Finished the Beginners video and all the Full Network videos. Holy cow, what a huge undertaking, especially with the documentation! The documentation is really nice to refer back to for a memory update. I learned about trunk ports and access ports initially on Cisco 3560 switches. After 15 years I'm now relearning about them on an SG300 switch, but it also has a General port. I haven't found a decent explanation of when to use a General vs. Trunk port. If you have some time, could you summarize the difference? Also, you used a LAG setup which didn't require an IP address for the LAG, and if I create a new single interface with a GUEST VLAN for an AP that allows access out to the Internet only, the VLAN requires an IP address and a DHCP scope. I'm just learning firewall rules, so I was going to add the two rules you suggest, PrivateNetworks and DNS, to the VLAN. Is it correct to open the single interface to the management interface? I could just add the GUEST VLAN to the LAN interface like your Beginners video, but I thought if I want to add more VLANs at a later date I'd have the single interface available.
@homenetworkguy 19 hours ago
Yeah, it is a relatively large undertaking. This was basically summarizing years of learning into about 1.5 hours of video. I'm planning to do a more refined version soon (in a single video), so keep an eye out for that. I won't be including LAGG configuration since I'll be using higher bandwidth network interfaces instead. As for general ports, I'm not sure of their purpose. It is basically similar to a trunk port, but it can operate as either an access port or a trunk port (some switch vendors such as Grandstream call those ports hybrid ports). It's better to set the port to access when you know it's a client device that's going to live on a particular VLAN, and use trunk between all of your network infrastructure/servers that need to handle multiple VLANs. Are you wanting to put VLANs on the same interface used as the management interface? Basically a router-on-a-stick configuration? That does work OK. OPNsense generally recommends separating the untagged and tagged traffic on 2 separate interfaces to improve overall security (but the insecure scenario seems very rare if you have both untagged and tagged traffic on the same network interface). You can always reassign VLANs to a different physical interface if you wish to move it later (just make sure you have the switch configuration correct if you move to different physical interfaces on the OPNsense system).
@jimscomments 1 hour ago
I'm going to try a separate interface with the guest VLAN first. I tried it earlier on a separate interface, but I think my issue was not having the switch configured correctly. On the separate interface, is there any reason why I shouldn't use a firewall rule to allow 'any', since the VLAN is going to have more restrictive rules?
@n.aminr.7175 1 day ago
I'm hoping you can include a 2-port LAGG configuration example in this setup (as your tutorial on OPNsense, and since I have only a 1Gb Cisco switch). I have no idea yet how to configure that on a Cisco switch. Roughly, I think I can set 1 port-channel LAG of 4 ports in the managed switch and connect each pair (2 ports) to each router. I wonder how the Cisco switch handles the channel. Planning on a 3-node cluster (2 routers, 1 QDevice).
@homenetworkguy 19 hours ago
I have used a LAGG in Proxmox in the past when I had slower network interfaces, but I'm not quite sure what the best approach would be when running an OPNsense VM on Proxmox, since you could create a LAGG on Proxmox or in the OPNsense VM (but if it was done in the OPNsense VM, it would probably be best to use passthrough instead of bridges, since I'm not quite sure how that would work with the network switch configuration).
@n.aminr.7175 14 hours ago
@homenetworkguy I've got a 2nd opinion from Copilot. She's telling me that my plan 'sounds solid' 😅. I'm not so sure, but I hope she's right. haha. I'm still studying which level to set the LAGG at: Proxmox level or OPNsense level, or both. But I'm not quite sure what you mean by 'Pass Through' and 'Bridges'? (Did you mean the 'vmbr' in Proxmox?) Since I have not bumped into those options while setting up the LAGG in OPNsense. I'm still sticking to version 23 instead of 24 since I'm still learning. As for the LAGG load balancing protocol in OPNsense, since this is for a failover situation, I wonder what happens if I switch the protocol to failover, load balance, etc. I don't think those are for our original intention in creating an LACP LAGG to sync with our LACP LAG in the Cisco switch. I'm a bit overexcited and lazy lol.
@KypHeM 1 day ago
your guide is the best
@homenetworkguy 1 day ago
Thanks!
@emanbuoy7673 1 day ago
Thank you for this. It has been extremely helpful. Quick question: can you please make a video or some sort of guide on how to set up a VPN like Mullvad to route all Internet traffic on my OPNsense (LAN + VLAN) but still retain inter-VLAN communication? I am having issues with this, as a lot of guides don't take into account retaining inter-VLAN communication after the VPN is set up. Another is, is it possible to retain my AdGuard Home DNS while using the VPN to route all my traffic out to the Internet? Thank you in advance.
@homenetworkguy 1 day ago
Glad it has been helpful for you! I've wanted to cover the topic of using external VPN providers, but I find it hard to motivate myself to do it, especially when I have a lot of other topics to cover. Part of the lack of motivation is the fact that I don't use external VPNs on my network, so I haven't had the need or desire to set up an external VPN (and all the complexities/tradeoffs that come with that type of setup). You should be able to use internal DNS servers when you are using the VPN if you set up the clients to use the internal DNS, which then will use some external DNS server whenever it cannot resolve a domain name. I do this with my WireGuard VPN running on OPNsense. It just uses the local DNS, which then uses a couple of DNS over TLS servers like Cloudflare and Quad9 to resolve domain names.
@JB-tz9pi 2 days ago
Hey boss! Thanks for the video. I brought my domain over from GoDaddy. Cloudflare has a much more aesthetically pleasing interface, and it was easier to follow your guide with that. Everything went smooth as butter, but my browser times out when using the host.domain name. When I use the OPNsense IP, I see the warning about the certificate only for the common name. I'm not seeing anything in the firewall live view. Any ideas?
@Sollazzo08 2 days ago
Dang, my homelab PC with Proxmox only has one NIC. I use a USB-to-Ethernet adapter for a secondary NIC, which is my LAN. Can I make my LAN bridge VLAN-aware and then have different networks alongside my main LAN?
@homenetworkguy 2 days ago
You could do it all on one interface if you make it VLAN-aware and configure your network switch to handle all of the VLANs. However, it is less than ideal to have WAN/LAN on the same interface, especially if it's only 1 Gbps. If you had higher speed interfaces, the impact of the decrease in throughput would be less of an issue.
@arabiccola 2 days ago
I have a Master's degree in computer engineering, 15 years of professional experience in IT and a few months into using Proxmox. I understood maybe 10 percent of what you said. I do not know if it is me or maybe you did not approach the matter in a structured way. The title assumes an introductory (Fundamentals) video, which I would have loved to see. Someone in the comments said that you had an amazing 3-part video on OPNsense, so I will go and check that out.
@homenetworkguy 2 days ago
It's possible that is on me. I originally made the title "Basic Network Interface Configuration in Proxmox" but changed it to "Fundamental" because some users were expecting the video to be "simple" because of the word "basic". My original thought in calling it "basic" wasn't to indicate that it's a simple process (although once you understand the concepts, it does become simple), but rather "the basics of how you configure network interfaces in Proxmox". Proxmox has a more advanced network configuration which makes use of an SDN (software defined network), which is why I was originally trying to use the term "basic", since that is how you had to configure network interfaces before the introduction of the SDN. I don't quite know how to break down the topic in simpler terms, because essentially you have physical network interfaces in your system (the hardware) and you need to create bridges (in software) on top of those physical interfaces, which all of your containers and VMs can utilize as though they are physical interfaces. All CTs and VMs using the same bridge are essentially on the same network. You can create VLANs on the bridges if you make the bridges VLAN-aware. You can also pass through a physical interface to a VM so it sees the raw interface on the host, but only one VM is allowed to use the raw hardware at a time (there are exceptions if you configure SR-IOV, etc.). Passing through network interfaces is a little more involved, but it has become easier since I don't think you have to enable IOMMU in Proxmox, etc., since that is already enabled by default. You just need to enable it in your motherboard BIOS. I didn't discuss this topic in detail in the video because it's more advanced. Btw, I have an MS in Software Engineering, a BS in Computer Science, a BS in Computer Engineering, and about 20 years of IT experience, and it still took some time for me to understand Proxmox (I've been using it for 3 years or so).
It was a fundamental shift in how I managed all of my apps/services/VMs for my network, so it was a bit of a shock when I made the switch. I spent a lot of time researching Proxmox before I started using it because I was trying to justify whether I had the proper use case for it. I almost regretted migrating my server to Proxmox until I understood the benefits it brings. Now I can't live without it in my network, since it powers the apps/services hosted on my primary network and my homelab environment where I can tinker and explore new things. Also, I'm planning to do an updated full network build using OPNsense, since that 3-part series was one of the first few videos I've done. Over time I've been working hard to improve the quality of the video/audio and the presentation of the technical topics. It requires a significant amount of practice and cost to improve the production and content quality.
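The bridge/VLAN-aware/passthrough explanation in the reply above, and the earlier question in this thread about whether to build the LAGG at the Proxmox or OPNsense level, in one worked example. This is an added example, not configuration from the video or from any commenter. It embeds a constructed /etc/network/interfaces in the form Proxmox writes (a plain bridge vmbr0 carrying the untagged management LAN, an LACP bond0 of two ports feeding a VLAN-aware bridge vmbr1 that carries the tagged networks) and a constructed VM config with the netN lines Proxmox uses, then two small POSIX shell functions: one lists which bridge, tag and bridge mode each guest NIC ends up on, the other flags guest NICs left untagged on the VLAN-aware bridge, because such a NIC lands on that bridge's native VLAN (PVID 1 on a Linux bridge) rather than on a tagged one, which is the untagged-on-the-trunk case the thread keeps separate. Interface names, MAC addresses and VLAN IDs are assumptions.

```shell
#!/bin/sh
# Added example: audit Proxmox guest NICs against the host bridge layout.
# Not the video's own configuration. Sample inputs below are constructed.

# Constructed /etc/network/interfaces in Proxmox's own format:
#   vmbr0 = untagged management LAN on a single port (not VLAN-aware)
#   bond0 = LACP (802.3ad) aggregate of two ports, built on the Proxmox side
#   vmbr1 = VLAN-aware trunk bridge on top of bond0 for tagged networks
SAMPLE_INTERFACES='auto lo
iface lo inet loopback

iface enp1s0 inet manual
iface enp2s0 inet manual
iface enp3s0 inet manual

auto bond0
iface bond0 inet manual
        bond-slaves enp2s0 enp3s0
        bond-miimon 100
        bond-mode 802.3ad
        bond-xmit-hash-policy layer2+3

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.10/24
        gateway 192.168.1.1
        bridge-ports enp1s0
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet manual
        bridge-ports bond0
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
'

# Constructed /etc/pve/qemu-server/<vmid>.conf excerpt (netN lines only matter).
# net2 is the mistake being hunted: no tag on the VLAN-aware trunk bridge.
SAMPLE_VM_CONF='name: opnsense
net0: virtio=BC:24:11:AA:BB:01,bridge=vmbr0
net1: virtio=BC:24:11:AA:BB:02,bridge=vmbr1,tag=20
net2: virtio=BC:24:11:AA:BB:03,bridge=vmbr1
'

# vlan_aware <interfaces-text> <bridge>: exit 0 if that bridge's stanza
# contains "bridge-vlan-aware yes", exit 1 otherwise.
vlan_aware() {
    printf '%s\n' "$1" | awk -v br="$2" '
        /^iface /                                                { cur = $2 }
        cur == br && $1 == "bridge-vlan-aware" && $2 == "yes"    { found = 1 }
        END { exit found ? 0 : 1 }'
}

# nic_table <interfaces-text> <vm-conf-text>: one line per guest NIC,
# "netN bridge=<name> tag=<id|none> vlan-aware=<yes|no>"
nic_table() {
    ifaces="$1"
    printf '%s\n' "$2" | grep '^net[0-9]*:' | while IFS= read -r line; do
        nic=${line%%:*}
        bridge=$(printf '%s' "$line" | sed -n 's/.*bridge=\([^,]*\).*/\1/p')
        tag=$(printf '%s' "$line" | sed -n 's/.*tag=\([0-9]*\).*/\1/p')
        if vlan_aware "$ifaces" "$bridge"; then aware=yes; else aware=no; fi
        echo "$nic bridge=$bridge tag=${tag:-none} vlan-aware=$aware"
    done
}

# untagged_on_trunk <interfaces-text> <vm-conf-text>: only the NICs that sit
# untagged on a VLAN-aware bridge, i.e. on its native VLAN; prints "netN bridge=<name>"
untagged_on_trunk() {
    nic_table "$1" "$2" | grep 'tag=none vlan-aware=yes' | awk '{ print $1, $2 }'
}

# Against a real host (paths are Proxmox's standard locations):
#   nic_table "$(cat /etc/network/interfaces)" "$(cat /etc/pve/qemu-server/100.conf)"
#   untagged_on_trunk "$(cat /etc/network/interfaces)" "$(cat /etc/pve/qemu-server/100.conf)"
```

Run on the samples, nic_table reports net0 on vmbr0 with no tag (the management LAN, which is intended), net1 on vmbr1 tagged 20, and net2 on vmbr1 with no tag; only net2 is flagged by untagged_on_trunk. Whether the LACP bond belongs on the Proxmox side (as here) or inside the OPNsense VM is the choice the earlier reply leaves open; with the bond on the host, the VM only ever sees ordinary bridge ports.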
@marleyhill8462 3 days ago
this makes it so much easier, got really tripped up on the wording. Thanks!
@homenetworkguy 3 days ago
You’re welcome! Glad it was helpful!
@JB-tz9pi 3 days ago
I finally got OPNsense up and running. I don't know how I feel about it. After using pfSense for over 5 years, it's been fun navigating the settings. I'm working on getting ads blocked again with AdGuard. Sure do miss pfBlocker though. There's just a bunch of little things about the layout that bug me. If I get AdGuard figured out and get a VPN set up again, I'll calm down a bit and try to be more open-minded lol
@flatlandhilljack9244 3 days ago
What do I do if after following your directions I cannot log in via the mgmt port?
@homenetworkguy 3 days ago
Hmm, you should be able to log in once you create a second interface (assuming the IPs don't overlap with the default LAN interface in OPNsense, a static IP is set that doesn't conflict with any device on your primary network, and the appropriate default firewall rules are created on the MGMT interface). You would have to disconnect/reconnect your PC/laptop to get a new IP address, etc.
@flatlandhilljack9244 3 days ago
@ I'll triple-check the settings tomorrow, but I know the IPs don't overlap. I can see the device from my router's GUI, but I can't get to the IP address. I must have missed something in my settings.
@flatlandhilljack9244 3 days ago
I went back and double-checked everything. It's exactly like yours, except the last digits of the IP are different to avoid a conflict with something else that already had .99. The device shows up on my main router, but I can't even connect to that port if I connect directly to it with the laptop. What am I missing?
@homenetworkguy 3 days ago
Hmm, with the static IP configuration of the MGMT interface, you won't be able to plug directly into it to manage it, because DHCP is not enabled on that interface (intentionally, because the idea is to plug the MGMT interface into your existing network, so you don't want 2 DHCP servers enabled). I'm not sure what the problem could be if you have both the MGMT interface (configured with a static IP) and your PC connected to your existing network (both being on the same network). Also, I'm assuming you have the firewall rules set up on the MGMT interface as well, because by default it will deny all traffic, which will prevent you from accessing the interface.
@flatlandhilljack9244 3 days ago
I followed your instructions to the letter, even doing a fresh install, going through creating all of the rules for the firewall and then plugging it into my existing network. It shows up in the list of clients on my network, but I can't get to the IP I assigned with two different laptops and an iPad that are connected to that same network.
@blueskiesahead01 3 days ago
Home Network Guy is the best there is on YouTube. Nobody knows this stuff better. Highly recommend! :)
@homenetworkguy 3 days ago
Haha, thanks! I'm still learning a lot, but I try to become familiar enough with certain concepts that I feel comfortable enough to demonstrate them to others.
@romerorg1 4 days ago
Thanks!
@homenetworkguy 4 days ago
You’re welcome! Thanks for the support!
@geneticcomputer9563 5 days ago
Thank you for the excellent video; it helped me solve a situation with a team. Continue uploading videos. You could also recommend what equipment to buy.
@homenetworkguy 4 days ago
Nice! Glad you found it helpful. I do have some hardware-related videos on some devices I've tried and tested. I'm going to be checking out some more Grandstream networking equipment within the next month or so, for example.
@jimscomments 5 days ago
I'm working my way through your video. I watched the beginner video first and decided to get some more education by watching the more detailed ones. As I said earlier in your Beginner video, I'm looking forward to having the written docs for a final detailed set of steps. I'm wondering about the LAGG, since I'm only going to have just a GUEST VLAN for WiFi, whether a LAGG is overkill and I could add the GUEST VLAN to the LAN interface. The GUEST VLAN would only be for occasional relative visits, and they will have Internet access only.
@homenetworkguy 5 days ago
Yeah, the LAGG is totally optional. It may only be useful if you have more than one device transferring a lot of data at one time across VLANs. This can be alleviated by using 2.5/10G interfaces instead of 1G, since most devices still use 1G or slower connections. I'm planning to do a new full network build guide. I'm waiting until I can get some more Grandstream equipment so I can show off the configuration using that hardware. It should provide yet another example of what could be done, since it will be slightly different than my beginners guide and the original full network build (it will be most similar to the full network build, but instead of using LAGGs, I will use higher speed network interfaces since that is generally a better solution to alleviating potential bottlenecks). LAGGs of course are also useful for redundancy in case a cable or network port goes bad (which should be pretty rare unless your device or cables are really old).
@jimscomments 5 days ago
Thanks for the info. You've mentioned a new video series in another email. A couple of thoughts, which you've probably thought of already. If you're including the OPNsense install, maybe do it with Proxmox. It's a bit different than a VGA install. If you really want to get creative, include redundancy. Some videos from other people don't include all the steps, like not mentioning the VIP interfaces and gateway setup with VIP. I'm guessing the project is going to get involved. If you need someone to proofread the documentation, give me a shout. I bought a 7660 AP and replaced the AP I was going to use. Really nice suggestion. I'm thinking of selling my ASUS mesh system and switching to Grandstream gear.
@jimscomments 5 days ago
I forgot one suggestion for your new video. ISC DHCPv4 isn't supported anymore; maybe show ISC Kea.
@homenetworkguy 5 days ago
I've done a few Proxmox videos with OPNsense (I'm currently running OPNsense on my Proxmox mini-PC cluster at home). There are so many technical details in building a full network guide that I can't include too many extra things, because it will make for a very long video (or require a bunch of separate videos like I did for my original guide). Finding a good balance for the full network build is challenging because many users have different needs/desires, but I try to hit on the core concepts and then do separate videos on more specific topics. As for HA, that is trickier to do if you don't have multiple public IP addresses, and the easiest way to implement it is if you're behind another router, since you can use multiple LAN IPs for the redundancy. If you have to have it behind another router on the edge of your network, that sort of defeats the purpose of having redundancy, since your edge router could fail or need to be rebooted for updates. If you have a Proxmox cluster, you could do HA on there using a single VM, so you wouldn't need to set up CARP, etc. on the OPNsense box. HA in OPNsense also has issues with synchronization if you forget to migrate the changes you make to your configuration to your secondary OPNsense box. While the connection states are automatically synced, the configuration is not synced, to prevent issues with automatically pushing bad/incorrect configuration to the secondary firewall (if you made a mistake with the configuration, it doesn't auto-push the change and cause you to mess up both firewalls). Doing HA on a Proxmox cluster avoids that potential pitfall by only requiring maintenance of a single VM, which then can fail over to another node if the primary node fails or dies.
@homenetworkguy 5 days ago
Thanks for the suggestion. ISC DHCP is deprecated. OPNsense still defaults to using ISC DHCP, and the OPNsense team has said they imagine it will be around for quite a while due to how Kea is being slowly developed, etc. Since Kea DHCP is still being worked on, it's not technically feature complete. Everyone panicked when they heard ISC DHCP is being deprecated, so Reddit was flooded with users trying to migrate to Kea (and several of them having issues with certain features). I'm still planning to use ISC DHCP until I'm forced to change it if there are serious security concerns or major bugs that won't get fixed. I'll probably still use ISC DHCP in upcoming guides as long as OPNsense still makes it the default option. If they feel Kea is complete and stable enough to set as the default, I will start showing guides with those default options. However, I would like to do a separate video on Kea at some point, especially since it's supposed to be the future of DHCP. Btw, thanks for subscribing as my first member! I noticed the other day.
@Zoobeevisuals 8 days ago
This helps me a lot. I'm your new subscriber.
@homenetworkguy 8 days ago
I’m glad it helped you out! Thanks!
@JB-tz9pi 8 days ago
Maybe it's getting late and I'm not thinking straight. To separate untagged from tagged traffic, if I set igb1 as LAN, which is basically for management, and igb2 for all the VLANs, how do I combine them at the switch? Also, the parent interface of igb2 would then be untagged, no? I'm getting confused lol. On my existing pfSense setup, I just have the LAN tagged with the VLANs. I think it's time to crash. Thank you!
@homenetworkguy 8 days ago
You would plug both interfaces into the switch. For the untagged LAN interface, you don't need to do anything on the switch, assuming it's already set to the default untagged VLAN 1. For the 2nd interface with the VLANs, you set all of the VLANs on that interface as you normally would for a trunk port. The 2nd interface can have untagged traffic, but if you don't configure the parent interface of the 2nd NIC, there won't be a 2nd untagged network that you need to worry about. This effectively separates the tagged and untagged traffic on the OPNsense box. You could further enforce that only tagged traffic be allowed on the 2nd interface on the network switch, but it's not completely necessary since OPNsense isn't going to be routing or doing anything with the untagged traffic on the 2nd interface. OPNsense recommends separating out the traffic to help improve security because in rare scenarios (which likely require the use of a poor quality network switch and firewall rules to be written with the source of "any" instead of "IOT net", for example) a user on the parent interface could potentially be allowed access to the other VLANs, effectively circumventing the network isolation of VLANs (VLANs only isolate at Layer 2 but not Layer 3, which is why a router can allow traffic between VLANs depending on the firewall rules, etc.). I haven't seen anyone say they had this scenario happen to them, but it has been described as a known rare possibility. Avoiding the scenario completely is the easiest way to prevent this from ever happening.
@JB-tz9pi 8 days ago
@homenetworkguy Thanks. I guess I was overthinking it, although I wasn't too sure if I had to configure the parent interface. I appreciate the response. I'll carry on once I get home from work.
@JB-tz9pi 8 days ago
I'm on my journey to install OPNsense on my new box just because I saw your video on the Grandstream AP. This new box is a Qotom with five 2.5 Gbps ports. Currently I have three VLANs (guest, kids and IoT) with pfSense, but I'm thinking of adding more on this setup. With all the devices in the house from the 4 kids between 6 and 15, plus the wife and me, I've been trying to think how I want to separate traffic more efficiently and set schedules. I'm not sure where I was going with this reply lol. Is there a reason not to use the uplink port for a full home network? Are there any multi-gigabit switches that you recommend? My SG300 switch is soon to be the slowest link in the house aside from end devices.
@homenetworkguy 8 days ago
I'm not quite sure what you mean about using the uplink port. As for recommended multi-gigabit switches, Grandstream recently released their 2.5/10G switches, which I'm pretty excited about because that is one type of switch that I felt like they were missing from their product line. I'm hoping to demonstrate using one of them once Grandstream sends me a sponsored unit. They have a smaller version and a larger version. They do PoE as well, which is perfect for their APs which utilize 2.5G interfaces: www.ipphone-warehouse.com/grandstream-gwn7821p-8-port-layer-3-multi-gigabit-poe-network-switch/ www.ipphone-warehouse.com/grandstream-gwn7822p-24-port-layer-3-multi-gigabit-poe-network-switch/ IP Phone Warehouse currently has the larger switch on sale for the same price as the smaller switch, which is pretty awesome! The shipping is kinda high, but their sale prices make up for it. Plus you may be able to get it without sales tax depending on where you live. If you don't live in the US, you may have to find different distributors that Grandstream has. I'm a fan of Grandstream because they have a lot of management options for their products (and nice user interfaces), and you're not forced to use a locally hosted software/hardware controller or a cloud controller (but you can use those options if you like). Every device has its own web UI, so you never have to worry about being locked out or any sort of adoption issues with a software controller (there have been times when I was unable to get into some UniFi switches/APs that I was managing for someone).
@syednaqvi3520 8 days ago
Thanks for the video. So actually, to make it work we need a minimum of 2 Ethernet cards in the Proxmox server, then we can reuse them? I have 1 NIC and am facing an issue routing VM traffic through OPNsense.
@homenetworkguy 8 days ago
You're welcome. For any router setup you're going to want at least 2 network interfaces. You could technically do it with a single interface, but performance will not be great since everything has to share the bandwidth of that single interface. When using only 2 interfaces, you'll have to use the same bridge that you access the Proxmox web UI on as the LAN interface of the OPNsense VM.
@sinisterpisces 9 days ago
Hello! Thanks for this video. :) This is really timely for me, as I'm thinking about setting up a single-node Proxmox instance to host OPNsense and some other network management stuff: DNS, VPN, etc. For a Proxmox build, when would you recommend this box vs. the 2U N100 build you just did, when the primary use case is OPNsense/VPN/DNS/other firewall work? I know this one has ECC and the N100 system doesn't, and the C3000 definitely has more PCIe lanes to support all those NICs at full speed. This feels like the better option for a firewall-specific Proxmox install. When would the N100 be preferable?
@homenetworkguy 8 days ago
I haven't throughput tested the N100 build as much as the C3758 system. I should probably do that at some point. I do like that the C3000 series has ECC RAM when using it for applications where you want the maximum reliability (such as a Proxmox server, router/firewall, etc.). One thing to note is that performance is not very good in OPNsense (and likely pfSense) compared to running speed tests on the Proxmox host itself and other Linux distributions. If you only want up to 2.5 Gbps to route across VLANs but use 10 Gbps on the backend (to connect the Proxmox host to fast storage, say on a separate TrueNAS system), the C3000 series will work just fine. The C3000 series also has some hardware acceleration that could help with VPN and other encryption performance (I think it can be enabled in OPNsense, but I'm not sure which VPN services make use of the hardware-based encryption). Performance of the N100 could be better for OPNsense because the single-core performance is a lot higher than the C3758, but I haven't tested the throughput yet, so that might be the case to get the N100 if you wish to have maximum performance when routing traffic across VLANs. I try to minimize sending traffic across VLANs by multi-homing my NAS and other devices so they can live in more than one network. I also make use of a separate dedicated 10G network just for sending data between the nodes in my cluster and my NAS.
@sinisterpisces 8 days ago
@homenetworkguy Thanks for such a detailed response. :) I'd definitely be interested in more performance testing on the C3758, but I'm sure you have a very tight schedule for producing videos. ECC is definitely a selling point, especially when the price for the whole build vs. the N100 rack mount is about the same. If I got the C3000 one here, it'd fit on top of my 9U under-desk rack quite well. > One thing to note is that performance is not very good in OPNsense (and likely pfSense) compared to running speed tests on the Proxmox host itself and other Linux distributions. This is odd. Have you tested the speed with PCIe passthrough of the NICs? OPNsense might not handle the VirtIO NIC drivers as well. I've so far managed to avoid inter-VLAN routing on my local network. I've been slowly wrapping my head around VLANs, but it all seems to be going well so far. I really need to watch your current full OPNsense setup guide. I used the older one to get up and going, and didn't have any VLANs at first. The setup you describe with 2.5 Gbps LAN and 10 Gbps WAN without inter-VLAN routing sounds like exactly what I want, so this would be a good fit.
@karlgimmedatforfreemarx 9 days ago
The tip about OPNsense needing to use the router as DNS was a big help. Man, it has been driving me crazy! 😅
@karlgimmedatforfreemarx 9 days ago
Thank you!
@homenetworkguy 9 days ago
I’m glad that was helpful!
@karlgimmedatforfreemarx 9 days ago
@homenetworkguy Anytime. Glad I found you and your website. The explanation here was well structured, clear, and thorough. Now using your website to troubleshoot other issues! Great stuff
@homenetworkguy 9 days ago
@karlgimmedatforfreemarx Thanks! I'm working on a written version of this transparent filtering bridge. It just takes time for the topics which have a lot more technical details included.
@blubba6254 9 days ago
Almost all CPUs are x86-64-v3 nowadays (Haswell+; "/usr/lib64/ld-linux-x86-64.so.2 --help" shows what's supported). There's really no point in bending over backwards with v2 unless you've got some extreme budget ones in your farm.
@homenetworkguy 9 days ago
Yeah, I found a script someone wrote that determines which version of virtualized CPU you can use. It was helpful for mixed cluster node hardware because I could pick the lowest common denominator between all nodes to ensure I can live migrate without issues between different CPU types.
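The lowest-common-denominator check the reply above describes, as an added example. This is not the script the reply refers to and not code from any commenter: a POSIX shell snippet that works out the x86-64 microarchitecture level from the flags line of /proc/cpuinfo, using the feature sets that define the psABI levels (v2 needs cx16, lahf_lm, popcnt, sse4_1, sse4_2 and ssse3; v3 adds avx, avx2, bmi1, bmi2, f16c, fma, abm, movbe and xsave; v4 adds the five baseline AVX-512 flags), plus a helper that takes one flag string per node and reports the lowest level, which is the level to pick for the VM CPU type (Proxmox names its generic CPU types after these levels, e.g. x86-64-v2-AES and x86-64-v3) when guests must live-migrate between all of them. The four flag strings are constructed samples; on a real node use cpu_flags_local.

```shell
#!/bin/sh
# Added example: pick the VM CPU level a mixed Proxmox cluster can live-migrate on.
# Flag names are those printed in the "flags" line of /proc/cpuinfo on Linux;
# the per-level feature sets follow the x86-64 psABI level definitions.

# has_all <flag-string> <flag>...: exit 0 if every listed flag is present
has_all() {
    flags=" $1 "
    shift
    for f in "$@"; do
        case "$flags" in
            *" $f "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# x86_level <flag-string>: prints x86-64-v1 .. x86-64-v4 (highest level whose
# whole feature set is present; a CPU missing one v3 flag is still only v2)
x86_level() {
    cpu="$1"
    level=1
    has_all "$cpu" cx16 lahf_lm popcnt sse4_1 sse4_2 ssse3 && level=2
    [ "$level" -eq 2 ] && has_all "$cpu" avx avx2 bmi1 bmi2 f16c fma abm movbe xsave && level=3
    [ "$level" -eq 3 ] && has_all "$cpu" avx512f avx512bw avx512cd avx512dq avx512vl && level=4
    echo "x86-64-v$level"
}

# cpu_flags_local: flags line of the first CPU on this host (Linux only)
cpu_flags_local() {
    grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2-
}

# lowest_common_level <flag-string-per-node>...: the minimum level over all
# nodes, i.e. the safe generic CPU type for VMs that migrate between them
lowest_common_level() {
    min=4
    for node in "$@"; do
        l=$(x86_level "$node" | sed 's/x86-64-v//')
        [ "$l" -lt "$min" ] && min=$l
    done
    echo "x86-64-v$min"
}

# Constructed sample flag strings (not copied from real hardware), each a
# superset of the previous one:
SAMPLE_V1_FLAGS="fpu vme sse sse2 ssse3"
SAMPLE_V2_FLAGS="fpu vme sse sse2 ssse3 cx16 lahf_lm popcnt sse4_1 sse4_2 aes"
SAMPLE_V3_FLAGS="$SAMPLE_V2_FLAGS avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"
SAMPLE_V4_FLAGS="$SAMPLE_V3_FLAGS avx512f avx512bw avx512cd avx512dq avx512vl"

# On a cluster, collect one line per node, e.g. via ssh, then:
#   lowest_common_level "$(cpu_flags_local)" "$(ssh node2 'grep -m1 ^flags /proc/cpuinfo')"
```

Feeding the v2, v3 and v4 samples together yields x86-64-v2, so that is the level to set on guests that have to move across all three; the v1 sample only matters if a node really lacks SSE4.2, which is the "extreme budget" case the earlier comment mentions.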
@86abaile 9 days ago
There are several things throughout the video that could really do with better explanation. Why are you using ZFS both during installation and when creating the app storage? I've only got 2 network ports for now; why are you creating a bridge (and what is a bridge?) for the VMs, and do I need one?
@homenetworkguy 9 days ago
ZFS so you can take snapshots of running CTs/VMs. You could also do that with ext4 with thin provisioning. Bridges so your CTs/VMs can connect to your physical interfaces. They cannot use physical interfaces directly unless you use PCIe passthrough (for VMs), which means nothing else can use the physical interfaces (SR-IOV can allow multiple VMs to use the same physical hardware directly if supported by the hardware).
@colinsrin4533 10 days ago
This guide is so much better than some other guides available, and probably the one that most non-network guys need to get up and running. Setting up a MGMT interface is so much better than adding those allow rules. I did get stuck on the MGMT firewall rule, but got past it in the end. Good job on this! I have a question. Do we need to do anything about the private and bogon IPs, as it was disabled in the WAN settings?
@homenetworkguy 10 days ago
Thanks! My goal was to show an alternate way to set up a dedicated MGMT interface to prevent lockout. You don't need to worry about the private IPs and bogons for the transparent bridge, because that should be dealt with by the existing router on your network. The transparent bridge is not acting as your primary router but just as a firewall filtering traffic on your network.
@seanball2002 11 days ago
That Gateway setup is a big help
@homenetworkguy 11 days ago
I’m glad it was helpful!
@Steveo5541 12 days ago
ESC doesn't take me to the BIOS; the VM just goes straight to the OPNsense boot menu and causes this to cancel. Any ideas?
@homenetworkguy 12 days ago
Not sure, but are you trying to disable Secure Boot as mentioned in the video? I realized after I made that video, when someone pointed it out, that you can set up the VM so that it doesn't have Secure Boot enabled, which eliminates the need to go into the VM BIOS menu. Simply create the VM as described, but when selecting OVMF (UEFI) BIOS, you need to uncheck the "Pre-enroll keys" option to prevent enabling Secure Boot. I discuss this in my addendum video: kzbin.info/www/bejne/h6XKpGmqo6umiK8
@jeffreyooi1971 12 days ago
Can Zenarmor block YouTube advertisements?
@homenetworkguy 12 days ago
I'm not sure that it blocks them, because YouTube makes that challenging to do with simple DNS blocks. However, DNS blocks do work for many other ads. Many users like to use the Brave web browser or a web browser plugin for blocking YouTube ads. I sympathize with the desire to block ads, but as a content creator, it helps me if you don't block them. 😉
@SaiPuneethMalempati 13 days ago
Can this be used for remote control of a PC over IP access, like a PiKVM v4? Can a person in India remotely access a PC in the USA?
@homenetworkguy 13 days ago
You would need to first establish some sort of VPN connection between the 2 locations and then you could use it to access another PC in a different location. See: tinypilotkvm.com/faq/cloud-access
@IndyCotton 13 days ago
Make a video about only using 2 network ports.
@homenetworkguy 13 days ago
I could, but every other guide I’ve seen shows how to do it only with 2 ports. That’s another reason why I wanted to show it with 3 if you have a 3+ port device (besides the fact that it’s nice to have a physical dedicated interface to manage devices).
@videogames1523 13 days ago
I followed every step to a T and I've watched the video at least 4 times but I am unable to connect to the internet. I am able to plug into the different ports on my switch and get the correct IP addresses but even when I disable the firewall rules I am unable to access the internet.
@homenetworkguy 13 days ago
Hmm, that’s odd. Did you try connecting to the Internet after you first installed OPNsense? The default installation should be a working setup assuming your Internet provider uses DHCP. Once you verify that works, then you can move on to making slow incremental changes. You can’t disable the firewall rules or you’ll block all access to the Internet and other internal networks/VLANs (unless you disabled the packet filtering engine completely to disable the firewall).
@videogames1523 11 days ago
@homenetworkguy I redid everything and it is now working. Thank you so much!
@homenetworkguy 11 days ago
Glad that you got it after redoing everything! Sometimes you might end up tweaking a setting or forgetting to tweak a setting, so doing it over a 2nd time can be beneficial for getting it working!
@opposedforces 13 days ago
Ok, so I followed your tutorial to the letter. I even went so far as to set up a Cloudflare account and change the nameservers on my domain with my registrar to point to Cloudflare. That only took a few minutes following your video guide here. The one really bizarre thing that happens is that it takes forever for the OPNsense GUI to resolve when using the new host/domain name to log into OPNsense. Once it resolves, I am in and moving about the cabin freely; however, even more strange, after about 5 minutes the GUI goes haywire, none of the interface statistics show any data, and if I close/log out of OPNsense and then try to get back in using the host/domain name it takes 30 seconds or more to resolve... What in the heck did I miss here?
@homenetworkguy 13 days ago
I’ve heard of that happening to others. Are you trying to access the OPNsense UI from another VLAN? Just curious since that could cause a problem because the hostname defaults to the gateway IP address of the current network. I solved the problem on my network by adding a hosts entry on my system to point the hostname to 192.168.1.1 so I could access it from 192.168.20.10 for example (I no longer do this since I have a separate machine on my management network). Someone also mentioned on Reddit that they set the listen interfaces to include the VLAN they were accessing it from (if you’re not using the default of “All Interfaces”) and they made sure they had the firewall rules to allow access (which I assume you do as well or you wouldn’t be able to access it at all).
@opposedforces 10 days ago
@homenetworkguy No matter what I do, I cannot get this thing to work. My domain is now fully transferred to Cloudflare, I have been through this tutorial 9 times at least, and the best I could do was what I previously described... NOW, through trying to work this process out, I fully borked my OPNsense box, which was totally my fault, as I attempted to disable the bridged interfaces on my box, which got me locked out, and unfortunately I did not have a clean snapshot from BEFORE I bridged the interfaces, so in the last 24 hours I have had to fully rebuild my OPNsense box from scratch. I am now back up and running WITHOUT bridged interfaces, and the network is intact. From the new install, once I got all set up and everything sorted, I jumped back into this tutorial, and no matter what I do, I cannot log into my OPNsense GUI using my host/domain name. Everything else checks out. I have an A record on Cloudflare; I created an API token AFTER creating the A record. I got dynamic DNS working just fine (or so it would appear), but for the life of me, I cannot ping my domain at all, which means I cannot access the GUI from the host/domain name. What in the heck could be wrong here? I am missing something and am going nuts trying to figure it out.
@homenetworkguy 10 days ago
Wow, sounds like a lot of struggle. I always hate when I’m faced with such scenarios because it can be maddening to figure out. Did you try accessing your router’s hostname before doing any certificates? If you can’t access it by the hostname with the default certificate, then it’s certainly not going to work with the Let’s Encrypt certificate. You should be able to reach your hostname out of the box. The default hostname is OPNsense, so you should be able to reach it by that hostname before you change the defaults. As for pinging the router hostname, you need to allow ICMP to reach the interface you’re pinging. So you will need to add a firewall rule if you’re not using the default allow-all rules. Also, an A record isn’t necessary to reach the router hostname internally on your network. Are you putting your public or private IP in that A record? You’re not supposed to put private IPs in, and a public IP isn’t necessary unless you’re wanting to access it externally (if you use a VPN to get into your home network you still don’t need the A record for your router; you would only need the external IP, of course, to get to your VPN). I have a separate hostname (A record) I use just for the VPN with the public IP, but my router hostname doesn’t have an A record for it. Maybe that’s messing stuff up if it’s trying to resolve to a public IP instead of using your local IP address. NAT reflection may help in that scenario, but you would need to enable it because I don’t think it’s enabled by default. Trying to think of all possible issues, so that’s why I’m throwing ideas out there.
@majorpayne4795 14 days ago
I hope for all of you in the Kickstarter it works well. I'm too skittish about Kickstarters anymore.
@homenetworkguy 14 days ago
Yeah, I understand. A lot of projects have not made it successfully. However, this campaign seems pretty secure, at least for the first 5,000 units, since they told me they secured enough raw materials to make the metal case for that many units. They said they expect to be able to scale up from there, but it will be interesting to see how smoothly it goes for them. I hope it does go well because it is such a nicely polished product for a reasonable price. There are some design tradeoffs with the hardware at that price, but it's a good balance for many remote administration needs.
@AlexFegatilli-i9d 14 days ago
Hi, I have an Intel NUC N100 with dual Ethernet ports where I will install Proxmox and run several VMs; one of them will be OPNsense. Could I just avoid the VLAN stuff, or is it mandatory? I mean: I will have one Ethernet port for WAN and the other one for LAN.
@homenetworkguy 14 days ago
Sure! You don’t need to use VLANs. VLANs are helpful if you want to separate and isolate certain devices on your network for security reasons, but you can use it as a simple flat network (meaning only a single LAN network).
@AlexFegatilli-i9d 14 days ago
@homenetworkguy Because I bought an N100 NUC where I want to run a lot of self-hosted stuff, OPNsense included. The connection will simply be this: My PC <-- NUC w/ VMs/LXCs --> Router. So I can only have LAN and WAN. Thank you very much :D
@homenetworkguy 14 days ago
Since you only have 2 ports, you will need to use the default bridge in Proxmox (that is used to access the Proxmox web interface) as the LAN in the OPNsense VM as I demonstrated in this video. Then the other can be used as the WAN interface. You can't use PCIe passthrough on the network interface used as the LAN because you need it to access the Proxmox web interface, but you could pass through the 2nd network interface to the OPNsense VM if you like for the WAN, though it's probably not necessary depending on how fast your Internet speeds are. You should be able to connect an unmanaged network switch to the LAN interface and still have access to both the Proxmox and OPNsense web UIs as well as any other device connected to your LAN, assuming everything is configured properly.
@JB-tz9pi 14 days ago
Did you have to do anything in the Port to VLAN section?
@homenetworkguy 14 days ago
It's been so long since I've done that video that I'm not sure it's necessary to configure VLANs on that page. I tried to document the process in detail before doing the video so that I wouldn't miss any important steps. I don't actually use that switch on my network; I only used that switch since it was the only extra managed switch I had that I could use for demonstration purposes. Now I have switches from several vendors that I can use for demos/guides. I'm planning to do an updated full network build guide at some point soon with different OPNsense/network hardware and a slightly different network architecture to demonstrate more examples.
@JB-tz9pi 13 days ago
@homenetworkguy You're right. I rebuilt my VLANs, and completing the Port VLAN Membership auto-filled the Port to VLAN.
@homenetworkguy 13 days ago
Nice! I was hoping that was the case. Some switch configuration pages offer different ways to configure the VLANs since they show different information. It’s possible you could do it from the Port to VLAN section as well, but the process would vary slightly.
@hophop9745 14 days ago
All well and good for IPv4, but ignoring IPv6 in 2023/2024 is insane.
@homenetworkguy 14 days ago
I have other guides which show some IPv6. For some of the rules, when you are using built-in firewall aliases or using “any” as a source/destination, you could likely just make the rule use both protocols (IPv4 + IPv6) and it would cover both protocols at the same time in the same rule. I’ll try to include more IPv6 in the future, but I personally don’t use it the same way as IPv4 because my ISP uses dynamic prefixes, which is frustrating and complicates things when you want to use static IPs on your internal network (OPNsense does have dynamic IPv6 address aliases, but it doesn’t solve every problem).
@BradinDoesAThing 15 days ago
This is such a great video! I got a ZimaBoard for pretty cheap this week to learn more about home networking, and I've been quite intimidated by firewall rules. This video made it super easy to understand, and I'll be trying it out today. Thank you!
@homenetworkguy 15 days ago
Thanks! I'm glad it was helpful! I’m planning to update my Full Network Build using OPNsense series with the latest version of OPNsense, different hardware, and a slightly different network architecture (than the full network build guides). It will be somewhere between this guide and the full network build series but with some additional topics included perhaps.
@rdottwordottwo2286 15 days ago
I purchased a Protectli 4-port device that is sitting on my desk. It was originally purchased as a replacement router with OPNsense. I decided to use the Protectli as an OPNsense transparent filtering bridge. I created a three-port bridge. I found the procedure on Zenarmor. It let me pass traffic, but I was not sure what to do next. Thanks for the video.
@homenetworkguy 15 days ago
You’re welcome! Glad it helped you configure Zenarmor on the bridge!
@l3mmy948 16 days ago
Thanks mate. After getting mad with Adblocker, Pi-hole seems much easier for me. And that's the way to use it with your OPNsense installation and your firewall rules!
@homenetworkguy 15 days ago
I’m glad you found it useful! Pi-hole is a pretty simple solution.
@dkvello 16 days ago
100MB networking for KVMoIP is terrible when trying to do any file transfers or booting an ISO over the network. 1 GB is a minimum to be practical in a datacenter.
@homenetworkguy 16 days ago
Yeah, that part is a bummer. Once you have the ISO image copied onto the device, it will transfer data at 480 Mbps (minus overhead) instead of 100 Mbps because it installs over the USB cable (USB 2.0), which makes it a little better as far as transfer speeds are concerned.
@NealFelip 16 days ago
Great video! I'm your new subscriber :)
@homenetworkguy 16 days ago
Thanks! I appreciate it!
@DaRKPRedJ 16 days ago
What a legend.
@homenetworkguy 16 days ago
Haha, thanks!
@frustratedalien666 17 days ago
I already have the PiKVM and I am satisfied with it, but I still ordered two just to support these folks. We need more affordable hardware + open source software options, and I'll go out of my way to support those who are trying to change the status quo.
@homenetworkguy 17 days ago
That’s great! I would definitely like to see more affordable options in this space, and it seems like there have been a few of them produced recently.
@yvesst-pierre4 17 days ago
Protectli, don't know what 3 beeps and 5 beeps mean when booting... we should not do promotion for them.
@homenetworkguy 17 days ago
Sounds like a beep code to indicate some sort of hardware problem. I’d have to look on their site to see if they have a list of beep codes for troubleshooting. I’ve had the VP6650 for over 7 months and it’s been solid. I have it running 24/7 in a Proxmox cluster.
@yvesst-pierre4 17 days ago
Hi! I bought a Protectli VP6650 server like you. It was not booting at all. Then they sent me another one. I have to resend all of them. Disappointed... Is there an alternative?
@homenetworkguy 17 days ago
That’s weird. I’m not sure of the best alternatives that support coreboot. Perhaps it’s a RAM incompatibility issue or hard drive failure (although I wouldn’t expect a drive failure if you bought it new from Protectli).
@many110 18 days ago
Always enjoy your work. Thank you. By the way, in case you have not yet heard, it appears that the Lifetime Security update package will be about $239.00, or an additional 3-year package for $169.00, or an additional yearly cost of $79.00. Hope this helps.
@homenetworkguy 18 days ago
Thanks! It helps keep me going knowing others enjoy the content, even the content with fewer views. I have heard! They sent me an email when they released the pricing. That’s reasonable pricing because it’s between $4.69 and $6.58/mo, and if you keep it for longer (like 6+ years) it can be less than $4.69/mo. Stay tuned, because I’m going to be doing an updated full network build using Grandstream with OPNsense, and then I’m going to mimic the configuration for a full stack Grandstream build to show the differences. Grandstream is going to be sending me some new hardware they are releasing. I’m excited about it because I love the management features and the price compared to other vendors.
@eddwinpaz 18 days ago
Does that KVM have mic and video support from the KVM remote dashboard, so I can have a video meeting from a remote computer on the KVM host?
@homenetworkguy 18 days ago
Unfortunately, it doesn’t currently support audio. I’m not sure if the hardware is capable of that and just the software needs to be updated, or if it’s due to the choice of hardware to make it more budget friendly.
@travisv6408 19 days ago
Thank you so much for your tutorials! I will be delving into this project soon, and I have a question about my current gear lying around that I'm thinking of using with my OPNsense router once I acquire it. Will an unmanaged switch work ok for the type of setup you're showing? And my current wireless router, a TP-Link AX5000, I'm thinking of using as a switch and AP for my household. Is that possible? I also have two Omada AC1750 wireless access points to create a separate network for my tenant. One would be wired and transmitting wirelessly through the wall to the other for my tenant. The only other thing to add to it is an Emby server box for a media server, and a Dell PowerEdge running Proxmox for my home gaming and work servers.
@homenetworkguy 19 days ago
You’re welcome! If you use unmanaged switches, you can’t create separate networks (VLANs) on the switches, but if you have extra network interfaces on the OPNsense box and multiple unmanaged switches, you could create separate physical networks if you are wanting to isolate certain devices on your network. You can repurpose your current wireless router just for WiFi if you like, but you’d want to turn off the router features (to enable AP mode) so your wireless devices are double NAT-ed.
@travisv6408 19 days ago
@homenetworkguy Thank you for your time to reply! I understand the network interfaces. The OPNsense box will have 4 in total, so I should be able to do that. I just have the one unmanaged switch right now to play with. If I were to turn off the DHCP on my current TP-Link router instead of just setting it into AP mode, and hook that up into one network port so I can connect my 2 upstairs PCs while having wireless, would that work while I have another network interface going to a wired Omada network for my tenant, and another network interface to my switch with my servers plugged into that? Would that Omada need DHCP off as well, or keep DHCP on it? Thank you for your time and guidance! I really appreciate your effort and instructions helping out newbs like me on networking with these videos and feedback.
@homenetworkguy 19 days ago
I totally understand using what you already have since it works and saves on cost. If you're using OPNsense to manage all DHCP for each interface, you will need to ensure the other devices don't also have DHCP enabled. I believe you can still use the Ethernet ports on a consumer grade router when it's in AP mode. It just turns off the routing features (disables NAT, etc.) and operates like a standalone wireless AP (that has additional Ethernet ports to connect other devices). You could always try it and reset it back if it doesn't work. I think what you are proposing should work since you'll have 1 interface for the WAN on OPNsense and the 3 other interfaces will have the wireless router, the Omada network, and a switch for your servers. Then you can control access between the 3 networks using firewall rules.
@jimscomments 19 days ago
Great video; one addition you provide is the written documentation. I really like watching the video and then re-reading the doc to help cement the info in my mind. I installed two Proxmox OPNsense VMs and have HA working. I'm now working on adding my WiFi to OPNsense with a WiFi guest Internet-only network. Looking forward to using your suggestions. I like the AP you are using and I will definitely use your Amazon link.
@homenetworkguy 19 days ago
Thanks so much! I have been more focused on YouTube this year than my website, but I'm working to get caught up on some of my website content. I like having both written and video formats since they appeal to different audiences, and for some users like yourself, you find value in both! I recently transitioned my website to be ad free, so I gave up that revenue source (in favor of affiliate links/Patreon) in order to have a clean user experience to benefit the community. I'm planning to create a new full network build guide using the newest OPNsense version as well as different hardware than my previous videos, to stay current on the latest OPNsense user interface as well as continue demonstrating different hardware configurations and network architectures. It will be somewhere in between this beginner's guide and the more complex original guides I made. I also want to refresh the guide because I have better quality video and audio as well as more hardware in my lab to demonstrate examples (thanks to sponsors, since I can't currently afford to buy a bunch of extra hardware for content creation).
@myniga 19 days ago
Nice video. Thanks!
@homenetworkguy 19 days ago
You're welcome!
@vincentnephtali8004 19 days ago
Thank you a lot for your tutorial. Unfortunately, after following all the steps, including the rules for accessing the LAN, we can't access any of the devices on our LAN. Surprisingly, this only allows access to the administration tab of the OPNsense server on the LAN side, which was impossible before.
@homenetworkguy 19 days ago
You're welcome! That's odd you can access the OPNsense web UI on the LAN but nothing else on the LAN network via firewall rules. I know that some users have issues configuring WireGuard due to various things and I haven't been able to pinpoint all of the reasons why. Some users stated they had to create the normalization rule described in the OPNsense documentation to prevent network packets from being fragmented on the WireGuard tunnel (I believe that is the problem), but other users (including myself) do not need to do that. It probably depends on the MTU used by the ISP when you are trying to connect remotely to your home network. Some users said they have to restart WireGuard or reboot OPNsense after adding peers (although it should work when you click the "Apply" button after adding new peers).
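The reply above mentions that some users need a normalization (MSS clamping) rule so packets do not get fragmented on the WireGuard tunnel, and that the ISP's MTU is the likely variable. The following is an added example, not code from the comment thread or from OPNsense, that works through the header arithmetic behind that failure mode: how large an inner packet can be before the outer UDP datagram exceeds the path MTU, and what MSS a clamp rule would need to impose. The header sizes are protocol constants; the sample MTUs (1500, 1492) are constructed inputs, not taken from anyone's setup.

```python
# Added example (not from the comment thread or OPNsense): WireGuard MTU/MSS
# arithmetic behind the "fragmented packets on the tunnel" problem.
#
# Header sizes are protocol constants. WireGuard's transport data message adds
# 16 bytes of header (type/reserved 4, receiver index 4, counter 8) plus a
# 16-byte Poly1305 tag, so 32 bytes of tunnel overhead on top of UDP.

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
TCP_HEADER = 20          # minimum TCP header (no options)
WG_OVERHEAD = 16 + 16    # WireGuard data-message header + Poly1305 tag


def tunnel_overhead(outer_is_ipv6: bool = False) -> int:
    """Bytes added to an inner packet when encapsulated in a WireGuard datagram."""
    outer_ip = IPV6_HEADER if outer_is_ipv6 else IPV4_HEADER
    return outer_ip + UDP_HEADER + WG_OVERHEAD   # 60 over IPv4, 80 over IPv6


def wireguard_mtu(path_mtu: int, outer_is_ipv6: bool = False) -> int:
    """Largest inner packet that fits in one outer datagram on this path."""
    return path_mtu - tunnel_overhead(outer_is_ipv6)


def max_tcp_mss(inner_mtu: int, inner_is_ipv6: bool = False) -> int:
    """Largest TCP payload that fits in one inner packet of the given MTU."""
    inner_ip = IPV6_HEADER if inner_is_ipv6 else IPV4_HEADER
    return inner_mtu - inner_ip - TCP_HEADER


def clamp_mss_for_path(path_mtu: int, outer_is_ipv6: bool = False,
                       inner_is_ipv6: bool = False) -> int:
    """MSS value a normalization rule should clamp to so that no full-size
    TCP segment has to be fragmented after WireGuard encapsulation."""
    return max_tcp_mss(wireguard_mtu(path_mtu, outer_is_ipv6), inner_is_ipv6)


def outer_datagram_size(inner_len: int, outer_is_ipv6: bool = False) -> int:
    """Size on the wire of the encapsulated packet."""
    return inner_len + tunnel_overhead(outer_is_ipv6)


def needs_fragmentation(inner_len: int, path_mtu: int,
                        outer_is_ipv6: bool = False) -> bool:
    """True when the encapsulated packet exceeds the path MTU, i.e. it must be
    fragmented (or dropped if DF is set) somewhere between the peers."""
    return outer_datagram_size(inner_len, outer_is_ipv6) > path_mtu


if __name__ == "__main__":
    # Constructed scenarios: a plain 1500-byte Ethernet path and a PPPoE
    # path with a 1492-byte MTU (a common ISP case, used here as an example).
    for path_mtu in (1500, 1492):
        print(f"path MTU {path_mtu}: tunnel MTU {wireguard_mtu(path_mtu)} (IPv4 outer), "
              f"{wireguard_mtu(path_mtu, outer_is_ipv6=True)} (IPv6 outer); "
              f"clamp MSS to {clamp_mss_for_path(path_mtu)}")
    # A peer that ignores the tunnel MTU and sends a full 1500-byte inner
    # packet produces a 1560-byte datagram, which a 1500-byte path cannot carry.
    print("1500-byte inner packet fragments on a 1500-byte path:",
          needs_fragmentation(1500, 1500))
```

The point of the exercise: WireGuard's default interface MTU of 1420 is exactly 1500 minus the 80 bytes of IPv6-outer overhead, and an MSS clamp of 1380 (1420 minus IPv4 and TCP headers) is what keeps a full-size segment inside a single datagram on a clean 1500-byte path. When the ISP path is smaller, as with PPPoE, the clamp value has to drop accordingly, which is why the same configuration works for one user and not another.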