Home Network Guy
  • Videos: 68
  • Views: 683,496
DIY Intel N100 Rackmount OPNsense Router Firewall (or Lightweight Server)!
Let's build an Intel N100 2U rackmount system that can be used for OPNsense or as a lightweight server!
If you are looking to build a custom, energy efficient, rackmount system, this video shows one example you could consider!
I plan to use this build in a future video when I do an updated full network build guide.
In the long term, I plan to use 2 of these rackmount systems as 2.5/10G throughput testing clients on my network since I do not have extra mini-PCs with 10G interfaces for testing new hardware (because those systems are powering my main network and lab network!).
Disclosure: This is not a sponsored video! I bought or already owned the hardware used in this project.
My Amazon affili...
Views: 8,252

Videos

A Raspberry Pi Sized x86-64 SBC / OPNsense Example using a Single NIC!
Views 4.9K, 1 month ago
Wish you could have a single board computer (SBC) with the same form factor as the Raspberry Pi but x86-64 instead of ARM? Radxa has created the first x86-64 SBC (that I am aware of) that mimics the form factor of the Raspberry Pi 4 with their X4 model. I thought it would be fun to demonstrate using OPNsense with a single NIC since I have not yet created any guides using a single network in...
Full Stack Grandstream Network!
Views 1.1K, 1 month ago
In this video I take a look at a full stack Grandstream network to demonstrate how you can manage all of the Grandstream devices from a single pane of glass, similar to other vendors. With Grandstream, you can manage the hardware using their new convergence devices such as the GCC6010, but you have other options as well: cloud managed, self-hosted software controller, local web interface on each dev...
XikeStor 12-Port 2.5G 10G L2 Managed Switch!
Views 2.2K, 1 month ago
If you are looking to get a L2 managed switch with 2.5/10G interfaces which has more than 6 ports at a budget friendly price, you may want to check out the 12-port XikeStor 2.5/10G managed switch! This switch is a rack mount switch but you can also use it on a desktop or mounted to the wall. In this video, I discuss various details about the network switch and show some of the more important fe...
Securely Access Your Home Network with WireGuard VPN on OPNsense
Views 13K, 2 months ago
If you wish to access apps, services, and other devices on your home network remotely, you may set up a VPN server on your network. #OPNsense includes options for IPsec, OpenVPN, and WireGuard VPN. In this video, I will be demonstrating how to set up Wireguard VPN using the latest version of OPNsense and WireGuard. I will also show how to access a hosted web app behind the virtualized instance ...
ZimaBlade - TrueNAS Replication Target
Views 2K, 3 months ago
Have you wanted to set up a low power, TrueNAS replication target so you may have an additional replicated backup on your network? In this video, I demonstrate how to set up a second TrueNAS Scale installation and configure it to be used as a replication target. IceWhale Tech sent me their #ZimaBlade 7700 to try out. The ZimaBlade is essentially a smaller form factor, lower cost version of the ...
Creating a Basic 3 Node Proxmox Cluster!
Views 4.2K, 3 months ago
In this video, I finally finish creating a basic 3 node Proxmox cluster! It has been on my todo list for a while so I am glad the project is completed. I already had 2 independent Proxmox servers on my network (one hosting all my apps/services and one hosting primarily Home Assistant so it would stay online when I took my main server down). Therefore, it made sense to add a 3rd node to create a...
Build a Standalone Plex Media Server/Media Player for Your TV!
Views 9K, 4 months ago
If you have wanted to build a Plex Media Server but want to use the same system to also view the media on a TV, I walk through the process in this video using the Protectli V1210! I will demonstrate how to set up Plex Media Server as well as the Plex HTPC app on Ubuntu 24.04. The V1210 has the Intel N5105 CPU and 4 GB of soldered RAM (so it's not expandable). However, the N5105 supports hardwar...
Prepping for the transition to a Proxmox cluster!
Views 2K, 4 months ago
For those interested in creating a Proxmox cluster, I thought I would share some intermediate steps I am taking to migrate to a Proxmox cluster comprised of several mini-PCs which will be replacing my old, more power hungry Proxmox server. I realize that clusters aren't for the average home network, but I'm planning to keep it relatively simple for now with Proxmox by only leveraging some replication of my O...
Tometek TC300 TTG Mini-PC/Server
Views 1.3K, 4 months ago
Tometek sent me their TC300-TTG system to check out. This box is interesting because it has 4 SFP 10Gbps interfaces as well as an Intel Atom C3758R CPU. This will be the first system with a modern Atom processor that I get to test. One interesting aspect is that this system does not have an integrated GPU, so it means you have to use the serial console in order to install operating systems...
Budget Friendly 2.5/10G SODOLA Switches!
Views 5K, 4 months ago
SODOLA reached out to me to take a look at a couple of their 2.5/10G network switches. These switches are budget friendly and great if you are looking for affordable switches with faster than 1G network interfaces for your home network/homelab. The 5 port 2.5G switch is a basic unmanaged switch while the 6 port 2.5/10G switch is a web managed switch, which means it supports more advanc...
Speed Testing the EnGenius EWS276-FIT Wireless Access Point!
Views 559, 4 months ago
In this video I take a look at the EnGenius EWS276-FIT, the web management interface, and finally a couple of speed tests to demonstrate its performance. The FIT line is designed more for home/SOHO users so it does not have all of the enterprise features, which makes these APs more budget friendly. However, the APs still support some advanced features such as VLANs. Disclaimer: EnGenius sponsor...
PC Builds with be quiet! Cases, CPU Coolers, and Power Supplies
Views 633, 5 months ago
Addendum: Virtualizing OPNsense on Proxmox as Your Primary Router
Views 6K, 5 months ago
Virtualizing OPNsense on Proxmox as Your Primary Router
Views 77K, 5 months ago
Introducing the Protectli VP6650!
Views 4.7K, 6 months ago
EnGenius ECP106 PDU
Views 595, 6 months ago
Caddy Reverse Proxy using DNS Challenges and CrowdSec Multi-Server Config with OPNsense
Views 11K, 6 months ago
Configuring a Management VLAN
Views 16K, 7 months ago
EnGenius 1G PoE Managed Switches (ECS1112FP & EXT1105P)
Views 506, 7 months ago
Grandstream GWN7806P/GWN7806 48-Port Switches
Views 945, 7 months ago
Fundamental Network Interface Configuration in Proxmox
Views 26K, 8 months ago
The ZimaBoard 832!
Views 1.3K, 9 months ago
Captive Portal Configuration in OPNsense
Views 7K, 9 months ago
Server Rack Tour (2023) (Part 2)
Views 3.1K, 10 months ago
Chamberlain myQ Garage Door Opener Alternative!
Views 10K, 11 months ago
Beginner's Guide to Set up a Full Network using OPNsense
Views 70K, 11 months ago
EnGenius Cloud Managed Wireless Access Points
Views 835, 11 months ago
Set up a Full Network using OPNsense (Part 4: UniFi Wireless AP)
Views 9K, 1 year ago
Set up a Full Network using OPNsense (Part 3: UniFi Switch)
Views 8K, 1 year ago

Comments

  • @DrR0B0TN1K 35 minutes ago

    I work with clients that have Cisco switches, and have been remotely managing them for about 2 years now. The interface is really nice and intuitive. So of course, I bought a cheap 16port Dell X1018 thinking it would be just as easy to set up - nope! Probably going to sell it and pick up a CBS350 16port instead, since I'll be at least somewhat familiar with the management interface! Excellent content btw, I'm learning a ton from your OpnSense guide!!

