Messages

Don't use Dnsmasq.  Kea/Unbound.

This was also happening with the older isc dhcp service.

I also disconnected my 192.168.3.x subnet and turned all the PCs off to check and see of one of my computers was the rogue DHCPer but it didn't change what was happening.

I may have found the issue, or an issue at least. It seems when the corporate PC connects to my wifi but not the IPSEC connection it only gets assigned the 192.168.1.1 dns server like everything else. It only acquires the 192.168.3.41 primary dns address when it connects to the corporate network via IPSEC. Which seems like a lazy and incorrect use of subnet addressing on their end. Perhaps the coincidence of me also having a 192.168.3.x subnet was freaking it out.

I took the equally lazy path and just reassigned my 192.168.3.x subnet to a different address further away from 3 and I have yet to hear any complaints.

I have a computer that needs to connect to a corporate network via ipsec that is having issues connecting using its ipsec client. My opnsense firewall and zenarmor do not seem to be blocking any connections from this computer. The only suspect thing I can find with its connection issues is when this computer connects to my wifi sometimes the primary dns is assigned to 192.168.3.41 and the secondary is assigned to 192.168.1.1(the subnet this pc should be on).

192.168.3.x is a subnet I use for wired clients but none are broadcasting dhcp. 192.168.1.x is my wifi subnet broadcast over two access points. the access points are not configured to assign dhcp or dns, they are just antennas.

I am using dnsmasq for dhcp with a dns listen port of 0 which should disable dns as far as I understand. Dhcp ip ranges are defined in dnsmasq for each subnet, everything else is defaults.

I am using UnboundDNS for dns over tls. Its listening on port 53, nothing else is really configured except for cloudflare, quad9, and google dns servers.

No dns is assigned in system > settings > general.

Yet somehow this one pc keeps getting assigned an ip on 192.168.3.x as its primary dns. Its a corporate owned pc so I cant edit anything in its network settings to force it to use different dns name servers. None of my other clients on the wifi subnet are getting assigned anything more than 192.168.1.1. In fact, this one pc is the only pc getting assigned a primary and secondary dns. The other windows clients are only being assigned 192.168.1.1 as a primary dns and no secondary.

Im a bit stumped as to what could be assigning this dns address. Is there anywhere in opnsense I should look, or some setting to better force dns assignments to this client? It seems to need a more explicit declaration of primary/secondary dns but I cant do that without admin rights on the corporate pc, which I wont ever get.

Thanks for the help

I feel like I should have gotten this to work by now but I am misunderstanding a setting and cant seem to get nginx to work properly.

I have a server hosting two webpages behind opnsense. They are www.mydomain.com/one and www.mydomain.com/two.

The server accepts incoming connections on 443. My current working opnsense configuration to access these webpages from external IPs is to forward all 443 connections going to WAN-IP to MyServer-IP. This works but there is a quite large volume of port sniffing and random access attempts when I do this.

I would like nginx to filter for and forward only requests for www.mydomain.net/(one or two) to MyServer-IP/(one or two). A fairly standard use case for nginx, that I somehow cant get working right. I have ssl certs stored on MyServer for the domain, so in my current setup where I forward all requests on 443, MyServer will do the filtering for any request to www.mydomain.com/(one or two) and serve the correct ssl cert.

I believe the system I am looking for is transparent reverse proxy, where all nginx does is look for a request using my domain name and forwards it without modifying data or serving certs.

These are my current rules to port forward all 443 to MyServer
Firewall > NAT > Port Forward: Interface WAN, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

i also have one for internal subnets to reach this server using the domain name

Firewall > NAT > Port Forward: Interface subnet1 subnet2 subnet3, IPv4, Protocol TCP/UDP, Destination WAN net, Destination Port Range HTTPS, Redirect target IP MyServer, Redirect Target Port HTTPS

and then in Firewall: Rules: WAN there is an autogenerated rule for IPv4 TCP/UDP, source/port any, destination MyServer(alias), port 443

The Nginx configuration I have tried is this, based on most write ups I have found
Upstream Server
   Description: MyServer
   Server: (MyServer IP)
   Port: 80
   Priority 1
   Max Conns: 1000
   Max Fails: 10
   Fail Timeout: 60

Upstream
   Description: MyServer Backend
   Server Entries: MyServer
   LoadBalancing: WRR
   Enable TLS: False

Location
   Description: MyServer Root
   URL Pattern: /
   match type: none
   url rewriting: nothing selected

HTTP Server
   HTTP Listen 80
   HTTP Listen 443
   Server Name: www.mydomain.com
   Locations: MyDomain Root
   URL Rewriting: nothing selected

Firewall: WAN: Rules
Protocol IPv4, TCP/UDP, source/port *, Destination WAN Address 443(and same rule with 80), Gateway/schedule *

Whenever I try and connect I get a "Cannot Complete Request" error. Nginx logs show a connection attempt  by my device in http access logs with a status 404 error. I am a little confused here because it seems like I made pretty much the same forwarding rules as I did with NAT forwarding with nginx rules. But for whatever reason these requests aren't getting forwarded the same way. Hopefully it is something simple enough that someone who knows more about this can point me in the right direction.

Thanks,

Getting the policy to drop properly would be ideal for me since the list gets updated from time to time. I frequently need to access the network from random locations and machines so I cant just blot out whole IP ranges or restrict to certain devices.

Its also just a bit frustrating that using the policy to drop anything with the CINS tag doesnt seem to actually do that. It seems to be the only policy this does not work on.

