only has open access to the web GUI on the WAN interface if you do not have the LAN interface enabled when you first install OPNsense. Soon as you enable the LAN interface, it enables the firewall/NAT features. The reason it allows the web interface if you only have a single WAN interface is enabled is that you would have no way to access the web GUI otherwise. It has a warning for that listen interfaces option because you have the potential for locking yourself out of the web GUI if you change the listen interfaces but don’t have the appropriate firewall rules in place to allow access.
What I like to do is only choose the interface that I use as my management network/VLAN so that the web UI isn’t available on other VLANs. You can block access via firewall rules but if you simply disable the listen interfaces you don’t need to create extra firewall rules for the interfaces you don’t want to be accessed by clients on your network.
i was wondering can you also set the ports on that switch to just port isolation, so it makes opnsese do all the routing? i was thinking of getting the tplink TL-SG1210MPE. many thanks for all your helpful videos btw!
Port isolation just prevents devices within the same network from communicating with each other. It doesn't have anything to do with routing. Normally all devices within the same network/VLAN can communicate freely among the local network (that is how networking was designed). You can essentially configure the TP-Link switch to only allow one port in network/VLAN to communicate with the trunk port to OPNsense which essentially blocks other devices on the same network while still allowing access to the Internet or other devices on other networks (if firewall rules in OPNsense allow for that communication).
@@homenetworkguy i think i thats what i want. i would like to force each port on switch to goto opnsense then go back to the switch port thats needed. id at least like to have that as an option to test. i would also like the capability of assigning vlans to each port and see if i can achieve better results as well. currently i have regular switch, that has acess point with 2 vlans pluged into it, and also opsense lan port , and also server plugged into it. it seems to bleed threw at time threw fw rules. so im hoping ethier vlan switch or port isolation switch will help give opnsense better control.
You would have to unassign the LAN interface first and then create a LAGG with another unassigned interface. I suppose the MGMT VLAN would work on top of that LAGG but you would have to be careful not to lock yourself out in the process. I haven’t tried doing that so I would have to experiment to see how that goes. VMs are good for that sort of thing. Tinker with it and if it breaks, roll it back.
Can you please show this with your cisco switch as well? Been struggling for a couple of weeks and every time I think I've succeeded, something breaks, the interfaces can't communicate with each other and I get locked out.
I could possibly create something but I would need some time to do it. I would like to do some of those more specific use cases to help those with similar switches, but I'm curious how many users have that sort of switch. I know the Cisco interface is a bit more challenging to understand and configure because I had to spend some time figuring out how to do VLANs on it.
I have followed your series, Set up a Full Network using OPNsense, part 3, to the letter with the difference that I only use my physical NIC's. Same topology as you. How hard can it be😳 Any progress on your thoughts about a Patreon membership page?
It’s possible that I missed a minor detail in the video but I’d have to go back and try it out again to see if I did which takes some time. It’s hard keeping track of every detail when recording/editing. Haha. I switched over to using Ko-fi from Buy Me A Coffee and it supports memberships. Also I have an ad-free membership set up on my website for a minimal monthly fee. CZcams also supports memberships. I’ve considered Patreon but there’s just so many platforms that it gets hard to manage them all (that’s not counting all the social media accounts). I want to set up a better forum too as well as change to a more privacy respecting commenting system. So many things to do! I have a pile of sponsored products I need to demo/try out (I prefer showing what products can do vs doing formal reviews- it’s more fun and less marketing!)
@@homenetworkguy I don't think you've missed anything, it's probably more that I don't grasp the concept of lan and vlans yet. In OPNsense, the various interfaces, IoT, Guest etc. work. It is when I connect my Protectli to the switch that it starts breaking. Tagged, untagged, port selection then it gets wrong Help me make it work and I'll buy you lots of coffee😂
atm i have a opnsense running as a vm on a synology as a test setup. i wanted to create a guestnetwork with your video. when i connect with my devices, i am assigned an IP from the correct ip range. but i fail to get internet access.... i am rather sure, that i have the same settings as you did in ur video for the firewall. where could be another error?
2 possibilities off the top of my head: DNS configuration and firewall rules. Sounds like your DHCP configuration is working (at least with assigning IP addresses). Make sure your firewall rules allow access to the DNS server on the guest interface (or other DNS server).