  • @McWizardly 3 hours ago

    I'm confused why you would need to allow access to DNS if you have a default allow LAN rule? ruclips.net/video/nlJTz2Am6lc/видео.html

    • @homenetworkguy 3 hours ago

      I had the default rules disabled (noticed they are grayed out) because I am no longer using the allow all rules to tighten up the rules (isolating the networks from one another).

  • @stephendetomasi1701 23 hours ago

    Sadly this guide did not work well for me. Was able to connect but no access to my LAN. Frustrating.

    • @homenetworkguy 22 hours ago

      I’m not sure why, but for some users WireGuard can be difficult to get set up. Sometimes the ISP blocks the default port 51820, some users say creating a normalization rule worked for them (while others say they don’t need it, like myself), sometimes the WireGuard service needs to be restarted (some users reboot OPNsense), and when adding new peers you have to click Apply Changes or the new peers can’t connect. If you are actually connecting to your WireGuard VPN remotely and are actually connected properly (it’s hard to tell with the WireGuard client unless you can see the handshake in the logs in OPNsense), it should be a matter of configuring firewall rules (assuming the LAN IPs are in the allowed IPs of the WireGuard peer). There are several things that can go wrong, but once it’s up and running it’s pretty solid in my experience.

  • @acehoodman 2 days ago

    No management VLAN config = not secure = no buy. Sadly it's the same with all the cheap managed switches from China (Soloda, Mokerlink, Nicgiga, aso.) as they use the same GUI and Firmware. They don't even support HTTPS...

    • @homenetworkguy 2 days ago

      Yeah, I know what you mean. I like using them in a lab environment when testing. You can technically assign the switch's IP address to be in the "management network" so that it's only accessible on that network (if the management network is untagged), but that's not always a good solution. I wish it at least had HTTPS for entering credentials. I haven't checked to see if there are any new firmware updates that add any of those features. They added link aggregation in a firmware update, so you would think it would be possible for other features as well. I use Grandstream switches for my primary network.

    • @acehoodman 2 days ago

      @@homenetworkguy Well, another issue that users have reported is that the management interface (MokerLink switch in this case) was accessible from other VLANs as long as you know the IP. That's a real security issue in my opinion! Could be a firmware bug and I don't know if they fixed this issue via firmware update yet, but that's a real "No-Go" in my book. You could harden the security via main router/firewall rules, but this is still very concerning for a managed switch!

    • @homenetworkguy 2 days ago

      A lot of devices are like that if there are no firewall rules on the router/firewall to prevent the inter-VLAN traffic (and there is no local firewall installed). However, I do know that some managed switches don’t allow that traffic from another subnet/VLAN by default even if the firewall rules on the router/firewall allow it (I discovered this with the TP-Link switch I had a while ago). Anyway, it’s certainly a concern with these switches if you’re worried about security.

    • @acehoodman 2 days ago

      @@homenetworkguy You might be right, but this isn't the proper behaviour for any decent L2 managed switch imo. I do remember that some cheap managed L2 switches from TP-Link were also locked to VLAN 1 for management without the option to change it, but a wide open web GUI on all configured VLANs is something else if you ask me, and even the cheap TP-Link switches from 5+ years ago didn't have this issue if I remember correctly. I would also highly recommend restricting WAN access for this kind of switch (I actually do this with all my switches, even with my rather expensive L3 Cisco ones... Better safe than sorry at the end). Anyway, thanks for your test and feedback! If you ever find a cheap L2 managed 2.5G switch that has the option to configure a management VLAN, please let us know (HTTPS support and/or SSH support would be the cherry on top) 😉

    • @homenetworkguy 2 days ago

      For the TP-Link switches I had (the L2 switches, not their cheap easy managed switches), I had to create interfaces on the switch if I wanted to access the interface on different VLANs. I think the management VLAN could be set too, but I'd have to go back to see. Not sure if this falls in the "cheap" category (since it's $219 on Amazon right now but sometimes can be lower like $199), but I also recently took a look at the 12 port 2.5/10G XikeStor switch which allows you to set the management VLAN and has HTTPS. Someone said the interface and features reminded them of a managed Netgear switch (I haven't tried those models to compare it to a Netgear switch): ruclips.net/video/Jgz0o_1m3qw/видео.html

  • @AnnatarTheMaia 2 days ago

    The DHCP protocol RFC specifies that the DHCP client is supposed to solicit address offers, which implies that multiple DHCP servers should be on the network, and indeed, if one is managing one's network with the dynamic host configuration protocol, one should have as many DHCP servers as possible to increase redundancy and availability, but no less than three (so there can always be quorum).

    • @homenetworkguy 2 days ago

      When I say you shouldn’t have multiple DHCP servers on the same network, I’m not referring to high availability but rather 2 different DHCP servers running on 2 different systems not in a HA configuration. There will be conflicts of IP address assignments if you have a rogue DHCP server running on the network if they’re using the same IP ranges. I imagine there are ways to mitigate this, but I’m always speaking from a home network context (hence the name of the channel). You don’t really need to have a minimum of 3 DHCP servers on a home network (I’m counting DHCP listening on multiple interfaces in OPNsense as one DHCP server). I’ve survived 25+ years of home networking using a single DHCP server. Typically I have other problems that are not DHCP related.

    • @AnnatarTheMaia 2 days ago

      @@homenetworkguy that's exactly what I wrote about: one should have multiple DHCP servers for the same network, even if that network is a home network. The challenge, of course, is keeping them in sync. I keep my configuration packaged in OS packaging format in Git, so when I modify it, I bump the package revision and upgrade the configuration package on all the DHCP servers. Problem solved!

    • @homenetworkguy 2 days ago

      Yeah, that's a great solution for high availability, but I typically throw out the general warning that if you spin up another OPNsense or plug another device into the network which has its own DHCP server running (that is NOT synchronized), it could cause problems. What you are describing is syncing up the DHCP servers, which is an intentional action to have redundancy on the network. That is not a bad idea for improving the reliability of the network when services or hardware fail, and it shouldn't cause problems on the network when implemented properly. I've spun up VMs and/or connected another OPNsense box to the network when testing and it would temporarily disrupt my network until I disconnected it because I accidentally connected the wrong interfaces or had some configuration incorrect.

