pfSense/ OPNsense help

I have a single AP so can't speak to the issue but the option is there and there was a recent fw release. They've been good about releasing new updates about every 90 days. You have to go check for them though on their website.
 
I think I'm going to go with OPNsense because it gets more frequent updates unless you think there are reasons I shouldn't?
I am not sure that the quantity or frequency of updates makes something better than others. pfSense has much more online documentation, tutorials and community support - that is more valuable if you ask me. Besides, pfSense+ 23.01 runs on FreeBSD 14-CURRENT which is the latest branch and with that, contains all the latest drivers and security patches.
 
I think pfSense 23.01 probably has a hand up on OPNsense now since pfSense is on FreeBSD 14 and the last time I loaded OPNsense it was FreeBSD 13.
 
What are some good private ip addresses?
Depends on how many devices you need IPs for. The normal 192.168.x.x/24 is enough for most. Gives you 25x usable IPs for devices. RFC 1918 lists the 3 classes of subnets though, being 172.16-31.x.x or 10.x.x.x. There's also something called CGNAT that is a 100.x.x.x
 
254
 
A /24 netmask allows for 256 addresses, of which the all-low-order-bits-zero and all-of-them-ones addresses (that is, xx.xx.xx.0 and xx.xx.xx.255) are reserved per IP protocol spec. So you have 254 usable addresses no matter what the high-order bits are.

In practice, the 10.xx.xx.xx net is almost always used with a /8 netmask, because that's what the RFC specifies. That gives you ~16 million local addresses, which you don't need, but hey why not?
 
A /24 netmask allows for 256 addresses, of which the all-low-order-bits-zero and all-of-them-ones addresses (that is, xx.xx.xx.0 and xx.xx.xx.255) are reserved per IP protocol spec. So you have 254 usable addresses no matter what the high-order bits are.

In practice, the 10.xx.xx.xx net is almost always used with a /8 netmask, because that's what the RFC specifies. That gives you ~16 million local addresses, which you don't need, but hey why not?
So it should be 10.99.99.1 with a subnet mask of 8? This would give me the 16 million addresses?
 
... but hey why not?

... actually, a good reason why not would be if your ISP uses the 10/8 net on the upstream side of your router. Maybe you could make it work anyway, but it's pretty likely your router would get confused about where to send packets.

If you feel like you might need more than 250 local addresses, best practice is to use one of the 172.xx/16 subnets reserved for NAT by RFC 1918. In any case be sure it's not overlapping with whatever your ISP presents.
 
So it should be 10.99.99.1 with a subnet mask of 8?
If that number floats your boat for some reason, sure. Given that you're using 10/8 as your subnet, any address between (but not including) 10.0.0.0 and 10.255.255.255 is a valid device address within your subnet.
 
... actually, a good reason why not would be if your ISP uses the 10/8 net on the upstream side of your router. Maybe you could make it work anyway, but it's pretty likely your router would get confused about where to send packets.

If you feel like you might need more than 250 local addresses, best practice is to use one of the 172.xx/16 subnets reserved for NAT by RFC 1918. In any case be sure it's not overlapping with whatever your ISP presents.
I'm probably going to use subnet 24 to avoid any issues. I don't need more than 250 devices.

If that number floats your boat for some reason,
I'm just trying to use an ip address that I can remember so I can login easily.
 
I'm just trying to use an ip address that I can remember so I can login easily.
Bookmarks work well or run ipconfig or click on the network icon and hit status. There are tons of ways to get the IP for login. With Linux though you can add a loopback IP for management as well or bind secondary addresses to interfaces for server items that run on the same box like pihole for instance.
 
Just to clarify, you don't need to allocate the whole 10/8 or even 172/16 to use the IPs in that subset of RFC 1918. Using a /24 or smaller or bigger subnet works just fine. If you need more than a /24 you just go with a /23 and change the subnet mask.

If your provider even used 10.99.99.x you wouldn't have an issue since it's only for management purposes of the CPE and not routable over the internet. The IP on your device would be a public IP or CGNAT depending on the provider.
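
The checks discussed in this thread (usable addresses for a given prefix length, whether a range is RFC 1918 or CGNAT space, and whether a chosen LAN overlaps what the upstream side presents) can be run with Python's standard `ipaddress` module. This is an added example, not part of any post; the function names and sample networks are constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks; CGNAT shared space is 100.64.0.0/10 (RFC 6598),
# not the whole of 100.x.x.x.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def usable_hosts(cidr):
    """Host addresses left after reserving the network and broadcast addresses."""
    net = ipaddress.ip_network(cidr, strict=False)  # accepts 10.99.99.1/8 style
    # /31 and /32 have no separate network/broadcast pair to subtract.
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def classify(cidr):
    """Say which reserved block (if any) fully contains the given network."""
    net = ipaddress.ip_network(cidr, strict=False)
    for block in RFC1918:
        if net.subnet_of(block):
            return f"RFC 1918 ({block})"
    if net.subnet_of(CGNAT):
        return "CGNAT (100.64.0.0/10)"
    return "not private"


def check_lan(lan_cidr, upstream_cidrs):
    """Report size, class, and any overlap between a LAN and upstream networks."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    conflicts = [u for u in upstream_cidrs
                 if lan.overlaps(ipaddress.ip_network(u, strict=False))]
    return {"lan": str(lan), "kind": classify(lan_cidr),
            "usable": usable_hosts(lan_cidr), "conflicts": conflicts}


if __name__ == "__main__":
    # Constructed sample: the router's WAN side sits in 10.0.0.0/8.
    upstream = ["10.0.0.0/8"]
    for candidate in ("10.99.99.1/8", "10.99.99.0/24",
                      "172.20.0.0/16", "192.168.50.0/23"):
        print(check_lan(candidate, upstream))
```
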
 
This is really important for me but, I thought they can be applied to OPNsense?

Surely some of them can but the GUIs of both are completely different and I am not sure about functionality under the hood either. I only tried OPNsense briefly on a test rig but it didn't "click" so I got rid of it as fast as I installed it.
 
In my view the best configuration still remains to have all APs directly connected to a switch and configure all APs with same SSID and passwords for 2.4GHz and 5GHz. Having of course APs that link to each other and negotiate the most optimal settings for the operating environment among each other is perfect but even if not, better than any mesh, imho.
 
I just ordered a switch so I can do wired backhaul. How do I do this? Do I need to configure any setting or do I just connect an ethernet cable from the switch to wherever my 2nd AP is?
I ordered this switch: https://a.co/d/d624zmQ
I guess my first question is why do you need a switch and not just directly connect the backhaul to a LAN port on the hardware that is set up as your router?

Second, while this is a very nice switch at a reasonable price, is there a particular reason you bought a switch with multiple ports capable of 2.5 gigs? Does your AP have a 2.5 gig port?
 
