Ah, the community of burnt fingers. Be warned that the following advice is from a one-eyed man with massive astigmatism. But I did just burn away an all-nighter ripping apart two VLAN switches, two AiMesh routers (AX88U Pro and AX5400, back-connected by VLANs over Ethernet), and one heavily abused Minisforum N300 PC with only two Ethernet ports. The VLANs come from having only one Ethernet cable coming up from the basement through a small hole installed by the ISP tech, where both the AiMesh back-connect Ethernet cable and the cable modem live. This arrangement allows for the essential separation of LAN Ethernet from WAN Ethernet, which can never be the same. Skip the VLAN elaboration unless you are constrained by physical cabling; neither OPNsense nor the primary AX88U Pro is aware of the VLANs, as they are on access ports. But this arrangement lets me keep the network equipment in the basement and the two AP-mode routers in a good position above ground for Wi-Fi coverage.
The all-nighter came from OPNsense having an odd sense (pun intended) of configuration file updates. When performing any form of configuration update, check the documentation first, especially for DHCP, which uses a particularly weird merge with different rules by field (or empty the HOST table, then reread the whole thing from a CSV/XML file).
The worst by far is updating the network addressing scheme, as it is split between Interfaces (for LAN usually) and DHCP if using Dnsmasq by default, like Merlinwrt does in router mode. That was my unknown unknown. Make sure to configure the LAN gate in the LAN interface definition or your LAN will mysteriously fail to reach the internet. There are freaky conditions where it will appear to work if testing OPNsense WAN BEHIND the ASUS router in router mode, because you may have a residual OPNsense LAN gate definition that uses Merlin's default LAN address. Grr... 2am to 8am. Just remember to check or set the LAN gate address. WAN usually takes care of itself with the ISP's DHCP.
Usually you want the OPNsense LAN to be IN FRONT of the ASUS router (presumably the ASUS router is in AP mode) for production, but you can test OPNsense from behind (plugged into the router's LAN) just to confirm OPNsense can reach the Internet.
But why use a crappy ancient class C 192.168.n.0 address scheme with license restrictions long since obsolete? Here is a possible scheme a nearly blind home lab person might use:
1. unroutable.subnet.type.addr/16 (255.255.0.0)
where unroutable might be 10 for old-time class A 10.0.0.0/8 (use 16 instead), and subnet might be 0 for a 10.0.0.0/16 (255.255.0.0) primary network.
2. You can have up to 254 subnets, go wild as you like: 10.0.0.0/16 to 10.254.0.0/16.
3. You can have up to 254 device types (PCs and printers, IoT devices, media devices, guest networks, etc. as you like) for 10.0.1.0 through 10.0.254.0 (skip device type 0 to avoid the possibility of 10.0.0.0 itself), e.g. 10.0.10.x for network equipment, 10.0.20.x for NAS, 10.0.30.x for media servers, etc.
4. You can have up to 255 device addresses per type from 10.0.x.0 to 10.0.x.255 (if you refrain from device type 0 as mentioned above).
5. Examples: 10.0.0.1 for the network itself. You can view the network as type 0, but the address 1 avoids 10.0.0.0. This would be the LAN gateway address.
10.0.10.1 for a primary router, 10.0.10.2 for smart switch 1, 10.0.10.3 for smart switch 2, 10.0.20.1 for a NAS device, 10.0.30.4 for a Plex or Jellyfin server, etc.
Possible refinement: I use device address ranges to extend subtypes, like 10.0.50.x for phones with 1-50 for Android and 51-99 for Apple. Alternately, subtypes could be in the type position, like 10.0.30.x for Android and 10.0.31.x for iPhone. My current scheme defines 23 types supporting over 60 device addresses.
There is no magic here, but once you have the two host bytes (the last two address fields) free, you can do what you want. I put my device type scheme into a spreadsheet for quick reference and I assign all device addresses in DHCP (also kept in a separate CSV file). When I get a new device it immediately goes into DHCP. I even name my mystery devices in DHCP and have a defined type (10.0.150.x) to track them down later. My DHCP pool itself is very small (usually an address range of 4 to 9 devices) for visitors or any new devices. This is a huge win for new devices before they are assigned in DHCP, and it is a big security feature if anyone is sneaking into my DHCP pool: they will be obvious at first glance. The type fields are meant to be consistent even between subnets and VLANs. Feel free to roll your own, but there is no need to be a slave to old-style 192.168.n.0/24 addresses. BTW, the reason the universe invented network masks is so even the dumbest device can plug and play through DHCP. There are no compatibility issues.
My other conclusion about OPNsense and network management in general is that it is a somewhat random collection of interrelated data that can and occasionally will bite you with unknown unknowns. For once, I do intend to buy a reference book for learning and deeper cross-checking than only slogging through online documentation. OPNsense has a crazy number of terms if you dig into it. OTOH, if you simply set up the LAN gates and DHCP correctly, it is no worse than Merlin to get started, just a lot uglier but still usable GUI. And now you have decoupled routing and related activities from the particular router, which does change with distressing frequency. I also picked up an unexpected performance improvement, even just doing speed testing.
P.S. A discussion for a different thread: So far I have done nothing new with OPNsense that Merlin and AMTM scripts did not do, and do much more slickly when it came to the GUI. But they are tied to the router and whatever is going on with it. I prefer hardware independence and reduced attack surface per device. And it appears that Merlin (the Canadian, not the firmware) has a somewhat dim view of turning Merlinwrt into a network management system with a zillion AMTM scripts running like Unbound, Skynet, enhanced DHCP, etc. If I had to maintain the code base, that would make me nervous too. I will probably reinstall a few scripts related to hardware performance only.
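Added example, not the poster's code: a small Python helper that encodes the 10.subnet.type.addr/16 scheme from the post (classify an address into its subnet/type/host bytes, reject type 0 except for the gateway) and then audits a DHCP leases snapshot against the static reservations, so that an unknown MAC sitting in the small visitor pool, or a known MAC that drifted off its reserved address after a botched config merge, is flagged. The type table, the pool range (10.0.200.10-.19) and the lease/reservation data are constructed for illustration; a real OPNsense or Dnsmasq export would need its own parsing.

```python
"""Hypothetical helper for the unroutable.subnet.type.addr/16 scheme.

Constructed example: the type table, pool range, reservations and leases
below are made up to illustrate the scheme; none come from a real export.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Device-type byte -> label. 10/20/30 follow the post's examples and 150 is
# the "mystery device" parking type; the rest is an assumption.
DEVICE_TYPES: Dict[int, str] = {
    10: "network equipment",
    20: "NAS",
    30: "media server",
    50: "phone",
    150: "mystery",
}

# The small visitor pool (constructed: 10.0.200.10 through 10.0.200.19).
POOL = (ipaddress.IPv4Address("10.0.200.10"),
        ipaddress.IPv4Address("10.0.200.19"))


def classify(addr: str, unroutable: int = 10) -> Tuple[int, int, int]:
    """Split unroutable.subnet.type.host into (subnet, type, host).

    Raises ValueError outside unroutable.0.0.0/8 or for device type 0,
    which the scheme reserves so 10.s.0.0 never collides with the network
    address; the single exception is 10.s.0.1, the LAN gateway.
    """
    ip = ipaddress.IPv4Address(addr)
    first, subnet, dev_type, host = ip.packed  # four octets as ints
    if first != unroutable:
        raise ValueError(f"{addr} is not inside {unroutable}.0.0.0/8")
    if dev_type == 0 and host != 1:
        raise ValueError(f"{addr} uses reserved device type 0")
    return subnet, dev_type, host


def label(addr: str) -> str:
    """Human-readable type for an address, e.g. '10.0.20.1' -> 'NAS'."""
    _subnet, dev_type, _host = classify(addr)
    if dev_type == 0:
        return "gateway"
    return DEVICE_TYPES.get(dev_type, f"unknown type {dev_type}")


def audit_leases(reservations: Dict[str, str],
                 leases: Iterable[Tuple[str, str]]) -> List[str]:
    """Compare active leases with static reservations and return findings.

    reservations: MAC -> reserved IP (what was entered into DHCP by hand).
    leases: (MAC, IP) pairs currently handed out.
    An unknown MAC holding a pool address is the "obvious at first glance"
    case; a known MAC on the wrong IP points at a stale or mis-merged
    reservation, which is worth checking after any DHCP config import.
    """
    findings: List[str] = []
    lo, hi = POOL
    for mac, ip_str in leases:
        ip = ipaddress.IPv4Address(ip_str)
        expected = reservations.get(mac.lower())
        if expected is None:
            where = "visitor pool" if lo <= ip <= hi else "OUTSIDE pool"
            try:
                kind = label(ip_str)
            except ValueError:
                kind = "off-scheme address"
            findings.append(f"unknown MAC {mac} holds {ip_str} ({where}, {kind})")
        elif expected != ip_str:
            findings.append(f"{mac} reserved {expected} but holds {ip_str}")
    return findings


# Constructed sample data: three reservations and a leases snapshot in which
# the Jellyfin box drifted by one address and a stranger sits in the pool.
RESERVATIONS: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "10.0.10.1",  # primary router
    "aa:bb:cc:00:00:02": "10.0.20.1",  # NAS
    "aa:bb:cc:00:00:03": "10.0.30.4",  # Jellyfin server
}
LEASES: List[Tuple[str, str]] = [
    ("aa:bb:cc:00:00:01", "10.0.10.1"),
    ("aa:bb:cc:00:00:02", "10.0.20.1"),
    ("aa:bb:cc:00:00:03", "10.0.30.5"),    # reservation drifted
    ("de:ad:be:ef:00:01", "10.0.200.12"),  # unknown device in the pool
]

if __name__ == "__main__":
    for line in audit_leases(RESERVATIONS, LEASES):
        print(line)
```

Because the reservations and the type table live in plain dictionaries, the same script can be fed from the CSV the post keeps beside the spreadsheet; the audit then becomes a one-command check that the leases table still agrees with what was intended after a configuration update.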