  • @AnnatarTheMaia 3 days ago

    If you want to do this with VMs, I strongly suggest using Triton on SmartOS instead: you get IPFilter, Solaris zones technology, mdb, DTrace, ZFS, Fault Management Architecture (FMA), Service Management Facility (SMF, like systemd but way better) and the Crossbow network virtualization, which allows one to create virtual switches and routers, and yet everything runs on bare metal because Solaris zones virtualize the kernel and not the hardware (and yet still enable one to virtualize other operating systems like Windows, GNU/Linux and FreeBSD with both KVM and Bhyve).

    • @homenetworkguy 2 days ago

      Yeah, there are lots of solutions out there you can run, but the video is not focused on the option you described. Thanks for the suggestion though. I can look into it further at some point.

    • @AnnatarTheMaia 2 days ago

      @@homenetworkguy that'd be cool, another step-by-step video.

  • @Kattakam 3 days ago

    Too many video cuts that aren’t spliced well. Some technical aspects weren’t explained correctly, like the purpose of using an Intel NIC chipset and not Realtek or other NIC manufacturers, with services and hardware offloading vs software offsets. I would’ve really liked to see why buying this over Netgate made sense.

    • @homenetworkguy 3 days ago

      Sorry about that. I didn’t really intend to compare the difference between other brands. That is a good point about Intel vs Realtek for pfSense/OPNsense. I’m hoping to improve as I make more videos.

  • @vaughnbay 4 days ago

    7:25 ".....you'll see the zone id and the account id there....." Has this changed? I do not see an account id.

    • @homenetworkguy 4 days ago

      This is the Cloudflare dashboard so if you’re using Cloudflare as your DNS registrar, the account ID should be listed on the right hand side of the page after you click on your website domain name from the dashboard. I just checked and it looks the same.

  • @al-souniibrahim5772 4 days ago

    Hi HomeNetwork, I configured the OPNsense Captive Portal for my network, but I’ve encountered a challenge. After completing the setup, the captive portal login page does not automatically pop up in users' browsers when they connect to the network. Despite following the configuration steps and ensuring that the necessary settings are in place, users are not being redirected to the captive portal as expected. I would appreciate your assistance in resolving this issue and would be grateful if you could guide me through any additional steps or troubleshooting methods that I may have overlooked. Looking forward to your guidance.

    • @homenetworkguy 4 days ago

      Did you try disconnecting and reconnecting users on the network where the captive portal is enabled?

  • @lencumbow 4 days ago

    Clear as mud. You never really made it clear when to use floating vs. group.

    • @homenetworkguy 4 days ago

      I rewatched part of the video to make sure I didn’t forget to include examples, but I had a few examples in the video. If you have the same set of rules you wish to apply to multiple interfaces, consider using firewall groups: it reduces repetition of the same rules across multiple interfaces. If you wish to apply rules across the entire network, floating rules are a good option. I like using them for things such as allowing the iperf3 port on the entire network so I can speed test between all of my internal networks without needing to create rules all the time. You can use them for IP block lists to block malicious IPs across the entire network. I like allowing SSH across all internal networks as well, so it works nicely as a floating rule. However, floating rules do allow you to select specific interfaces to apply the rules to. You can essentially achieve the same thing with floating rules as with firewall groups. One benefit of firewall groups is that you get autogenerated aliases for “address” and “net” like you do with other interfaces, such as LAN address and LAN net.

  • @geekcruz 5 days ago

    Awesome video, worked perfectly for me. I don't know if you noticed as well the plugin for OPNSense for Caddy?

    • @homenetworkguy 5 days ago

      Yes. I made this video like 1 week before the plugin came out. Haha. I personally prefer not to run it on the firewall because I worry about what happens if the reverse proxy gets compromised. The good thing about doing it this way is you can put the proxy on a DMZ network and keep it isolated from the rest of your network. However, someone assured me that it may not be that bad since it may be a less privileged user or the plugin runs in a jail or jail-like environment. I can’t recall the details off the top of my head.

  • @TheDropForged 5 days ago

    I have also bought a 1U server case to swap my ZimaBoard pfSense to rack mount. I am also planning to get an N100 Topton motherboard off AliExpress. I have been using a Topton N5105 as a NAS for more than a year without any issue.

    • @homenetworkguy 5 days ago

      Nice! These low power systems are pretty great to run pfSense and other software.

  • @KR1SR1GH7 5 days ago

    Great vid, looking forward to the next vid

  • @EA-Agent 6 days ago

    The handshake was not completed after I followed your guide. ZenArmor is running, but I don't think it affects the VPN. :(

    • @homenetworkguy 5 days ago

      Some users stated they needed to do the normalization rule from the official OPNsense documentation. I’m not sure why, but perhaps it’s for those who have ISPs which use different MTU values. Also make sure that port 51820 is not blocked by your ISP. On one network where I set up WireGuard, I simply changed the port to 51821 and it worked just fine. It’s annoying when ISPs block incoming ports like that.

    • @EA-Agent 5 days ago

      @@homenetworkguy Thank you! :)

  • @ChrisVirgilio 6 days ago

    Do you think an N100 is really powerful enough to saturate a 10g SFP+ connection up and down? That’s my real concern.

    • @homenetworkguy 6 days ago

      For a single 10G interface for speed testing and file transfers over the network, yes! So it’s fine as a desktop client or lightweight file server. If you’re doing IDS/IPS, which is very CPU intensive, with something like pfSense or OPNsense, not a chance. I’ve tried Zenarmor for example with OPNsense on an i5-1235U CPU, which is much more powerful than the N100, and I could only get 4-5Gbps. If you’re not doing IDS/IPS, you should be able to route across 2 interfaces at 10G. Routing by itself is not as CPU intensive as IDS/IPS and VPNs.

    • @ChrisVirgilio 6 days ago

      @@homenetworkguy My use case would be a local home network with a NAS and client PC with 10Gbps connections while the rest are basically all 2Gbps. My internet will be 2Gbps fiber.

    • @homenetworkguy 6 days ago

      Nice. As a client or lightweight NAS, I imagine the N100 would be fine. I haven’t tested it with TrueNAS yet, but it should be fine because it’s not the most CPU intensive, especially if you’re not running apps on TrueNAS and it's for a home network.

  • @greymatter-TRTH 7 days ago

    I just subscribed. 🙃

  • @drbyte2009 8 days ago

    I recently discovered this channel. I really love your tutorials, they are great!!!!!, especially the ones on OPNSense, I almost watched them all. I would love to see a guide on how to set up OPNsense as a transparent bridge. I know there are a few on YouTube, but the ones I found are far from perfect.

