OPNsense Forum

English Forums => General Discussion => Topic started by: WeiWang on April 27, 2024, 02:03:34 AM

Title: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on April 27, 2024, 02:03:34 AM
So, I have a Protectli box with OPNsense 23.7.5 installed; currently I have the ISP router/modem in front of the OPNsense box and a laptop (which I have been dual booting between Win/Lin) to try to get things set up.
I am able to access sites like google.com and cloudflare, but also bing, facebook, and apparently opnsense.org via the Linux laptop I have connected, but that is about it. Other sites like wikipedia.org or reddit.com (pretty much any other site) just give me a "can't connect to server" error. In Win I can't even access OPNsense; it just times out and tells me 192.168.1.1 took too long to respond.
I cannot ping 1.1.1.1 from the OPNsense console nor from the computer I have connected to OPNsense; it just tells me no route to host and 100% packet loss, so does that rule out DNS?

I have tried ticking so many boxes and have reset back to defaults so many times that I'm starting to feel like pulling my hair out over this and can't figure out what I am doing wrong. I am so hoping to just get the most basic setup going (access websites) and then back that up so I can try to figure the other things out.

Please. Please help. I will post whatever log info is needed, but I didn't want to just willy-nilly post useless info, so please let me know and I will happily post it.
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on May 04, 2024, 04:40:46 PM
Anyone? Please?
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: chemlud on May 04, 2024, 04:52:35 PM
If you can't ping an IP (1.1.1.1) it's not related to DNS.

Too sparse info to even start thinking about a root cause for your problems. Try adding more DNS servers. Packet loss on WAN? etc. pp....
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on May 05, 2024, 07:39:24 PM
OK, thanks, I think.

I'm trying my best to figure this out and of course am willing to post more information, but I am (obviously) a networking noob.

So I added two more DNS servers (AdGuard's and OpenDNS Home), 208.67.222.222 and 94.140.14.14, but as far as I can tell that didn't seem to change anything.

I read up on WAN packet loss, so I tried going to Interfaces, Diagnostics, Packet Capture and got:

Interface Timestamp SRC DST output
WAN
igb1 2024-05-04
17:24:41.672662 6c:4b:b4:68:01:51 ff:ff:ff:ff:ff:ff Unknown Ethertype (0x7373), length 121:
WAN
igb1 2024-05-04
17:24:41.800722 6c:4b:b4:68:01:51 01:80:c2:00:00:00 802.3, length 38: LLC, dsap STP (0x42) Individual, ssap STP (0x42) Command, ctrl 0x03: STP 802.1d, Config, Flags [none], bridge-id 0000.6c:4b:b4:68:01:51.8001, length 43
WAN
igb1 2024-05-04
17:24:42.035789 30:89:4a:a1:7b:79 33:33:ff:68:01:51 IPv6, length 86: fe80::ca88:bea6:3b48:e015 > ff02::1:ff68:151: ICMP6, neighbor solicitation, who has fe80::6e4b:b4ff:fe68:151, length 32
WAN
igb1 2024-05-04
17:24:42.117316 30:89:4a:a1:7b:79 ff:ff:ff:ff:ff:ff IPv4, length 366: 0.0.0.0.68 > 255.255.255.255.67: UDP, length 324
WAN
igb1 2024-05-04
17:24:42.117917 6c:4b:b4:68:01:51 ff:ff:ff:ff:ff:ff IPv4, length 391: 192.168.1.254.67 > 255.255.255.255.68: UDP, length 349
WAN
igb1 2024-05-04
17:24:42.226942 30:89:4a:a1:7b:79 33:33:ff:68:01:51 IPv6, length 86: 2600:1700:25d1:a710:b575:be42:7840:290f > ff02::1:ff68:151: ICMP6, neighbor solicitation, who has fe80::6e4b:b4ff:fe68:151, length 32
WAN
igb1 2024-05-04
17:24:42.335468 30:89:4a:a1:7b:79 ff:ff:ff:ff:ff:ff ARP, length 60: Request who-has 192.168.1.218 tell 0.0.0.0, length 46
WAN
igb1 2024-05-04
17:24:42.335704 30:89:4a:a1:7b:79 33:33:ff:48:e0:15 IPv6, length 78: :: > ff02::1:ff48:e015: ICMP6, neighbor solicitation, who has fe80::ca88:bea6:3b48:e015, length 24
WAN
igb1 2024-05-04
17:24:42.335858 30:89:4a:a1:7b:79 33:33:ff:96:8f:5f IPv6, length 78: :: > ff02::1:ff96:8f5f: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710:49b3:3a7f:dc96:8f5f, length 24
WAN
igb1 2024-05-04
17:24:42.336001 30:89:4a:a1:7b:79 33:33:ff:40:29:0f IPv6, length 78: :: > ff02::1:ff40:290f: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710:b575:be42:7840:290f, length 24
WAN
igb1 2024-05-04
17:24:42.336128 30:89:4a:a1:7b:79 33:33:ff:00:00:46 IPv6, length 78: :: > ff02::1:ff00:46: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710::46, length 24
WAN
igb1 2024-05-04
17:24:42.336144 30:89:4a:a1:7b:79 33:33:00:00:00:02 IPv6, length 62: fe80::ca88:bea6:3b48:e015 > ff02::2: ICMP6, router solicitation, length 8
WAN
igb1 2024-05-04
17:24:42.336364 30:89:4a:a1:7b:79 33:33:00:00:00:16 IPv6, length 190: fe80::ca88:bea6:3b48:e015 > ff02::16: HBH ICMP6, multicast listener report v2, 6 group record(s), length 128
WAN
igb1 2024-05-04
17:24:42.535991 30:89:4a:a1:7b:79 33:33:ff:00:00:01 IPv6, length 86: 2600:1700:25d1:a710:b575:be42:7840:290f > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2600:1700:25d1:a710::1, length 32


Not much of it makes sense to me; the "Unknown Ethertype" seems suspect, but after googling I am honestly a bit more confused.

I can totally run some more things but I really haven't a clue what else would be useful to run/post.
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: chemlud on May 05, 2024, 07:53:09 PM
How about some info on your hardware, ISP, potential modems used. Packet loss can be seen in GUI Lobby under "Gateways". ;-)
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on May 06, 2024, 03:38:13 PM
Right, thanks!

# Hardware:
modem (ISP provided) - BGW320-500 (https://usermanual.wiki/Humax/BGW320-4522445.pdf)
router - Protectli FW2B-2-8-120 (https://protectli.com/product/fw2b/), OPNsense 23.7.5 with 8 GB mem
computer used to access the router (for what it's worth) - Gen 4 X1 Yoga dual booting Lin/Win, using Edge/Firefox to access the OPNsense web GUI

# ISP:
AT&T fiber

GUI Lobby, doh! Noted :)
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on May 15, 2024, 01:41:20 AM
OK, so as I understand it I used nslookup and dig incorrectly before; when I redid it I got:
kubuntu@kubuntu:~$ nslookup www.google.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached


kubuntu@kubuntu:~$ nslookup www.cloudflare.com 1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; no servers could be reached


kubuntu@kubuntu:~$ nslookup www.google.com 8.8.8.8
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; no servers could be reached


kubuntu@kubuntu:~$ dig www.google.com @8.8.8.8
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> www.google.com @8.8.8.8
;; global options: +cmd
;; no servers could be reached

kubuntu@kubuntu:~$ dig www.cloudflare.com @1.1.1.1
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out
;; communications error to 1.1.1.1#53: timed out

; <<>> DiG 9.18.18-0ubuntu2-Ubuntu <<>> www.cloudflare.com @1.1.1.1
;; global options: +cmd
;; no servers could be reached


I had also tried ifconfig -a, thinking it would give me more information about why I was not able to access OPNsense via 192.168.1.1 (that is, it would show me the gateway):
kubuntu@kubuntu:~$ ifconfig -a
enp0s31f6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether f8:75:a4:ab:47:bc  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xea200000-ea220000 

enx00e04cefcb25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.197  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2600:1700:25d1:a71f::19af  prefixlen 128  scopeid 0x0<global>
        inet6 2600:1700:25d1:a71f:f8e9:7092:c27d:8229  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::b2bc:371a:aed0:56ec  prefixlen 64  scopeid 0x20<link>
        inet6 2600:1700:25d1:a71f:6cd2:f4b3:8aaa:a9  prefixlen 64  scopeid 0x0<global>
        ether 00:e0:4c:ef:cb:25  txqueuelen 1000  (Ethernet)
        RX packets 36167  bytes 48159820 (48.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 14770  bytes 1684296 (1.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1738  bytes 192775 (192.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1738  bytes 192775 (192.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp0s20f3: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 5c:80:b6:1c:d0:7c  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


but it seems that was also incorrect. At the same time, I'm told this seems to point to IPv6 working but IPv4 not working, so how can I further diagnose why IPv4 is not working?

I also ran ip and netstat (trying to determine if OPNsense is actually the gateway):

kubuntu@kubuntu:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enx00e04cefcb25
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enx00e04cefcb25
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enx00e04cefcb25
kubuntu@kubuntu:~$ ip route
default via 192.168.1.1 dev enx00e04cefcb25 proto dhcp src 192.168.1.197 metric 100
169.254.0.0/16 dev enx00e04cefcb25 scope link metric 1000
192.168.1.0/24 dev enx00e04cefcb25 proto kernel scope link src 192.168.1.197 metric 100


Also, for what it's worth, I am able to use apt with no issues. I guess it uses IPv6?
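For the question of how to diagnose the IPv4 side further, here is an added example (the editor's, not code from the thread or from OPNsense) that parses the IPv4 rows of the WAN capture posted above and cross-checks them against the LAN subnet and DHCP pool from the config.xml posted later in the thread. It reports a DHCP server seen on WAN, and the lease it offered, when they sit inside the LAN subnet, and a LAN client address that the firewall's own pool could not have issued; the client address 192.168.1.197 is taken from the ifconfig output above.

```python
"""Cross-check an OPNsense WAN packet capture against the LAN settings.

Added example by the editor, not code from the forum post or from OPNsense.
It parses the text lines that Interfaces > Diagnostics > Packet Capture
prints and flags two things worth checking in this thread: a DHCP server
answering on WAN from the same subnet as the LAN, and a client address that
sits outside the firewall's own DHCP pool.
"""
import ipaddress
import re

# IPv4 rows copied from the WAN capture posted earlier in the thread.
CAPTURE = """\
17:24:42.117316 30:89:4a:a1:7b:79 ff:ff:ff:ff:ff:ff IPv4, length 366: 0.0.0.0.68 > 255.255.255.255.67: UDP, length 324
17:24:42.117917 6c:4b:b4:68:01:51 ff:ff:ff:ff:ff:ff IPv4, length 391: 192.168.1.254.67 > 255.255.255.255.68: UDP, length 349
17:24:42.335468 30:89:4a:a1:7b:79 ff:ff:ff:ff:ff:ff ARP, length 60: Request who-has 192.168.1.218 tell 0.0.0.0, length 46
"""

# LAN subnet and DHCP range as they appear in the config.xml posted later in the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.100"))

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# tcpdump-style "src.port > dst.port: UDP" as printed by the OPNsense capture page
UDP_RE = re.compile(rf"IPv4, length \d+: {IPV4}\.(\d+) > {IPV4}\.(\d+): UDP")
ARP_RE = re.compile(rf"ARP, length \d+: Request who-has {IPV4} tell {IPV4}")


def parse_capture(text):
    """Return one dict per recognised line; other frame types are skipped."""
    records = []
    for line in text.splitlines():
        m = UDP_RE.search(line)
        if m:
            records.append({"kind": "udp", "src": m.group(1), "sport": int(m.group(2)),
                            "dst": m.group(3), "dport": int(m.group(4))})
            continue
        m = ARP_RE.search(line)
        if m:
            records.append({"kind": "arp", "target": m.group(1), "sender": m.group(2)})
    return records


def dhcp_servers(records):
    """A DHCP server is whoever sends from UDP/67 to UDP/68 (OFFER/ACK)."""
    return sorted({r["src"] for r in records
                   if r["kind"] == "udp" and r["sport"] == 67 and r["dport"] == 68})


def offered_addresses(records):
    """ARP 'who-has X tell 0.0.0.0' is a client probing a lease it was just offered."""
    return sorted({r["target"] for r in records
                   if r["kind"] == "arp" and r["sender"] == "0.0.0.0"})


def in_lan(addr, lan_net=LAN_NET):
    return ipaddress.ip_address(addr) in lan_net


def outside_pool(addr, pool=DHCP_POOL, lan_net=LAN_NET):
    """True when addr is a LAN address the firewall's DHCP pool could not have handed out."""
    ip = ipaddress.ip_address(addr)
    return ip in lan_net and not (pool[0] <= ip <= pool[1])


def findings(text=CAPTURE, client_addrs=("192.168.1.197",)):
    """Summarise the checks as a list of human-readable strings."""
    recs = parse_capture(text)
    out = []
    for srv in dhcp_servers(recs):
        if in_lan(srv):
            out.append(f"DHCP server {srv} answers on WAN from inside LAN subnet {LAN_NET}")
    for lease in offered_addresses(recs):
        if in_lan(lease):
            out.append(f"WAN was offered {lease}, also inside LAN subnet {LAN_NET}")
    for addr in client_addrs:
        if outside_pool(addr):
            out.append(f"client {addr} is outside the firewall's pool {DHCP_POOL[0]}-{DHCP_POOL[1]}")
    return out


if __name__ == "__main__":
    for line in findings():
        print(line)
```

Any line the script flags is a place to compare the WAN lease shown under Interfaces > Overview with the LAN address; a WAN and LAN on the same subnet cannot be routed between, and a LAN client holding an address outside the firewall's pool got it from some other DHCP server.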
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: chemlud on May 22, 2024, 02:04:29 PM
https://www.whatismyip.com/169-254-ip-address/

No one knows how you have exactly configured what, so nobody can debug this remotely...
Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: WeiWang on May 22, 2024, 07:53:59 PM
I got that. The caveat is I have no idea what information to give. I've kind of just tried posting whatever info I can in hopes THAT bit of info would be the useful bit of info. I am truly sorry I am such a noob.
Thank you for the link, so DHCP isn't configured correctly? I'll try playing around with that, I guess. In the meantime, you mentioned "configured", so I am not sure if my config file will help, but I don't know what else to post yet so... Below is my config file:

<?xml version="1.0"?>
<opnsense>
  <theme>opnsense</theme>
  <sysctl>
    <item>
      <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
      <tunable>vfs.read_max</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Set the ephemeral port range to be lower.</descr>
      <tunable>net.inet.ip.portrange.first</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Drop packets to closed TCP ports without returning a RST</descr>
      <tunable>net.inet.tcp.blackhole</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
      <tunable>net.inet.udp.blackhole</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Randomize the ID field in IP packets</descr>
      <tunable>net.inet.ip.random_id</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>
        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
        It can also be used to probe for information about your internal networks. These functions come enabled
        as part of the standard FreeBSD core system.
      </descr>
      <tunable>net.inet.ip.sourceroute</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>
        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
        It can also be used to probe for information about your internal networks. These functions come enabled
        as part of the standard FreeBSD core system.
      </descr>
      <tunable>net.inet.ip.accept_sourceroute</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>
        This option turns off the logging of redirect packets because there is no limit and this could fill
        up your logs consuming your whole hard drive.
      </descr>
      <tunable>net.inet.icmp.log_redirect</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
      <tunable>net.inet.tcp.drop_synfin</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Enable sending IPv6 redirects</descr>
      <tunable>net.inet6.ip6.redirect</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
      <tunable>net.inet6.ip6.use_tempaddr</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Prefer privacy addresses and use them over the normal addresses</descr>
      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
      <tunable>net.inet.tcp.syncookies</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
      <tunable>net.inet.tcp.recvspace</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
      <tunable>net.inet.tcp.sendspace</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
      <tunable>net.inet.tcp.delayed_ack</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Maximum outgoing UDP datagram size</descr>
      <tunable>net.inet.udp.maxdgram</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
      <tunable>net.link.bridge.pfil_onlyip</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
      <tunable>net.link.bridge.pfil_local_phys</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
      <tunable>net.link.bridge.pfil_member</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Set to 1 to enable filtering on the bridge interface</descr>
      <tunable>net.link.bridge.pfil_bridge</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Allow unprivileged access to tap(4) device nodes</descr>
      <tunable>net.link.tap.user_open</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
      <tunable>kern.randompid</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
      <tunable>hw.syscons.kbd_reboot</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Enable TCP extended debugging</descr>
      <tunable>net.inet.tcp.log_debug</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Set ICMP Limits</descr>
      <tunable>net.inet.icmp.icmplim</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>TCP Offload Engine</descr>
      <tunable>net.inet.tcp.tso</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>UDP Checksums</descr>
      <tunable>net.inet.udp.checksum</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Maximum socket buffer size</descr>
      <tunable>kern.ipc.maxsockbuf</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
      <tunable>vm.pmap.pti</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
      <tunable>hw.ibrs_disable</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Hide processes running as other groups</descr>
      <tunable>security.bsd.see_other_gids</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Hide processes running as other users</descr>
      <tunable>security.bsd.see_other_uids</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
        and for the sender directly reachable, route and next hop is known.
      </descr>
      <tunable>net.inet.ip.redirect</tunable>
      <value>default</value>
    </item>
    <item>
      <descr>
        Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
        to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
        packets without returning a response.
      </descr>
      <tunable>net.inet.icmp.drop_redirect</tunable>
      <value>1</value>
    </item>
    <item>
      <descr>Maximum outgoing UDP datagram size</descr>
      <tunable>net.local.dgram.maxdgram</tunable>
      <value>default</value>
    </item>
  </sysctl>
  <system>
    <optimization>normal</optimization>
    <hostname>router</hostname>
    <domain>tnbc</domain>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <password>$2y$10$ZyasLp34vWYaO8i3.7NbSu3RrAQ9NaI/Koi2xVo9jFRqZJsV/.3OG</password>
      <uid>0</uid>
    </user>
    <nextuid>2000</nextuid>
    <nextgid>2000</nextgid>
    <timezone>Etc/UTC</timezone>
    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>662c4a6b65a15</ssl-certref>
      <port/>
      <compression>9</compression>
      <ssl-hsts>1</ssl-hsts>
    </webgui>
    <disablenatreflection>yes</disablenatreflection>
    <usevirtualterminal>1</usevirtualterminal>
    <disableconsolemenu>1</disableconsolemenu>
    <disablevlanhwfilter>1</disablevlanhwfilter>
    <disablechecksumoffloading>1</disablechecksumoffloading>
    <disablesegmentationoffloading>1</disablesegmentationoffloading>
    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
    <ipv6allow/>
    <powerd_ac_mode>hadp</powerd_ac_mode>
    <powerd_battery_mode>hadp</powerd_battery_mode>
    <powerd_normal_mode>hadp</powerd_normal_mode>
    <bogons>
      <interval>monthly</interval>
    </bogons>
    <pf_share_forward>1</pf_share_forward>
    <lb_use_sticky>1</lb_use_sticky>
    <ssh>
      <group>admins</group>
      <noauto>1</noauto>
      <interfaces/>
      <kex/>
      <ciphers/>
      <macs/>
      <keys/>
      <keysig/>
    </ssh>
    <rrdbackup>24</rrdbackup>
    <netflowbackup>24</netflowbackup>
    <firmware version="1.0.1">
      <mirror/>
      <flavour/>
      <plugins/>
      <subscription/>
    </firmware>
    <language>en_US</language>
    <dnsallowoverride_exclude/>
    <dnsserver>208.67.222.222</dnsserver>
    <dnsserver>94.140.14.14</dnsserver>
    <dnsserver>1.1.1.1</dnsserver>
    <dnsserver>8.8.8.8</dnsserver>
    <dns1gw>none</dns1gw>
    <dns2gw>none</dns2gw>
    <dns3gw>none</dns3gw>
    <dns4gw>none</dns4gw>
    <dns5gw>none</dns5gw>
    <dns6gw>none</dns6gw>
    <dns7gw>none</dns7gw>
    <dns8gw>none</dns8gw>
    <serialspeed>115200</serialspeed>
    <primaryconsole>video</primaryconsole>
    <thermal_hardware>coretemp</thermal_hardware>
    <dhcpbackup>24</dhcpbackup>
  </system>
  <interfaces>
    <wan>
      <enable>1</enable>
      <if>igb1</if>
      <ipaddr>dhcp</ipaddr>
      <ipaddrv6>dhcp6</ipaddrv6>
      <gateway/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <media/>
      <mediaopt/>
      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
    </wan>
    <lan>
      <enable>1</enable>
      <if>igb0</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <ipaddrv6>track6</ipaddrv6>
      <subnetv6>64</subnetv6>
      <media/>
      <mediaopt/>
      <track6-interface>wan</track6-interface>
      <track6-prefix-id>0</track6-prefix-id>
      <gateway/>
      <gatewayv6/>
    </lan>
    <lo0>
      <internal_dynamic>1</internal_dynamic>
      <descr>Loopback</descr>
      <enable>1</enable>
      <if>lo0</if>
      <ipaddr>127.0.0.1</ipaddr>
      <ipaddrv6>::1</ipaddrv6>
      <subnet>8</subnet>
      <subnetv6>128</subnetv6>
      <type>none</type>
      <virtual>1</virtual>
    </lo0>
  </interfaces>
  <dhcpd>
    <lan>
      <enable>1</enable>
      <range>
        <from>192.168.1.10</from>
        <to>192.168.1.100</to>
      </range>
    </lan>
  </dhcpd>
  <snmpd>
    <syslocation/>
    <syscontact/>
    <rocommunity>public</rocommunity>
  </snmpd>
  <nat>
    <outbound>
      <mode>automatic</mode>
    </outbound>
  </nat>
  <filter>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <ipprotocol>inet6</ipprotocol>
      <descr>Default allow LAN IPv6 to any rule</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
  </filter>
  <rrd>
    <enable/>
  </rrd>
  <load_balancer>
    <monitor_type>
      <name>ICMP</name>
      <type>icmp</type>
      <descr>ICMP</descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>TCP</name>
      <type>tcp</type>
      <descr>Generic TCP</descr>
      <options/>
    </monitor_type>
    <monitor_type>
      <name>HTTP</name>
      <type>http</type>
      <descr>Generic HTTP</descr>
      <options>
        <path>/</path>
        <host/>
        <code>200</code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>HTTPS</name>
      <type>https</type>
      <descr>Generic HTTPS</descr>
      <options>
        <path>/</path>
        <host/>
        <code>200</code>
      </options>
    </monitor_type>
    <monitor_type>
      <name>SMTP</name>
      <type>send</type>
      <descr>Generic SMTP</descr>
      <options>
        <send/>
        <expect>220 *</expect>
      </options>
    </monitor_type>
  </load_balancer>
  <ntpd>
    <prefer>0.opnsense.pool.ntp.org</prefer>
  </ntpd>
  <widgets>
    <sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
    <column_count>2</column_count>
  </widgets>
  <revision>
    <username>(root)</username>
    <time>1715908408.0369</time>
    <description>lan configuration from console menu</description>
  </revision>
  <OPNsense>
    <Interfaces>
      <vxlans version="1.0.1"/>
      <loopbacks version="1.0.0"/>
    </Interfaces>
    <proxy version="1.0.6">
      <general>
        <enabled>0</enabled>
        <error_pages>opnsense</error_pages>
        <icpPort/>
        <logging>
          <enable>
            <accessLog>1</accessLog>
            <storeLog>1</storeLog>
          </enable>
          <ignoreLogACL/>
          <target/>
        </logging>
        <alternateDNSservers/>
        <forwardedForHandling>on</forwardedForHandling>
        <uriWhitespaceHandling>strip</uriWhitespaceHandling>
        <enablePinger>1</enablePinger>
        <useViaHeader>1</useViaHeader>
        <suppressVersion>0</suppressVersion>
        <connecttimeout/>
        <VisibleEmail>admin@localhost.local</VisibleEmail>
        <VisibleHostname/>
        <cache>
          <local>
            <enabled>0</enabled>
            <directory>/var/squid/cache</directory>
            <cache_mem>256</cache_mem>
            <maximum_object_size/>
            <maximum_object_size_in_memory/>
            <memory_cache_mode>always</memory_cache_mode>
            <size>100</size>
            <l1>16</l1>
            <l2>256</l2>
            <cache_linux_packages>0</cache_linux_packages>
            <cache_windows_updates>0</cache_windows_updates>
          </local>
        </cache>
        <traffic>
          <enabled>0</enabled>
          <maxDownloadSize>2048</maxDownloadSize>
          <maxUploadSize>1024</maxUploadSize>
          <OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
          <perHostTrotteling>256</perHostTrotteling>
        </traffic>
        <parentproxy>
          <enabled>0</enabled>
          <host/>
          <enableauth>0</enableauth>
          <user>username</user>
          <password>password</password>
          <port/>
          <localdomains/>
          <localips/>
        </parentproxy>
      </general>
      <forward>
        <interfaces>lan</interfaces>
        <port>3128</port>
        <sslbumpport>3129</sslbumpport>
        <sslbump>0</sslbump>
        <sslurlonly>0</sslurlonly>
        <sslcertificate/>
        <sslnobumpsites/>
        <ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
        <sslcrtd_children>5</sslcrtd_children>
        <snmp_enable>0</snmp_enable>
        <snmp_port>3401</snmp_port>
        <snmp_password>public</snmp_password>
        <ftpInterfaces/>
        <ftpPort>2121</ftpPort>
        <ftpTransparentMode>0</ftpTransparentMode>
        <addACLforInterfaceSubnets>1</addACLforInterfaceSubnets>
        <transparentMode>0</transparentMode>
        <acl>
          <allowedSubnets/>
          <unrestricted/>
          <bannedHosts/>
          <whiteList/>
          <blackList/>
          <browser/>
          <mimeType/>
          <googleapps/>
          <youtube/>
          <safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
          <sslPorts>443:https</sslPorts>
          <remoteACLs>
            <blacklists/>
            <UpdateCron/>
          </remoteACLs>
        </acl>
        <icap>
          <enable>0</enable>
          <RequestURL>icap://[::1]:1344/avscan</RequestURL>
          <ResponseURL>icap://[::1]:1344/avscan</ResponseURL>
          <SendClientIP>1</SendClientIP>
          <SendUsername>0</SendUsername>
          <EncodeUsername>0</EncodeUsername>
          <UsernameHeader>X-Username</UsernameHeader>
          <EnablePreview>1</EnablePreview>
          <PreviewSize>1024</PreviewSize>
          <OptionsTTL>60</OptionsTTL>
          <exclude/>
        </icap>
        <authentication>
          <method/>
          <authEnforceGroup/>
          <realm>OPNsense proxy authentication</realm>
          <credentialsttl>2</credentialsttl>
          <children>5</children>
        </authentication>
      </forward>
      <pac/>
      <error_pages>
        <template/>
      </error_pages>
    </proxy>
    <TrafficShaper version="1.0.3">
      <pipes/>
      <queues/>
      <rules/>
    </TrafficShaper>
    <unboundplus version="1.0.8">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats/>
        <active_interface/>
        <dns64>0</dns64>
        <dns64prefix/>
        <noarecords>0</noarecords>
        <regdhcp>1</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>1</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>1</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity/>
        <hideversion/>
        <prefetch/>
        <prefetchkey/>
        <serveexpired/>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset/>
        <serveexpiredclienttimeout/>
        <qnameminstrict/>
        <extendedstatistics/>
        <logqueries/>
        <logreplies/>
        <logtagqueryreply/>
        <logservfail/>
        <loglocalactions/>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing/>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
      </acls>
      <dnsbl>
        <enabled>0</enabled>
        <safesearch/>
        <type/>
        <lists/>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain/>
      </dnsbl>
      <forwarding>
        <enabled/>
      </forwarding>
      <dots/>
      <hosts/>
      <aliases/>
      <domains/>
    </unboundplus>
    <Firewall>
      <Lvtemplate version="0.0.1">
        <templates/>
      </Lvtemplate>
      <Category version="1.0.0">
        <categories/>
      </Category>
      <Alias version="1.0.1">
        <geoip>
          <url/>
        </geoip>
        <aliases/>
      </Alias>
    </Firewall>
    <Netflow version="1.0.1">
      <capture>
        <interfaces/>
        <egress_only/>
        <version>v9</version>
        <targets/>
      </capture>
      <collect>
        <enable>0</enable>
      </collect>
      <activeTimeout>1800</activeTimeout>
      <inactiveTimeout>15</inactiveTimeout>
    </Netflow>
    <OpenVPNExport version="0.0.1">
      <servers/>
    </OpenVPNExport>
    <OpenVPN version="1.0.0">
      <Overwrites/>
      <Instances/>
      <StaticKeys/>
    </OpenVPN>
    <captiveportal version="1.0.1">
      <zones/>
      <templates/>
    </captiveportal>
    <IPsec version="1.0.1">
      <general>
        <enabled/>
      </general>
      <keyPairs/>
      <preSharedKeys/>
    </IPsec>
    <Swanctl version="1.0.0">
      <Connections/>
      <locals/>
      <remotes/>
      <children/>
      <Pools/>
      <VTIs/>
      <SPDs/>
    </Swanctl>
    <Syslog version="1.0.1">
      <general>
        <enabled>1</enabled>
      </general>
      <destinations/>
    </Syslog>
    <IDS version="1.0.9">
      <rules/>
      <policies/>
      <userDefinedRules/>
      <files/>
      <fileTags/>
      <general>
        <enabled>0</enabled>
        <ips>0</ips>
        <promisc>0</promisc>
        <interfaces>wan</interfaces>
        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
        <defaultPacketSize/>
        <UpdateCron/>
        <AlertLogrotate>W0D23</AlertLogrotate>
        <AlertSaveLogs>4</AlertSaveLogs>
        <MPMAlgo>ac</MPMAlgo>
        <detect>
          <Profile>medium</Profile>
          <toclient_groups/>
          <toserver_groups/>
        </detect>
        <syslog>0</syslog>
        <syslog_eve>0</syslog_eve>
        <LogPayload>0</LogPayload>
        <verbosity/>
      </general>
    </IDS>
    <cron version="1.0.4">
      <jobs/>
    </cron>
    <monit version="1.0.12">
      <general>
        <enabled>0</enabled>
        <interval>120</interval>
        <startdelay>120</startdelay>
        <mailserver>127.0.0.1</mailserver>
        <port>25</port>
        <username/>
        <password/>
        <ssl>0</ssl>
        <sslversion>auto</sslversion>
        <sslverify>1</sslverify>
        <logfile>syslog facility log_daemon</logfile>
        <statefile/>
        <eventqueuePath/>
        <eventqueueSlots/>
        <httpdEnabled>0</httpdEnabled>
        <httpdUsername>root</httpdUsername>
        <httpdPassword>9ec0GgZn7WfYSY6fK4ZTs17AH</httpdPassword>
        <httpdPort>2812</httpdPort>
        <httpdAllow/>
        <mmonitUrl/>
        <mmonitTimeout>5</mmonitTimeout>
        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
      </general>
      <alert uuid="25261175-cbdb-44e2-8ff2-c1263e9b266c">
        <enabled>0</enabled>
        <recipient>root@localhost.local</recipient>
        <noton>0</noton>
        <events/>
        <format/>
        <reminder>10</reminder>
        <description/>
      </alert>
      <service uuid="4351d165-0877-490b-b02b-dad60becb552">
        <enabled>1</enabled>
        <name>$HOST</name>
        <description/>
        <type>system</type>
        <pidfile/>
        <match/>
        <path/>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>b96b7318-666e-414d-98a4-122962234349,fd42fc79-b30b-46bd-9466-1fe93fda6f71,6abe35bd-2f69-4713-8360-61754511fbe3,5bdfe018-88b7-42cf-a257-15586cc42f7e</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="ad2bc2c9-0704-47ca-8bd8-fdab32f40b9e">
        <enabled>1</enabled>
        <name>RootFs</name>
        <description/>
        <type>filesystem</type>
        <pidfile/>
        <match/>
        <path>/</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>d8f00d05-6774-4205-8bea-e33bacf9d802</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="7e337156-4390-4941-9721-ebd21f66db1a">
        <enabled>0</enabled>
        <name>carp_status_change</name>
        <description/>
        <type>custom</type>
        <pidfile/>
        <match/>
        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>f1070c99-a293-41fc-b1df-22c9aa22cf81</tests>
        <depends/>
        <polltime/>
      </service>
      <service uuid="7a8bc9bd-c466-47f3-83ac-733a044145a4">
        <enabled>0</enabled>
        <name>gateway_alert</name>
        <description/>
        <type>custom</type>
        <pidfile/>
        <match/>
        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
        <timeout>300</timeout>
        <starttimeout>30</starttimeout>
        <address/>
        <interface/>
        <start/>
        <stop/>
        <tests>09f6939a-3bf9-4641-b1ba-42ad85b05cfa</tests>
        <depends/>
        <polltime/>
      </service>
      <test uuid="d1fc5d1f-84ad-4a90-a001-cdc420dd99e7">
        <name>Ping</name>
        <type>NetworkPing</type>
        <condition>failed ping</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="3080609e-fe72-4164-8157-ae44e920807f">
        <name>NetworkLink</name>
        <type>NetworkInterface</type>
        <condition>failed link</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="9b516f06-bbc4-4d57-91c0-e2b280936e0b">
        <name>NetworkSaturation</name>
        <type>NetworkInterface</type>
        <condition>saturation is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="b96b7318-666e-414d-98a4-122962234349">
        <name>MemoryUsage</name>
        <type>SystemResource</type>
        <condition>memory usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="fd42fc79-b30b-46bd-9466-1fe93fda6f71">
        <name>CPUUsage</name>
        <type>SystemResource</type>
        <condition>cpu usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="6abe35bd-2f69-4713-8360-61754511fbe3">
        <name>LoadAvg1</name>
        <type>SystemResource</type>
        <condition>loadavg (1min) is greater than 4</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="5bdfe018-88b7-42cf-a257-15586cc42f7e">
        <name>LoadAvg5</name>
        <type>SystemResource</type>
        <condition>loadavg (5min) is greater than 3</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="8e3d3490-e7aa-49df-a54b-6495b262ec33">
        <name>LoadAvg15</name>
        <type>SystemResource</type>
        <condition>loadavg (15min) is greater than 2</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="d8f00d05-6774-4205-8bea-e33bacf9d802">
        <name>SpaceUsage</name>
        <type>SpaceUsage</type>
        <condition>space usage is greater than 75%</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="f1070c99-a293-41fc-b1df-22c9aa22cf81">
        <name>ChangedStatus</name>
        <type>ProgramStatus</type>
        <condition>changed status</condition>
        <action>alert</action>
        <path/>
      </test>
      <test uuid="09f6939a-3bf9-4641-b1ba-42ad85b05cfa">
        <name>NonZeroStatus</name>
        <type>ProgramStatus</type>
        <condition>status != 0</condition>
        <action>alert</action>
        <path/>
      </test>
    </monit>
    <Gateways version="0.0.1"/>
  </OPNsense>
  <laggs version="1.0.0">
    <lagg/>
  </laggs>
  <vlans version="1.0.0">
    <vlan/>
  </vlans>
  <virtualip version="1.0.0">
    <vip/>
  </virtualip>
  <openvpn/>
  <staticroutes version="1.0.0">
    <route/>
  </staticroutes>
  <ifgroups version="1.0.0"/>
  <bridges>
    <bridged/>
  </bridges>
  <gifs>
    <gif/>
  </gifs>
  <gres>
    <gre/>
  </gres>
  <ppps>
    <ppp/>
  </ppps>
  <wireless>
    <clone/>
  </wireless>
  <ca/>
  <dhcpdv6/>
  <gateways>
    <gateway_item/>
  </gateways>
  <cert>
    <refid>662c4a6b65a15</refid>
    <descr>Web GUI TLS certificate</descr>
  </cert>
</opnsense>

Title: Re: New setup, almost all default, 1111&8888 DNS set but can only access few sites?
Post by: cookiemonster on May 22, 2024, 10:44:11 PM
Does your ISP use IPv6? If not, you could start by disabling it on OPN.