Topics - hunter86_bg

#1
24.1, 24.4 Legacy Series / How to ssh after the upgrade
February 19, 2024, 08:37:22 AM
Hi All,

Does anyone know how to grant ssh rights to a user?
I added 'admins' to the user, but I still can't log in: 'This account is currently not available.'
#2
Hi All,

After a migration from 23.7 to 24.1 my backup to GDrive stopped working.
I followed the official documentation and created a new cert and so on. It failed, but the fault is not in OPNsense but in the fact that openssl no longer supports legacy encryption.

In order to work around the problem, I've copied the p12 to a legacy system (RHEL8) and extracted the contents of the p12, so I could later recreate it on a newer system.

On RHEL8 or equivalent run the following:
openssl pkcs12 -in my-cert-from-gcp.p12  -nodes

Obtain the public and private keys from the output and save the output to a more modern system (most probably it would work in the OPNsense shell, but I tested it on RHEL9).
Run the following and provide "notasecret" as the password:
openssl pkcs12 -export -out gdrive.p12 -inkey privkey.pem -in pubkey.pem

Then upload your p12 and test the backup.
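A script form of the two-host procedure above, added here as an example (it is not from the post or from OPNsense). It assumes openssl is present on both hosts; the file paths are placeholders, and "notasecret" is the password GCP sets on service-account p12 files, as the post says.

```shell
#!/bin/sh
# Added example, not from the forum post or OPNsense: the two-host p12 round
# trip the post describes, one function per host. "notasecret" is the password
# GCP sets on service-account p12 files; the file paths are placeholders.
set -eu

# Run on the legacy host (RHEL8 or similar): dump the p12 unencrypted and split
# the PEM output into a key file and a certificate file that can be copied over.
# (OpenSSL 3 can also read such files with "openssl pkcs12 -legacy" when its
# legacy provider is installed; the post's route avoids depending on that.)
extract_p12() {
    p12="$1" outdir="$2"
    mkdir -p "$outdir"
    openssl pkcs12 -in "$p12" -nodes -passin pass:notasecret > "$outdir/dump.pem"
    # The dump mixes "Bag Attributes" text with the PEM blocks; keep each block
    # type in its own file (a chain in the dump ends up whole in pubkey.pem).
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' \
        "$outdir/dump.pem" > "$outdir/privkey.pem"
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        "$outdir/dump.pem" > "$outdir/pubkey.pem"
    rm -f "$outdir/dump.pem"
}

# Run on the modern host (RHEL9 or the OPNsense shell): re-export with the
# current PBE defaults, keeping the password the GDrive backup job expects.
rebuild_p12() {
    indir="$1" out="$2"
    openssl pkcs12 -export -out "$out" -inkey "$indir/privkey.pem" \
        -in "$indir/pubkey.pem" -passout pass:notasecret
}

# SHA-256 fingerprint of the certificate inside a p12 (this also proves the
# modern openssl can open the rebuilt file) and of a PEM certificate.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass:notasecret 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
pem_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Check before uploading: the rebuilt p12 must carry the extracted certificate.
verify_p12() {
    [ "$(p12_cert_fingerprint "$1")" = "$(pem_cert_fingerprint "$2")" ]
}

case "${1:-}" in
    extract) extract_p12 "$2" "$3" ;;
    rebuild) rebuild_p12 "$2" "$3" && verify_p12 "$3" "$2/pubkey.pem" && echo "$3 OK" ;;
esac
```

Usage: `sh p12.sh extract my-cert-from-gcp.p12 ./ext` on the legacy host, copy `./ext` over, then `sh p12.sh rebuild ./ext gdrive.p12` on the modern host.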
#3
23.7 Legacy Series / How to install Firefox package
August 12, 2023, 03:26:04 PM
Hi All,

I have a selenium script that backs up my Zenarmor policies and I was wondering if I can install Firefox (or any other browser) on OPNsense and schedule the backup from there.

Note: The API access is limited to Business plan and home users can't use that.
#4
In 22.7 I had a rule that allows all IPv4 from 'Lan Net' to 'Lan Net', but after the update to 23.1 the multicast traffic from my DLNA server is blocked and I had to create a new rule: allow ipv4 udp from <DLNA IP>:57953 to 239.255.255.0/24:1900.

Any reason for that change?
#5
21.7 Legacy Series / Automatic way to add DHCP leases
October 31, 2021, 12:28:22 PM
Hello All,

I was checking the API and I couldn't find an endpoint that matches to the 'Services' -> 'DHCPv4' -> 'LAN' menu.
What are my options? Is it possible to inject new MAC addresses (and their IPs) into a file or into the config and reload the service?
#6
21.7 Legacy Series / Boot issues on Legacy
October 01, 2021, 06:22:29 PM
Hi All,

I dd'ed the DVD image to my USB stick and as usual I tried to boot it, but the BIOS of the machine skips it.
Any hints for properly creating a bootable Legacy stick (under Linux)?
#7
Hi All,

I saw that 21.7 now supports setup of ZFS via the installer.
Do you think that I can reinstall with ZFS and later load my configuration backup ?

Do you see any issues ?
#8
Hi All,

Based on the man page of unbound.conf, the "Answers for local zones are authoritative DNS answers."
Yet, I get the following:
# dig engine.localdomain

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> engine.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29750
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;engine.localdomain.            IN      A

;; ANSWER SECTION:
engine.localdomain.     3600    IN      A       192.168.1.2

;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Jun 13 23:09:02 EEST 2021
;; MSG SIZE  rcvd: 63

The machine has a static DHCP entry and as per host_entries.conf I get the following:
root@opnsense:/var/unbound # grep -E 'local-zone|engine' host_entries.conf
local-zone: "localdomain" transparent
local-data-ptr: "192.168.1.2 engine.localdomain"
local-data: "engine.localdomain IN A 192.168.1.2"
root@opnsense:/var/unbound #

The whole problem comes from the moment where
dig +noall +answer engine.localdomain ANY
is not returning anything.

How can I make unbound return authoritative answers for the "localdomain" zone?
#9
Hi All,

Does anyone have a clue why postfix is complaining:
OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied

It seems that it dies randomly and restarting the service is not helping.
#10
General Discussion / Snapshot before upgrade to 21.1
February 06, 2021, 08:21:58 PM
Hi all,

I'm using 20.7 since this summer and I'm quite impressed.
Yet, I would like to 'insure' myself and ask if there is a way to snapshot my physical device?
I know that ZFS supports that and restore could be possible afterwards.
Also, is it possible to use config backups from 20.7 directly on 21.1, or can the backup be restored only on the same major version?
#11
General Discussion / logging stopped working
November 19, 2020, 06:08:37 AM
Hello All,

I recently noticed that logging stopped working (and the last changes were only in Firewall Aliases or the Proxy) and I need your assistance to debug it.
Could it be related to the latest update (20.7.4) ?

I have restarted the syslog-ng service several times and I also rebooted the system, yet no logs are generated in many files, especially in system.log.
When I restart syslog-ng I get the following:

Starting syslog_ng.
[2020-11-19T07:03:07.684086] Connection failed; fd='21', server='AF_UNIX(/var/run/legacy_log)', local='AF_UNIX(anonymous)', error='Connection refused (61)'
[2020-11-19T07:03:07.684122] Initiating connection failed, reconnecting; time_reopen='60'

So far I haven't touched any of the configuration files of syslog-ng.
Any ideas?
#12
Hello All,

It seems that an alias for the firewall is not updating, as I see the IP being blocked by the default block rule.

I have set a cron job, but I would like to debug it further. Which log should I check for details?
#13
General Discussion / How to test SMTP settings in Monit
September 15, 2020, 10:07:49 PM
Do we have a way to test the SMTP settings in monit?
#14
General Discussion / Cannot setup https proxy
September 13, 2020, 09:17:42 AM
Hello All,

I'm trying to set up a proxy in non-transparent mode (without the firewall rules), but it seems that OPNsense is not listening on port 3129 on the LAN interface:

root@firewall1:~ # netstat -aL | grep 3128
tcp4  0/0/128                          firewall1.3128         
tcp6  0/0/128                          localhost.3128         
tcp4  0/0/128                          localhost.3128         
root@firewall1:~ # netstat -aL | grep 3129
tcp6  0/0/128                          localhost.3129         
tcp4  0/0/128                          localhost.3129

Any ideas how to force the ssl proxy to listen on firewall1.3129?
#15
General Discussion / Firewall question
August 28, 2020, 07:46:30 PM
Hello All,

I'm quite new to BSD systems (Linux knowledge only).
I have set up igb0 for WAN, while I bridged all other NICs + wifi into LAN.

I saw that there are default rules for LAN and I want to know how to set up:
- All bridge clients to be unrestricted between each other
- Block all outgoing (from LAN to WAN to internet) connections until I create a specific rule for it.

I was thinking of disabling the 2 default rules for LAN, but I don't want to set up the firewall again from scratch.
#16
Hello All,

I'm planning to replace my Mikrotik with OPNsense and I want to mirror all the scripts I have on the Mikrotik.

The one I try to recreate is for reducing the txpower to the minimum when there are no clients available and increasing it to maximum when a client connects.

I'm trying to figure out how to change the txpower via ifconfig, but it fails with (keep in mind that I'm typing it manually):
root@firewall1:~ # ifconfig run0_wlan1 txpower 10
ifconfig SIOCS80211: Operation not supported

I tried to bring down the interface first, but it also fails.
Any hints are appreciated.