Topics - BeNe

#1
24.7, 24.10 Legacy Series / No NGINX Logs in UI
August 07, 2024, 09:23:31 PM
Hello Community,

I did an upgrade to the latest OPNsense version 24.7_9, which worked without any problems  8)
I just saw that the NGINX logs are not shown in the UI. I added a screenshot. There is no entry for the selection of the days. It's the same behaviour with access and error logs. I also switched from the dark theme to the OPNsense default theme, without success.

Can some NGINX user please do a quick check on their system with the latest 24.7 version?

Thank you!
#2
Hello,

I want to check out Sensei again. I had some trouble in an older version because of a netmap error. Looks like this is still a problem.
-> If I enable Sensei in bridge mode, then the complete OPNsense is no longer accessible from the network (including the VLANs)

Interface overview:

IGB0 (Physical) LAN Network
- VLAN 10
- VLAN 20
- VLAN 30
...

IGB1 (Physical) WAN Network

10_DMZ (igb0_vlan10) -> v4: 172.16.10.254/24
                    v6/t6: 2003:f2:6748:ecf1:6eb3:11ff:fe1b:aede/64
20_VPN (igb0_vlan20) -> v4: 172.16.20.254/24
30_Pentest (igb0_vlan30) -> v4: 172.16.30.254/24
                    v6/t6: 2003:f2:6748:ecf3:6eb3:11ff:fe1b:aede/64
40_WifiGuest (igb0_vlan40) -> v4: 172.16.40.254/24
                    v6/t6: 2003:f2:6748:ecf4:6eb3:11ff:fe1b:aede/64
50_IoT (igb0_vlan50) -> v4: 172.16.50.254/24
                    v6/t6: 2003:f2:6748:ecf5:6eb3:11ff:fe1b:aede/64
60_Dev (igb0_vlan60) -> v4: 172.16.60.254/24
                    v6/t6: 2003:f2:6748:ecf6:6eb3:11ff:fe1b:aede/64
70_WiFi (igb0_vlan70) -> v4: 172.16.70.254/24
                    v6/t6: 2003:f2:6748:ecf7:6eb3:11ff:fe1b:aede/64
80_Server (igb0_vlan80) -> v4: 172.16.80.254/24
                    v6/t6: 2003:f2:6748:ecf8:6eb3:11ff:fe1b:aede/64
90_Clients (igb0_vlan90) -> v4: 172.16.90.254/24
                    v6/t6: 2003:f2:6748:ecf9:6eb3:11ff:fe1b:aede/64
LAN (igb0)      -> v4: 172.16.17.254/24
                    v6/t6: 2003:f2:6748:ecf0:6eb3:11ff:fe1b:aede/64
PIA_VPN (ovpnc1) -> v4: 10.49.112.204/24
WAN (igb1)      -> v4: 192.168.217.2/24
                    v6/DHCP6: fe80::6eb3:11ff:fe1b:aedf/64


Here is my Sensei Setup:


Yes, I know that it is experimental. But since I have the setup with VLANs on the same interface as the physical one, there is no other option that I can use (as far as I know).

I would like to debug the problem. What information can I provide to get the function up and running?

OPNsense Information:
- KVM under Proxmox
- Both WAN and LAN are same Intel Network Chips (dual card)
- Sensei Version 1.8
- OPNsense 21.1.3_3-amd64

Thanks for any help!
Cheers BeNe
#3
Hi Community,

I updated my OPNsense box from OPNsense 20.7.7_1-amd64 to the current 21.1 version. The update went through without errors and so far everything is fine except HAProxy. HAProxy is extremely slow and does not deliver all content. I host Nextcloud, Weewx Weather etc. and none of the sites are usable after the update.

I did not change any config or so, just updated from OPNsense 20.7.7_1-amd64 to OPNsense 21.1.
I rolled back my snapshot to 20.7.7_1 and everything runs fast as expected. The problem starts in OPNsense 20.7.8. I did the update again in steps, and in 20.7.8 the sites behind the HAProxy are not usable anymore.
So I will stay at 20.7.7_1 this time and need to find the needle in the hay.