    • @homenetworkguy 8 days ago

      Thanks! I appreciate that you enjoy them! I’m working to ramp up quality as you can see in this most recent video. I have received several requests for a transparent filtering bridge guide. Seems like the demand for such a configuration has increased since Dave’s Garage released his video. I have yet to try it out, but I want to make sure I get it right when I do the video.

    • @drbyte2009 8 days ago

      @@homenetworkguy I was indeed also triggered by the video from Dave's Garage, but there are some minor hiccups in that video. I managed to set it up (as a VM in Proxmox on an MS-01), and I use that setup now in a test environment at the moment, but I think that it could be done better 🙂

  • @greymatter-TRTH 8 days ago

    Your accent makes me go insane. My brain keeps thinking you're asking something.😂😂😂

    • @homenetworkguy 8 days ago

      Sorry. It’s also probably how I had to cut the video in certain places and how I end sentences with an inflection when I’m not supposed to. I’m trying to improve this over time. It’s tough speaking to a camera. Some people make it look easy. Haha.

    • @greymatter-TRTH 7 days ago

      @@homenetworkguy No, man. You are fine. No need to apologize. Your video is fine and so is your accent. Being humble is a nice attitude to have, so 👍. Your video is great. I didn't notice anything about any cuts. You're fine. You took time to do something useful for the internet. Useful stuff. Thanks!

  • @CharizardSnyper 8 days ago

    Quick question, how do I get OPNsense to hand out DHCP addresses to the VLAN networks? I've set up the necessary firewall rules (the ones shown in this video, DNS and private networks) in OPNsense, trunked the traffic to my switch and then configured the UniFi AP with the necessary VLANs. It was working for a few days, then it just stopped. I can connect to the VLAN networks (guest/IoT) with my phone, but the gateway doesn't hand out addresses. Thought it was the AP first, but when I tried setting up a HA VM with the VLAN tag, the VM did not get an IP address. I've also gone into the DHCP leases in OPNsense and added an IP address for the HA VM using the MAC address, but that still didn't work.

    • @homenetworkguy 8 days ago

      I’m assuming you have the DHCP server running on each of the interfaces? You have to make sure you don’t forget to check the box at the top of the DHCP page for each interface if you’re using the default ISC DHCP (I have forgotten to do that sometimes). It’s not enabled by default as you likely saw in the video. One other thing I can think of is that the VLAN configuration is not quite right. That can cause issues with getting IPs assigned.

    • @CharizardSnyper 8 days ago

      @@homenetworkguy "I’m assuming you have the DHCP server running on each of the interfaces?" Correct. "You have to make sure you don’t forget to check the box at the top of the DHCP page for each interface if you’re using the default ISC DHCP (I have forgotten to do that sometimes). It’s not enabled by default as you likely saw in the video." DHCP is enabled for all VLAN interfaces with the DNS server pointing to my Pi-hole. "One other thing I can think of is that the VLAN configuration is not quite right. That can cause issues with getting IPs assigned." That was my first assumption, and then I came back to your video to rehash the VLAN setup and firewall rules. Will Zenarmor block traffic if I set it up to monitor the LAN and VLAN networks?

    • @homenetworkguy 8 days ago

      Zenarmor shouldn’t block everything by default but you could try minimizing points of failure by setting up the bare minimum settings and then work from there. I’m trying to think of other things that could go wrong (without being able to view all of your configuration in more detail).

    • @CharizardSnyper 7 days ago

      @@homenetworkguy Tried removing the VLANs from Zenarmor but that didn't do anything. I do have a snapshot of a fresh install with VLANs, firewall rules and DHCP leases configured, but that's my last resort for now (can't remember if I took the snapshot with the PPPoE credentials or not). Here is a wall of text, also known as my settings.

      VLAN interfaces:
      Enable Interface - enabled
      Prevent interface removal - checked
      ID - n/a
      Device - n/a
      Description - n/a
      Block private networks - unchecked
      Block bogon networks - unchecked
      IPv4 Configuration Type - static IPv4
      IPv6 Configuration Type - track interface
      MAC address - blank
      Promiscuous mode - unchecked
      MTU - blank
      MSS - blank
      Dynamic gateway policy - unchecked
      IPv4 address - using subnets .10 (IPMI), .20 (IoT), .30 (guest) and .40 (DMZ)
      IPv4 gateway rules - disabled
      Parent interface - nothing selected
      Assign prefix ID - 0
      Optional interface ID - 0
      Manual configuration - unchecked

      VLAN firewall rules. DNS rules for IoT, guest, DMZ and IPMI:
      Action - pass
      Disabled - unchecked
      Quick - checked
      Interface - VLAN networks
      Direction - in
      TCP/IP Version - IPv4+IPv6
      Protocol - TCP/UDP
      Source / Invert - unchecked
      Source - VLAN net
      Source advanced - default settings/not messed with
      Destination / Invert - unchecked
      Destination - VLAN address
      Destination port range - DNS to DNS
      Log - unchecked
      Category - n/a
      Description - n/a
      No XMLRPC Sync - (blank)
      Schedule - none
      Gateway - default

      Private network rules for IoT, guest and DMZ:
      Action - pass
      Disabled - unchecked
      Quick - checked
      Interface - VLAN networks
      Direction - in
      TCP/IP Version - IPv4+IPv6
      Protocol - any
      Source / Invert - unchecked
      Source - VLAN net
      Source advanced - default settings/not messed with
      Destination / Invert - checked
      Destination - private networks
      Destination port range - any
      Log - unchecked
      Category - n/a
      Description - n/a
      No XMLRPC Sync - (blank)
      Schedule - none
      Gateway - default

      The IPMI network does not have this rule.

    • @homenetworkguy 7 days ago

      The OPNsense configuration looks reasonable but I did notice that if you're using IPv6 with Track Interface, you need to set a prefix delegation like /60 or /56 (whatever your ISP allows) and then for each interface, you will need to assign the prefix ID for each interface so that each interface can have a unique IPv6 subnet. Also have you tried using the parent interface with no VLANs to see if you get IP addresses via DHCP assigned? In your config above, it appears you are only using VLANs. It may be worth trying the parent physical interface with no VLANs and plugging a device into a port on the switch that is not assigned to any VLANs (which is often called VLAN1). If that works, you know that DHCP is working properly without the VLAN configuration. Then you can check over the VLAN configuration on the switch (and OPNsense but it doesn't look wrong so far assuming you assigned the VLAN to the proper physical interface).

  • @leaptech510 9 days ago

    Thank you for the video. Do you have any hardware recommendation that can sustain 10Gbps (WAN and LAN port) with NAT and NetFlow?

