Topics - mvdheijkant

#1
I'm passing a webhook request from Azure DevOps to my local Jenkins. It's passing Nginx on OPNsense.
I read it does not give any clear message when the definition is invalid.
This is part of the request URL: "/generic-webhook-trigger/invoke?token=mytoken/git/notifyCommit?url..."
The webhook URL definition on DevOps is "/generic-webhook-trigger/invoke?token=mytoken", but it's also adding "/git/notifyCommit?url...", which creates an invalid URL.
So I'm trying to remove "/git/notifyCommit?" from the URL and replace it with "&".
But whatever I try to define as a URL rewriting rule (and add it to the location), it does not do anything, passing the original URL.

Do you have any suggestions on the used parameters for the URL rewriting rule?

Additionally, I've also looked at the nginx.config and it validated with the following test:
location = /git/notifyCommit {
    rewrite ^/git/notifyCommit?$ /somePage break;
}

But it still did not rewrite the URL at all.
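An added check, not part of the original post, showing why a path-based rule cannot touch that fragment: the stray "/git/notifyCommit?url..." sits in the query string, not the path, and a proxy's path matching never sees it. The host name, token and repository URL below are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed sample: the request as described in the post, with a placeholder
# host, token and repository URL (the post elides the real values).
SAMPLE_URL = (
    "https://jenkins.example.invalid/generic-webhook-trigger/invoke"
    "?token=mytoken/git/notifyCommit?url=https://dev.azure.com/org/repo"
)

# The fragment the post wants to turn into a plain '&' separator.
STRAY = "/git/notifyCommit?"


def split_request(url):
    """Return (path, query) the way a reverse proxy sees the request.

    Path matching (nginx 'location' blocks and 'rewrite' regexes) works on the
    path only; everything after the first '?' is the query string, so a rule
    written against /git/notifyCommit never fires for this request.
    """
    parts = urlsplit(url)
    return parts.path, parts.query


def stray_in_query(url):
    """True when the stray fragment lives in the query string, not the path."""
    path, query = split_request(url)
    return STRAY not in path and STRAY in query


def fix_query(url):
    """Replace the first stray '/git/notifyCommit?' in the query string with
    '&', yielding a well-formed 'token=...&url=...' query."""
    parts = urlsplit(url)
    fixed_query = parts.query.replace(STRAY, "&", 1)
    return urlunsplit(parts._replace(query=fixed_query))


def parsed_params(url):
    """Decode the query string into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    print("path :", split_request(SAMPLE_URL)[0])
    print("query:", split_request(SAMPLE_URL)[1])
    print("before:", parsed_params(SAMPLE_URL))
    print("after :", parsed_params(fix_query(SAMPLE_URL)))
```

Before the fix the whole tail is swallowed into the `token` value; after it, `token` and `url` decode as two separate parameters, which is what a query-string-aware rule (rather than a path rewrite) has to produce.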
#2
I was looking forward to a new dashboard after upgrading to 24.7, but it's still a bit disappointing.
As the attached picture shows, some of the widgets do not work (yet).
"System Information" sometimes shows after a page refresh, but after a short while it shows "failed" again.
Are these known issues for all of the failing widgets?

Hope we get a hotfix soon.
#3
I'm using several VLANs that all have access to the internet, their own VLAN and DNS on LAN, but nothing else on the network. See GUEST VLAN.jpg.
I think this looks fine.
My problem is with the camera network, which I also don't want to give internet access.
Despite trying all kinds of rules, I did not get a good result at first.
Except when adding the blocking rule on top of the others, as shown in the CAM VLAN.jpg.

What can I say, it works, but I have the feeling it's a bit of a novice solution.
The DNS access can also be made obsolete, I gather.

Can you help me, or show me your solutions for this problem?
Thanks.
#4
Does anyone know if it's possible to upload a certificate from ACME with automation to TrueNAS SCALE?
Maybe it is in development, but I can't find anything about it.
It's a wildcard certificate from Let's Encrypt that I'm using for Synology and also want to use for my TrueNAS SCALE.
Or is the other way around possible, to use nginx or Traefik on TrueNAS and get it from OPNsense/ACME?
Or is it all too complex, and should I simply use a different certificate on my TrueNAS SCALE?
I'm relying quite a bit on the GUI user interface and am not too familiar with Linux commands at all.

Does anyone have experience with this?
#5
I think this is a shot in the dark, but I think that my OPNsense is blocking login.microsoftonline.com.
It's OPNsense or the way it is configured, because when I make a Wi-Fi connection through a hotspot on my phone, the sign-in validates immediately.
Also from another PC, connected to my private network, I cannot sign in from Visual Studio.
Through Fiddler I see that the Visual Studio sign-in goes to login.microsoftonline.com but doesn't return an answer.
I've disabled ClamAV (I think not related), Intrusion Detection, Unbound DNS (BlockList), without success.
But I still have no clue how I can see whether the Visual Studio sign-in passes or is blocked.

Is there a way to pass this URL through to see if it's caused by OPNsense? Or is there a good monitoring tool that can help me?
#6
After a sudden crash of OPNsense 22.7.2 it no longer booted.
Because I don't know much about Linux and FreeBSD, the only solution I could think of was to reinstall and restore the settings.
After the initial install I could reach 192.168.1.1 directly from my laptop, and was able to restore the latest backup from the explorer. After that the internet worked again, restoring my IP range to 192.168.178.x. DNS and DHCP also worked again after the restore (as they should).

The problem now is that I can't access OPNsense any more through http://192.168.178.1/index.php or https://192.168.178.1:1443/index.php.

Is there any way to configure some rule or setting, by console, to access my OPNsense again from my laptop?
#7
Every time I modify some Unbound DNS setting, but mostly Overrides, the service does not restart.
It stops running after the settings are saved.
Trying to do a manual start also does not work. It halts for a few seconds showing that it wants to start, but nothing happens.
Only after a reboot is the service up and running again.

Does anyone have an explanation for this behavior, and can it be resolved? Or where can I find any logging of why the service does not restart?

Thanks.
#8
I did a few re-installs when I started using OPNsense and one since, and every time after the second or third reboot, the startup took more time than the 1 or 2 minutes I was expecting. During the startup I can see the timeouts shown below. These look like the cause of the slow startups. It might not be something in OPNsense itself but more a hardware setup problem.
OPNsense is running on this hardware: https://www.amazon.nl/dp/B09PHGWPMB

Does anyone have a suggestion as to what hardware setup could be the cause of this problem, or maybe some driver problem?

lo0: link state changed to UP
igc0: link state changed to DOWN
igc1: link state changed to DOWN
igc0: link state changed to UP
igc1: link state changed to UP
ahcich1: Timeout on slot 9 port 0
ahcich1: is 00000000 cs 00000000 ss 00000200 rs 00000200 tfd 50 serr 00000000 cmd 0000d517
(ada0:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 01 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich1:0:0:0): CAM status: Command timeout
(ada0:ahcich1:0:0:0): Retrying command, 3 more tries remain
ahcich1: Timeout on slot 26 port 0
ahcich1: is 00000000 cs 00000000 ss 04000000 rs 04000000 tfd 40 serr 00000000 cmd 0000da17
(ada0:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 01 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich1:0:0:0): CAM status: Command timeout
(ada0:ahcich1:0:0:0): Retrying command, 2 more tries remain
ahcich1: Timeout on slot 31 port 0
ahcich1: is 00000000 cs 00000000 ss 80000000 rs 80000000 tfd 40 serr 00000000 cmd 0000df17
(ada0:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 01 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich1:0:0:0): CAM status: Command timeout
(ada0:ahcich1:0:0:0): Retrying command, 1 more tries remain
ahcich1: Timeout on slot 4 port 0
ahcich1: is 00000000 cs 00000000 ss 00000010 rs 00000010 tfd 40 serr 00000000 cmd 0000c417
(ada0:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 01 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich1:0:0:0): CAM status: Command timeout
(ada0:ahcich1:0:0:0): Retrying command, 0 more tries remain
ahcich1: Timeout on slot 9 port 0
ahcich1: is 00000000 cs 00000000 ss 00000200 rs 00000200 tfd 40 serr 00000000 cmd 0000c917
(ada0:ahcich1:0:0:0): SEND_FPDMA_QUEUED DATA SET MANAGEMENT. ACB: 64 01 00 00 00 40 00 00 00 00 00 00
(ada0:ahcich1:0:0:0): CAM status: Command timeout
(ada0:ahcich1:0:0:0): Error 5, Retries exhausted
pflog0: permanently promiscuous mode enabled
WARNING: attempt to domain_add(netgraph) after domainfinalize()
#9
Every time OPNsense is rebooted, my Nginx reverse proxy is no longer working.
The website that I am hosting is no longer accessible.
Only after refreshing the Nginx configuration is the website available again.
How come? Is this standard behavior? I hope it's a bug that can be resolved.

I'm using this version:
OPNsense 22.1.8_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o 3 May 2022
#10
My WAN overview shows the list below. I think that it should only show the last 3 lines if I don't want to use my provider's DNS servers.
In System/Settings/General I've added 1.1.1.1, 8.8.8.8 and 9.9.9.9.
All other "networking" settings are disabled.
How can I remove my provider's DNS servers?

DNS servers   
84.116.46.23
84.116.46.22
2001:b88:1002::10
2001:b88:1202::10
2001:730:3e42:1000::53
1.1.1.1
8.8.8.8
9.9.9.9
#11
General Discussion / ACME "Create domain key error."
April 28, 2022, 06:22:33 PM
I'm receiving this message when trying to create a certificate with ACME. How can this be resolved?
Also, what's strange about this is that the key length says 4096, while I changed it to 2048, restarted and retried.

2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Create domain key error.
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Add '--force', and try again.
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Domain key exists, do you want to overwrite the key?
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Using config home:/var/etc/acme-client/home
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Creating domain key
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] Read key length:4096
2022-04-28T00:00:02   acme.sh   [Thu Apr 28 00:00:02 CEST 2022] _saved_account_key_hash is not changed, skip register account.
#12
As described above, I have a Ziggo modem in bridge mode and an OPNsense router.
What I want to know is whether my settings are wrong or whether my logging shows nothing of particular significance.
I see these messages on my WAN connection (connected to the Ziggo modem):
2022-04-23T18:51:05   Error   radvd   AdvLinkMTU for igc1 (576) must be zero or between 1280 and 1500   
2022-04-23T18:51:05   Warning   radvd   prefix length should be 64 for igc1

Actually my internet connection works entirely to my satisfaction with IPv4 and IPv6, and yet these messages keep bothering me.
When I try a number of recommended MTU settings, such as 1472, the connection seems to work but turns out to be anything but stable. I have also tried other MTUs without a stable result on either IPv4 or IPv6.
So I left the MTU setting empty again and see the error message return.

Also, according to Ziggo the prefix length should be set to 60 (I believe I read). But this seems to be overruled with 56.

What is the right thing to do now: keep my settings as they are and pay no attention to the logging? What is the best thing I can do here?
#13
I'm using Nginx as a reverse proxy instead of NAT.
What would the "Original URL Pattern (Regex)" and "New URL Pattern" be if I want to access a website externally with the URL "https://my.externaldomain.eu", going to an internal server that can be accessed by "https://externaldomain.localdomain.local"?
#14
I would like to reach a local web server, which is reachable internally via 192.168.178.222:8443 or sub.mydomain.local, externally as my.sub.eu.
I can reach my.sub.eu externally via the reverse proxy if I also have a web server my.sub.eu running internally. I have installed a valid certificate for my.sub.eu on OPNsense, not on the internal server.

Is it correct that I can use the URL rewriter for this, and where is the best place to set this up? Apparently I can do this at the http server and/or location level.

Can anyone help me further with this?
#15
I'm using this version:
os-acme-client (installed)   3.9   664KiB   OPNsense   ACME Client

When trying to create a certificate I receive the following error:

2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Sleep 10 and retry.
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Can not init api for: https://acme-staging-v02.api.letsencrypt.org/directory.
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] ret='35'
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] timeout=
2022-04-11T19:16:20   acme.sh   [Mon Apr 11 19:16:20 CEST 2022] url='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] GET
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] _init api for server: https://acme-staging-v02.api.letsencrypt.org/directory
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using config home:/var/etc/acme-client/home
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] ACME_DIRECTORY='https://acme-staging-v02.api.letsencrypt.org/directory'
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using config home:/var/etc/acme-client/home
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Running cmd: registeraccount
2022-04-11T19:15:39   acme.sh   [Mon Apr 11 19:15:39 CEST 2022] Using server: letsencrypt_test

Further info: challenge type DNS-01, Cloudflare API.
I don't know how far along, or where, the registration is halting.
Maybe someone had the same error and can tell me what to look for.