Someone else with the same problem?
Thanks, BeNe
#4
Hi,

I updated to OPNsense 20.7.6 some days ago. I have a strange problem with OpenVPN in client mode.
The OPNsense connects to a VPN provider (Private Internet Access in my case) as client.

The VPN tunnel is established and traffic goes through. So there is no problem.
But in the GUI I have the message "Unable to contact daemon Service not running?"
The VPN tunnel is shown as down, but it isn't.

Here are some screenshots

Directly after a reboot everything is fine and up in the GUI. Looks like the behavior starts after a reconnect in the night (by my Internet Provider (Telekom))

I'm running OPNsense inside a Proxmox VM with Intel network cards (successfully for 2 years)

Any logs needed ?
Any hints ?

Thanks for your help!
#5
Hello!

I upgraded very successfully to 20.1, thanks for that.
All services except the OpenVPN server are running fine. The OpenVPN server stopped and I'm unable to start it.
It worked fine before in 19.x

Here is the Log:

2020-02-01T20:31:42 openvpn[33750]: Exiting due to fatal error
2020-02-01T20:31:42 openvpn[33750]: Cannot open TUN/TAP dev /dev/tun2: Device busy (errno=16)
2020-02-01T20:31:42 openvpn[33750]: TUN/TAP device ovpns2 exists previously, keep at program end
2020-02-01T20:31:42 openvpn[33750]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2020-02-01T20:31:42 openvpn[33750]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
2020-02-01T20:31:42 openvpn[31339]: library versions: LibreSSL 3.0.2, LZO 2.10
2020-02-01T20:31:42 openvpn[31339]: OpenVPN 2.4.8 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 29 2020


Here are the current devices:

:/dev # ls -lha | grep tun
crw-------   1 uucp  dialer     0x76 Jan 31 20:57 tun0
crw-------   1 uucp  dialer     0x62 Feb  1 20:45 tun1
crw-------   1 uucp  dialer     0x63 Jan 31 20:57 tun2
crw-------   1 uucp  dialer     0x65 Jan 31 20:57 tun3
crw-------   1 uucp  dialer     0x67 Jan 31 20:57 tun4


Is there anything else I can test or provide to debug?
Thank you!
#6
19.7 Legacy Series / [SOLVED] Wireguard debug ?
September 20, 2019, 05:03:47 PM
Hi OPNsense Users,

I am trying to set up/enable Wireguard and checked the documentation (OPNsense wiki and Thomas Krenn Wiki).
But the service won't come up.

How can I debug the problem?
I'm unable to find the correct log for Wireguard. There is nothing helpful in the logfiles (System -> Logfiles -> Backend or General).
Sep 20 16:43:29 configd.py: [ab436b4f-6a31-4b6a-a8f4-685ec8e485f2] starting Wireguard
That's all for Wireguard, but the service is directly stopped. I'm on OPNsense 19.7.4_1-amd64 with LibreSSL 2.9.2

Thanks for your help!
#7
Hello everyone,

I have been running my OPNsense successfully with IPv4 + IPv6 for over a year.
Now I would like to hand out my own IPv6 DNS server (which also sits in the internal network) via DHCP.
Unfortunately, it is not quite clear to me what the settings for this should look like. The IPv6 range is dynamic from Telekom and changes every 24 hours. That is why I use the link-local address.

But what do I enter for Range? ::1111:1111:111:1111 to ::ffff:ffff:ffff:ffff ?

Grateful for any tip!  ;)
#8
Hello OPNsense Users,

Is there a way that I can use the OPNsense as smarthost or relay for my internal network devices?
I don't want to add my external mail credentials (user/password) to all my NAS, printers, switches and 3rd party software for notification mails. I no longer have an internal mail server since there is Google Apps or Office 365 with Exchange in the cloud.

All devices should send their mails to the OPNsense, and the OPNsense sends them outside via smarthost. The external mail credentials are needed only once, in the firewall, for the smarthost. Restriction would be possible with a firewall rule. Also, all mails could be checked for spam before they leave the network.

Is there such an option? I could not find it inside the Postfix plugin.

