Відео

Haha yeah. It still works! I like using it for illustration purposes sometimes since it’s so recognizable as an old school consumer WiFi router.

I also have the network switch configured for the 2 VLANs. The 2.5G interface is connected to the switch as a trunk port allowing all VLANs to pass. I configured 2 other ports to be on the 2 VLANs I set up in OpenWRT. The focus of the video was just a quick proof of concept of installing OpenWRT and being able to get full 2.5G throughput across 2 VLAN interfaces so I didn’t show all of the other details to keep the video at a reasonable length.

@@homenetworkguy ok great, thanks for clarifying ... so the switch is managed and the ports were specifically configured for VLAN 10 and 20 ... got any recommendations for managed switches? I've got few 8 and 5 port unmanaged that I'm looking to replace so I can do VLANs ... also, can this be done over WiFi ? (most of my VLAN needs are for IoT WiFi devices) TYIA

A lot of people love UniFi but I’ve been getting into Grandstream network hardware because they are more affordable and have more management options (every device has its own local web UI and you can centrally manage all of the Grandstream devices from a locally hosted controller, their cloud management platform, and their router/convergence devices- not to mention their APs can manage other APs).

That’s odd because the username and password should be the same for the same user when logging in via the OPNsense console or the web GUI. I’m not sure why there would be a difference. If you’re using two factor authentication you will need to include your 6 digit code at the beginning or end of the password depending on how you configured it.

I haven’t tested the full performance of the Pi 5 other than the basic setup which seems to handle routing across VLAN interfaces at 2.5G. The TP-Link would likely be the better all in one solution for router/WiFi but now there’s talk of banning TP-Link (just routers?) in the US due to vulnerabilities, potential ties to the Chinese government, etc so maybe it’s not a good idea to have the TP-Link router on the edge of your network. You could use it just as an AP if you’re trying to make use of hardware you already have instead of buying dedicated wireless access points. You may even install OpenWRT on the TP-Link as well if it’s supported. At least you could feel better about the firmware and keep it more up to date. If you went that route, you could use the TP-Link with OpenWRT installed on the edge of your network. A Pi 5 could be used to handle VPN, AdGuard, etc although I’m not quite sure of the VPN performance of the Pi 5. You might be happier using the Pi 5 for various homelab services as you mentioned (AdGuard, etc). Perhaps use Docker, etc to get some stuff up and running. For those type of services, I imagine the Pi 5 will do quite well. You could still use the 2.5G HAT if you think you need the extra bandwidth on your Pi 5 server. 52Pi makes a different version of the HAT I have which has both NVMe and the 2.5G NIC. Of course it share the PCIe lane so it’s possible you could lose some storage or network performance if you got that HAT but it should still be much better than using a microSD and the onboard 1G NIC.

@@homenetworkguy I see. I am using the 4b 4gb right now with wireguard and adguard with the AX11000 but the AX11000 acting as the router and I am routing my traffic from the router to the 4b. I am probably just gonna go that route with the Pi5 until the flint 5 comes out. Unfortunately, I can't install openwork on the ax11000 and the VPN capabilities of that router is only openVPN (along with ipsec and another one that's an old protocol). I tried openVPN and it's just so slow, that's why I went with the pi route. I might still give it a shot with the pi being the router and use the ax11000 as an access point or my other router, which is a real access point, netgear WAX204. Until the flint 3 arrives. Yeah probably going to get rid of the AX11000 with reports saying they send traffic to 3rd party servers. I saw this NVME + M.2 hat on amazon (just like what you have) by geekpi and I might go that route. I just like tinkering with the pi now that I got started with it lol. I know, an x86 NUC box would probably perform better and cheaper but it's more so the learning journey for me with the Pi and Linux. Crazy what this little thing can do!

Glad you found it beneficial!

If you’re in a cluster of different CPU types, then that is a situation where you don’t want ‘host’ if you plan to migrate the VM between nodes. The default CPU type in Proxmox enables AES-NI (that may not have been the case on older Proxmox versions).

