Messages

I have the same subject here and just want to confirm that I am not running into some walls here:

- We run an older Deciso appliance with OPNSense Community edition and just upgraded to a brand new including business edition.

So, we can import the config of the 25.7. community into the 25.10. business? What about if we decide to do the community upgrade to 26.1 before we have the new appliance ready?

Hi
I have been using OPENVPN for years. Now the "old" plugin is legacy, so I converted all settings to the "new" instances. However, when I turn off the client/servers from the old settings and start the "instances", I cannot connect anymore.

As this is business critical for me, I wonder what I am doing wrong. Is there a comprehensive how-to for the conversion of the old settings to the new? I had to guess a few fields as they are named differently, but I believe I got it okay. No error message except "time out" to be found.

I am prety sure that OpnSense did not have an auto-update feature so far. *However* it seems to do this now. I was away and just checked back on OpnSense after two weeks and to my suprise it claims to be on 25.1.5_5. A hotfix that just came out this monday, after an update that came out last week.

Being *very* sure that I did not install either update, I still checked to "check for updated". And then all that came was "System is rebooting Rebooting".


After a while, it goes back to the dashboard. As it did not boot I tried to reboot from the energy menu - no effect.

Also, my *av services do not start and "intrusion detection" regularily breaks down.

I am very confused. Is there a new autoupdate feature? Does it update itself now?

And why can't I reboot? What is the problem? I tried many things short from pulling the plug.

Hi
I have a confusing problem which I cannot figure out:
- I have a number of Samsung A9+ tablets configured in the LAN
- The tablets can access the internet and internal zones and download the *Play Services* Updates without problem
- They cannot download the Samsung Update (Software/Firmware Update)
- If I plug them into our Guest Network, all works fine
- When I do a live inspection of the Firewall protocol with the source of the corresponding IP I only get "pass to router, "Anti Lockout Rule"" no other message.

I really do not understand where it stalls. Any idea?

I am using unbound as DNS with some standard ad-blockers, but as I can access the internet fine, this is not an issue, isn't it?

Any help for understanding how to trace the problem would be apreaciated.

Hi
I installed quite a while ago a Rocket.chat server (snap) behind my OPNSense firewall and used a turourial for getting this done (it is done via automations, took a bit but works well).
Now I try the same with a postfix/cyrus setup I have behind my firewall. Opening a port 80 to this host is out of question.

The reason I want to do this is, that currently a few anti-spam engines (may they rot in hell) decline our emails due to "non verifiable certificate chain". We are forwarding all our email to a relay of our uplink and download everything via fetchmail (all on a server behind the firewall).

With a let's encrypt SSL certificate for our postfix host I hope to be able to solve the problem.

Anybody knowing where to find or having maybe written such a tutorial will be sure of my never ending thanks for pointing me to it.

I honestly did not look into the postfix service of OPNsense so I do not know if that would solve my issues easier. Any suggestions welcome.

And: Happy New Year!

Hi
I try to get Wireguard running with a few clients (currently I run mostly on OpenVPN and IPSec, both are working fine, smoothly and easy to setup). I followed

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

In multiple attempts, religiously so far. With variations that are due to my setup. However, I always get the message "handshake timed out" at the client after 5 sec when trying to connect.

On server side I do not get any messages, assuming that the client is somehow not reaching the right endpoint.

To make things a bit more spicy, I have for technical reasons (thank you DEUTSCHE TELEKOM) to run two Fritz!Boxes as endpoints in my network for two DSL lines. Both make the connection but forward everything to the OPNSENSE Firewall on two different ports (input ports).

So, basically:

- The firewall is in two different non-routing networks (192.168.178.0/24 and 192.168.179.0/24), while the Fritz!boxes have fixed external IP Adresses

I have setup accoring to the example an nistance on port 51820 and a tunnel address of 192.168.22.0/24.
Then I have setup a peer with the same public key as the instance and a preshared key. Allowed IP is one single (192.168.22.100/32). Endpoint is the public IP of one of the Fritz!Boxes, port 51820. The Instance to use the (only) instance I have generated.

I then went to the peer generator and generated a configuartion that I imported in a client (S7FE Tablet, wireguard software).

I am now unable to connect from there, but also I no idea what the problem might be.

I also included in the Firewall settings on each of the WANS a route for the UDP port:

    IPv4 UDP    *    *    WAN1DSL Adresse    51820    *    *       Wiregard Inbound WAN1DSL

I am utterly confused and run into walls here. What am I doing wrong?

Amazing as everybody says "Wireguard is the easiest to setup" and I spent more time trying to get it to work than a number of IPSEC and OPENVPN setups together.

For some reasons I want to be able to use Wireguard additionally to the OpenVPN Roadwarrier configurations for some clients, but I am totally failing at it. Please help!

Merry Christmas!

Hi
I am using OpenVPN with OPNSense since many years. For some reasons we have multiple OpnVPN Servers running ("legacy mode"). The config is

WAN1: 1194 UDP
WAN2: 1195 UDP
WAN1: 443 TCP
WAN2: 443 TCP

The latter two servers are in the (from time to time happening case) that UDP connections are blocked by a firewall e.g. in a hotel.

