Messages

If I read htop correctly the RES is 3700 so 3.7 megabytes

I'm saying that the dhcp service gives to clients various pieces of information including the dns server to use, that's all.
I don't know what else to suggest then if your clients have problems when you only use Unbound for name resolution. Normally it is a configuration problem, whether on Unbound itself or the overall dns resolution setup for clients, which is what I've been trying to get you to see.

Services like AdGuardHome but seems not.

I previously had Unbound enabled (it came that way by default). I did nothing further with it. In System->Settings->General, I had specified three DNS server IPs. Nothing more for DNS. It's been this way for a couple of years, and no trouble here that I'm aware of.

System->Settings->General is for OPN itself but take notice of the tooltips because then you can start pushing these to clients depending on other settings.
Then you look what you have in your selected  DHCP service. That gets passed to your clients. Say for instance ISC DHCPv4, expand your LAN interface settings there. Check the tooltip for "DNS servers" too: "Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers." So that means that if you have Unbound enabled and as per default listening on all interfaces, the DHCP lease will have this interface's IP as the DNS server for the clients. But you can see you can also override things here.
As diagnostic, when it happens on your clients, check what ip they are using for dns.

phew, just in time hey! There are plugins available to save configs regularly like sftp and to nextcloud.

@pseudonym3k I read you are running a pretty "default" setup but it is an upgrade so worth visiting basics. What services do you have running on your infra and on OPN ?

Crickey it is so hard to read your posts, in this pseudo-verse and no punctuation. Are you able to change that going forward? Not criticism intended, just making it easier.
Anyhow, I think you say you have a (corporate) device which makes connections out and you say you can block it with a firewall rule. Is there a question ?

I suggest to do a search on this forum for N100. Seems to have to have a firmware that is up to date.

I suspect the filesystem is in a bad state. I'd urgently save your config as you might need to re-install.
How it got there? Perhaps a faulty storage.

@cookiemonster Services on the same server but different port is relatively standard and I am confirming that the same ip address and ports are accessible from the network prior to moving to opnsense and after stabilising with opnsense.

Yes it is pretty standard. I wasn't saying otherwise ;)
Network connectivity at ip level seems OK then. And it has been established that they are on the same network segment (and same host). By DNS is another matter so we might need to diagnose that. No routing required of course. The basic tests I was thinking you have now accomplished so I'm leaning on the application side now.

BTW if you have a flat network, may I ask why are you using those plugins which are normally to relay broadcast traffic between networks? Unrelated of course, just in case it shines some strange light.

[- IOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.]

Hi Gents,

Please try to follow Cedrick's App Note carefully: https://docs.opnsense.org/manual/how-tos/ipsec-swanctl-rw-ikev2-eap-mschapv2.html. This is a good starting point...

In my case the biggest stumbles were as follows:
- that "advanced mode" toggle in the left upper corner of the IPsec screen is pretty easy to overlook
- it was not in the documentation that the DNS server(s) can be defined on the Pool configuration form
- and the biggest one is that Apple hasn't implemented the certificate check consistently i.e. macOS and IOS implementations differ:
  - in case of macOS it is sufficient to import in the root and intermediate certificates and accept root certificate as trustworthy
  - IOS is more picky: additionally it is necessary to create a .config profile and embed the root and intermediate certificates in DER Base64 format.

Hopefully above will be deemed helpful, but please send specific questions and I will try to help...

Best regards,

Tamas Halmai

This highlighted element is one that I am unaware of, so I need to see how to implement it. I have failed so far to get iOS client to connect although I suspect I have a either corruption or a very edge case of ui defect in opn. So far those instructions followed to the letter with no success, but no wonder if it also needs this extra step. Where do you need to place it on iOS ? And is it the certs chain from CA to client in text file, then base64 encode ?
Thanks for sharing.

meantime whilst hopefully Tamas helps, can I ask this Cedrik? You previously gave me hints to solve my same problem which is still unsolved.
I suspect my trust store is corrupted but I can't read the code. How does the UI page to show a certificate select the file from the filesystem? I am trying to identify each file in /usr/local/etc/swanctl/{x509,x509ca}
From that I'd be more confident on which ones to remove with the UI.

care to share how it has been made to work ?

Yes I get the local-only traffic and therein lies the question. Verify it still goes and gets where it is -supposed- to be.
My thinking is the OP has his host with a static ip on the old router. Now he has OPN as the new router but although traffic is not through it, the host(s) still require the new router to dish out their ip addresses, static reserver or dynamic.
Now lately with isc dhcp to dnsmasq transition it might not be yet setup correctly to have dhcp reservations. Hence I am suggesting to check that basic.

Docker containers = I'm out. Sorry, can't help.

The mini pc host has 32 GB but this is a VM on it. It only has been given 6 GiB and 2 vCPUs.