@@homenetworkguy Ah, yes... very true. Good point. Thanks!

I can’t recall if I mentioned in the video that you could use ‘host’ if you’re only standing up a single Proxmox system or not so that is a good point that’s worth mentioning if I forgot. I was planning to set up a mixed cluster when I did this video even though I was focused setting this system up like a standalone Proxmox server.

Yeah, that confused me too for a while. I believe the way you can look at it is this- it’s from 2 different perspectives. After saving the peer info, it is the allowed IPs of the peer connecting to the WireGuard server instance (it’s like a static IP address) but when you are creating the peer configuration, it essentially is the list of IPs that the peer is connecting to which are allowed through the WireGuard tunnel. The default of 0.0.0.0/0,::/0 means to tunnel all traffic from the peer through the WireGuard VPN. I used to do this on my phones but I noticed that on slow cellular connections, routing all traffic through my WireGuard VPN at home slows down the throughput that I could barely connect to anything unless I turned off connecting to the VPN. Now I just route my private IPs (10.1.1.1/24, 192.168.0.0/16) of my home network through the WG VPN so I can still connect back home securely but everything else uses the cellular connection. This is called split tunneling. It means that I won’t have the same network wide protections on my home network while I’m away but it helps with improving throughput while roaming. In this scenario you can decide to include your WG interface IPs (such as 10.1.1.1) or not for DNS resolution (you won’t be able to use hostnames on your home network via the WG tunnel if you don’t tunnel the WG interface IP running the DNS service).

​ @homenetworkguy Thank you for this explanation! After doing some testing with this in mind it all makes sense. Split tunneling really is very useful. And so easy to set up via the clients config. Cheers 🙏

Yeah I often like to set up the basics before connecting the WAN although it should be pretty safe to connect it to the existing especially if it using different IP address ranges (NAT helps minimize IP conflicts but if your WAN gateway is the same as your local LAN/VLAN interfaces on your OPNsense box, your WAN connection will not work properly because the interfaces directly attached to OPNsense take priority- it will try to use the LAN/VLAN interface IP instead of the WAN gateway IP).

@homenetworkguy I couldn't get it right still block, so just set up the third router as a static address, turn dns off. I would still like to connect opnsense. Anyway Merry Christmas.

Thanks! I have a note about this in my written guide (I can’t recall if I mentioned it in the video or not). I think it primarily occurs if you’re trying to access your router’s interface from a different interface/VLAN because by default it will use the IP address of the interface of the network where your PC is on. So if I’m on the network 192.168.20.x accessing the router’s interface of 192.168.1.1 using the domain name, it will default to using 192.168.20.1 instead of 192.168.1.1 (the router’s hostname has the IPs of all of the interfaces defined on the OPNsense system). Someone a while ago tried to described all of the complicated technical details of how he worked around that issue and I wasn’t fully able to understand what he was saying. Haha

@homenetworkguy thanks for the reply. In my case, I don't have any additional VLAN setup. I recycled the unbound service and everything started working. Lol. I don't know if this is just a delay on the unbound side.

Yeah there are a lot of tangents one could go down. Some people like more tangents and some prefer less tangents. I try to find a balance that most will prefer but I don’t always get the right balance. I totally forgot to mention clicking apply after making changes once the WiteGuard instance is set up. I only mentioned clicking apply after doing all of the initial setup. I realized that shortly after creating the video but I can’t go back and edit it. Glad the video was helpful!

Thanks. Glad it was helpful!

Yes great. You wouldn’t know if a guide exists of how to connect to a proxy server on one LAN network. (Transparent forward proxy)? This was my main reason to isolate the network.

Thanks! You’re welcome!

You should be able to pass it through like any other NIC as long as Proxmox recognizes it. However, the experience with a wireless adapter and OPNsense will likely not be the best experience. Driver support isn’t great for wireless. Not all adapters support ad hoc/hotspot mode and I believe only WiFi 4 (Wireless N) is supported as far as I know.

