Messages - z0rk

#31
This is more of a general question to rule out OPNsense as the fault domain.
I've recently set up a new bridge. When I try to reach services (SSH, SMB, etc.) across the bridge the connection times out, or if the connection is successful, in the case of SMB for example, folders with fewer than ten items take forever to load or the file manager freezes up. In the case of SSH I also get the initial connection timeout, and once I connect, the terminal after some time (a few minutes) of usage stops accepting input; then it may work again or the terminal session just freezes up completely. Also, some of these hosts cannot be reached at all and pings fail. The affected hosts switch around, so sometimes A works, sometimes B.
OPNsense is configured to use static DHCP and permanent ARP. IP addresses get assigned and ARP correctly maps IP to MAC. There are no rules in play. There are no issues trying to connect between LAN services/devices on either end of the bridge (not across the bridge).
All devices are on the same subnet. The bridge is correctly configured with IP, gateway, DNS, etc. There are no connection issues with external services, internet, Netflix, etc. Throughput is excellent.
I've put in a ticket with the vendor (Engenius), but my experience with their customer support hasn't been stellar.
I hope that some network wizard may have feedback for me.

Thanks
#32
This issue resolved itself on its own. I believe it was related to one or two DNS service providers: 1.1.1.1 and/or 9.9.9.9. This is just a guess, but I've noticed before that randomly domains don't resolve properly.
#33
Just to be clear, I am not necessarily trying to pin this on OPNsense, but prior to upgrading, I scanned through the 19.x forum posts to see if anybody reported any issues with the upgrade. That's how I came across the post mentioned above, and it specifically refers to an iPhone being unable to access an Apple website that requires Apple ID authentication, so I don't think my reasoning is too far-fetched. Also, I can access other websites without issues from the iPhone or my other devices, so this appears to be specific to the https://appleid.apple.com/ website. Prior to posting, I checked the Apple services status page. All services were up and running. As far as my setup is concerned, this is one segment that exhibits this behavior:

modem > OPNsense > wifi router
> laptop wired
> iPhone wireless

#34
I've recently purchased an iPhone and I am unable to authenticate with my Apple ID credentials on the device itself:
authentication server can't be reached

Or with any browser from any other device (laptop, etc.) https://appleid.apple.com/
502 Bad Gateway

So I know it's not a browser issue with any one of my devices. I don't know if this is an issue introduced with the upgrade to 19.x, because I had already upgraded prior to purchasing the iPhone.

Regardless I found this forum topic that I thought might be related and followed the instructions, but it did not resolve the issue. https://forum.opnsense.org/index.php?topic=11401.msg51701#msg51701

Any thoughts?

Thanks
#35
General Discussion / Re: Need help with firewall rules
December 03, 2018, 01:32:03 AM
LOL... major facepalm.
Thanks mate
#36
General Discussion / Need help with firewall rules
December 02, 2018, 10:52:12 PM
I've two private subnets: LAN 192.168.1.x and LAN02 172.16.1.x. I've used the guest network how-to https://wiki.opnsense.org/manual/how-tos/guestnet.html as a template to segregate LAN02 from LAN. With the block rules in place clients on LAN02 can't access any clients on LAN, but clients on LAN can access any client on LAN02.

What I would like to accomplish now is to allow certain clients on LAN02 to access certain clients on LAN. I've implemented three rules that I thought would accomplish that, but they don't work as expected. I've attached a screenshot.

In the screenshot these three rules are currently disabled, because if any one of them is enabled, all traffic from any client on LAN02 can reach any client on LAN. I am stumped.

Could somebody lend a helping hand?

Thanks

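As an added illustration (not from this thread and not OPNsense's own generated ruleset), here is the same intent written in pf syntax, the rule language OPNsense compiles its GUI rules into. OPNsense evaluates rules top-down and the first match wins, so the narrow allow rules have to sit above the broad block rule; a pass rule whose source or destination is "any" placed above the block matches every LAN02 packet first and the block never runs. The interface name em1 and the host addresses below are assumptions for the example.

```pf
# Assumed for the example: LAN02 is em1, LAN is em0.
# Rules are evaluated top-down; "quick" makes the first match final.

# 1. Allow two specific LAN02 hosts to reach SSH on one specific LAN host.
pass in quick on em1 inet proto tcp from { 172.16.1.10, 172.16.1.11 } \
    to 192.168.1.20 port 22

# 2. Block everything else from LAN02 to LAN (the guest-network how-to rule).
block in quick on em1 inet from 172.16.1.0/24 to 192.168.1.0/24

# 3. Let LAN02 reach anything else (internet).
pass in quick on em1 inet from 172.16.1.0/24 to any

# Wrong order for comparison: if rule 3 (or any pass with "to any") were
# listed first, it would match before rule 2 and LAN02 would reach all of LAN.
```

In the GUI this corresponds to putting the specific pass rules on the LAN02 tab above the block rule, with source and destination narrowed to single hosts or aliases rather than "LAN02 net" to "any".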
#37
Done. And I added some more details.
#38
I've found that you can create a static DHCP mapping without specifying a hostname. Not sure what effect that would have?
#39
Quote from: GDixon on November 20, 2018, 01:38:36 AM
ok, I added several names to my /etc/hosts  with different names and the same ip for the different names.
to be clear the host file i used is on the machine i use to access all others and NOT on the OPNsense box!

Well OK, I would expect that to work; but I don't want to touch every hosts file on all of my clients. This should be handled by DHCP.
Thanks for your help. I hope a developer might have some insight.  :P
Cheers
#40
Quote from: GDixon on November 19, 2018, 09:21:33 PM
good question!

What i had to do in this circumstance for example is to name a laptop as  laptop-wireless and laptop-ethernet for the static dhcp leases.


I've considered this. OK, let's say the hostname of the device is 'laptop'. When you create static DHCP mappings for the _same_ device and specify one mapping as hostname 'laptop-wireless' and the other as hostname 'laptop-ethernet', then by what hostname will the device be known on the network? By 'laptop' (the true hostname of the device) or by 'laptop-ethernet' vs. 'laptop-wireless'? By what hostname would you ssh / ping the device? If the hostname in the static mapping is inconsequential, then why the need to specify one? Mmmm... There has to be a better solution, I would hope.  :o

Thanks, man
#41
Most devices have multiple MACs i.e. wired and wifi. How do I create static mappings for the _same_ hostname, but a different MAC address. It appears that's currently not possible. Could somebody please explain?

Thanks
#42
Quote from: Northguy on November 17, 2018, 12:57:37 PM
According to the help it says "If no IPv4 address is given, one will be dynamically allocated from the pool", but if I follow this way, the MAC address is shown as ' static'  in the leases table without an IP. i.e.: I have created a static lease without a visible IP.

Is this a bug, or is there another way to create an easily identifiable indicator for the MAC addresses that have obtained a lease?

Looking forward to your suggestions..

I am in the same boat and would also appreciate some feedback from an expert.
#43
Hey Franco
I did change the password for 'root' to only include upper / lower case characters and numbers.
I've got TOTP enabled for the user account that I use to connect via ssh, but not for 'root'. I don't use 'root' to log in to the web GUI, only my user account. So effectively I can't 'su' because TOTP is not enabled for 'root'?
#44
Sorry, I am not sure what you're suggesting. I am not trying to use sudo, I am trying to switch user to 'root', so I can access the same options I get when logged in at the console:

0)     Logout                              7)      Ping host
1)     Assign interfaces                   8)      Shell
2)     Set interface(s) IP address         9)      pfTop
3)     Reset the root password             10)     Filter logs
4)     Reset to factory defaults           11)     Restart web interface
5)     Reboot system                       12)     Upgrade from console
6)     Halt system                         13)     Restore a configuration

Maybe I misunderstood you? Thanks, cheers
#45
OPNsense 18.7.6-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

ssh to opnsense; authenticate via key; then:

$ groups my.username
wheel admins
$ su
Password:
su: Sorry
$ su
Password:
su: Sorry
$

Just to be sure the password is correct, I've changed it for 'root' in the GUI. Still no go. What gives?  :'(