Now, the fun part is: Depending on which server to connect, sometimes we cannot acces certain webservers in the company, and other times we can. Sometimes it happens on the UDP ports and sometimes on the 443. To be honest, I do not understand what the problem is - the firewall actually does not block it.

Maybe someone has an idea to debug this? Is it mandatory to move to the new "instances"  or can I continue to use the "old" setup?
Thanks

Hi
I am trying to setup wireguard as alternate VPN to the existing and running vpn. However, even if I religously follow the instruction in the documentation, i get an immediate connect (well, both linux and android claim to have connected), but nothing is accessible. i do not see anything from the inside network, not the ouside network.

Protocoll is set to "debugging" but does not even show entries (no new entries when somebody tries to connect I mean):

2024-09-01T10:21:54   Notice   wireguard   wireguard instance RoadWarrior (wg0) started   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WireGuard))   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WireGuard)   
2024-09-01T10:21:54   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt4'

I have no idea where to set the "gateway address" as I have set it under "Peers" with the correct IP of the outside address. However, the address is tested either to be the external IP to the internet (which is the IP of a router forwarding everything to the firewall) OR the IP of the firewall. Both do not make any difference.

I really do not understand what the problem is or how to debug it. There is literally no traffic via the wireguard interface.

Thank you for your help.

I have spent now a lot of time in these matters. But no results.

I am at a point were I can assume the following:

I run several OpenVPN Servers e.g. on port 1195, 1196, 443. Port 443 (TCP) operates on both internet landlines.

It seems as when I connect via port 443 one, and exactly one IP in the internal network of the VPN Firewall is not accessible. ALL other ports work fine. When I reconnect and connect to UDP Port 1195 for example - I can access it.

I am more than somewhat confused about it. All openVPN servers have different IP ranges (and are there for exactly this purpose - being stuck in a hotel that blocks our IP ranges, so I tried to avoid that problem by having differen VPNs that would allow in any case to use a private network).

I do see that the access from the VPN to the firefill is transferred to the IP address ("pass"). However, it does not seem to arrive.

Maybe it is of importance that the host "missing" is a virtual machine - on the other hand, all other virtual machines work fine.

It would be great if anybody has an idea where the problem could be based or at last, how I might be able to trace it. Currently my only option is to reconnect the VPN until I see the host again...

Hi
since the latest update, I cannot access from my VPN services that are available at ports 8000, 8080, 8100 etc.
On hosts, providing those services, I cannot even get a ping (either direction) through or login.

This worked right before the last update (24.1.9_hf4).

I did not change anyhting a the firewall rules. I tried to loosen the rules, but no effect.

Specifically one virtual machine running in the main net 192.168.1.33 is not accessible. On any port.
My VPN runs (openVPN) at 192.168.21.x
I cannot ping in either direction or connect.

The Firewall seems to accept the cooection  ("pass") from the VPN - after that it is silence.

Within the main main net, the hosts in question (192.168.1.33) is reachable on any port, ping, ssh etc.

It seems as the packages send are just eaten up from the firewall.

I am runnign out of ideas how to find the problem. The hosts in question is a VM, but on that machine a number of identically configured VMs are present and all work.

Any idea where that comes from and how to solve?
Thanks.

Maybe it just took a veeeery long time (>30 min) to reload unbound... now it works.

Hi
I recently have discovered blacklisting with unbound (yes, yes, I am slow sometimes), and now want to WHITELIST some pages, e.g. web.whatsapp.com
However, the whitelisting does not work at all

- *.whatsapp.com (despite the help below that field) is not accepted, according to protocol "invalid"
- (.*)?(\.)?whatsapp.com is accepted

However, none of them allow access to web.whatsapp.com

It seems as the Whitelisting is broken? I am on the current 24.1 version with todays updates (OPNsense 24.1.1-amd64).

Hi
Right after the last update I see that the memory consuption is very high on my system (>>90%).
Most of it is made up by "inactive processes". They form like a stepwise ladder during the day and are killed somewhere late in the evening.
The strange thing is, that if I look at a long term overview, this only.
It started around Jan 20 this year right after an update.
Since then it seems to get worse.

Hi
I tried to install the webproxy with TLS inspection and ICAP. However, this does not work on all pages.

While https://www.spiegel.de loads fine, https://faz.net is not loading at all (access denied by proxy). Many other pages, e.g. this forum work.

I cannot find the reason for that acutally. Even if I specifically insert an exception in the SSL inspection, or in the access lists, it still does not load faz.net.

Is there any way to find out what is actually blocking the page?

BTW: Funny enough, the EICAR test file is loaded both with https and with http....

Hi
I found that it seems a number of external ACL blacklists do not work anymore. So I searched for new ones and I wonder if I can test if they are good and active. Some pages (e.g. www.spiegel.de or www.faz.net) manage to dump a lot of advertisement on the page - that is funny enough not displayed on a reload of the page.

So I wonder if the ACL is working correctly.

Any way to test this?