@homenetworkguy is openwrt better with this? Compared to opnsense?

Thanks! Yeah.. I just got whatever leftover tree my kids didn’t want in their rooms (they each get a small tree to put on their nightstands). My wife and I go Covid before Thanksgiving and then it was cold nasty weather outside so I barely got decorations up outside. My wife had a surgical procedure earlier this week so I was working hard to get the video done before all that and Christmas in case I didn’t have time to do much else before the end of the year. Lots of school parties and Christmas plays.

Hope you guys are better now; once again thanks for everything.

They definitely did not make their customers happy with the decisions they made. That is why I strive for local only devices that work with open software like Home Assistant. Longevity is much more assured.

You’re welcome! It’s hard to find a balance of being too basic or being too technical when explaining a relatively complex technical topic (when you are new to it).

Haha yeah. It’s fun to say when talking about budget friendly things. I’ll be taking a look at another switch soon which has almost the same number of ports but also has PoE. The price is not much more than the PoE version of this switch and has a more refined user interface. It can also be centrally managed like UniFi products.

Thanks! I’m planning a new one soon which will have an updated version of OPNsense as well as different network hardware and slightly different network architecture. It should be higher quality because I have more experience creating videos and I’ve been working to improve video and audio quality over time

Great! I’m glad the video helped you figure out your rules!

The Dark Base 13 PSU is 170mm. At 08:27, it is the Light Base 900 which is deeper and taller than the 600. I let my brother try the 600 case since I don't need to the extra case right now so I can't say 100% that a 210mm PSU will fit in that one. However, there is no brackets in the case preventing deeper PSUs. With the 900, it will definitely fit because I just measured it. It might be a little bit of a tighter fit on the 600 since the PSU/power cables will eventually smash into the bracket separating the compartment in the back and the AIO/fans on the left side of the case (when looking from the back side).

@@homenetworkguy I had a hunch it was too good to be true, I was hoping that the cable management flapper door could be persuaded with a little die grinder. Maybe Be Quiet! will have a workaround. thanks for reply.

Well it should fit just fine in the larger Light Base 900 case since it has a good bit of room for everything. There’s no bracket that gets in the way for deeper PSUs- only the divider bracket between the left and right side but i measured 210mm and I don’t foresee any issues. I just don’t currently have the 600 model to measure to see if it fits but I do know that the case is not as deep or tall as the 900. They’re nice cases for sure though! I really like my be quiet! cases.

@@homenetworkguy I just can't accomidate that extra 24L of volume in the space i need it to live in. Heck, I'm not even sure if I can get away with going from 45L to 60L. Sigh, back to the whiteboard, thanks for your reply.

I’m not sure why anything would need to change since mine is still renewing and I’ve had it set up for the last year or longer.

@homenetworkguy a really of topic question do you now an good tutorial ( a home user can follow) to accomplish a working caddy in opnsense with external and internal proxies ? I now do it with nginx in a lcx container but this adds an additional service to run. Would be nice to integrate it in opnsense. I know that nginx is also available in nonsense but dahm so much more settings 😂😂

@homenetworkguy i got the certificate to work. Found out in the logs that i had fill in a domain name in the certificate section under common name.

If you’re using OPNsense as a transparent filtering bridge it likely means you are using a separate router on your network so if you want to use Pi-hole you would configure your router’s DHCP server to use the Pi-hole server. The transparent filtering bridge allows all of the traffic that you specify to pass through.

@@homenetworkguy In the modem i got from the cable company there is also a dhcp server wich i can disable, and than use pihole for it . Thnx!

I liked Duplicacy a lot better than Duplicati because I had issues with database corruption with Duplicati. It was also pretty slow to backup/recover in my experience but that was several years ago. Perhaps it is better now than it was back then. After I built a dedicated TrueNAS box instead of having my bulk storage hosted on my Proxmox host, I decided to move to Storj (which is owned by the same company as TrueNAS) since it was cheaper to store data than Backblaze B2 (but there is a small fee for downloading lots of data but it is still less than the amount you save per month for storage). Storj integrates nicely with TrueNAS and I just set certain datasets in TrueNAS to backup to Storj at various intervals.