    • @homenetworkguy
      @homenetworkguy 8 days ago

      You might need a more powerful system than the Protectli I featured in the video depending on your needs for IDS/IPS, etc. Perhaps the Minisforum MS-01. Also running bare metal or PCIe passthrough even with the Protectli allows you to get closer to 10Gbps (unless you are using IDS/IPS). What I have been doing on my own network is avoid routing large amounts of network traffic through the firewall across VLANs. Instead, I have been multi-homing my systems so I can access my NAS or other storage backends on each of the VLANs where I need the fast data transfers (all of those systems have multiple network interfaces which makes this possible). Besides reducing the workload of the firewall, it also simplifies firewall rules on the OPNsense firewall since you do not need to create rules to access systems which live on the same networks/VLANs.

    • @leaptech510
      @leaptech510 7 days ago

      @@homenetworkguy Thanks. Have no plans to use IPS/IDS, just want 10Gbps with NAT for a typical home setup. Router: 1x 10G for WAN, 1x 10G for switch. Switch: 1x 10G for uplink, 4~6x 1G links for end user devices. Netflow is a bonus but not a must, just to check top talkers. That's all. Thinking of Minisforum MS-01 or VP6670. My ISP will provide the SFP: Huawei OptiXstar S800E XGS-PON SFP+ ONU (SC/APC)

  • @area51xi
    @area51xi 9 days ago

    This guy networks.

  • @durgeshkshirsagar116
    @durgeshkshirsagar116 10 days ago

    Great detailed video. Bro you look like Bollywood actor Salman Khan 😃😃

    • @homenetworkguy
      @homenetworkguy 10 days ago

      Thanks! I plan to do a new version of my full network build guide soon to use an updated OPNsense version as well as different hardware. I think he has much better hair than I do.. I'm slowly losing my hair as I get older. haha.

    • @durgeshkshirsagar116
      @durgeshkshirsagar116 10 days ago

      @@homenetworkguy He had hair transplantation. Thanks for sharing the knowledge.

  • @chibiichen
    @chibiichen 12 days ago

    Keep up the good work. Just bought an appliance, AP and switch. Your tutorials help. Do you plan to make a video about DNS and/or adblocking? I do not want to use my ISP's DNS. Is it enough to just give the DNS server via DHCP or is there a better „best practice“ regarding DNS?

    • @homenetworkguy
      @homenetworkguy 12 days ago

      Thanks! I’m planning to do an updated full network build guide soon with the latest OPNsense version and different switch/AP hardware. I have done some videos on DNS such as using Pi-hole but I could do more. For the updated full network build, I may simply show how to set up DNS over TLS since that is pretty simple to do. I haven’t messed around with AdGuard Home but I may in the future. On my home network, I just use Zenarmor. It blocks some ads (and it does much more than that) but maybe not quite as aggressive as other ad blockers. However, I’m not obsessed with blocking as many ads as possible so I don’t mind it. I find it irritating if I have to keep unblocking legitimate things because blocking certain domain names prevents access to certain websites/apps/services.

  • @Олег-б3ц9б
    @Олег-б3ц9б 13 days ago

    Please analyze such a product as defguard and its integration into OPNsense

    • @homenetworkguy
      @homenetworkguy 13 days ago

      Hmm I haven’t looked into defguard. Thanks for the suggestion.

  • @WebystherNunes
    @WebystherNunes 15 days ago

    For FreeBSD, is it okay to keep Linux as the type? Isn't the correct option 'Other'?

    • @homenetworkguy
      @homenetworkguy 15 days ago

      Perhaps so, but I don’t know what the low level settings are for “Other” vs “Linux”. I haven’t had trouble leaving it at the default so not sure of the benefit. It would be interesting to know since I can’t seem to find that info in the Proxmox documentation (it just says low level optimizations such as the BIOS clock).

  • @benm7242
    @benm7242 16 days ago

    Can be bought much cheaper from AliExpress. Sodola is just rebranded Horaco hardware. Same hardware design; the managed switch has the same interface and firmware. They just changed the name and that's it.

    • @homenetworkguy
      @homenetworkguy 16 days ago

      Yeah I'm sure. I should add my AliExpress affiliate link. I sometimes use both Amazon and AliExpress. Amazon is convenient, quicker and easier to return items (at least for US customers). Sometimes things off AliExpress arrive in less than 2 weeks. One of my shipments took 11 days.

  • @Gotmilk211
    @Gotmilk211 17 days ago

    Do you need 3 ports to have more VMs or can I use the out port for VMs as well? I have a mini PC with 2 ports.

    • @homenetworkguy
      @homenetworkguy 17 days ago

      You could do everything with a single interface if you like! I like using more of the interfaces available because it means less bandwidth is shared. Also for certain things such as clustering Proxmox, it’s recommended to dedicate an interface just for the cluster traffic (on its own network). If you have fewer ports and you have multiple networks/VLANs set up, you can just assign the CTs or VMs to whatever network you like. You have to make sure the network switch is set up for VLANs. The key thing to consider is that you need to use bridges instead of using pass through so multiple CTs and VMs can share the same physical network interface.

  • @hexium
    @hexium 17 days ago

    Thanks for the guide! I managed to set it all up, but I'm struggling with hostname resolution. I have a Pi-hole VM in the LAN network, and I set up the LAN DHCP server to use it, but obviously that doesn't affect clients that connect via WireGuard. I understand for that I need to configure Unbound DNS, but I can't find how to do it. As in, how to forward DNS requests from Unbound DNS to the Pi-hole IP address so that WireGuard clients can see the hostname aliases that I defined in Pi-hole.

    • @homenetworkguy
      @homenetworkguy 17 days ago

      I haven’t tried using Pi-hole for DNS for WireGuard clients but you can specify the Pi-hole DNS server in the WG client DNS settings. You will need a firewall rule on the WG interface to allow access to the Pi-hole DNS server.

    • @josephmartinez5749
      @josephmartinez5749 12 days ago

      @@homenetworkguy I'm curious about this as well. I don't use a Pi-hole but cannot get to any of my systems by name through WG. When I am actually on the network everything is fine.

    • @homenetworkguy
      @homenetworkguy 8 days ago

      I haven’t tried using Pi-hole with WireGuard in a long time but with using Unbound DNS without Pi-hole, DNS resolution with WireGuard works. I need to try this sometime with Pi-hole (on a lab network) to see if it works or if perhaps additional configuration is necessary.

  • @ricaspinto
    @ricaspinto 18 days ago

    One of the most underrated channels I have seen in a while. Keep up the great work! Looking forward to the OPNsense guide 2024 edition :D

    • @homenetworkguy
      @homenetworkguy 18 days ago

      Thanks! Appreciate the comment! I have lots of ideas and so little time to execute it all but I keep moving slow and steady!

    • @ricaspinto
      @ricaspinto 17 days ago

      @@homenetworkguy I can imagine :) If it's not on your list already, one thing I've been searching for recently is bare-metal mini-PC hardware for OPNsense installations. I have heard a lot about N100 chips but a video with updated info would be awesome!

