I ran the latest update as of writing this, and my OPNsense box is now simply not working anymore. All services are apparently gone and the UI only partially shows things.
I can SSH to the OPNsense box, and dmesg shows a never-ending stream of lines with pid + Python 3.11 with signal 4. The pid shows various numbers. If I start unbound from the shell I can get access to the outside world and run pkg, for example.
I am of the penguin kind, so FreeBSD is not my regular environment.
Is there some way of repairing my nonsense box via the tools, or do I have to reinstall from scratch? E.g. what can I do to get the system back up to a working state from the shell?
(Sorry for the lack of detail, but I am writing this from my phone due to lack of connectivity.)
(PS: The box is an Intel Core 2 machine, just for the record.)
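An added example, not from the original post: a small POSIX shell helper that tallies "exited on signal N" kernel messages per program, so a stream like the one described above can be checked for a crash loop rather than eyeballed. The sample log lines are constructed, modelled on FreeBSD's "pid N (prog), jid J, uid U: exited on signal S" message format (an assumption); the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of FreeBSD kernel messages (not real output);
# the format is assumed to match "pid N (prog), jid J, uid U: exited on signal S".
SAMPLE_DMESG='pid 4131 (python3.11), jid 0, uid 0: exited on signal 4
pid 4140 (python3.11), jid 0, uid 0: exited on signal 4
pid 4152 (python3.11), jid 0, uid 0: exited on signal 4
pid 4160 (php-cgi), jid 0, uid 80: exited on signal 11
pid 4171 (python3.11), jid 0, uid 0: exited on signal 4'

# Read kernel messages on stdin and print "program count" for every
# program that exited on the given signal number. Signal 4 is SIGILL,
# which usually means the binary uses CPU instructions the machine lacks.
count_signal_exits() {
    signum="$1"
    awk -v sig="$signum" '
        /exited on signal/ {
            prog = $3
            gsub(/[(),]/, "", prog)      # "(python3.11)," -> "python3.11"
            if ($NF == sig) n[prog]++
        }
        END { for (p in n) print p, n[p] }'
}

# Exit 0 (true) when any single program hit the signal at least
# "threshold" times: a crash loop rather than a one-off fault.
crash_loop_detected() {
    signum="$1"
    threshold="$2"
    count_signal_exits "$signum" | awk -v t="$threshold" '
        $2 >= t { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DMESG" | count_signal_exits 4
if printf '%s\n' "$SAMPLE_DMESG" | crash_loop_detected 4 3; then
    echo "SIGILL crash loop detected; verify the CPU supports the instructions the package was built for"
fi
```

On a live FreeBSD/OPNsense box, feed the real buffer with `dmesg | count_signal_exits 4` instead of the constructed sample.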
« Last post by luckylinux on May 22, 2024, 11:50:25 pm »
@Patrick: Did you need any special configuration for IPv6 to work with Hetzner?
I couldn't manage to get it working. Neither on Proxmox VE nor on OPNsense (I tried both MAC addresses to "point" the /64 subnet to the right appliance).
Maybe it's just because I'm used to IPv4, where gateway and address are in the same subnet, but their default gateway fe80::1 doesn't play ball at all. Interfaces -> Diagnostics -> NDT returns only the local/global (if set static, otherwise none) IPv6 addresses. DHCPv6 configuration of the WAN interface doesn't get an IP address.
Strangely enough, I can see in the OPNsense firewall logs that my home address is managing to ping6 through (inbound), but I do not see any outbound reply (and ping6 fails).
I had this issue previously with IPv4 as well (inbound traffic showing up in the logs, but outbound not working), which I solved by setting Firewall -> Settings -> Advanced -> Disable reply-to on WAN rules -> CHECK.
For IPv6 it's not working though. I tried to set a static IPv6, but nope. I cannot ping the gateway.
Probably the OPNsense VM cannot receive the route advertisement from the fe80::1 gateway? I don't see anything in the Proxmox VE firewall logs though ...
EDIT: I see lots of traffic on the loopback interface, not sure if this is normal. I don't really see anything going out of the firewall though. The loopback interface has source = destination IPv6 address, corresponding to the static WAN IPv6 address I had set.
« Last post by almodovaris on May 22, 2024, 10:44:46 pm »
I don't know about Untangle, but Zenarmor TLS inspection has:
- whitelist (do not inspect): factory-defined whitelist and user whitelist;
- blacklist (always inspect);
- granular control (inspect only these categories of websites).
So, yeah, applying FTI to all websites/apps seems dumb, but applying it to only some of them is smart.
« Last post by defaultuserfoo on May 22, 2024, 10:26:50 pm »
I need to use an alias to specify a name server address for clients on a VLAN.
The address of the name server is an IPv6 address on another VLAN. It's assigned to the server through DHCPv6. I have created an alias for the server as a dynamic IPv6 host because the IPv6 prefix may change at any time. So the only way to somehow specify the address of the DNS server seems to be using the alias.
Unfortunately, in the DHCPv6 configuration of the interface the client is connected to, the web interface won't let me use the alias to specify a name server but says "A valid IPv6 address must be specified for the primary/secondary DNS servers."
So how am I supposed to specify a valid IPv6 address for DNS server?
I've also given the DNS server the address fd53::11/16 on one of its interfaces. I could use that as the address of the DNS server for the clients, but OPNsense does not have an interface in that network. Since the interface for the VLAN the clients are in is tracking the WAN interface to get IPv6 addresses, there doesn't seem to be any way to put an additional IPv6 address on that interface, and the DNS server remains unreachable.
How can I give interfaces that are tracking the WAN interface for IPv6 addresses additional addresses?
I guess I could add another VLAN and give OPNsense another interface to make the DNS server reachable, but that seems like a rather convoluted solution and overkill for a problem that should be easy to solve.
« Last post by Cipher on May 22, 2024, 10:08:24 pm »
Hi everyone,
We are using WireGuard as a site-to-site VPN between four offices. These offices are connected to site A, so sites B, C, D, and E are connected to site A.
I want to allow RDP and ICMP from sites B and C, and allow all traffic from sites D and E. Can you please advise how to set this up? I appreciate any support.