​@@homenetworkguy I don't have a truenas server at the moment, but that may come in the future. I'm going to use duplicatie until I find something else. Thnx!

Thanks! Glad you found it helpful!

Valid points. I just like making projects and tinkering so it was fun for me to see what is possible. What I demonstrated was not very feasible on older Raspberry Pi’s. This is what homelabbing is all about. I certainly would not recommend this solution for the average user. That is why I never say in my project videos, “you should do this!” but rather it’s like “look at what you could do if you like to build things!” I just like to demonstrate things I find interesting in hopes others will find it interesting too! 🙂

You are correct. Any device on the same network/VLAN will be able to communicate freely since that is how networks were designed to function. If you want to limit further access there are a couple of options: 1. Use a firewall on each host. For example on some Linux distributions such as Ubuntu, you can make use of ufw firewall to limit access by creating firewall rules on the system. I do this in addition to firewall rules on OPNsense to have multiple layers of security (defense in depth). 2. You can create VLANs inside VLANs. They are sometimes called private VLANs or Q-in-Q VLAN tunnels/stacking. I haven’t tried it but this would require additional switch and OPNsense configuration which is not what you’re looking for. 3. For physical clients on the network that are wired to your network switch, you can make use of port isolation which allows you to limit which ports a particular port isolation allowed to communicate with. You basically only allow the port of the client device to communicate with the trunk port connected to OPNsense which effectively means the device cannot communicate with other devices within the same network. The traffic is blocked at Layer 2 (I believe) by the network switch.

Thanks! I thought you might find it interesting. I saw your video where you tested the 5 Gbps NIC which got me thinking if there was only a dual 2.5G NIC HAT then you could have 2.5G for both WAN and LAN which would be great. With only a single 2.5G NIC, you can only take full advantage of the throughput on a router if you have it as the LAN (with VLANs configured). It was nice to see 2.5G routed between the VLANs. Anyway, I searched for dual 2.5G NICs and found this: a.co/d/eKP6AT0 Also found this GeekPi one but it uses the USB ports for the extra bandwidth so it would be interesting to see the throughput when all of the interfaces are utilized: a.co/d/hMgyZTa

It’s less than ideal and requires a more complex configuration. This is roughly what you need to do: 1. You need a managed network switch capable of supporting VLANs. You would create a separate VLAN just for the WAN interface on your network switch. 2. You need to ensure that VLAN ID is passed through the switch port (referred to as a trunk port) where your Proxmox server is connected. 3. Make sure the default bridge that’s created during the Proxmox installation is set to being VLAN aware. 4. When assigning network interfaces to the OPNsense VM, for the WAN interface of the OPNsense VM, create a bridge with the VLAN tag set to the same one you used on the network switch for the WAN interface. 5. Add more network interfaces to the VM after you create the VM (don’t start the VM until you add all the desired network interfaces). For the 2nd network interface for the VM, simply add the default bridge for the untagged LAN network (it’s likely vmbr0). 6. If you plan to have more VLANs you can create them in OPNsense like you normally would with a bare metal installation. Make sure you have the network switch configured for the appropriate VLAN IDs. If you’re new to everything, this configuration is not for the faint of heart. It takes time and effort to learn all the concepts necessary to implement this sort of thing. It took me a few years to grasp it all, but I learned it by making slow incremental steps.

Without seeing more specific configuration, it sounds like a firewall rule issue but I’ve seen some people have trouble getting network access even though they have a proper handshake, which always make me wonder what the issue(s) could be. When you say you have only the WG rules, what do you mean exactly? You can basically mimic your other rules for other network interfaces which allow access to the Internet assuming all of the other configuration is correct.

