What I would like to see is a Windows challenge, where they try to achieve privacy as close to out of the box linux as they can get. That would probably genuinely be entertaining.

Hmm I think I this does not work in case you meant to put the bridge as the parent of the VLANs, OPNsense does not allow this:

now, define 3 vlan with the vlan tags you defined in the switch + ap, you need to say that the port they are received is the bridged port

However I think I found another solution that works exactly as I want but it is very weird so be warned:

• Created vlan01.11 and vlan02.11 on igc1 and igc2 respectively, assigned them, enabled them and gave each a static ipv4 (192.168.11.1 and 192.168.11.2)
• Created a bridge with both VLANs as members, did NOT assign and enable this (when I do the setup breaks (?!))
• Use KEA DHCP instead of ISC:
  • In settings listen on both VLAN interfaces
  • In subnets create the subnet with subnet=192.168.11.1/24 and a pool of 192.168.11.21-192.168.11.254, uncheck “Match Client-id” and “Auto collect option data” and set Routers, DNS and NTP Servers to 192.168.11.1 and 192.168.11.2

This way KEA will give out IP addresses on all interfaces with a static IP in the defined subnet. Make sure to disable ISC DHCP as it otherwise caused issues with KEA and somehow also Unbound (I also enabled “Register ISC DHCP4 Leases” in Unbounds settings because I had weird issues with SERVFAIL there).

I repeated this process for the vlan0x.13 and vlan0x.14. Now internet access works on all VLAN interfaces, aswell as the normal interfaces and I can still define Rules for each VLAN.

What I don’t get about this is why I cannot assign or enable the bridge interface… but I guess it works soo I’m happy. Thank you for your suggestion though!

Mainly I want to have separate USER, IOT and GUEST VLANs. So for example I don’t want guests to be able to access IoT devices.

The AP and Switch tag these VLANs based on SSID and Port a device is connected to, so OPNsense receives tagged traffic that I can put rules on. I could probably just connect the AP to the Switch and be fine, but the Switch is 1Gb and the AP has a 2.5Gb port so I would like to keep both the switch and the AP connected to OPNsense directly.

Having the switch and AP on their own subnet is not really a requirement, but I guess it would be nice to also be able to control who can access their webinterfaces.

So really I just want to have:

• AP connected to one port on the firewall
• Switch connected to another port on the firewall
• Both AP and switch tag frames and pass them to OPNsense so I can apply rules.
• Devices on vlan01.11 can talk to devices on vlan02.11 and so on
• A single DHCP provides IPs to all devices connected to both the Switch and AP

Does that make it more clear?

I get what you are asking for but I don’t think it is even necessary to have a list of users on the client in the first place using the MPA approach. I would guess the list of users is just available to the server, which pre-renders HTML out of it and provides it to the client.

I don’t know, but for me it just worked when I clicked on the google wallen option. Since I don’t have google wallet it just downloaded the pkpass instead.

I use fWallet. Works just fine, but you will have to be able to download the pkpass file and import it into the wallet: https://f-droid.org/packages/business.braid.f_wallet

Cool! U-Bahnen sind vermutlich aber noch weniger kompliziert als Züge, da es ja unterirdisch noch weniger gibt, was die Gleise blockieren könnte. Zudem Fahrerlos im Sinne von komplett Automatisch oder im Sinne von Ferngesteuert? Wenn das schon automatisch für U-Bahnen möglich ist, erklärt sich mir noch weniger, warum so etwas nicht für Züge möglich ist.

Allerdings gibt es diese Probleme ja genauso auch bei Autos. Vor allem viel häufiger, da sich im Straßenverkehr ja nicht nur andere Autos und Hindernisse, sondern auch Fußgänger und Zweiradfahrer befinden. Von daher würde ich auch denken, dass Züge einfacher automatisierbar sein müssten als Autos. Hab zu automatisierten Zügen allerdings auch noch nichts so wirklich gehört, was mich auch wundert weil alle Welt so auf automatisierto Autos abfährt.

In Pisse sitzen

Fairphones have them too.