    • @homenetworkguy
      @homenetworkguy 17 days ago

      Cool. I have several mini-PCs I could line up on a table and discuss the pros and cons. A few I’m currently using on my main home network so I can’t take them down for illustration purposes. Could be useful for those looking for some guidance. I would probably need more variety of hardware to have a more comprehensive view. I should keep that in mind for the future.

  • @casperghst42
    @casperghst42 19 days ago

    And there is no remote access to BIOS or hardware, that is a major problem with all these boards. You'll need IPMI or something similar.

    • @homenetworkguy
      @homenetworkguy 19 days ago

      You could use a KVM over IP device. Some of them even have the ability to reboot the machine. If you really need that capability built in, you’ll need more enterprise like gear. I avoid enterprise gear due to noise, power consumption, large/heavy footprint, etc. However, I did buy an old used server grade motherboard for my TrueNAS box that does have IPMI. I don’t use it all the time since I mostly use the web interface or SSH to get access. IPMI is nice though when you need it.

    • @casperghst42
      @casperghst42 19 days ago

      @@homenetworkguy Adding an additional device will add to the complexity, and they are also not free either. I'd like it if Intel would release one of these CPUs with support for vPro Enterprise, which would solve the problem once and for all. And just to make things even better, support for ECC. I like Enterprise stuff (when I can afford it) as it works. But especially a firewall should as a minimum have a serial port which can be used to access the BIOS.

    • @homenetworkguy
      @homenetworkguy 19 days ago

      That would be nice if it was available on all systems, but for home use, I can live with KVM over IP to access the BIOS screen but I rarely need to do that. I used a cheap Qotom mini-PC OPNsense for almost 6 years and only needed to access the BIOS for the initial installation. I just used this build as an example OPNsense box but I won’t be using them for that purpose in my lab other than for demonstration purposes.

  • @Crabofwar2
    @Crabofwar2 19 days ago

    No idea what I'm doing wrong. The connected devices handshake with WireGuard but I can't ping any local device or connect to the internet.

    • @homenetworkguy
      @homenetworkguy 19 days ago

      I have noticed that some users have a real struggle getting WG setup even with following the directions. I’ve tried to help with everything I can think of and sometimes the issue isn’t fully resolved. I am curious what is different for some users’ configuration that makes the WG VPN not work properly. Have you checked all of your firewall rules? If you can make a successful handshake, it should be a matter of setting up the proper rules on the WireGuard interface to allow the appropriate access.

    • @JamesBond-kx3kl
      @JamesBond-kx3kl 16 days ago

      I banged my head against the wall for an hour before I realized I had a typo in the WAN firewall rule and typed the port# for WG wrong.

  • @SB-qm5wg
    @SB-qm5wg 19 days ago

    New Intel 4x 1G NICs have really dumped in price but the 2.5G 4x NICs are still crazy expensive.

    • @homenetworkguy
      @homenetworkguy 19 days ago

      What do you consider crazy expensive? For example there is an IOCrest 4 port card that’s $82: a.co/d/cjjdyal If you get StarTech, they’re over $200 on Amazon which is expensive. I sometimes get NICs from Aliexpress because they are cheap and there are more options to choose from than Amazon. Of course it’s hard to say how many are genuine but they have all worked at advertised speeds when I tried them.

  • @dustingarder7409
    @dustingarder7409 19 days ago

    Why did you disable the Proxmox firewall for WAN but not for LAN?

    • @homenetworkguy
      @homenetworkguy 19 days ago

      Probably not intentional but I don't use the Proxmox firewall since I use OPNsense to firewall the network (and I use local ufw firewalls on all my Linux containers/VMs). If you have the box checked to enable the firewall, there are no rules defined by default so it doesn't offer any protection. You have to add rules in Proxmox if you want to further restrict access. I suppose it is yet another layer of protection if you want to use it in addition to everything else.

  • @sekritskworl-sekrit_studios
    @sekritskworl-sekrit_studios 20 days ago

    meh.... I'd have rather seen a server setup

    • @homenetworkguy
      @homenetworkguy 20 days ago

      For the hardware or software? I may test a Proxmox build but not sure if it will be worth a full video or not. I’m going to be doing a Proxmox build in an upcoming video and some examples using Proxmox using a mini PC with the Intel Atom 3758.

  • @tactoad
    @tactoad 20 days ago

    Just a heads up regarding the memory. I got random crashes in OPNsense when running the memory at 3200. I had to bump the memory voltages a bit to stabilize it. Been rock solid since.

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Thanks for the heads up! Same motherboard I’m assuming? I will have to test and see about stability cause RAM and motherboards can be finicky. I had to bump voltages on my old Ryzen 7 1700 motherboard when I maxed it out with 64 GB of RAM on my old Proxmox server. I found like the only post on the Internet which mentioned bumping voltages for that CPU/motherboard (haha), and it made it rock solid.

    • @tactoad
      @tactoad 19 days ago

      @@homenetworkguy I have the ITX/DC variant so it should be similar. The BIOS doesn't give a clear use of the XMP profile regarding memory voltage. Running a dual i226-V NIC and it works great for a 2.5G FW solution. But it's not a platform I'd recommend for a dual 10GbE FW due to PCIe limitation. You can tap out the PCIe lanes from the M.2 slot with a converter but it's not pretty.

    • @homenetworkguy
      @homenetworkguy 19 days ago

      Yeah I noticed you don’t have the option to select an XMP profile (I didn’t dig deep into it) like some motherboards. When I test it some more I’ll see if it stays stable or not. Yeah I mentioned in the video that dual 10G wouldn’t be good even for the PCIe 3.0 x2 (which your ITX board doesn’t have) but it can handle a single 10G NIC just fine assuming it’s a PCIe 3.0 card.

  • @crocodiluvesel4929
    @crocodiluvesel4929 20 days ago

    How much power does it use?

    • @homenetworkguy
      @homenetworkguy 20 days ago

      With the default installation of OPNsense, no tweaks and no power savings tweaks in the BIOS, it sits at like 24-25 Watts. The case also has 2 fans it's powering. Fanless systems would use less power. I imagine there could be some power savings settings that could be enabled to further reduce the power consumption. Still much less than most desktop hardware running as a server (some of my old servers were using 65-90 Watts idling).

  • @msolace580
    @msolace580 20 days ago

    Looking forward to more on this. I got an N100 and just put Proxmox on it. Going to virtualize OPNsense and see how much more performance I get etc.

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Nice! But you likely won’t get more performance with using VMs on Proxmox. In some cases it can decrease performance (like using bridged network interfaces with OPNsense). Maybe I’ll test it soon to see how it goes.