I’m not quite sure I fully grasp all of the details you are describing and you didn’t mention which bridges are used by the OPNsense VM. If you created a bridge on the hypervisor where OPNsense is and you don’t assign that bridge to be used by OPNsense, you won’t be able to control access via firewall rules because it’s not being managed by OPNsense. I’m afraid you’re trying to have a private network via bridges on the hypervisor that aren’t being managed by OPNsense. If OPNsense is not aware of that network bridge and configured appropriately, you can’t control access via firewall rules.

Believe it not, I’ve never had a microSD card fail but I don’t typically use the microSD in high write scenarios on the Pi. If you use the squashFS version, it’s a read only filesystem so there will be no additional writes after you image the microSD card! But you would need to compile your own firmware to include all the packages you will want installed ahead of time.

Thanks! Yeah even the cheapest one at $50 USD is a bit high once you start adding HATs, etc.

Yep! Works great. I realized that you have a 2.5G NIC + NVMe HAT which is nice. Also I saw a dual 2.5G + NVMe but one of the NICs uses the USB ports so I’m curious how much throughput you could get when utilizing all of the network interfaces at the same time.

@@homenetworkguy The test result from this colleague is 800Mbps, but it's experimental data. The testing environment at the time was likely a gigabit switch and approximately 20cm of Category 6 Ethernet cable, using iperf3. However, I'm not sure about the performance of the two network cards under full load simultaneously, but it can be inferred that it might be similar to the throughput of a single network card, as the Raspberry Pi's own PCIe interface speed limit is already capped there.

Cool. I was thinking it would be nice if there was a dual 2.5G (with nothing else sharing the bandwidth) because Jeff Geerling tested a 5 Gbps NIC and could get near full 5 Gbps throughput (when PCIe gen 3 is enabled). A dual 2.5G NIC HAT would allow nearly full 2.5G WAN and LAN and not just LAN (you can’t use it for 2.5G WAN when you have a single 2.5G NIC because the LAN is limited to 1G using the onboard NIC- so you can only take advantage of the 2.5G NIC when used as a LAN interface on a router when using VLANs).

​@@homenetworkguy Absolutely, a dual 2.5G NIC setup without sharing bandwidth would indeed be ideal for maximizing throughput. Jeff Geerling's test results with a 5 Gbps NIC are quite impressive, showing that with PCIe gen 3 enabled, you can achieve near full 5 Gbps speeds. A dual 2.5G NIC HAT would offer the advantage of utilizing both WAN and LAN at nearly full 2.5G speeds, which is a significant upgrade from the 1G limit of the onboard NIC. This setup would allow for more efficient use of high-speed internet connections, especially when VLANs are employed to separate traffic on a router. It's a great way to future-proof your network infrastructure for higher bandwidth demands.

Thanks! Sounds like you are wanting to implement a ‘kill switch’ when not on the VPN. I know many OPNsense users discuss setting that up. I haven’t tried it since I don’t use external VPNs.

@@homenetworkguy That is exactly what i mean. I will search the internet for that, and hope i find something😀 Maybe an idea for an next video🤔

When I was having trouble getting the package built on the OpenWRT website (because the custom firmware builder tool sometimes breaks), I temporarily set up a WAN interface using the onboard WiFi as a client on my primary network so I could download the driver package for the 2.5Gbps interface. There are options in OpenWRT to use the WiFi as an access point but I haven’t tested it on the Pi 5. I’m not sure how well that would work but if you only need to connect couple of WiFi devices it might be ok.

I’m not sure why this process doesn’t work for everyone because I’ve had some that say it works great and others say they have trouble with it. My only caveat I can think of is if you’re trying to access the web UI from a different VLAN than the one you’re currently in because the router hostname has all of the interface IPs associated with it so it defaults to using the IP address of your VLAN interface. So you could add an entry to the hosts file on your computer to point to that IP or just allow access to the web UI from the VLAN your PC is on.

@@homenetworkguy It resolving my isp back to router url. I used host file to fix it thank you

Lots! OpenWRT is based on Linux while OPNsense is built on top of FreeBSD. OpenWRT is very lightweight and was originally designed to installed on consumer grade routers to replace the stock firmware. OPNsense can run on any general purpose PC. OpenWRT can be run on ARM based hardware and OPNsense doesn’t have official ARM support. Much more could be said.