@@homenetworkguythank you for your blazing fast reply! to test the dns issue, i set the dns manually on the devices, unfortunatly that didnt do the trick... i will probably delete everything and start from scratch, perhaps i made an error i am unable to find now
Thank you for these videos. I've been watching your network setup videos in preparation to switch to OPNsense from Untangle since they are dropping the home user license. Thank you for your knowledge and hard work putting these videos together - I like your methodology as your networks are the same layout as I prefer to have mine.
You’re well me. Glad it matches up with your methodology! I’m working on a new video showing how one could go about virtualizing OPNsense on Proxmox (eventually hope to demonstrate a Proxmox cluster in a future video).
Faaar out! Used your other guides which were magic and then suffered through configuring the management VLANs myself. After multiple hours spent across multiple days and 2 factory resets, I got it done 24 hours ago only for this vid to come out today! Will definitely give the video a review and compare it to my config! Crazy timing!
Haha. I think several people trying to create management VLANs at the same time. The other day I got 2 questions about management VLANs on the same day, which doesn’t normally happen. Since I had those questions and others in the past, it prompted me to create this video in hopes it will be useful.
There are slightly different ways you could go about it depending on the interfaces you choose and whether or not you wish to keep the original LAN interface as a backup so you don’t get locked out (could leave it disconnected until you need it, for example). It’s hard to show all possible scenarios so I pick one and roll with it. The beauty of building your own network is you can decide how to build it.
thanks for explaining that we can remove the LAN interface, I was a bit afraid as it was the parent of the different Vlans.
No problem! Not everyone is aware that you can have an interface with only tagged VLANs on it so I thought it was worth mentioning!
Exactly what I needed. Thank you!
Glad it was what you needed! I know a few people have asked me questions recently about it.
Great videos! They have really helped me out a lot setting up my home lab with opnsense. I am having trouble currently though migrating my tagged vlans to LAGGs. One from opnsense to a Mikrotik CRS317-1g-16s, then second one to a CRS310-8g+2s. While having a 3rd trunk to my desktop. Currently have them all working, tagged on LAN from OPNsense to the CRS310 but not when adding in the new switch. Mikrotik RouterOS is super frustrating lol I hate it.
Thanks! I’m glad you found it helpful getting your homelab set up. I haven’t tried configuring Mikrotik switches yet. Probably need to pick up a cheap one to try it out because I know they have their own quirks.
@@homenetworkguyIf there are videos that you can make, by purchasing one. That would be great! Could send out a general questionnaire to the community to ask whether enough ppl would be interested or not first. Good way to find out what kind of videos your community wants to see from you. That I see other creators do on here.
@homenetworkguy Could you also just uncheck "Enable Interface" for LAN instead of completely deleting it?
As long as you can access the OPNsense web UI from another interface, you can disable any interface that you are not using.
very nice and informative guide
but question: imagine all my servers are on 10.x network (vlan 10) while home devices are on 100.x (vlan 100) and IoT on 200.x (vlan 200)
So my day2day laptop is of course on HOME vlan 100 (as I need to everything: shares, printers etc).
Now, if I want to access FW I have to switch my laptop to MANAGEMENT vlan (in my case vlan10) because for security reasons I restricted OPNsense to listen to only on vlan 10, right? kind of incovenient
Or am I missing anything here?
You can create a firewall rule to allow access to the OPNsense UI on the management network for a device that’s on another network. Ideally you could have a machine (even if it’s just a Raspberry Pi) on the management network to administrate everything but for convenience you could allow a single device on another network to access the web UI. Poking holes into the management network is a small risk but it is worth the convenience (especially on a home network). This is what I have done but I’m thinking of using a Raspberry Pi on the management network so I can have my management network more isolated.
Random question about OPNsense, why does OPNsense come out of the box with remote (over WAN) access to the webgui enabled? IT also has an intense warning when you try and change this setting: Settings > Administration > Listen Interfaces
OPNsense only has open access to the web GUI on the WAN interface if you do not have the LAN interface enabled when you first install OPNsense. Soon as you enable the LAN interface, it enables the firewall/NAT features. The reason it allows the web interface if you only have a single WAN interface is enabled is that you would have no way to access the web GUI otherwise.
It has a warning for that listen interfaces option because you have the potential for locking yourself out of the web GUI if you change the listen interfaces but don’t have the appropriate firewall rules in place to allow access.
So should I disable this through the settings menu (changing Listen Interfaces to include all but WAN) or using a firewall rule?