  • @JonatanCastro
    @JonatanCastro 20 days ago

    Thanks for this video and the very nice improvement in production! I have actually linked your article in one of my past videos about OPNsense. If you don't mind, I have an N100 1U rack router/firewall from Gowin with that same Mellanox card. I tried both OPNsense and pfSense on bare metal and virtualized over Proxmox. When I run an iperf3 (server either out of the router or in the router), I get around 5 Gbps for 3-4 seconds, and then it drops to 800 Mbps. I've tried several settings, with and without hardware offloading, etc. No luck. Do you have any experience with this problem? Thanks!

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Thanks! I’m excited for the improved quality! Took me a while to get there but it’s worth the investment. Also thanks for linking to me! Are you using passthrough for the NICs? You won’t be able to get full 10G using bridges. I’ve noticed it takes a faster CPU (such as the i5-1235U in the VP6650 that Protectli sent me) to get close to 10 Gbps and in some cases, only passthrough could reach it. I’ll likely be doing some more testing on throughput performance now that I have two N100 systems to play with. I previously didn’t have any experience with them but know that lots of people love the N100 for OPNsense builds.

    • @JonatanCastro
      @JonatanCastro 20 days ago

      @homenetworkguy I tried both, actually: passthrough and virtio, even bare-metal... which is driving me crazy because I assumed it should be able to handle 10G, but still, it goes downhill in the iperf3 test very quickly. I can share images with you if you want to! I'm super interested in your testing results as well.

    • @homenetworkguy
      @homenetworkguy 20 days ago

      @JonatanCastro Interesting. I know that I can get 10G bare metal with Linux using iperf3 (I’ve already done that prior to my video). I have yet to test OPNsense performance with the N100 but that will be soon.

    • @JonatanCastro
      @JonatanCastro 20 days ago

      @@homenetworkguy exactly! I also installed Proxmox on the N100 and I was able to get the full 10G as well

    • @homenetworkguy
      @homenetworkguy 20 days ago

      I’m assuming you’re referring to the Proxmox host getting 10G (Linux based) and not the VMs?

  • @kyleg3433
    @kyleg3433 20 days ago

    I love seeing you continue to share all this amazing information in addition to improving the production quality of your videos!

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Thanks! I plan to continue doing more! Glad you appreciate the improved production quality. The "budget friendly" (relatively speaking) Panasonic LUMIX G85 has far exceeded my expectations in video quality. No comparison to my old iPhone footage. I also got some new LED studio lights as well that are less bulky (but not quite as bright) and more energy efficient than the traditional, cheap studio lights I was using.

  • @suntoryjim
    @suntoryjim 20 days ago

    That's a beefy OPNsense rackmount. Too bad the ASRock motherboard doesn't come with a built-in 4-port NIC like the various N100 NAS boards on AliExpress.

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Yeah, you can buy 4 port i226 NICs if you want that on the board. If you put it in the PCIe 3.0 x2 slot, you should be able to get the full throughput on all 4 network interfaces. I'm actually glad the board doesn't include the 4 2.5G NICs because it allows me to have more PCIe lanes to utilize and I can put a 10G NIC on that board instead of the 4 2.5G interfaces. The N100 only has 9 total PCIe lanes and you can only utilize 3 of those lanes via the PCIe slots (the NVMe/WiFi module slots, USB ports, etc utilize the remaining lanes).

  • @Jared-v4o
    @Jared-v4o 20 days ago

    Looking forward to your updated guide! I have been following your existing one recently as a guide to building a new home network. It's been an invaluable resource. I may be beating you to the punch, but I am curious about the security suites you are running today. I read through your guide on securing OPNsense on your website; is that still a good representation of your recommendations? Are you still using Zenarmor on the LAN with IDS / IPS with Suricata on the WAN? Do you still utilize CrowdSec? What about any IP blocklists? I am getting near to the point of cutting over and using OPNsense as my primary router and have been thinking through best approaches to secure it when that happens. I absolutely love your vids and the material you publish.

    • @homenetworkguy
      @homenetworkguy 20 days ago

      Yeah I'm getting closer to creating an updated full network build to essentially replace the original ones I did almost 2 years ago. Video and audio will be improved from the original, and I am getting a bit more comfortable recording on the camera (it is very challenging for me compared to written content, haha). As for security services, etc, I mostly use the same things. I don't use Suricata on the WAN. I just use Zenarmor and CrowdSec in addition to the basics: isolating networks via VLANs, allowing/blocking traffic across VLANs via firewall rules, local ufw firewall on all my Linux systems/containers/VMs, SSH keys with strong passwords, software updates, etc. Defense in depth security practices. All of it works together to maximize security. There's always room for improvements, of course! I try to balance security with usability of my network. I try not to lock things down so tight that it's a pain to use my network especially since it's a home network and not a corporate network. Glad you love the content! Thanks for following along!

  • @cyrilpinto418
    @cyrilpinto418 21 days ago

    Hi, once again thank you for everything. Small question wrt VLANs; let's assume as in the above video, a NIC / bridge is made VLAN aware, and then connected to a switch that has say 5 physical ports and each port is being used for 5 separate VLANs (VLAN id 2, 3, 4, 5, 6). Let's say we create a Proxmox CT or VM but want it to have a new VLAN id 7; do we need to do anything on the switch itself? Or should we just input 7 as the VLAN id in the CT/VM? Are the number of VLANs restricted to the number of physical ports on the switch? Would really appreciate your views on this.

    • @homenetworkguy
      @homenetworkguy 21 days ago

      First of all, 1 of the 5 ports will need to be connected to Proxmox and that port will have ALL VLANs assigned as a trunk port so the traffic can pass through to Proxmox. A trunk port can have as many VLANs as you want to pass through to other switches, routers, wireless access points, and servers (all of which need to be VLAN aware devices). Each non-trunk port can only be assigned to a single VLAN. In Proxmox you can create a virtual bridge (with or without VLAN tags) that you can use as a virtual network within the Proxmox server or Proxmox cluster, if you wish to have CTs/VMs on their own virtualized network (this can be helpful for lab networks, etc).

    • @cyrilpinto418
      @cyrilpinto418 20 days ago

      @@homenetworkguy the last sentence is what I want to do; create virtualized CTs in 3 VLANs, 1 each for Caddy, Apps, and Arr stack. I created a VLAN aware bridge that wasn't connected to any NIC, and all was working fine, but the setup is causing OPNsense to crash / restart. I'm now thinking of using my last remaining NIC, making a VLAN aware bridge, creating 7-8 VLANs and trunking them to my Mikrotik Hex which will only have 4 available ports, to be used to separate physical devices such as office, IoT, guest etc. The only 3 VLANs to be used for Caddy, Apps, and the Stack. Am totally lost here.

  • @jtucker4
    @jtucker4 22 days ago

    The "Allow access to DNS" and "Allow access only to Internet" work great unless you try and use apt update or apt upgrade in an LXC container in Proxmox and then nothing. It won't update or upgrade unless I give the container full firewall access in OPNsense. Not sure why.