You’re welcome! Haha. It definitely helps to be very familiar with how OPNsense and Proxmox functions. I would not personally attempt to virtualize OPNsense without a solid understanding of how both software platforms function. I only attempted after years of experience with both. It has been solid. I currently have a basic Proxmox cluster which allows me to live migrate the OPNsense VM to another node without losing my network connectivity when I need to reboot the Proxmox node that OPNsense is on.

For the CM5? It would be nice to see at least dual 2.5G Ethernet interfaces (even on a Pi 5 HAT) because I know Jeff Geering tested a 5Gbps NIC and it got almost the full 5 Gbps on the PCIe bus. Of course if you are sharing that with NVMe bandwidth, performance won't be so great but if using the device more for the higher network throughput, a USB drive or microSD card could still be used.

Thanks! Yeah definitely a good idea to do even on home networks to minimize the attack surface and the impact of exploits of vulnerabilities.

Thanks! It was a fun experiment to mess around with. Jeff Geerling tried a 5 Gbps NIC and could get almost 5 Gbps so someone needs to make a dual 2.5Gbps HAT so you can have 2.5Gbps for both WAN and LAN! Edit: I just checked real quick and found this dual 2.5Gbps HAT (www.amazon.com/PCIE-2-5G-Ethernet-HAT-High-Speed/dp/B0CZHZJ89S)! I need to try that out sometime! haha. Ideally it's probably better just to set up 2 OPNsense boxes in HA or have a virtualization cluster where you can failover the VM to another node.

I don’t recall saying that since it’s been a while but that is where my focus is. I know it’s used by serious organizations. A lot of homelab community software and hardware is used by serious businesses so I think it’s ok to focus on the homelab community even though it is also used by serious businesses and government agencies. It doesn’t diminish the software/hardware simply because it is used by homelabbers.

Yeah it is a relatively large undertaking. This was basically summarizing years of learning into about 1.5 hours of video. I’m planning to do a more refined version soon (in a single video) so keep an eye for that. I won’t be including LAGG configuration since I’ll be using higher bandwidth network interfaces instead. As for general ports, I’m not sure of their purpose. It basically is similar to a trunk port but it can operate as either an access port or a trunk port (some switch vendors such as Grandstream call those ports hybrid ports). It’s better to set the port to access when you know it’s a client device that’s going to live on a particular VLAN and use trunk between all of your network infrastructure/servers that need to handle multiple VLANs. Are you wanting to put VLANs on the same interface used as the management interface? Basically a router on a stick configuration? That does work ok. OPNsense generally recommends separating the untagged and tagged traffic on 2 separate interfaces to improve overall security (but the insecure scenario seems very rare if you have both untagged and tagged traffic on the same network interface). You can always reassign VLANs to a different physical interface if you wish to move it later (just make sure you have the switch configuration correct if you move to different physical interfaces on the OPNsense system).

I'm going to try a separate interface with the guest VLAN first. I tried it earlier on a separate interface but I think my issue was not having the switch configured correctly. On the separate interface is there any reason why I shouldn't use a firewall rule to allow 'any' since the VLAN is going to have more restrictive rules?

@ yeah switch configuration can be the hardest part of configuring VLANs. It’s pretty simple to do in OPNsense. Generally speaking it’s best to have firewall rules as restrictive as possible. I prefer to use the source of LAN net (or whatever the interface name is) rather than a source of ‘any’ even if there is only one network on the interface.

Thanks for all the suggestions, good learning curve on firewall rules I'm new to using. I found my issue of not connecting to the Internet from the new interface I created. The log error I was seeing pointed to the Firewall NAT Outbound rules section. OOPS no NAT rule for the new interface to be allowed to connect to the WAN/LAN router I have between the Internet and the two HA OPNsense WAN ports. Hope the weekend is going well for you. Onto part 4 and connect my Grandstream you suggested to the new interface