• 6 Posts
  • 78 Comments
Joined 2 years ago
cake
Cake day: March 18th, 2024

help-circle


  • I might not understand what you mean, but doing the best I can figure out, the output from the endpoint mini PC running ip route is:

    192.168.10.0/24 dev enxc84d4422aa48 proto kernel scope link src 192.168.10.157 metric 100

    From the OPNsense firewall, the trace route looks like this (I would have expected to see the switches that it hops to in between, but I don’t see them here):

    I can’t find any option to print routing tables in my switches, both of them Netgear GS305E switches. I don’t see any mention of it in the manual either. I suspect that what you asked me to do was lost on me.


  • I watched and rewatched tutorial videos, traced my cables and ports, and configured the port settings until I was able to ping the gateway on this VLAN. That’s as far as I’ve gotten. Over the course of today, since posting this thread, I’ve rechecked those settings a handful of times, and they still appear to be correct as far as I know. If I delete the extremely permissive firewall rule that I set up for the VLAN, I lose the ability to ping the gateway, which seemingly validates the rest of my setup and leads me to believe that this is a configuration issue in OPNsense rather than the configuration of my switches…but I don’t know what I don’t know, and I’m still learning this stuff.

    I understand that you’re recommending what you think is best based on your experience, but as I’ve been trying to learn self hosting with a semi-simple goal in mind, the extra complexity that folks keep recommending around just about every facet, because their needs or desires are greater than mine once they’re more seasoned than me, does make it all more difficult to take in during the learning process. Maybe I’ll want to go more advanced some day, but for now, the goal is to host fewer than a dozen services off of two different devices that live under my office desk and consume under 100W between them. I want VLANs for this as a means of separation in case the security of my exposed services is compromised, but with this smoke test, I want to prove that I understand the basics of doing so, so it’s currently feeling defeating that I don’t. I don’t want to sound like I’m not appreciative of any help you can offer, but I do still believe that simpler is better for me at this point.

    My firewall mini PC has four ports, but only two of them are active; LAN and WAN. I got that much working without much fuss and replaced my ISP’s provided router. There were two dumb switches between the firewall and the office, but once that was working, I replaced them with managed switches; when they’re not yet configured, they’re indistinguishable from dumb switches. I’ve been over my OPNsense configuration a dozen times in this thread by now, but let’s just say this new VLAN is set to be as permissible as I know how to make it, coming very close to my default LAN interface settings as far as rules go. They ought to be identical. The two smart switches are set up such that port 5 is “in” and 1 is “out”. Living room 5 connects to the firewall. Living room 1 connects to the office switch’s port 5. Office switch 1 connects to the end point mini PC. Living room ports 1-5 are untagged for VLAN 1; ports 1 and 5 are tagged for VLAN 10. Office ports 2-5 are untagged for VLAN 1; for VLAN 10, 1 is untagged and 5 is tagged, and port 1 has a PVID of 10.

    I spelled all of that out in hopes that I did something stupid that I don’t know how to spot but maybe you do. Every device on VLAN 1 is working as it should with internet access. The one device on VLAN 10 only has access to the gateway and nothing else, despite the most permissive “allow everything” rule I could set up.






  • Thanks! I appreciate step by step guides with explanations, but as we’ve both covered, the guides I followed have now fallen way out of date. Has OPNsense always moved this fast with ripping out components and paradigms and replacing them with others? Do you have an up to date video guide that you could refer me to so that I get more "how"s and "why"s along with each setting to help understand it better?

    Unlike some other settings in OPNsense, there’s nothing like “Legacy” or “Deprecated” to indicate that Dnsmasque is being phased out, and when I see “new Rules”, I suspect that it’s so hot off the presses that it may not be fully working yet. Their replacements are both ready for prime time? Blocking ads by DNS wasn’t a goal I had in mind for this project of mine, but I can’t say I haven’t been tempted to increase scope to cover it.

    My switches are both GS305E Netgear switches, and the word “trunk” doesn’t show up anywhere in the manual. What I do have are VLAN 10 ports tagged when they face the firewall or another managed switch; and untagged when they face the end device; as per Home Network Guy. That was what got me far enough along that I was able to ping the gateway. Before that, my pings went completely unanswered.

    Unfortunately, most of my networking experiments end up sectioned off to the weekend, because I try to minimize any damage I might do to my home network during the work week (I work from home) and disruption for my wife trying to enjoy the internet herself. All that to say that I might be back here again asking for help, but it will be on a hell of a lag. You definitely gave me some homework to do, too.


  • A ping against that address works on the VLAN 1 desktop. It returns “Network is unreachable” on VLAN 10. I’m not quite sure what you mean by DNS settings on the host. I’m using DHCP, and DNS appears to be automatic as well. I’m on Debian KDE, for what that’s worth, and historically in my life, I haven’t touched DNS settings basically anywhere; maybe I could count how many times I did on my fingers, but it definitely wasn’t recently for this project. Presumably the problem isn’t only DNS, because these two computers on different VLANs can’t ping each other by IPv4.


  • Looking at the live view, a ping against Google shows both my and Google’s IPv6 addresses when done from my desktop on VLAN 1, but the logs show nothing of the sort when done from my mini PC on VLAN 10, which isn’t surprising, since the error returned from the terminal is “Temporary failure in name resolution”, meaning the error is before it even knows what Google’s IP address is. I don’t know what step I might have missed for that to be the case.

    If you look at my screenshot, those are the settings of my VLAN’s firewall rule, and if there’s a difference between that and the one on the LAN interface, other than the field labeled Interface Name, I don’t know what it is. The LAN interface has a firewall rule for IPv6 as well, but the Home Network Guy tutorial skipped that one, and it still reached the internet. His tutorial was for allowing internet access without reaching the other private networks, but I believe I understand the Invert setting that he checked, and I did the opposite of that specifically for this test.










  • I’m not happy with Bazzite for this purpose. Its previous purpose was to be a game console, but I’m reassured by the recommendations for Debian.

    Then use a GUI. The extra memory used is trivial and your system will be way over-powered for a reverse proxy to a home network anyway.

    It will be more than just a reverse proxy, but I suspect it will still be more than powerful enough for the extras. Thanks.

    Are you going to update frequently?

    Yes, just so long as I’m the boss. I don’t want any downtime that I’m not in control of.

    Your DNS servers would be the ones where you register your domain.

    The tutorials I’d been looking at were showing them overriding the DNS servers at the domain registrar with servers from Cloudflare or elsewhere. Is that just because there may not be an automated way to update the IP dynamically with the domain registrar, but there is for Cloudflare?


  • I think the tunnel method you’re suggesting is different than what I’m after, and a lot of the “complexity” in learning this stuff is coming from all the different methods we have available to achieve similar results. I ought to be able to just expose 443 once I’m fully up and running, and it will route to the various services through the reverse proxy and subdomains. My “zero trust” separation for security ought to be my VLANs. So if I’m not going exactly that route, where would my DNS servers come from, and why would I need something other than what’s there by default?

    I know the CLI is effective. My daily driver has been Kubuntu since 2017, and I dabbled with Ubuntu for a decade before that. But I’m so much slower on the command line, because I have to think so much harder about each command, and the outputs are often unintuitive to read and parse out what I’m looking for.