Messages

Hallo

Sieht soweit eigentlich gut aus.
Versuch einmal, statt den Aliasen, direkt die Werte einzutragen.

Wie ist denn Deine OpnSense ans Internet angeschlossen ? (Evtl. Router mit NAT davor? Hier müsste der Port ebenfalls durchgereicht werden)

Ist der Port auf dem Server, auf den weitergeleitet werden soll, offen und erreichbar ?

Gruss

Gesendet von meinem ONEPLUS A5000 mit Tapatalk

Apart from setting the right values in System > Settings > Administration > Console, you can enter those values in System > Settings > Tunables, there they will stick even after updates/upgrades.

Gesendet von meinem ONEPLUS A5000 mit Tapatalk

Versuch mal dem How-To in der Dokumentation zu folgen:
https://wiki.opnsense.org/manual/how-tos/ipsec-road.html

Soweit ich das verstanden habe, hast du die FritzBox vor der OpenSense, auf dieser müssen die entsprechenden Ports für das VPN zur OpenSense weitergeleitet werden.

Edit sagt: Da die OpenSense als exposed Host in der FritzBox eingetragen ist, kannst du meine Anmerkung zur Port-Weiterleitung ignorieren :)

Gesendet von meinem ONEPLUS A5000 mit Tapatalk

Wenn die Werbung lokal und per, ebenfalls lokalem, CSS eingebunden ist, kann eine DNS-Blocking Lösung (also Unbound, Bind und Pi-Hole) nichts dagegen machen, da es von der selben Domain kommt.

uBlock Origin und Brave können diese Werbung unterbinden, da diese sich beim Anzeigen der Seite einklinken und über CSS-Selektoren die entsprechenden Elemente ausfiltern.

Gesendet von meinem ONEPLUS A5000 mit Tapatalk

Gerne :) (durfte letztens selbst damit Erfahrungen machen)

Das os-ftp-proxy Plugin einschalten und konfigurieren;

https://forum.opnsense.org/index.php?topic=3868.0

Oder, falls möglich, auf eine sichere Alternative setzen (sftp oder scp).

Bezüglich pfblockerNG gibt es mit OPNsense zwei Möglichkeiten: Entweder per bind plugin adblock Listen laden oder dem Unbound eine eigene per custom Feld hinzufügen.

"Not only in 4.8.0.6.
At least the whole 4.8.x releases have these bugs, they just weren't added to the previous releases after they were found."

Exactly.
There may be other open issues in 4.8 that are already known, but not yet published. So I dont recommend 4.8.x, personally I stick to 4.0 as long as necessary. Dont want to risk my firewall crash because of these BIOS issues, it is rock solid (at least the BIOS) on 4.0.19.

Well I'm running 4.8.0.6 and it's also stable, the most boring issue is that I need to replug power when rebooting after some hours/days running, not shure about the cpu frequency but working ecc and ahci is nice to have.

Hi all,

for interested 4.8.0.6 is available.

cheers
till

4.8.0.6 has many stability issues:
https://pcengines.github.io/#mr-16

Known issues:
CPU frequency is stuck at low frequencies and does not react to stressin"
some PCIe cards are not detected on certain OSes
booting with 2 USB 3.x sticks plugged in apu4 sometimes results in detecting only 1 stick
certain USB 3.x sticks happen to not appear in boot menu
booting Xen is unstable
platforms happen to hang after reboot

Not only in 4.8.0.6.
At least the whole 4.8.x releases have these bugs, they just weren't added to the previous releases after they were found.

Take a look at the wiki:

https://docs.opnsense.org/development/backend/autorun.html

Well rsync is just like scp a tool (& protocol) to transmit data (securely) it doesn't open any ports, there's rsyncd which is a deamon that listens for incoming connections ..

Could you try to attach your test device directly to the OPNsense Firewall to rule out the cisco switch?

Since it's a statefull firewall the default configuration allows to access anything from LAN (like browsing etc.).

Think of it like a normal Consumer NAT router.

To be able to access a web or mail server from outside (WAN) that resides behind the Firewall, you would need the respective ports to be forwarded (NAT forwarding).

Since rules apply on first match, try moving your vpn rule to the top and see if it works at least.

Also I'm not sure about your rules without explicit port matching (like 'WAN address | *')  I would say it matches any traffic, meaning everything would end up on the NATed address with the NATed port ..

I would be more cautious to conclude so quickly, that the ECC support has REALLY been completed 100%. Knowing the history of this topic dates back to more than 2 yrs in fact, with many miscommunication and blind guessing!

Well at least the guy from the blog seems to know what he's talking about and there are some changes to the code.

I just hope they finally fix the reboot hang issue (and the newly discovered frequency issue).