Messages - stormy

#1
My setup is sort of Multi-WAN, the second NIC/port is not enabled.

I had this port:  3WANC interface (wan, pppoe0)

but I've stopped using PPPoE for the time being, and that port is DOWN.

Instead I got:  4WANH interface (opt2, igb1)

and that is set up as DHCP; it can surf the net. However, clicking RELEASE/RENEW on that port causes the above effect, in that the default gateway is missing.  I must ssh into the OPNsense box and add a default gateway, then all connected devices can surf the internet.

Thanks.
#2
Is this a known issue or something bad in my setup/steps?

Using OPNsense 17.7.11-amd64 with PPPoE, I'm able to click RELEASE followed by RENEW on the INTERFACES:OVERVIEW page on the specific port and all works as expected after that.

However, when doing that RELEASE / RENEW on a DHCP connection (not pppoe), the link comes up, gets an IP, but no surfing is possible!

Comparing netstat -rn before/after shows that a single line is missing: the one for the default gateway!

default x.y.z.q   UGS   igb1

The solution is to ssh into the opnsense box, and add a default gateway, e.g:

route add default x.y.z.q

and boom, immediately all works fine.

Any thoughts welcomed..

Stormy.
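The check and fix from the two posts above, as an added example that is not part of the original posts: a small POSIX shell script that looks for the "default" line in netstat -rn output and runs the poster's "route add default" only when that line is really gone, so it can sit in cron or a dhclient hook without stacking duplicate routes. The gateway 192.0.2.1, the interface names and the two sample routing tables are constructed for this example, not the poster's real values.

```sh
#!/bin/sh
# Added example, not from the original post: detect a missing IPv4 default
# route in `netstat -rn` output and put it back only when it is really gone.
# 192.0.2.1 and the sample tables below are placeholders, not the poster's
# real gateway or routing table.

# has_default_route: read routing-table text on stdin; exit 0 if a line
# whose first column is "default" exists, 1 otherwise.
has_default_route() {
    awk 'BEGIN { missing = 1 }
         $1 == "default" { missing = 0 }
         END { exit missing }'
}

# default_gateway_of: print the gateway column of the default entry (empty
# output if there is none).
default_gateway_of() {
    awk '$1 == "default" { print $2; exit }'
}

# ensure_default_route GW: the thread's "route add default GW" fix, made
# idempotent so it can run from cron or a dhclient hook without stacking
# duplicate routes. Needs root and a FreeBSD/OPNsense netstat.
ensure_default_route() {
    gw="$1"
    table="$(netstat -rn -f inet)"
    if printf '%s\n' "$table" | has_default_route; then
        echo "default route present via $(printf '%s\n' "$table" | default_gateway_of)"
    else
        echo "default route missing, adding via $gw"
        route add default "$gw"
    fi
}

# Constructed sample tables for an offline check: AFTER is BEFORE with the
# single "default" line removed, which is what the poster saw after
# RELEASE/RENEW on the DHCP WAN.
BEFORE='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS        igb1
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#2             U          igb1
192.168.1.0/24     link#1             U          igb0'

AFTER='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
127.0.0.1          link#3             UH          lo0
192.0.2.0/24       link#2             U          igb1
192.168.1.0/24     link#1             U          igb0'

printf '%s\n' "$BEFORE" | has_default_route && echo "BEFORE: default via $(printf '%s\n' "$BEFORE" | default_gateway_of)"
printf '%s\n' "$AFTER"  | has_default_route || echo "AFTER: no default route, ensure_default_route would add one"
# Real use on the firewall: ensure_default_route 192.0.2.1
```

The awk filters only look at the first column, so the "Destination" header and the "Routing tables" banner never match; on a box with IPv6 routes use the -f inet filter as in ensure_default_route, otherwise an IPv6 "default" entry would hide a missing IPv4 one.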
#3
General Discussion / Re: how block youtube
October 19, 2017, 11:38:19 PM
Sorry, haven't had time to look into this since then. It was surprisingly complex; I'm not sure why a simple list of URLs (with wildcards) cannot be blocked.. maybe someone has a solution.  For the moment, I shut down the entire client IP :) :) until a more reliable way is found...
#4
That was it!!!  Thanks!
#5
I got 17.7.1 configured with LAN + WIFI as well as BRIDGE0 on both.

All clients can ping one another EXCEPT a wifi client cannot ping another wifi client.

I suspect this is some firewall rule that needs to be added, but I have no clue how to do that...

sorry if this is in the docs :)

just to be clear:

1) LAN can ping all other LAN clients
2) LAN can ping all wifi clients
3) wifi can ping all LAN clients
4) a wifi client cannot ping any other wifi client

Thanks in advance.

Stormy
#6
General Discussion / Re: how block youtube
August 08, 2017, 10:12:42 AM
Thanks for taking the time Fabian.

Sorry, seems I'm totally uneducated on how this works, but thankfully someone else started this thread so I don't feel so bad :)

1)  First you wrote:

"An alias will probably not work because it resolves an DNS entry which is valid for 300s "

then you write it WILL work and say something about a TTL of 4h, not sure how that plays into things..  I just need traffic to specific websites blocked, I don't care if they can resolve the IPs/names.

From TESTING, the alias/firewall rule seems NOT to work, as the original poster of this thread is claiming. I've added 2 aliases as follows:

social: facebook.com and www.facebook.com
video: youtube.com and www.youtube.com

then applied them in a rule for the FIXED IP 192.168.1.199, to BLOCK both these destinations.  Left it overnight, and 10hrs later only one of these was blocked, the other was connecting fine..

If I remove the DESTINATION, and leave destination to ALL ("*"), then it blocks the entire PC/IP, which means the rule does work, but just the alias/filter does not.

seems there is unpredictability (maybe b/c the name resolves to MANY IPs) with this method, although it is relatively simple to implement :)

2) In response to the DNS blocking you wrote:

"they still have to send the hostname to the proxy server"

What does that mean? 

I don't see how dns blocking is useful, there are plenty of methods to get the IP of a host via any other network, so if I know that youtube.com resolves to a.b.c.d, one never has to send youtube.com, just access the IP directly, a.b.c.d, and it sounds like the dns blocking would NOT block this, OR does this rule somehow do a reverse lookup (in realtime??) and block it if it notices the IP maps to a blocked name?

besides, I'm not sure where/how one would implement a dns blocking rule in opnsense.

3) As for this:

"Creating a two squid ACLs (source host, url_regex) by hand, and create a block rule"

it sounds so simple (to developers) :)  Reminds me of this old clip (1min):

https://www.youtube.com/watch?v=8LsxmQV8AXk

how simple "linux" is (it was true 10+ years ago, now it's a lot better), recompile your kernel, once or twice :)

4) I would hope/think that creating such a rule to block a *single website* from a *single IP* should take less time than writing any of these messages in this post?

Anyways, I'll post a working example once that is obtained, and if someone does have it pls share.

My fear with adding another "proxy" inside is a) it makes things more complex, b) it might break other things like vnc/vpn/ssh and other things connecting to that LAN..  I only want to ever impact 1 or 2 IPs, not the entire network, just these 2 PCs (based on hardcoded IP)...

My time horizon is weeks/months, not days or hours to resolve such things, it is not critical but longer term nice to resolve.

Thanks.
Stormy
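The per-host, per-site block that this post and the ones below ask for ("block youtube.com from IP1, and facebook.com from IP2"), in the Squid form the thread mentions (a source-host ACL, a destination ACL, a deny rule), as an added example that is not part of the original thread: a POSIX shell generator that turns a two-column policy into squid.conf lines. The IPs, domains and ACL names are placeholders. One caveat the thread only hints at: Squid can only block what reaches it. A client configured to use the proxy sends the hostname in the Host header or in the CONNECT request, which is what the quoted "they still have to send the hostname to the proxy server" means; a transparent proxy that intercepts port 80 only never sees HTTPS, so those sites are not blocked unless port 443 is intercepted too.

```sh
#!/bin/sh
# Added example, not from the original thread: generate the Squid ACLs the
# thread mentions (a src ACL for the PC, a dstdomain ACL for the sites, one
# http_access deny) from a short per-host policy. IPs and domains are
# placeholders for the "block youtube.com from IP1, facebook.com from IP2"
# requirement, not the poster's real hosts.

# gen_squid_acls: read "IP domain [domain ...]" lines on stdin and print
# three squid.conf lines per policy line. A leading dot in a dstdomain
# entry matches the domain and every subdomain, so ".youtube.com" already
# covers www.youtube.com; listing the subdomain as well only earns a Squid
# warning about a redundant entry.
gen_squid_acls() {
    awk '
    NF >= 2 && $1 !~ /^#/ {
        n++
        printf "acl host%d src %s\n", n, $1
        printf "acl sites%d dstdomain", n
        for (i = 2; i <= NF; i++) {
            d = $i
            if (d !~ /^\./) d = "." d     # normalise to the .domain form
            printf " %s", d
        }
        printf "\n"
        printf "http_access deny host%d sites%d\n", n, n
    }'
}

# Constructed policy: one PC loses YouTube, another loses Facebook, every
# other LAN host is untouched. Comment lines and blank lines are skipped.
POLICY='# ip            domains
192.168.1.199   youtube.com
192.168.1.200   facebook.com'

# Paste the output above the usual "http_access allow localnet" line so the
# deny rules are evaluated first; Squid stops at the first matching rule.
printf '%s\n' "$POLICY" | gen_squid_acls
```

Because the match is on the destination domain rather than on resolved addresses, the "name resolves to MANY IPs" problem with hostname aliases does not apply; the flip side is that a client that reaches a site by bare IP address, or that bypasses the proxy altogether, is not covered by these rules.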
#7
General Discussion / Re: how block youtube
August 07, 2017, 11:47:16 PM
1) Then why is the alias option even there if it does not work? Maybe put a warning to users? Or specifically say when they do work?

2) dns blocking will impact ALL machines on that lan? or can one do this per machine/pc?  also, dns blocking is really not blocking power users or websites that have the IP directly embedded into the web page.

3) I did read up on/looked at the transparent proxy rule, it looks like a sea of options there.

Maybe someone can post a simple screenshot of how to block a single URL from a single PC/IP?

I wonder how dd-wrt/tomato and other consumer-grade firmwares make it so simple to enter as many URLs as you like and group them, then define which IPs can access them, schedules, etc.

Here the requirement is absolutely bare minimum, just block youtube.com from IP1, and facebook.com from IP2, for example.

I don't expect an overnight answer, but if someone did that already , a screenshot would be appreciated, and once i get that sorted will post to this thread, as it appears others ran into same issue before :)

Stormy.
#8
General Discussion / Re: how block youtube
August 07, 2017, 11:18:33 PM
define "simple" :)  All these are pretty complex/involved.

I'm just looking for an easy and reliable way to block certain websites from certain PCs on the network, very similar to Parental control if you will.  DNS will only block name resolution, what if they know the IP or some embedded website has the IPs of youtube hardcoded..  this rule/alias seems very promising, if it would work :)  simple enough, and only impacts that specific host/ip.
#9
General Discussion / Re: how block youtube
August 07, 2017, 11:00:16 PM
Well, on 17.7, I tried this alias / rule, and no website worked; despite the rules, it allowed traffic.

example alias is:

social    Host(s)       www.facebook.com, facebook.com

example rule is:

   IPv4 *    192.168.1.199    *    social    *    *    

this means that IP 192.168.1.199 is blocked from accessing "social" (the alias), but as mentioned, this does not block traffic..  pinging and browsing work from that IP.

Changing the rule and removing the "social", i.e. target: ANY, then it blocks ALL traffic to that IP, so at least we know the rules basics do work, just not per-website/url...

Any tips welcomed.
Stormy.
#10
After a few more days of monitoring, I'm still clueless, but found a "simpler" workaround, and that is simply to:

ifconfig ath0_wlan1 DOWN, followed by UP, so just bounce the wifi interface, and IMMEDIATELY all android/windows devices can connect to the wifi; before that they all get authentication failures.   The ifconfig outputs before and after are identical this time around (not using the GUI apply method).

I might add a cron job to do that each night :)

For completeness, here is the ifconfig/output:

Initial state, UP, wifi is not working:

root@OPNsense:/var/log # ifconfig ath0_wlan1
ath0_wlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 4c:0f:6e:22:17:96
        inet6 fe80::4e0f:6eff:fe22:1796%ath0_wlan1 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid STAR channel 2 (2417 MHz 11g ht/40+) bssid 4c:0f:6e:22:17:96
        regdomain 128 country 4007 indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
        shortgi burst -apbridge dtimperiod 1 -dfs
        groups: wlan
root@OPNsense:/var/log #
root@OPNsense:/var/log # ifconfig ath0_wlan1 down
root@OPNsense:/var/log # ifconfig ath0_wlan1
ath0_wlan1: flags=8902<BROADCAST,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 4c:0f:6e:22:17:96
        inet6 fe80::4e0f:6eff:fe22:1796%ath0_wlan1 prefixlen 64 tentative scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: no carrier
        ssid STAR channel 2 (2417 MHz 11g ht/40+)
        regdomain 128 country 4007 indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
        shortgi burst -apbridge dtimperiod 1 -dfs
        groups: wlan

After this if UP then WIFI works again:

root@OPNsense:/var/log # ifconfig ath0_wlan1 up
root@OPNsense:/var/log # ifconfig ath0_wlan1
ath0_wlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 4c:0f:6e:22:17:96
        inet6 fe80::4e0f:6eff:fe22:1796%ath0_wlan1 prefixlen 64 scopeid 0x9
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid STAR channel 2 (2417 MHz 11g ht/40+) bssid 4c:0f:6e:22:17:96
        regdomain 128 country 4007 indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
        shortgi burst -apbridge dtimperiod 1 -dfs
        groups: wlan
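Two things in the ifconfig dumps above are worth reading off mechanically, and the following is an added example that is not part of the original posts: a POSIX shell script that reduces a FreeBSD wlan ifconfig dump to the four access-point fields that matter (UP flag, status, hostap mode, apbridge) and wraps the down/up workaround from post #10 so a nightly cron entry logs the state before and after. The interface name, MAC, SSID and the sample dump are constructed. One field is relevant to post #5 (wifi clients unable to ping each other): in FreeBSD's ifconfig(8), apbridge controls whether an access point forwards frames between its own wireless clients, and "-apbridge" means it does not. The dumps above do show "-apbridge"; the thread itself never confirms that this is the cause, so treat it as something to check rather than as an established answer.

```sh
#!/bin/sh
# Added example, not from the original posts: pull the access-point fields
# that matter out of a FreeBSD wlan ifconfig dump, and wrap the down/up
# workaround from post #10 so a cron job logs what it saw. Interface name,
# MAC and SSID in the sample dump are constructed.

# wlan_field KEY: read ifconfig output on stdin and print yes/no for KEY:
#   up       - UP flag on the first line
#   running  - "status: running"
#   hostap   - media line shows <hostap> (required for bridging)
#   apbridge - AP forwards frames between its own clients ("-apbridge" = no)
wlan_field() {
    awk -v key="$1" '
        NR == 1 && key == "up" {
            r = ($0 ~ /[<,]UP[,>]/) ? "yes" : "no"; print r; exit }
        key == "running" && /^ *status:/ {
            r = ($2 == "running") ? "yes" : "no"; print r; exit }
        key == "hostap" && /^ *media:/ {
            r = ($0 ~ /<hostap>/) ? "yes" : "no"; print r; exit }
        key == "apbridge" && /apbridge/ {
            r = ($0 ~ /-apbridge/) ? "no" : "yes"; print r; exit }
    '
}

# wlan_summary: one line "up=.. running=.. hostap=.. apbridge=.." from a
# dump on stdin.
wlan_summary() {
    dump="$(cat)"
    out=""
    for k in up running hostap apbridge; do
        out="$out${out:+ }$k=$(printf '%s\n' "$dump" | wlan_field "$k")"
    done
    printf '%s\n' "$out"
}

# bounce_wlan IFACE: the ifconfig down/up workaround, with a summary before
# and after so the cron log shows whether anything changed. Needs root.
bounce_wlan() {
    iface="$1"
    echo "$(date '+%F %T') before: $(ifconfig "$iface" | wlan_summary)"
    ifconfig "$iface" down && ifconfig "$iface" up
    echo "$(date '+%F %T') after:  $(ifconfig "$iface" | wlan_summary)"
}

# Constructed dump in the shape of the one in the thread (running hostap AP,
# client-to-client bridging disabled).
SAMPLE='wlan1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:11:22:33:44:55
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid EXAMPLE channel 2 (2417 MHz 11g ht/40+) bssid 00:11:22:33:44:55
        txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
        shortgi burst -apbridge dtimperiod 1 -dfs
        groups: wlan'

printf '%s\n' "$SAMPLE" | wlan_summary
# On the firewall: bounce_wlan ath0_wlan1   (e.g. from a nightly cron entry)
```

As the poster noticed, the dump looks the same before and after the bounce, so the summary will not predict the failure; its value is in the log line it leaves next to each bounce, and in surfacing "apbridge=no" on an interface whose clients are expected to talk to each other.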
#11
Hi there!!

I'm using 17.1.7, and configured a wifi adapter

ath0@pci0:4:0:0:        class=0x028000 card=0x2091168c chip=0x002e168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


Set everything to DEFAULT in the gui, but, every few hours the connection drops, and on android clients getting:

Authentication problem.... and cannot log in.

The "fix", is very simple, I go to the OPN GUI, find the WIFI adapter, scroll to bottom of page, click SAVE.  Then on top APPLY changes, and INSTANTLY, connections are possible using that wifi adapter.

running clog wireless.log does not show anything out of the ordinary, lots of these, but i think this is normal:

May 27 09:53:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 09:58:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:03:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:08:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:13:35 OPNsense hostapd: ath0_wlan1: WPA GMK rekeyd
May 27 10:13:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:18:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:23:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK
May 27 10:28:39 OPNsense hostapd: ath0_wlan1: WPA rekeying GTK


I have not yet been able to find/correlate the logs to when the connection initially drops.

What I did do is capture ifconfig BEFORE and AFTER the above APPLY in gui, and this is the difference:

# diff ifconfig-b4apply.lis ifconfig-afapply.lis
53,55c53,55
<       privacy MIXED deftxkey 3 AES-CCM 2:128-bit AES-CCM 3:128-bit
<       txpower 20 scanvalid 60 protmode OFF ampdulimit 64k ampdudensity 8
<       shortgi burst -apbridge dtimperiod 1 -dfs
---
>       privacy MIXED deftxkey 2 AES-CCM 2:128-bit txpower 20 scanvalid 60
>       protmode OFF ampdulimit 64k ampdudensity 8 shortgi burst -apbridge
>       dtimperiod 1 -dfs


So, some changes are visible, but not sure what to make of that...

Here is the relevant GUI wifi setup, I've hidden the password field with **** :)

Any tips/ideas are welcomed..

Stormy.


#12
Ok, closing this, few points to keep in mind:

1)  For some reason opnsense in my case at least put the wifi adapter in the routing table for 192.168.1.0/24, so it blocked access to the box.

workaround from console, type: ifconfig ath0_wlan1 down
then could access/ssh/gui and proceed with setup.

2) For wifi and LAN to be on same subnet, e.g. 192.168.1.*, they must be bridged :) :)  So created a bridge with both

3) have to then add a FW rule on WIFI for any traffic it looks like this:

IPv4 * * * * * *

4) At this point the WIFI is bridged to the LAN, and hence does not need:

  a) an IP
  b) A dhcp server setup on it, b/c it uses the LAN settings which have both.

5) Tested speeds with two Atheros cards I got in the mail, one:

ath0@pci0:4:0:0:        class=0x028000 card=0x10891a3b chip=0x002b168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9285 Wireless Network Adapter (PCI-Express)'
    class      = network


which, I think, has 1x antenna specs, although TWO plugs were connected to the card; it yielded 5Mbps upload.

Second card was with 2x antenna specs:

ath0@pci0:4:0:0:        class=0x028000 card=0x2091168c chip=0x002e168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


and here it got 34Mbps consistently; max speed for the network I think is ~40Mbps (LAN gets 39Mbps), so this is really good. By comparison, linksys/tomato on the same network runs at ~21Mbps (max for G, I think).

Hope this helps others in wifi setup on opnsense, finally got it working :)

Thanks to Will, djGrrr...
#13
Hardware and Performance / Re: opnsense WIFI setup
April 26, 2017, 05:23:26 PM
Oh dear.. the "issue" was that the MODE was set to "Infrastructure" and it turns out that is not correct; again, thanks to djGrrr for pointing it out... changed to AP, and then bridging to "bridge0" worked OK, so I managed to connect to wifi, but speed is very low, like 11kbps.. even though android shows link speed as 65Mbps...
#14
Hardware and Performance / Re: opnsense WIFI setup
April 26, 2017, 04:08:56 PM
BTW, the wifi card is:

ath0@pci0:4:0:0:        class=0x028000 card=0x10891a3b chip=0x002b168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9285 Wireless Network Adapter (PCI-Express)'
    class      = network
#15
Hardware and Performance / opnsense WIFI setup
April 26, 2017, 03:50:48 PM
I'm "simply" trying to setup wifi on opnsense/latest 17.1.4.  After months of failed attempts with Broadcom, ordered Atheros and card immediately recognized by the OS/and UI, ath0, so went to:

Interfaces->Wireless->Devices, and set it up, all looks ok there, then moved to ASSIGNMENTS and added a new interface; it was called OPT5, I've renamed it to WIFI to make it easier to remember.

So "WIFI" maps to "ath0_wlan1 (Wifi)" in the assignment page..

In Overview page the interface appears as:

WIFI interface (opt5, ath0_wlan1)
Status no carrier
MAC address 74:f0:6d:xx:xx:xx - AzureWave Technologies, Inc.
IPv6 Link Local fe80::76f0:6dff:fe0d:xxxx
Media autoselect
Channel 7
SSID STAR2



Notice the "no carrier"...  going into "WIRELESS" tab and clicking "STATUS" RESCAN does not find any other wifi in the area even though there are some wifis..

Also, i cannot find that SSID "STAR2"..

So, decided to reboot; after that, could not access the internet or ssh into the opnsense box :) :)

from console typed:

ifconfig ath0_wlan1 down

and then could ssh into the box, and the internet is working.

The question is why the wifi disabled internet/access to box??

Thought maybe need to bridge the wifi + bridge0 (which already has LAN1 LAN2 ports), but that fails with:

Bridging a wireless interface is only possible in hostap mode.


I understand security, but why does it have to be so complex?  Just want the wifi to be an extension to the LAN, security WPA2 already is "good enough" for my needs.

Is there any way to do this with opnsense? any docs/references?

for now, disabled the wifi :)

Thanks, Stormy.

PS: Also tried such guides which are pfsense: https://www.cyberciti.biz/faq/howto-configure-wireless-bridge-access-point-in-pfsense/

to no avail...