I would like to block the IP addresses in the various "IP Groups" from this list but I cant seem to get the policy correct. Some remain allowed, and others are blocked.

I have CINS selected in the tag drop down menu and "new action" set to drop but for this one list that does not seem to be enough to get suricata to actually drop everything from this ET CINS list.

The IPs involved arent being flagged by other lists first, it just seems like something about this list is still overriding my attempts to drop the connection.

Well I sort of fixed it by disabling my firewall rules and re-enabling them. As well as flushing the arp tables. Something must have hung up in the update that a restart did not clear out.

I had the same problem. They said they would manually review the application and contact me but never did. I assume it was because of the IP address i was using and my email is not to a normal domain like @gmail or whatever. It probably thought I was spam.

If you used a public IP and normal looking email address then perhaps it is just broken.

I have a computer on my network hosting a webpage at www.mydomain.com. External requests were forwarded to the host computer using opnsense port forward rules and I had the nat 1:1 reflection option enabled to allow other devices on my network to reach the website using www.mydomain.com instead of having to use the IP address of the host machine.

Strangely, after the most recent update of opnsense the host computer can no longer reach its own website using www.mydomain.com. It can get there using its own IP address. Every other computer on the network can still get to the page using www.mydomain.com, as can devices from external IPs.

So did something change with the way NAT reflection or forwarding rules work recently? I need an API on the host machine to be able to contact the website using the www.mydomain.com address so the ssl certs are valid.

The host computer is on its own subnet, all other machines are on various other subnets. The host is running debian stable with a LAMP stack. I am not seeing requests on the firewall from the host machine trying to reach itself, but can see other local subnet addresses communicating with the host machine, as well as external addresses. So it seems like a setting somewhere is blocking domain name resolution for this one machine all of a sudden.

I just got a 1gbps connection and a new sb8200 modem to handle that speed upgrade. It has two NICs for link aggregation for use on connections over 1gbps.
But I was wondering if there was any benefit at all if I used both lines on my 1gbps connection. Maybe like a load balancer or to help decrease latency if a bunch of devices are communicating through my opnsense box at the same time.

Most of the stuff I could find online was for intranetwork speed improvements for a NAS or commercial access points. Its a new concept to me so I am just looking to get up to speed on any capabilities this could bring to the table.

It kind of seems like LAG would be helpful on my PCs that are using wired connections but that would require quite a few hardware upgrades and I only have one free ethernet port on my router and one on the sb8200 for now to play with.

This happens to me sometimes and is really frustrating.

Going into the ARP section and flushing the table gets things to work again. Rebooting wont work.

I think somehow, a device will be assigned an address from dhcp, like 192.168.1.133 and then that computer will disconnect from the network and log back in. The DHCP server will give the device a new IP of 192.168.1.122 and will update the ARP table accordingly(viewed from the webgui)  but traffic will be routed using the old IP even though nothing in the system is registered to that IP. The firewall sees this is a foreign/unregistered IP and blocks it.

So there is some sort of situation where traffic will get routed briefly based on some other identifier besides the IP assigned by DHCP. For the record, I am only using DHCP to assign ip addys to people on my wifi and this only happens to users on my wifi. I am not using anything other than the stock configuration for adding devices to my network. My wifi is provided by access points that have static IP addresses assigned to them that arent available to the dhcp range and will occur whether I have one AP or multiple ones(so I think its not a roaming issue caused by the APs)

I have a Sierra EM7565 LTE modem I use on a laptop for roaming around and for whatever reason I wanted to try passing it to a KVM of OPNsense.

I am using Virt-Manager to do this and I am passing just the USB device to OPNsense. Then when I log into OPNsense via the terminal(in the KVM window) I can see under /dev that there is a cuau0 device being added. The OPNsense webgui also sees the /dev/cuau0 device under PPP devices. Unfortunately I cant get OPNsense to communicate via AT commands to the modem.

I tried configuring the modem settings between MBIM(USBIF) and Legacy-Generic, as well as switching from qmi to mbim mode for the data link but none of the settings seem to communicate in OPNsense. For whatever reason the device does not seem to want to talk to OPNsense but will talk to Debian just fine.

The error I get in the webgui is "failure to issue AT command" and in terminal I can use

Code Select Expand

cu -l /dev/cuau0 which gives me a CONNECTED status, but I cant enter anything after that.

I was thinking I might need to pass the whole USB bus, but there is only one bus and that would take all of my USB ports, touchscreen, etc. with it.

Does anyone have any experience doing this? I don't have any other modems to try so I cant be too sure it isn't a BSD issue with this particular modem.

I installed it and got it to work just fine.

But I will second the documentation is somewhat lacking.

I upgraded to 21.1, im using the libressl flavor, and then went to install the sensei plugin(first time). After it installed it never showed up in the menu tab. When I looked at the plugins page it said both the sensei plugin, and the chrony plug in were outdated. It also listed no packages or plugins besides those two. When I tried to check for new updates it said it could not contact the repository.

Uninstalling the sensei plugin reverted everything back to normal. Pretty strange, my guess is that's not supposed to happen.

I think I got it working, hope this helps anyone else.

The firewall time seemed to update itself. But since it was suggested to add a cron job I just did this:
crontab -e
which opened up the cron jobs already enabled in opnsense. Then I added

*    3    *    *    *     (ntpdate -v -u 192.168.1.1) > /dev/null

So hopefully this means it will update tomorrow morning at 3am. And every day after.

Thanks, ill get on the suggestions. I goofed not specifying the subnets correctly.