What I like to do is only choose the interface that I use as my management network/VLAN so that the web UI isn’t available on other VLANs. You can block access via firewall rules but if you simply disable the listen interfaces you don’t need to create extra firewall rules for the interfaces you don’t want to be accessed by clients on your network.
i was wondering can you also set the ports on that switch to just port isolation, so it makes opnsese do all the routing? i was thinking of getting the tplink TL-SG1210MPE. many thanks for all your helpful videos btw!
Port isolation just prevents devices within the same network from communicating with each other. It doesn't have anything to do with routing. Normally all devices within the same network/VLAN can communicate freely among the local network (that is how networking was designed). You can essentially configure the TP-Link switch to only allow one port in network/VLAN to communicate with the trunk port to OPNsense which essentially blocks other devices on the same network while still allowing access to the Internet or other devices on other networks (if firewall rules in OPNsense allow for that communication).
@@homenetworkguy i think i thats what i want. i would like to force each port on switch to goto opnsense then go back to the switch port thats needed. id at least like to have that as an option to test. i would also like the capability of assigning vlans to each port and see if i can achieve better results as well.
currently i have regular switch, that has acess point with 2 vlans pluged into it, and also opsense lan port , and also server plugged into it. it seems to bleed threw at time threw fw rules. so im hoping ethier vlan switch or port isolation switch will help give opnsense better control.
Could you technically use that old LAN port as part of the LAGG, after you set up the mgmt vlan and delete the LAN interface?
You would have to unassign the LAN interface first and then create a LAGG with another unassigned interface. I suppose the MGMT VLAN would work on top of that LAGG but you would have to be careful not to lock yourself out in the process. I haven’t tried doing that so I would have to experiment to see how that goes. VMs are good for that sort of thing. Tinker with it and if it breaks, roll it back.
Can you please show this with your cisco switch as well?
Been struggling for a couple of weeks and every time I think I've succeeded, something breaks, the interfaces can't communicate with each other and I get locked out.
I could possibly create something but I would need some time to do it. I would like to do some of those more specific use cases to help those with similar switches, but I'm curious how many users have that sort of switch. I know the Cisco interface is a bit more challenging to understand and configure because I had to spend some time figuring out how to do VLANs on it.
I have followed your series, Set up a Full Network using OPNsense, part 3, to the letter with the difference that I only use my physical NIC's. Same topology as you. How hard can it be😳
Any progress on your thoughts about a Patreon membership page?
It’s possible that I missed a minor detail in the video but I’d have to go back and try it out again to see if I did which takes some time. It’s hard keeping track of every detail when recording/editing. Haha.
I switched over to using Ko-fi from Buy Me A Coffee and it supports memberships. Also I have an ad-free membership set up on my website for a minimal monthly fee. CZcams also supports memberships. I’ve considered Patreon but there’s just so many platforms that it gets hard to manage them all (that’s not counting all the social media accounts). I want to set up a better forum too as well as change to a more privacy respecting commenting system. So many things to do! I have a pile of sponsored products I need to demo/try out (I prefer showing what products can do vs doing formal reviews- it’s more fun and less marketing!)
@@homenetworkguy
I don't think you've missed anything, it's probably more that I don't grasp the concept of lan and vlans yet. In OPNsense, the various interfaces, IoT, Guest etc. work. It is when I connect my Protectli to the switch that it starts breaking.
Tagged, untagged, port selection then it gets wrong
Help me make it work and I'll buy you lots of coffee😂
atm i have a opnsense running as a vm on a synology as a test setup.
i wanted to create a guestnetwork with your video.
when i connect with my devices, i am assigned an IP from the correct ip range.
but i fail to get internet access....
i am rather sure, that i have the same settings as you did in ur video for the firewall.
where could be another error?
2 possibilities off the top of my head: DNS configuration and firewall rules. Sounds like your DHCP configuration is working (at least with assigning IP addresses). Make sure your firewall rules allow access to the DNS server on the guest interface (or other DNS server).
@@homenetworkguythank you for your blazing fast reply!
to test the dns issue, i set the dns manually on the devices, unfortunatly that didnt do the trick...
i will probably delete everything and start from scratch, perhaps i made an error i am unable to find now
Nice. But why that much Memory usage . 6 out of 8 Gigabytes. On a fresh install. Wow. This is more then double compare to a Pfsense instal😢l
I was using one of my virtual machines which has Zenarmor installed. It wasn’t a fresh install. A fresh install uses less than 1 GB of RAM.
Ok good to know