Messages - fbar

#1
Thanks, I will try it out.
#2
Hi,

I got this nice little firewall with 16G RAM and 256G NVME for running OPNSENSE.

    https://www.aliexpress.com/item/1005004242580766.html?spm=a2g0o.order_list.0.0.1cf61802Fuoz0d

    11th Gen N5105 N5095 Soft Router 4 Intel i225 2.5G LAN pfSense Firewall Appliance 2xDDR4 NVMe
    Mini PC OPNsense Virtual Machine

The hardware has a sim slot and a MPCIE slot for a 4G LTE MODEM card.

What is the best 4G card that works well with OPNSense?


Thanks,

/rs
#3
17.1 Legacy Series / Re: OPNSense 17.X and Jails
March 09, 2017, 06:16:55 PM
One last thing, I added a rule in my firewall to allow LocalNet to LocalNet for any any. Not sure how restrictive others may have their rule base but you need to allow access to the jail from other hosts or pf will drop the connections.

Regards
#4
17.1 Legacy Series / Re: OPNSense 17.X and Jails
March 09, 2017, 06:12:18 PM
Here are the instructions on how I got a jail to work in OPNSense 17.1:
# Contents of /etc/rc.conf.d/jail

jail_enable="YES"       # Set to NO to disable starting of any jails
jail_parallel_start="YES"       # Start jails in the background
jail_list=""            # Space separated list of names of jails
jail_reverse_stop="NO"  # Stop jails in reverse order

# End of /etc/rc.conf.d/jail

# Contents of /etc/jail.conf

allow.raw_sockets = 0;
exec.clean;
exec.system_user = "root";
exec.jail_user = "root";
exec.start += "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_${name}_console.log";
mount.devfs;
mount.fstab = "/etc/fstab.$name";
allow.mount;
allow.set_hostname = 0;
allow.sysvipc = 0;
path = "/jails/${name}";

nas {
        host.hostname = "nas.ads.local";
        interface = bge1;
        ip4.addr = 10.xxx.xxx.32;
        allow.raw_sockets = 1;
}

# End of /etc/jail.conf

# Run these commands at shell prompt

touch /etc/fstab.nas
mkdir -p /jails/nas
mkdir -p /jails/11R
cd /jails/11R

fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/11.0-RELEASE/base.txz
tar -JxvC /jails/nas/ -f base.txz

cp /etc/resolv.conf /jails/nas/etc/
cp /etc/localtime /jails/nas/etc/

# Now switch to the root of the jail and change root passwd, mail aliases and
# update the jail release.

chroot /jails/nas /bin/csh

passwd
mkdir /usr/ports
mkdir /usr/home
ln -s /usr/home /home
cd /etc/mail
make aliases
freebsd-update fetch install

grep ssh /etc/defaults/rc.conf > /etc/rc.conf.d/sshd

# Contents of /etc/rc.conf.d/sshd inside the jail

sshd_enable="YES"               # Enable sshd
sshd_program="/usr/sbin/sshd"   # path to sshd, if you want a different one.
sshd_flags=""                   # Additional flags for sshd.
# End of /etc/rc.conf.d/sshd inside the jail
# Exit the jail
exit

# I needed to enable posix acls in OPNSense for samba
# Contents of /etc/fstab

# Device                Mountpoint      FStype  Options         Dump    Pass#
/dev/ada0s1a            /               ufs     rw,acls         1       1
/dev/ada0s1b            none            swap    sw              0       0
# End of /etc/fstab

# reboot OPNSense firewall, ssh back in, the jail should be running

jls

root@OPNSense:/etc # jls
   JID  IP Address      Hostname                      Path
     5  10.xxx.xxx.32     nas.ads.local                 /jails/nas

# you can now ssh into the jail via IP or use jexec. Set PermitRootLogin if you want to ssh in as root in the jail.
# otherwise use jexec to log into the jail
jexec 5 /bin/csh

root@nas:~ #

# update pkg database

pkg update


# Install samba **** samba 44 is broken in freebsd - just core dumps
# install 43 instead. Maybe samba45 will fix the issue

pkg install samba43-4.3.13_1.txz

# Follow the rest of the Samba install. I used the standalone model, you can also run as a dc, etc.

#5
17.1 Legacy Series / Re: OPNSense 17.X and Jails
March 09, 2017, 01:24:12 AM
That's what I wanted to confirm - use FreeBSD 11.x tarballs.
I didn't know if OPNSense was drastically that different. I suppose as long as the kernel versions are in sync then I should be ok.

Ok, I will try that and see what happens.

/rs
#6
17.1 Legacy Series / Re: OPNSense 17.X and Jails
March 08, 2017, 04:40:40 PM
I didn't want it to be that complicated. Actually, I would have just preferred a plugin or samba pkg to run on the firewall itself. I know it's frowned upon but it's just a simple server. I thought the next best step is to run samba in a jail. I like the GUI and simplicity of OPNSense though. I suppose if I have to I can go back to running a full server (OpenBSD). I don't really want to compile packages, run hypervisors etc. just to stream music. I'll wait to see what others suggest over the next few days.

Thanks.
#7
17.1 Legacy Series / OPNSense 17.X and Jails
March 08, 2017, 01:49:54 AM
Greetings,

I would like to run a jail inside OPNSense 17.1. I have a decent firewall, 2 core, 8G RAM with 512GB SSD, more than enough for a FW and a SONOS music server. I just want to run Samba 4 as a simple file server for my SONOS music system. I really don't want to run freenas or another separate server. Are there instructions on how to do this on OPNSense and is there an OPNSense jail tarball I can use?

Thanks.
#8
Thank you for looking into this  :)
#9
Quote from: franco on December 11, 2015, 09:58:51 PM
Yes, paste the file contents into the GUI if it is static. If it is dynamic, you can add the following to unbound advanced options text area instead... (note the colon)

include: /var/unbound/ad_servers.conf

That unfortunately doesn't work because it puts the line after the "." cache section:
# Forwarding
forward-zone:
    name: "."
        forward-addr: x.x.x.x
        forward-addr: y.y.y.y


# Unbound custom option
include:
/var/unbound/ad_servers.conf


This causes the contents of ad_servers.conf to be ignored and actually resolves it to the real addresses instead of 127.0.0.1. The placement of it appears to be important. If I place it before the forwarding section I get the intended results. If it is placed after (as it is when using the "advanced method") it doesn't work.

#10

Found my own answer by editing the file:

/usr/local/etc/inc/unbound.inc

to include:
include: /var/unbound/ad_servers.conf

then restarting unbound. Works like a charm.

#11
Hi ,

I've switched from OpenBSD server to OPNSense and must say it is quite nice. In my old setup I had autogenerated a conf file for ad servers so that unbound would respond back with 127.0.0.1:

curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound;showintro=0" | sed -e 's/<[^>]*>//g' | sed -e 's/^Ad.*//g' > /var/unbound/ad_servers.conf

Then in unbound.conf:

include: /var/unbound/ad_servers.conf

This generates hundreds of adserver domains that point back to 127.0.0.1:
local-zone: "101com.com" redirect
local-data: "101com.com A 127.0.0.1"
local-zone: "101order.com" redirect
local-data: "101order.com A 127.0.0.1"
...



How do I make this persistent on reboots in OPNSense so that I can continue to block adservers at the network/DNS level?

Thanks.
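As an added example that is not from the original posts, the following Python script covers the two problems raised in posts #9 and #11: it re-emits only syntactically valid hostnames from a fetched ad-server list before that list ever reaches unbound, and it moves the include ahead of the forward-zone clause, which is the placement post #9 reports working. The sample list and unbound.conf below are constructed; the local-zone/local-data format and the /var/unbound/ad_servers.conf path are the posts' own.

```python
import re

# Constructed sample in the shape the curl|sed pipeline from the post produces,
# with one malformed entry added to show the filtering.
SAMPLE_LIST = """\
local-zone: "101com.com" redirect
local-data: "101com.com A 127.0.0.1"
local-zone: "bad host!" redirect
local-data: "bad host! A 127.0.0.1"
"""
# Constructed unbound.conf in the shape the post describes: the GUI appends the
# custom "include:" after forward-zone, so the included lines land in that clause.
SAMPLE_CONF = """\
server:
    verbosity: 1
# Forwarding
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
# Unbound custom option
include: /var/unbound/ad_servers.conf
"""
# Hostname syntax check so a fetched list cannot smuggle arbitrary unbound
# directives into the resolver configuration.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

def filter_blocklist(text, sink="127.0.0.1"):
    """Re-emit local-zone/local-data pairs only for names that pass DOMAIN_RE."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^local-zone:\s+"([^"]+)"\s+redirect\s*$', line)
        if m and DOMAIN_RE.match(d := m.group(1).lower()):
            out.append(f'local-zone: "{d}" redirect')
            out.append(f'local-data: "{d} A {sink}"')
    return "\n".join(out) + "\n"

def move_include_before_forwarding(conf, include_path):
    """Unbound splices includes in textually and local-zone is a server: option,
    so the include must sit before the first forward-zone: clause."""
    inc = f"include: {include_path}"
    kept = [l for l in conf.splitlines() if l.strip() != inc]
    out, placed = [], False
    for l in kept:
        if not placed and l.startswith("forward-zone:"):
            out.append(inc)
            placed = True
        out.append(l)
    if not placed:
        out.append(inc)
    return "\n".join(out) + "\n"
```

Running `move_include_before_forwarding` a second time on its own output is a no-op, so it is safe to apply on every regeneration of the file.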