    • @homenetworkguy
      @homenetworkguy 22 days ago

      Is the container on a different VLAN than the Proxmox host? If so, don't forget you need to specify the DNS server in the settings for the container because it will default to the same DNS server as the host (which could be 192.168.1.1 by default depending on the network IP addresses you're using). I sometimes forget to change the DNS server when I create a new LXC on a different VLAN than the Proxmox host.

  • @josemmm11
    @josemmm11 23 days ago

    Can you make a review about how this device detects viruses from the internet? For example downloading several malware samples from the internet to know how effective the antivirus of this device is. Best regards

    • @homenetworkguy
      @homenetworkguy 23 days ago

      That would be a good idea to test out the firewall/malware protections of that product.

  • @hprompt166
    @hprompt166 23 days ago

    Hi there, great video as usual. How does this work with regular plaintext DNS using port 53, Pi-hole using port 5335 and Unbound in OPNsense using port 853 to Cloudflare? Also I have 2 Proxmox servers, should I install Pi-hole on each Proxmox server? Thanks for all your help

    • @homenetworkguy
      @homenetworkguy 23 days ago

      Sure you can have 2 instances running for redundancy (plus when you reboot one of your servers, it doesn't take down the DNS on your network). For the DNS configuration, you could configure the DHCP settings for interfaces in OPNsense to use the Pi-hole DNS server(s). Then have Pi-hole use the Unbound DNS IP address as its upstream DNS server. Then Unbound DNS can be configured to use DNS over TLS to Cloudflare for external DNS requests. So it would be like this: client -> Pi-hole DNS -> Unbound DNS -> Cloudflare DNS over TLS.

    • @hprompt166
      @hprompt166 22 days ago

      @@homenetworkguy Thanks for the reply. I have 2 more questions: when you say "have Pi-hole use the Unbound DNS IP address as its upstream DNS server", where in OPNsense Unbound will I find that IP address? Or is it the Cloudflare DNS address? Also, when I run resolvectl my current scopes show none and yours shows DNS, resolv.conf mode shows foreign and yours shows stub. Thanks again

    • @homenetworkguy
      @homenetworkguy 22 days ago

      Unbound listens on all interfaces by default so the IPs you can use are any of your network interfaces as the upstream DNS server for Pi-hole. If Pi-hole lives on the LAN, use 192.168.1.1 as the DNS server for Pi-hole, for example. Don't confuse internal DNS with external DNS. You're basically creating a chain of DNS servers and inserting Pi-hole in the middle. I prefer to keep DNS more simple than that by not using Pi-hole (I use Zenarmor in OPNsense). I created this demonstration for those who like to use it. The more complex you make DNS, the more likely you will have issues if something goes wrong or fails. As for the second question, not sure what you are saying unless you're not getting the DNS server appropriately assigned by DHCP. If you're using a static IP on the device, you would have to specify Pi-hole as the DNS server since it wouldn't obtain it from DHCP from OPNsense.

    • @hprompt166
      @hprompt166 22 days ago

      @@homenetworkguy It's starting to make more sense now. Thanks again

  • @MrKalindro
    @MrKalindro 24 days ago

    Great video, it indeed works! I was wondering if there is a way to allow all routes to my homelab but forbid peers from communicating with each other? If I do it in the firewall settings, will it be sufficient? Or does it also have to be done at the VPN level?

    • @homenetworkguy
      @homenetworkguy 23 days ago

      I haven't tried this since I mostly just use my phone to connect back home but occasionally my iPads. However, I've seen where you can adjust the iptables on the server side to enable client side isolation (www.lautenbacher.io/en/lamp-en/wireguard-prohibit-communication-between-clients-client-isolation). That is for Linux. FreeBSD would be different since it doesn't have iptables like Linux. I'm not sure if you would do this via the command line in FreeBSD or if it could be accomplished via certain firewall rules on the WG interface. Also you could create multiple instances of WG and have clients connect to different instances (it may be possible to allow devices on different WG to communicate via firewall rules, similar to how you would to allow traffic across VLANs). This would be an interesting area to explore. I have a lot of things on my todo list... a never-ending todo list (which is great for content creation).

  • @tkuwalek1
    @tkuwalek1 25 days ago

    I have configured the Wireguard server and want to share access to the LAN, but I do not have !PrivateNetworks alias

    • @mr.dingleberry4882
      @mr.dingleberry4882 23 days ago

      Look for a video called "Beginner's Guide to Set up a Full Network using OPNsense" on his channel and skip to 18:33. Follow that section, and then come back here for rule cloning.

  • @opposedforces
    @opposedforces 26 days ago

    @homenetworkguy Your videos are amazing, but for someone new to OPNsense (me) I am stuck in the mud. It would be AWESOME if you had a quick video on how to set up the WAN interface properly for those of us who want to ditch our supplied routers, and use an OPNsense box instead. For some reason, I cannot get my OPNsense to grab a public IP on the WAN interface, so consequently, I cannot access the internet on the LAN interface. I have spent quite a bit of time looking for that missing link only to be thwarted at every turn.....lol. Thank you tho, for all you appear to be doing for this community sir !! P.S. Frontier fios/fiber....

  • @RodolfoOchoa
    @RodolfoOchoa 28 days ago

    Once you started cloning rules I don't have, I got lost. I have my own install.

    • @homenetworkguy
      @homenetworkguy 27 days ago

      Exactly. Everyone has their own set of firewall rules to allow the access they want on their own networks. I can’t show everyone how to create their exact rulesets. I can only provide examples. However there are some basic rules you will need to allow access to your network/Internet. I walked through each rule in the video but I have more detailed examples in my other guides. If you want your WireGuard clients to have exactly the same access as you have on your other networks, you can create similar rules or clone them so you don’t have to create them all from scratch. Creating rules for your WireGuard interface is exactly the same as any other network interface you have configured for your network.

    • @mr.dingleberry4882
      @mr.dingleberry4882 23 days ago

      Look for a video called "Beginner's Guide to Set up a Full Network using OPNsense" on his channel and skip to 18:33. Follow that section, and then come back here for rule cloning.

  • @hussainblackdrag1983
    @hussainblackdrag1983 28 days ago

    How to set up OPNsense behind a router to act as a b-router?

    • @homenetworkguy
      @homenetworkguy 28 days ago

      I have written versions of this on my website but I need to do a video on it. I believe in certain videos I sometimes mention that you need to tweak some settings if you're using OPNsense behind another router. Definitely would be good to do a guide on it.

    • @hussainblackdrag1983
      @hussainblackdrag1983 27 days ago

      @@homenetworkguy we are looking forward to it, it would be nice to know how to configure OPNsense in bridge mode.. please do the installation in Hyper-V