#9
18.1 Legacy Series / Unbound IPv6 DNS not always ok
February 25, 2018, 12:24:14 PM
Hello OPNSense Users,

I have a question about Unbound and IPv6. My DNS resolution doesn't work every time for the IPv6 interface. I need to restart Unbound DNS once a day to get it working. Here is my current output and problem on a client, no DNS via the IPv6 address of the OPNsense:


Microsoft Windows [Version 10.0.16299.125]
(c) 2017 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\MyUser>nslookup
DNS request timed out.
    timeout was 2 seconds.
Standardserver:  UnKnown
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

> ard.de
Server:  UnKnown
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.
>


If I use the IPv4 address of my OPNsense, Unbound works perfectly:


C:\Users\MyUser>nslookup - 172.16.17.254
Standardserver:  firewall.my-net.local
Address:  172.16.17.254

> ard.de
Server:  firewall.my-net.local
Address:  172.16.17.254

Nicht autorisierende Antwort:
Name:    ard.de
Address:  83.125.35.3

>


The IPv6 address of the OPNsense LAN interface is right and I can ping it from the client:

C:\Users\MyUser>ping 2003:85:ae35:59f0:20d:b9ff:fe43:5398

Ping wird ausgeführt für 2003:85:ae35:59f0:20d:b9ff:fe43:5398 mit 32 Bytes Daten:
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=5ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=2ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=6ms
Antwort von 2003:85:ae35:59f0:20d:b9ff:fe43:5398: Zeit=6ms

Ping-Statistik für 2003:85:ae35:59f0:20d:b9ff:fe43:5398:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 2ms, Maximum = 6ms, Mittelwert = 4ms


After I restarted the Unbound service manually, the IPv6 DNS resolution works as well for the whole day:


C:\Users\MyUser>nslookup
Standardserver:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

> ard.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    ard.de
Address:  83.125.35.3

> mdr.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    mdr.de
Address:  193.22.36.128

> google.de
Server:  firewall.my-net.local
Address:  2003:85:ae35:59f0:20d:b9ff:fe43:5398

Nicht autorisierende Antwort:
Name:    google.de
Addresses:  2a00:1450:4016:801::2003
          172.217.22.227

>


My Internet connection gets a reset every night at 3:00 o'clock. So I thought about the new IPv6 prefix, but that is already correct in the Unbound Listening Address list. Also, Unbound did a service reset at 5:00 o'clock (I don't know why, but it's ok for me)

Does anybody have the same behavior? Or can I create a cron job to reset the Unbound service again?
Thanks for any hints  :)
#10
Hello OPNsense Folks,

Can I use the Let's Encrypt plugin to generate a valid SSL cert for the OPNsense WebGUI itself?

As far as I know, I can use HA-Proxy and the Let's Encrypt plugin to generate a cert for web services behind the firewall, but not for the firewall itself.

My firewall has an external static DNS entry.
Is there an option?

Thanks!
#11
18.1 Legacy Series / Can't set IPv6 Prefix on LAN
February 11, 2018, 06:21:49 PM
Hi,

I'm unable to set an IPv6 Prefix ID for my internal networks.
I track the IPv6 prefix from my WAN and need to set the prefix to 1.

But this seems to be a bug for me:

-> Enter a hexadecimal value between 0 and 0 here, default value is 0.  ??

Between 0 and 0, default is 0 ?  ::)
Value must be between 0 and f.

Thanks for any help.
#12
German - Deutsch / Using APU2 AES-NI / OpenVPN
November 05, 2016, 08:12:32 PM
Hello OPNsense community,

I got myself an APU2 and am currently configuring it.
Now I have noticed that when creating my OpenVPN connections (server as well as client)
I cannot select any "Hardware Crypto"?! According to the description, the APU2 has AES-NI support.
I have already switched from OpenSSL to LibreSSL, but unfortunately that did not help.

In the settings -> System: Settings: Miscellaneous -> I had previously selected AESNI and rebooted.

Does anyone have a tip, or also have an APU2 with active AES-NI?
On Google I found forum posts, but they are older ones that talk about better support in FreeBSD 10.3, which has already made its way into OPNsense.

Info about my system:
Versions    OPNsense 16.7.7-amd64
FreeBSD 10.3-RELEASE-p11
LibreSSL 2.4.3

Thanks & regards,
BeNe