itallrounder

OPNsense firewall with MikroTik switches: initial setup

Good evening everyone,

I have worked through quite a few of @aqui's tutorials, but unfortunately I still can't get my setup to work.

Here is a rough sketch of the planned network:
mikrotik-switch1.drawio

At the moment the FritzBox 7590 AX is running on a Telekom SVDSL line with 250/50 Mbit/s.
In future the FritzBox will be connected to an ONT that terminates a 1 Gigabit fibre (LWL) connection.

The OPNsense firewall has no built-in modem (do I even need one for a fibre connection?).
New line type: AllIP Fiber, dual-stack IPv4 and IPv6
Username: XYZ, password: XYZ, protocol: PPPoE, VPI/VCI: 0, VLAN: 22

In future the OPNsense is supposed to provide various VLANs so that the home network is somewhat segmented.
The VLAN interfaces for that have already been created.

My MikroTik switches are really only meant to provide the VLANs to the end devices (NAS, MikroTik cAP ac, Intel NUC server, PC, consoles, etc.).
Nevertheless I opted for an L3 switch running RouterOS.

My current problem:

I can neither ping the MikroTik switch from the OPNsense, nor does the MikroTik reach the OPNsense.
Likewise, clients connected to the MikroTik do not get a DHCP address from the firewall.
For now I have only prepared the configuration of the CRS112 and am testing with that one.
Only once that works will the CRS326 and the two cAP ac be added.

The devices are connected as follows:
OPNsense IGC0 -> FritzBox LAN 3
OPNsense IGC1 -> MikroTik CRS326 SFP2 (2.5GbE RJ45 transceiver)
OPNsense IGC2 -> MikroTik CRS112 SFP12 (2.5GbE RJ45 transceiver)
(Yes, the OPNsense has 4x 2.5GbE interfaces.)

I suspect a quite trivial mistake in my design somewhere.

The OPNsense hardware in use is the following:
Amazon - Hamsing Celeron J4124

Configuration of the MikroTik CRS112 switch:
[admin@MikroTik] > export compact hide-sensitive
# mar/29/2023 23:35:37 by RouterOS 7.8
# software id = 6UBJ-P7S7
#
# model = CRS112-8G-4S
# serial number = HE208R3GR53
/interface bridge
add igmp-snooping=yes ingress-filtering=no name=vlan-bridge vlan-filtering=yes
/interface vlan
add interface=vlan-bridge name="Client Systeme" vlan-id=20  
add interface=vlan-bridge name=DMZ vlan-id=23
add interface=vlan-bridge name=Default vlan-id=1
add interface=vlan-bridge name="Legacy AVM" vlan-id=28  
add interface=vlan-bridge name=WiFi vlan-id=24
add interface=vlan-bridge name=WiFi-Guests vlan-id=25
add interface=vlan-bridge name=WiFi-IoT vlan-id=26
add interface=vlan-bridge name=Management vlan-id=27
add interface=vlan-bridge name=Multimedia vlan-id=22
add interface=vlan-bridge name="Server Systeme" vlan-id=21  
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=vlan-bridge interface=sfp12
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=20
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=21
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=22
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=23
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=24
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=25
add bridge=vlan-bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=26
/interface bridge vlan
add bridge=vlan-bridge tagged=sfp12 untagged=ether2 vlan-ids=20
add bridge=vlan-bridge tagged=sfp12 untagged=ether3 vlan-ids=21
add bridge=vlan-bridge tagged=sfp12 untagged=ether4 vlan-ids=22
add bridge=vlan-bridge tagged=sfp12 untagged=ether5 vlan-ids=23
add bridge=vlan-bridge tagged=sfp12 untagged=ether6 vlan-ids=24
add bridge=vlan-bridge tagged=sfp12 untagged=ether7 vlan-ids=25
add bridge=vlan-bridge tagged=sfp12 untagged=ether8 vlan-ids=26
add bridge=vlan-bridge tagged=sfp12 vlan-ids=27
add bridge=vlan-bridge tagged=sfp12 vlan-ids=28
/ip address
add address=192.168.27.3 interface=Management network=255.255.255.0
add address=172.17.1.2 interface=sfp12 network=255.255.255.0
/ip dhcp-relay
add dhcp-server=192.168.20.254 disabled=no interface="Client Systeme" name=\  
    DHCP-Relay-v20
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.1.1 pref-src="" \  
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Berlin


Here is the current configuration of the OPNsense:

<?xml version="1.0"?>  
<opnsense>
  <system>
    <optimization>normal</optimization>
    <hostname>FWGW</hostname>
    <domain>hostname.domain.tld</domain>
    <dnsallowoverride>1</dnsallowoverride>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password></password>
      <uid>0</uid>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <timezone>Europe/Berlin</timezone>
    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>6423a4deec1dc</ssl-certref>
      <port/>
      <ssl-ciphers/>
      <interfaces/>
      <compression/>
      <ssl-hsts>1</ssl-hsts>
      <session_timeout>3600</session_timeout>
      <httpaccesslog>1</httpaccesslog>
      <nodnsrebindcheck>1</nodnsrebindcheck>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu>1</disableconsolemenu>
    <disablevlanhwfilter>1</disablevlanhwfilter>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <ipv6allow>1</ipv6allow>
    <powerd_ac_mode>hadp</powerd_ac_mode>
    <powerd_battery_mode>hadp</powerd_battery_mode>
    <powerd_normal_mode>hadp</powerd_normal_mode>
    <bogons>
      <interval>monthly</interval>
    </bogons>
    <pf_share_forward>1</pf_share_forward>
    <lb_use_sticky>1</lb_use_sticky>
    <ssh>
      <group>admins</group>
      <noauto>1</noauto>
      <interfaces/>
      <kex/>
      <ciphers/>
      <macs/>
      <keys/>
      <keysig/>
      <enabled>enabled</enabled>
      <permitrootlogin>1</permitrootlogin>
    </ssh>
    <rrdbackup>-1</rrdbackup>
    <netflowbackup>-1</netflowbackup>
    <firmware version="1.0.1">  
      <mirror/>
      <flavour/>
      <plugins>os-api-backup,os-clamav,os-haproxy,os-wireguard-go,os-ntopng,os-igmp-proxy,os-intrusion-detection-content-pt-open,os-lldpd,os-redis</plugins>
      <type/>
      <subscription/>
    </firmware>
    <language>en_US</language>
    <dnsserver>9.9.9.9</dnsserver>
    <dnsserver>1.1.1.1</dnsserver>
    <dnsallowoverride_exclude/>
    <dns1gw>WAN_DHCP</dns1gw>
    <dns2gw>WAN_DHCP</dns2gw>
    <dns3gw>none</dns3gw>
    <dns4gw>none</dns4gw>
    <dns5gw>none</dns5gw>
    <dns6gw>none</dns6gw>
    <dns7gw>none</dns7gw>
    <dns8gw>none</dns8gw>
    <serialspeed>115200</serialspeed>
    <primaryconsole>video</primaryconsole>
    <thermal_hardware>coretemp</thermal_hardware>
    <prefer_ipv4>1</prefer_ipv4>
    <gw_switch_default>1</gw_switch_default>
    <enablenatreflectionhelper>yes</enablenatreflectionhelper>
    <maximumstates/>
    <maximumfrags/>
    <aliasesresolveinterval/>
    <maximumtableentries/>
  </system>
  <interfaces>
    <wan>
      <enable>1</enable>
      <if>igc0</if>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
      <gateway/>
      <dhcphostname>opnsense-wan</dhcphostname>
      <media/>
      <mediaopt/>
      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
      <descr>WAN</descr>
    </wan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>
    <opt1>
      <if>igc1</if>
      <descr>OPT1</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>172.16.1.1</ipaddr>
      <subnet>24</subnet>
    </opt1>
    <opt2>
      <if>igc2</if>
      <descr>OPT2</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>172.17.1.1</ipaddr>
      <subnet>24</subnet>
    </opt2>
    <opt3>
      <if>bridge0</if>
      <descr>BR_Switches</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
    </opt3>
    <opt4>
      <if>vlan020</if>
      <descr>Clients</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.20.254</ipaddr>
      <subnet>24</subnet>
    </opt4>
    <opt5>
      <if>vlan021</if>
      <descr>Server</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.21.254</ipaddr>
      <subnet>24</subnet>
    </opt5>
    <opt6>
      <if>vlan022</if>
      <descr>Multimedia</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.22.254</ipaddr>
      <subnet>24</subnet>
    </opt6>
    <opt7>
      <if>vlan023</if>
      <descr>DMZ</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.23.254</ipaddr>
      <subnet>24</subnet>
    </opt7>
    <opt8>
      <if>vlan024</if>
      <descr>WiFi</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.24.254</ipaddr>
      <subnet>24</subnet>
    </opt8>
    <opt9>
      <if>vlan025</if>
      <descr>WiFiGuests</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.25.254</ipaddr>
      <subnet>24</subnet>
    </opt9>
    <opt10>
      <if>vlan026</if>
      <descr>WiFiIoT</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.26.254</ipaddr>
      <subnet>24</subnet>
    </opt10>
    <opt11>
      <if>vlan027</if>
      <descr>Management</descr>
      <enable>1</enable>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.27.254</ipaddr>
      <subnet>24</subnet>
    </opt11>
    <opt12>
      <if>vlan028</if>
      <descr>LegacyAVM</descr>
      <lock>1</lock>
      <spoofmac/>
      <ipaddr>192.168.28.254</ipaddr>
      <subnet>24</subnet>
    </opt12>
  </interfaces>
  <dhcpd>
    <opt4>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.20.254</gateway>
      <domain>home.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.20.50</from>
        <to>192.168.20.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.20.254</dnsserver>
      <ntpserver/>
    </opt4>
    <opt7>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.23.254</gateway>
      <domain>home.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.23.50</from>
        <to>192.168.23.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.23.254</dnsserver>
      <ntpserver/>
    </opt7>
    <opt8>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.24.254</gateway>
      <domain>home.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.24.50</from>
        <to>192.168.24.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.24.254</dnsserver>
      <ntpserver/>
    </opt8>
    <opt9>
      <enable>1</enable>
      <maxleasetime>36800</maxleasetime>
      <gateway>192.168.25.254</gateway>
      <domain>guests.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.25.50</from>
        <to>192.168.25.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.25.254</dnsserver>
      <ntpserver/>
    </opt9>
    <opt10>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.26.254</gateway>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.26.50</from>
        <to>192.168.26.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.26.254</dnsserver>
      <ntpserver/>
    </opt10>
    <opt11>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.27.254</gateway>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.27.50</from>
        <to>192.168.27.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.27.254</dnsserver>
      <ntpserver/>
    </opt11>
    <opt6>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.22.254</gateway>
      <domain>home.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.22.50</from>
        <to>192.168.22.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.22.254</dnsserver>
      <ntpserver/>
    </opt6>
    <opt5>
      <enable>1</enable>
      <defaultleasetime>36800</defaultleasetime>
      <gateway>192.168.21.254</gateway>
      <domain>home.reeger.eu</domain>
      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
      <numberoptions>
        <item/>
      </numberoptions>
      <range>
        <from>192.168.21.50</from>
        <to>192.168.21.150</to>
      </range>
      <winsserver/>
      <dnsserver>192.168.21.254</dnsserver>
      <ntpserver/>
    </opt5>
  </dhcpd>
  <unbound>
    <enable>on</enable>
    <dnssec>on</dnssec>
    <dnssecstripped>on</dnssecstripped>
    <stats>1</stats>
  </unbound>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <filter>
    <rule uuid="f7521853-f611-49d9-8aac-fe8b58c36c36">  
      <type>pass</type>
      <interface>wan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>WAN-ANY-INBOUND</descr>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@192.168.28.199</username>
        <time>1680029279.4235</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@192.168.28.199</username>
        <time>1680029279.4235</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="ac8e83fc-db0d-4337-8608-b97b2ba6b32e">  
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule uuid="82eac9fa-b43c-42b4-bea6-3608ab9009b9">  
      <type>pass</type>
      <ipprotocol>inet6</ipprotocol>
      <descr>Default allow LAN IPv6 to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule uuid="77202ac5-bb66-4091-b189-722c5ab27edd">  
      <type>pass</type>
      <interface>opt1</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@192.168.28.199</username>
        <time>1680117323.6271</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@192.168.28.199</username>
        <time>1680117323.6271</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="d7612c22-2fa6-48bb-ae4b-75076bae6635">  
      <type>pass</type>
      <interface>opt2</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@192.168.28.199</username>
        <time>1680117277.7438</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@192.168.28.199</username>
        <time>1680117277.7438</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule uuid="dca70d72-3207-4ef3-ab4f-9195620ed5c9">  
      <type>pass</type>
      <interface>opt3</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <source>
        <any>1</any>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@192.168.28.199</username>
        <time>1680117265.9038</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@192.168.28.199</username>
        <time>1680117265.9038</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
  </filter>
  <rrd>
    <enable/>
  </rrd>
  <load_balancer>
    <monitor_type>
      <name>ICMP</name>
      <type>icmp</type>
      <descr>ICMP</descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>TCP</name>
      <type>tcp</type>
      <descr>Generic TCP</descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>HTTP</name>
      <type>http</type>
      <descr>Generic HTTP</descr>
      <options>
        <path>/</path>
        <host/>
        <XX_code>200</XX_code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>HTTPS</name>
      <type>https</type>
      <descr>Generic HTTPS</descr>
      <options>
        <path>/</path>
        <host/>
        <XX_code>200</XX_code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>SMTP</name>
      <type>send</type>
      <descr>Generic SMTP</descr>
      <options>
        <send/>
        <expect>220 *</expect>
      </options>
    </monitor_type>
  </load_balancer>
  <ntpd>
    <prefer>0.opnsense.pool.ntp.org</prefer>
  </ntpd>
  <widgets>
    <sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show,log-container:00000004-col4:show,system_log-container:00000005-col4:show,thermal_sensors-container:00000006-col4:show,traffic_graphs-container:00000007-col4:show</sequence>
    <column_count>2</column_count>
  </widgets>
  <revision>
    <username>root@192.168.28.199</username>
    <time>1680117330.1279</time>
    <description>/firewall_rules.php made changes</description>
  </revision>
  <OPNsense>
    <Swanctl version="1.0.0">  
      <Connections/>
      <locals/>
      <remotes/>
      <children/>
      <Pools/>
      <VTIs/>
      <SPDs/>
    </Swanctl>
    <IPsec version="1.0.1">  
      <general>
        <enabled/>
      </general>
      <keyPairs/>
      <preSharedKeys/>
    </IPsec>
    <captiveportal version="1.0.1">  
      <zones/>
      <templates/>
    </captiveportal>
    <cron version="1.0.4">  
      <jobs/>
    </cron>
    <Firewall>
      <Lvtemplate version="0.0.1">  
        <templates/>
      </Lvtemplate>
      <Category version="1.0.0">  
        <categories/>
      </Category>
      <Alias version="1.0.1">  
        <geoip>
          <url/>
        </geoip>
        <aliases/>
      </Alias>
    </Firewall>
    <Netflow version="1.0.1">  
      <capture>
        <interfaces/>
        <egress_only/>
        <version>v9</version>
        <targets/>
      </capture>
      <collect>
        <enable>0</enable>
      </collect>
      <activeTimeout>1800</activeTimeout>
      <inactiveTimeout>15</inactiveTimeout>
    </Netflow>
    <IDS version="1.0.7">  
      <rules/>
      <policies/>
      <userDefinedRules/>
      <files/>
      <fileTags/>
      <general>
        <enabled>0</enabled>
        <ips>0</ips>
        <promisc>0</promisc>
        <interfaces>wan</interfaces>
        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
        <defaultPacketSize/>
        <UpdateCron/>
        <AlertLogrotate>W0D23</AlertLogrotate>
        <AlertSaveLogs>4</AlertSaveLogs>
        <MPMAlgo>ac</MPMAlgo>
        <detect>
          <Profile>medium</Profile>
          <toclient_groups/>
          <toserver_groups/>
        </detect>
        <syslog>0</syslog>
        <syslog_eve>0</syslog_eve>
        <LogPayload>0</LogPayload>
        <verbosity/>
      </general>
    </IDS>
    <Interfaces>
      <vxlans version="1.0.1"/>  
      <loopbacks version="1.0.0"/>  
    </Interfaces>
    <monit version="1.0.11">  
      <general>
        <enabled>0</enabled>
        <interval>120</interval>
        <startdelay>120</startdelay>
        <mailserver>127.0.0.1</mailserver>
        <port>25</port>
        <username/>
        <password/>
        <ssl>0</ssl>
        <sslversion>auto</sslversion>
        <sslverify>1</sslverify>
        <logfile>syslog facility log_daemon</logfile>
        <statefile/>
        <eventqueuePath/>
        <eventqueueSlots/>
        <httpdEnabled>0</httpdEnabled>
        <httpdUsername>root</httpdUsername>
        <httpdPassword>cDYQIuI6TgElOYpH5ET6U4kV4uDc74</httpdPassword>
        <httpdPort>2812</httpdPort>
        <httpdAllow/>
        <mmonitUrl/>
        <mmonitTimeout>5</mmonitTimeout>
        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
      </general>
      <alert uuid="7e8e557c-adb5-492d-9337-b9da447edbc8">  
        <enabled>0</enabled>
        <recipient>root@localhost.local</recipient>
        <noton>0</noton>
        <events/>
        <format/>
        <reminder>10</reminder>
        <description/>
      </alert>
      <service uuid="53646230-3a9f-4624-ad4b-8fec510739d8">  
        <enabled>1</enabled>
        <name>$HOST</name>
        <description/>
        <type>system</type>
        <pidfile/>
        <match/>
        <path/>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>dd3cbce4-a1ab-4b1c-bf92-31093bedd7a4,b21e41b5-ad74-4eba-a231-109e539165e2,9463bcfb-09f2-491a-a0b1-9cb1915f5b0e,a9c3cdcb-433f-4a4a-9557-4b0f1a0e82d7</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="08a0da58-cc25-4771-b501-19773a28099d">  
        <enabled>1</enabled>
        <name>RootFs</name>
        <description/>
        <type>filesystem</type>
        <pidfile/>
        <match/>
        <path>/</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>49e58bb3-babc-4ffd-a97d-408377037dce</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="44d086f2-b11b-424e-a5f4-65e44dabfe62">  
        <enabled>0</enabled>
        <name>carp_status_change</name>
        <description/>
        <type>custom</type>
        <pidfile/>
        <match/>
        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>f72f63fa-4502-467a-9472-3da1bee0d893</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="04b1aafe-6311-45c1-9443-519ace230269">  
        <enabled>0</enabled>
        <name>gateway_alert</name>
        <description/>
        <type>custom</type>
        <pidfile/>
        <match/>
        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>494f8a43-671d-436c-9bd1-5756bf2ba3c6</tests>
        <depends/>
        <polltime/>
      </service>
      <test uuid="ca6f811f-74ba-4206-bc93-915590468c3e">  
        <name>Ping</name>
        <type>NetworkPing</type>
        <condition>failed ping</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="f40b16bb-fcab-4ea3-a4c8-857bf4e8e8d8">  
        <name>NetworkLink</name>
        <type>NetworkInterface</type>
        <condition>failed link</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="cb8cf639-3f8f-43b1-9b16-24f1c3efaa41">  
        <name>NetworkSaturation</name>
        <type>NetworkInterface</type>
        <condition>saturation is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="dd3cbce4-a1ab-4b1c-bf92-31093bedd7a4">  
        <name>MemoryUsage</name>
        <type>SystemResource</type>
        <condition>memory usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="b21e41b5-ad74-4eba-a231-109e539165e2">  
        <name>CPUUsage</name>
        <type>SystemResource</type>
        <condition>cpu usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="9463bcfb-09f2-491a-a0b1-9cb1915f5b0e">  
        <name>LoadAvg1</name>
        <type>SystemResource</type>
        <condition>loadavg (1min) is greater than 8</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="a9c3cdcb-433f-4a4a-9557-4b0f1a0e82d7">  
        <name>LoadAvg5</name>
        <type>SystemResource</type>
        <condition>loadavg (5min) is greater than 6</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="76543e93-0c8f-46d1-95f2-8d6c82ab4b27">  
        <name>LoadAvg15</name>
        <type>SystemResource</type>
        <condition>loadavg (15min) is greater than 4</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="49e58bb3-babc-4ffd-a97d-408377037dce">  
        <name>SpaceUsage</name>
        <type>SpaceUsage</type>
        <condition>space usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="f72f63fa-4502-467a-9472-3da1bee0d893">  
        <name>ChangedStatus</name>
        <type>ProgramStatus</type>
        <condition>changed status</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="494f8a43-671d-436c-9bd1-5756bf2ba3c6">  
        <name>NonZeroStatus</name>
        <type>ProgramStatus</type>
        <condition>status != 0</condition>
        <action>alert</action>
        <path/>
      </test>
    </monit>
    <OpenVPNExport version="0.0.1">  
      <servers/>
    </OpenVPNExport>
    <proxy version="1.0.5">  
      <general>
        <enabled>0</enabled>
        <error_pages>opnsense</error_pages>
        <icpPort/>
        <logging>
          <enable>
            <accessLog>1</accessLog>
            <storeLog>1</storeLog>
          </enable>
          <ignoreLogACL/>
          <target/>
        </logging>
        <alternateDNSservers/>
        <dnsV4First>0</dnsV4First>
        <forwardedForHandling>on</forwardedForHandling>
        <uriWhitespaceHandling>strip</uriWhitespaceHandling>
        <enablePinger>1</enablePinger>
        <useViaHeader>1</useViaHeader>
        <suppressVersion>0</suppressVersion>
        <connecttimeout/>
        <VisibleEmail>admin@localhost.local</VisibleEmail>
        <VisibleHostname/>
        <cache>
          <local>
            <enabled>0</enabled>
            <directory>/var/squid/cache</directory>
            <cache_mem>256</cache_mem>
            <maximum_object_size/>
            <maximum_object_size_in_memory/>
            <memory_cache_mode>always</memory_cache_mode>
            <size>100</size>
            <l1>16</l1>
            <l2>256</l2>
            <cache_linux_packages>0</cache_linux_packages>
            <cache_windows_updates>0</cache_windows_updates>
          </local>
        </cache>
        <traffic>
          <enabled>0</enabled>
          <maxDownloadSize>2048</maxDownloadSize>
          <maxUploadSize>1024</maxUploadSize>
          <OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
          <perHostTrotteling>256</perHostTrotteling>
        </traffic>
        <parentproxy>
          <enabled>0</enabled>
          <host/>
          <enableauth>0</enableauth>
          <user>username</user>
          <password>password</password>
          <port/>
          <localdomains/>
          <localips/>
        </parentproxy>
      </general>
      <forward>
        <interfaces>lan</interfaces>
        <port>3128</port>
        <sslbumpport>3129</sslbumpport>
        <sslbump>0</sslbump>
        <sslurlonly>0</sslurlonly>
        <sslcertificate/>
        <sslnobumpsites/>
        <ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
        <sslcrtd_children>5</sslcrtd_children>
        <snmp_enable>0</snmp_enable>
        <snmp_port>3401</snmp_port>
        <snmp_password>public</snmp_password>
        <ftpInterfaces/>
        <ftpPort>2121</ftpPort>
        <ftpTransparentMode>0</ftpTransparentMode>
        <addACLforInterfaceSubnets>1</addACLforInterfaceSubnets>
        <transparentMode>0</transparentMode>
        <acl>
          <allowedSubnets/>
          <unrestricted/>
          <bannedHosts/>
          <whiteList/>
          <blackList/>
          <browser/>
          <mimeType/>
          <googleapps/>
          <youtube/>
          <safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
          <sslPorts>443:https</sslPorts>
          <remoteACLs>
            <blacklists/>
            <UpdateCron/>
          </remoteACLs>
        </acl>
        <icap>
          <enable>0</enable>
          <RequestURL>icap://[::1]:1344/avscan</RequestURL>
          <ResponseURL>icap://[::1]:1344/avscan</ResponseURL>
          <SendClientIP>1</SendClientIP>
          <SendUsername>0</SendUsername>
          <EncodeUsername>0</EncodeUsername>
          <UsernameHeader>X-Username</UsernameHeader>
          <EnablePreview>1</EnablePreview>
          <PreviewSize>1024</PreviewSize>
          <OptionsTTL>60</OptionsTTL>
          <exclude/>
        </icap>
        <authentication>
          <method/>
          <authEnforceGroup/>
          <realm>OPNsense proxy authentication</realm>
          <credentialsttl>2</credentialsttl>
          <children>5</children>
        </authentication>
      </forward>
      <pac/>
      <error_pages>
        <template/>
      </error_pages>
    </proxy>
    <Syslog version="1.0.1">
      <general>
        <enabled>1</enabled>
      </general>
      <destinations/>
    </Syslog>
    <TrafficShaper version="1.0.3">
      <pipes/>
      <queues/>
      <rules/>
    </TrafficShaper>
    <unboundplus version="1.0.4">
      <service_enabled/>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logverbosity>1</logverbosity>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cacheminttl/>
        <infrahostttl/>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <dnsbl>
        <enabled>0</enabled>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots/>
      <hosts/>
      <aliases/>
      <domains/>
    </unboundplus>
    <clamav>
      <general version="1.0.0">
        <enabled>1</enabled>
        <fc_enabled>1</fc_enabled>
        <enabletcp>1</enabletcp>
        <maxthreads>10</maxthreads>
        <maxqueue>100</maxqueue>
        <idletimeout>30</idletimeout>
        <maxdirrecursion>20</maxdirrecursion>
        <followdirsym>0</followdirsym>
        <followfilesym>0</followfilesym>
        <disablecache>0</disablecache>
        <scanpe>1</scanpe>
        <scanelf>1</scanelf>
        <detectbroken>0</detectbroken>
        <scanole2>1</scanole2>
        <ole2blockmarcros>0</ole2blockmarcros>
        <scanpdf>1</scanpdf>
        <scanswf>1</scanswf>
        <scanxmldocs>1</scanxmldocs>
        <scanhwp3>1</scanhwp3>
        <scanmailfiles>1</scanmailfiles>
        <scanhtml>1</scanhtml>
        <scanarchive>1</scanarchive>
        <arcblockenc>0</arcblockenc>
        <maxscansize>100M</maxscansize>
        <maxfilesize>25M</maxfilesize>
        <maxrecursion>16</maxrecursion>
        <maxfiles>10000</maxfiles>
        <logverbose>0</logverbose>
        <fc_logverbose>0</fc_logverbose>
        <fc_databasemirror>database.clamav.net</fc_databasemirror>
        <fc_timeout>60</fc_timeout>
        <fc_malwareexpert>0</fc_malwareexpert>
        <fc_blurl>0</fc_blurl>
        <fc_jurlbla>0</fc_jurlbla>
        <fc_bofhland>0</fc_bofhland>
      </general>
      <url version="0.0.1">
        <lists/>
      </url>
    </clamav>
    <HAProxy version="4.0.0">
      <general>
        <enabled>0</enabled>
        <gracefulStop>0</gracefulStop>
        <hardStopAfter>60s</hardStopAfter>
        <closeSpreadTime/>
        <seamlessReload>0</seamlessReload>
        <storeOcsp>0</storeOcsp>
        <showIntro>1</showIntro>
        <peers>
          <enabled>0</enabled>
          <name1/>
          <listen1/>
          <port1>1024</port1>
          <name2/>
          <listen2/>
          <port2>1024</port2>
        </peers>
        <tuning>
          <root>0</root>
          <maxConnections/>
          <nbthread>1</nbthread>
          <sslServerVerify>ignore</sslServerVerify>
          <maxDHSize>2048</maxDHSize>
          <bufferSize>16384</bufferSize>
          <spreadChecks>2</spreadChecks>
          <bogusProxyEnabled>0</bogusProxyEnabled>
          <luaMaxMem>0</luaMaxMem>
          <customOptions/>
          <ssl_defaultsEnabled>0</ssl_defaultsEnabled>
          <ssl_bindOptions>prefer-client-ciphers</ssl_bindOptions>
          <ssl_minVersion>TLSv1.2</ssl_minVersion>
          <ssl_maxVersion/>
          <ssl_cipherList>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256</ssl_cipherList>
          <ssl_cipherSuites>TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256</ssl_cipherSuites>
        </tuning>
        <defaults>
          <maxConnections/>
          <maxConnectionsServers/>
          <timeoutClient>30s</timeoutClient>
          <timeoutConnect>30s</timeoutConnect>
          <timeoutCheck/>
          <timeoutServer>30s</timeoutServer>
          <retries>3</retries>
          <redispatch>x-1</redispatch>
          <init_addr>last,libc</init_addr>
          <customOptions/>
        </defaults>
        <logging>
          <host>127.0.0.1</host>
          <facility>local0</facility>
          <level>info</level>
          <length/>
        </logging>
        <stats>
          <enabled>0</enabled>
          <port>8822</port>
          <remoteEnabled>0</remoteEnabled>
          <remoteBind/>
          <authEnabled>0</authEnabled>
          <users/>
          <allowedUsers/>
          <allowedGroups/>
          <customOptions/>
          <prometheus_enabled>0</prometheus_enabled>
          <prometheus_bind>*:8404</prometheus_bind>
          <prometheus_path>/metrics</prometheus_path>
        </stats>
        <cache>
          <enabled>0</enabled>
          <totalMaxSize>4</totalMaxSize>
          <maxAge>60</maxAge>
          <maxObjectSize/>
          <processVary>0</processVary>
          <maxSecondaryEntries>10</maxSecondaryEntries>
        </cache>
      </general>
      <frontends/>
      <backends/>
      <servers/>
      <healthchecks/>
      <acls/>
      <actions/>
      <luas/>
      <fcgis/>
      <errorfiles/>
      <mapfiles/>
      <groups/>
      <users/>
      <cpus/>
      <resolvers/>
      <mailers/>
      <maintenance>
        <cronjobs>
          <syncCerts>0</syncCerts>
          <syncCertsCron/>
          <updateOcsp>0</updateOcsp>
          <updateOcspCron/>
          <reloadService>0</reloadService>
          <reloadServiceCron/>
          <restartService>0</restartService>
          <restartServiceCron/>
        </cronjobs>
      </maintenance>
    </HAProxy>
    <wireguard>
      <client version="0.0.7">
        <clients/>
      </client>
      <general version="0.0.1">
        <enabled>0</enabled>
      </general>
      <server version="0.0.4">
        <servers/>
      </server>
    </wireguard>
    <ntopng>
      <general version="0.0.1">
        <enabled>1</enabled>
        <interface/>
        <httpport>3000</httpport>
        <httpsport>3001</httpsport>
        <cert>6423a4deec1dc</cert>
        <dnsmode/>
      </general>
    </ntopng>
    <lldpd>
      <general version="1.0.0">
        <enabled>1</enabled>
        <cdp>1</cdp>
        <fdp>0</fdp>
        <edp>0</edp>
        <sonmp>0</sonmp>
        <interface/>
      </general>
    </lldpd>
    <redis version="0.0.0">
      <general>
        <enabled>1</enabled>
        <listen>opt3</listen>
        <protected_mode>1</protected_mode>
        <port>6379</port>
        <log_level>warning</log_level>
        <syslog_enabled>0</syslog_enabled>
        <syslog_facility>LOCAL0</syslog_facility>
        <databases>16</databases>
      </general>
      <security>
        <password/>
        <disable_commands/>
      </security>
      <limits>
        <maxclients>10000</maxclients>
        <maxmemory/>
        <maxmemory_policy>noeviction</maxmemory_policy>
        <maxmemory_samples>5</maxmemory_samples>
      </limits>
      <slowlog>
        <slower_than>10000</slower_than>
        <max_len>128</max_len>
      </slowlog>
    </redis>
  </OPNsense>
  <virtualip version="1.0.0">
    <vip/>
  </virtualip>
  <vlans version="1.0.0">
    <vlan uuid="585db155-7f96-4e78-bdc6-7ac41d3884be">
      <if>igc3</if>
      <tag>20</tag>
      <pcp>0</pcp>
      <descr>Clients</descr>
      <vlanif>vlan020</vlanif>
    </vlan>
    <vlan uuid="7f1c0da2-d9e7-4bb2-8a37-43a805098c85">
      <if>igc3</if>
      <tag>21</tag>
      <pcp>0</pcp>
      <descr>Server</descr>
      <vlanif>vlan021</vlanif>
    </vlan>
    <vlan uuid="5663c498-2985-4196-9033-d741ac742f40">
      <if>igc3</if>
      <tag>22</tag>
      <pcp>0</pcp>
      <descr>Multimedia</descr>
      <vlanif>vlan022</vlanif>
    </vlan>
    <vlan uuid="5a3567ab-358d-4ed7-a825-1b0c9f5fa763">
      <if>igc3</if>
      <tag>23</tag>
      <pcp>0</pcp>
      <descr>DMZ</descr>
      <vlanif>vlan023</vlanif>
    </vlan>
    <vlan uuid="a60deaec-867e-4fc5-938f-a9bd73a58e54">
      <if>igc3</if>
      <tag>24</tag>
      <pcp>0</pcp>
      <descr>WiFi</descr>
      <vlanif>vlan024</vlanif>
    </vlan>
    <vlan uuid="4bb55cfb-0d7e-4799-9b0c-a5432a45bd41">
      <if>igc3</if>
      <tag>25</tag>
      <pcp>0</pcp>
      <descr>WiFi-Guests</descr>
      <vlanif>vlan025</vlanif>
    </vlan>
    <vlan uuid="ade27991-bd74-4b06-bf09-82c766c6c8b9">
      <if>igc3</if>
      <tag>26</tag>
      <pcp>0</pcp>
      <descr>WiFi-IoT</descr>
      <vlanif>vlan026</vlanif>
    </vlan>
    <vlan uuid="75121e74-4759-4068-a30b-c87bb2eff21e">
      <if>igc3</if>
      <tag>27</tag>
      <pcp>0</pcp>
      <descr>Management</descr>
      <vlanif>vlan027</vlanif>
    </vlan>
    <vlan uuid="79adf296-8da6-4fc9-8e05-39aa1631d08f">
      <if>igc3</if>
      <tag>28</tag>
      <pcp>0</pcp>
      <descr>Legacy-AVM</descr>
      <vlanif>vlan028</vlanif>
    </vlan>
  </vlans>
  <staticroutes version="1.0.0">
    <route/>
  </staticroutes>
  <bridges>
    <bridged>
      <enablestp>1</enablestp>
      <linklocal>1</linklocal>
      <descr>Bridge-Switches</descr>
      <maxaddr/>
      <timeout/>
      <bridgeif>bridge0</bridgeif>
      <maxage/>
      <fwdelay/>
      <hellotime/>
      <priority/>
      <proto>rstp</proto>
      <holdcnt/>
      <members>opt1,opt2</members>
      <stp>opt1,opt2</stp>
      <ifpriority/>
      <ifpathcost/>
    </bridged>
  </bridges>
  <gifs>
    <gif/>
  </gifs>
  <gres>
    <gre/>
  </gres>
  <laggs>
    <lagg/>
  </laggs>
  <ppps>
    <ppp/>
  </ppps>
  <wireless>
    <clone/>
  </wireless>
  <ca/>
  <gateways>
    <gateway_item/>
  </gateways>
  <cert>
    <refid>6423a4deec1dc</refid>
    <descr>Web GUI TLS certificate</descr>
  </cert>
  <syslog>
    <preservelogs>30</preservelogs>
    <logoutboundnat>1</logoutboundnat>
  </syslog>
</opnsense>

Content-ID: 6563041948

Url: https://administrator.de/forum/opnsense-firewall-mit-mikrotik-switchen-inbetriebnahme-6563041948.html

Printed on: 22.12.2024 at 12:12

aqui (Solution) 29.03.2023, updated at 22:07:38
The OPNsense firewall has no modem (do I even need one for a fibre connection?)
No, you don't, because the ONT gives you a plain RJ-45 Ethernet port.
So you can simply plug the OPNsense WAN port straight into the ONT. The FB is then redundant, or it can just be run as a pure VoIP system in the local LAN. Classic setup...

If I understand your design correctly, the Mikrotik switches are meant to run purely at layer 2 and the layer 3 traffic is to be handled by the firewall. Is that right?
Unfortunately your description is very superficial there..

If so, then the tagged uplink to the firewall is missing on the Mikrotiks. It is then clear that no connectivity between firewall and switches can work.
It raises the suspicion that you have not read the tutorials properly.

If your concept is L3 = firewall, switches L2 only, then you have to configure the Mikrotik's connecting port as tagged, i.e. enter all VLANs as tagged (Mode: Admit all). The PVID VLAN is then 1 (PVID 1).
The PVID VLAN maps to the physical port of the firewall, because that interface always sends its traffic untagged. All VLAN interfaces that use this port as their parent port send and receive tagged traffic, hence always Mode: Admit all here.
This uplink port is completely missing in your MT setup.
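As an added example that is not part of aqui's reply or the thread author's configuration, here is the tagged uplink described above as RouterOS 7 commands. The bridge name bridge1, the uplink port sfp2 (the port named in the follow-up reply; use the port that actually faces the firewall), the access port ether1 and the management VLAN interface are assumptions; the VLAN IDs 20 to 28 are those in the posted config.xml, which defines them on parent igc3, so the example assumes the uplink terminates on the OPNsense interface that carries those VLAN subinterfaces.

```routeros
# Added example, not the thread author's configuration: RouterOS 7 bridge
# VLAN table for a pure L2 Mikrotik switch with one tagged uplink to OPNsense.
# Assumed names: bridge1, uplink sfp2 (the port named in the follow-up reply),
# access port ether1. VLAN IDs 20-28 are the ones in the posted config.xml.

/interface bridge
# Leave vlan-filtering off while the table is incomplete; enabling it too
# early cuts off the untagged port you are managing the switch through.
add name=bridge1 vlan-filtering=no protocol-mode=rstp

/interface bridge port
# Uplink to OPNsense: PVID 1 carries the untagged traffic of the firewall's
# physical (parent) interface, every VLAN subinterface arrives tagged, so
# the port must admit both frame types ("Mode: Admit all" in Winbox).
add bridge=bridge1 interface=sfp2 pvid=1 frame-types=admit-all \
    ingress-filtering=yes
# Access port for an end device in VLAN 20 "Clients": untagged frames only,
# so a client cannot send its own 802.1Q tags to reach another VLAN.
add bridge=bridge1 interface=ether1 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# Every VLAN must list the uplink as tagged; a VLAN without this entry is
# dropped at the switch even though the firewall-side VLAN interface exists.
add bridge=bridge1 vlan-ids=20 tagged=sfp2 untagged=ether1
add bridge=bridge1 vlan-ids=21,22,23,24,25,26,28 tagged=sfp2
# The Management VLAN (27 in the posted config) is also tagged to the bridge
# itself so the switch gets an address there; that is the path the
# firewall pings and the switch uses to reach the firewall.
add bridge=bridge1 vlan-ids=27 tagged=sfp2,bridge1

/interface vlan
add name=vlan27-mgmt interface=bridge1 vlan-id=27
/ip dhcp-client
add interface=vlan27-mgmt disabled=no

# Only now activate filtering, then verify the table and the learned hosts.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
/interface bridge host print
```

Apply it over a serial console or a MAC-Winbox session, because the final vlan-filtering step can drop an IP-based management session that ran over an untagged port.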
banane31 29.03.2023 at 22:14:00
Thanks for your reply.

You described it correctly.
The OPNsense does L3 and the switches only L2.

Actually I had configured that in Winbox according to your tutorial, with the uplink port on SFP2.
All VLANs as tagged and PVID 1.
Admit All as well.

Then I'll probably have to read the guide again calmly and go through it step by step once more.
But I've been sitting on it half the day and was convinced I had implemented everything 1:1 as in the guide.
michi1983 29.03.2023 at 22:44:07
And you need two users here for that?
Crusher79 29.03.2023 at 22:51:44
Quote from @michi1983:

And you need two users here for that?

Hmm, that's a bit bananas, isn't it?
commodity 30.03.2023 at 00:14:06
That was accidentally the account of the brother/kid/wife. We've all seen it. Happens.