Messages - Mr.Goodcat

#1
26.1, 26,4 Series / Re: 26.1.9 broke my DNS?
June 03, 2026, 05:44:55 PM
Quote from: newsense on June 03, 2026, 08:58:28 AM
Quote from: Mr.Goodcat on June 03, 2026, 08:42:35 AM
Same issue here. Neither multiple restarts of unbound & dns-crypt as well as OPNsense nor a rollback to 26.1.5 (the entire VM image) fixed it.

If a rollback failed it is more likely you experienced a brief internet outage that messed up the ssl connections in dnscrypt

It most likely was a failure of DNS-crypt to load DNS servers via the fallback resolver. I used "194.150.168.168" (listed e.g. by CCC.de) which appears to be down.
#2
26.1, 26,4 Series / Re: 26.1.9 broke my DNS?
June 03, 2026, 08:42:35 AM
Same issue here. Neither multiple restarts of unbound & dns-crypt as well as OPNsense nor a rollback to 26.1.5 (the entire VM image) fixed it. Yet, pings from OPN to e.g. 8.8.8.8 worked. Didn't have the time to check beyond this, but it seems quite odd.

Update: the rollback is now back up. No idea what happened there. Will go back to the latest version later in the day and report back to nail this down.
#3
Hello,

trying to use dynDNS via ddclient for a .com domain at OVH fails, showing this error in the log:
[ovh - ] failed to set new ip xx.xx.xx.xx [400 - {"class":"Client::BadRequest","message":"Zone not found"}]
This happens both with native and ddclient backend.

It seems some issues can be caused by not having protocol set to "ovh", which can't be done in the GUI.
Hence I edited /usr/local/etc/ddclient.json directly but this doesn't seem to apply at all.

Does anyone here have dynDNS with a .com at OVH working?
#4
25.7, 25.10 Legacy Series / Re: netcup dynDNS
January 18, 2026, 08:42:25 PM
Quote from: viragomann on January 18, 2026, 08:34:16 PM
Note that you can run the ddclient in two different modes, selectable on the general settings tab: native and ddclient.

That's just the hint I was looking for! Thank you very much! :-D
#5
25.7, 25.10 Legacy Series / [Solved] netcup dynDNS
January 18, 2026, 08:17:04 PM
Hello,

I was trying to add a domain on netcup to ddclient for dynDNS. However, netcup is not selectable from the menu.
Yet, according to the documentation it should be available: https://docs.opnsense.org/manual/dynamic_dns.html#provider-specific-configuration

After some digging, I came across this nifty Python script: https://github.com/opnsense/plugins/blob/master/dns/ddclient/src/opnsense/scripts/ddclient/lib/account/netcup.py

Could this be an issue of missing GUI integration or am I overlooking something obvious?
#6
Layer 8 strikes again (๑﹏๑//) Sorry for sending you on a wild goose chase! It's indeed already in 3.1.1, this is simply a case of GUI integration.

As a test I added HE_DDNS_KEY="the_generated_key" in /var/etc/acme-client/accounts/[...]/account.conf, called acme.sh with --dns 'dns_he_ddns' instead of --dns 'dns_he' and the certificate is created.

Currently, in the GUI username/password are supplied for all domains under "Challenge Type". As this new feature is per-domain, it's probably reasonable to add a checkbox which enables per-domain tokens to be supplied in each certificate's dialogue?
#7
Glad to hear it! :-)

Yes, that's the commit.
I assumed it to be integrated in a way that simply takes the user/password input in ACME's challenge types. But that was overly optimistic to naive. Guess I should finally RTFM the plugin documentation^^
#8
You're absolutely correct, pulling in everything is probably just asking for trouble. Yet, doing individual pulls for non-critical issues creates too much work for projects as big as OPNsense.

I felt somewhat naked without having 2FA activated on my Hurricane Electric account. However, as HE apparently doesn't support global access tokens, that requires ACME.sh to support record-specific API keys - which is safer anyways: https://github.com/acmesh-official/acme.sh/pull/5237

Cheers,
Fabian

PS: Thank you, I'm doing great and hope you are as well! :-)
#9
Thank you both for the insights! So it's either back to waiting for a new release tag or building from git myself.
#10
Hi,

the release cadence of acme.sh can be slow with gaps of up to a year. If I understand the readme correctly, one should use the latest code instead of waiting for new tags anyway:
Quote
acme.sh is in constant development, so it's strongly recommended to use the latest code.

Since the last release from April, useful new features such as the DNS API of Hurricane Electric have been added. Would it be possible to update OPNsense with the latest code from GitHub? Thanks!
#11
Those who are having issues with "503 Service Unavailable" only for internal access might want to try this:

Part 7 Step 4:
Services --> HAProxy --> Settings --> Rules & Checks --> Conditions
Don't set the condition to "Source IP is local" but select "Source IP matches specified IP" and input the private IP ranges you actually need, e.g. 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12.

This fixed the issue for me.

Also, in case your local servers only accept http connections, make sure to remove the SSL checkmark of the respective "real server" entry. Even though that should be somewhat self-evident :-)
#12
Hi,

are there any plans to simplify captive portal login via QR codes?
From what I could find, a patch was created but never merged. https://github.com/opnsense/core/pull/3388
This would be a great feature.
#13
Quote from: franco on September 24, 2024, 09:52:40 PM
There was a recent submission which probably fits here...

https://github.com/opnsense/core/commit/2a1ccae9

# opnsense-patch 2a1ccae9


Cheers,
Franco

This solves the issue for me, thanks!  :)
#14
I'm seeing the same issues on OPNsense 24.7.4_1-amd64. However, even when setting no limit and selecting all categories via multi-select, no logs are shown. Any idea how to fix this? ???
#15
23.7 Legacy Series / Re: Dpinger broken
December 31, 2023, 01:52:03 PM
Well, turns out this one is a combined OPNsense AND layer 8 issue:
https://github.com/opnsense/core/issues/6907
Increasing "Time period" to a higher value allowed Dpinger to come up again.