Messages - AndyX90

#1
You have to import the Microsoft-CA in System --> Trust --> Authorities. The Windows Update CA is not trusted on clients other than Windows.

I think this one: https://update.microsoft.com/


#2
Hey guys,
I have a running Site-to-Site Tunnel just for one site with configured Tunnel network 10.0.31.0/30.
The Server and Client instances on both sites are assigned to separate Interfaces.
On the main site there are 3 different OpenVPN server instances with all /24 Tunnel networks which are working very well.
Now I want to change the Tunnel Network of this specific instance from /30 to /24 to be able to connect more sites.
The problem with this is that if I change the Tunnel network on both sites to whatever (<30 Bits), the connection gets established, but no traffic will pass.
Changing the Tunnel network to /30 makes it work again.
I tried the following:
- rebooting both sides after change of Tunnel network --> same problem
- disabling and re-enabling and restart of client/server ovpn-instances --> same problem
- Re-Applying the assigned Interfaces of the OVPN Interfaces (unconfigured) --> same problem
- Cloning of the server/client instances and assign the clones to the Interfaces --> same problem
I would be happy if someone has another hint for me..

Thx


#3
Hi all,
I would like to use NGINX to offload Let's Encrypt certificates on my internal services SMTPS, SUBMISSION and IMAPS.
In https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/ it is stated that you need to configure nginx with the following arguments: --with-mail --with-mail_ssl_module.
Our nginx plugin is configured with the arguments --with-mail=dynamic and --with-mail_ssl_module.
Is this setup possible with our default nginx plugin?

THX
#4
19.7 Legacy Series / Re: Unbound - DNS Overrides
December 07, 2019, 06:38:04 PM
If I go to Interfaces->Diagnostics->DNS-Lookup and insert a hostname of the overridden domain, I get randomly different results:

If I look at the generated overrides in conf, the ending . (dot) is missing from the zone name.
In opnsense the zone name is
Quote
forward-zone:
name: "example.com"
forward-addr: 10.0.0.1
The fqdn of the overridden domain should be example.com.(dot)
The guys at archlinux also use that syntax in their documentation (https://wiki.archlinux.org/index.php/unbound#Include_local_DNS_server).
There is also someone over at pfsense who is talking about a similar problem.
https://redmine.pfsense.org/issues/9189
#5
19.7 Legacy Series / Unbound - DNS Overrides
December 04, 2019, 10:04:59 AM
Hey guys,

I still have problems with Unbound and DNS-Overrides.
It has persisted since my last thread (https://forum.opnsense.org/index.php?topic=7252.0).

But last week I made an important discovery.
I had a setup with wan on dhcp and set up domain and host overrides. Worked like a charm.
But then I changed the wan to pppoe and since then the overrides stopped working correctly.
I tried to disable "allow dns to be overridden by pppoe" and set static upstream dns, but without luck.

Any ideas?
#6
19.7 Legacy Series / Get Opnsense Version through API
September 18, 2019, 06:44:17 PM
Hey Guys, I am trying to get the version of OPNSense through the API.
Currently I am calling "https://opnsense-ip/api/core/firmware/info" and extracting $.product_version out of the output.
My problem is that I generate thousands of lines with all installed and available packages, changelogs etc. to only extract a string like "19.7.3".
Maybe someone has an idea on how to do this without such a big overhead?

THX


#7
Got fixed, see here:
https://github.com/opnsense/core/issues/3584


#8
19.1 Legacy Series / Re: a VLAN Per SSID
May 03, 2019, 05:37:04 PM
I can recommend using OpenWRT.
In my setups I use it with Management-VLAN and each SSID with different VLANs. And 802.11r for roaming between 2.4 and 5 GHz networks.
Hardware recommendation: Archer-C6.
If you need central management for that: OpenWISP.


#9
German - Deutsch / Re: DNS Override
April 08, 2019, 07:54:21 PM
Oh okay, in my case it is around 30 sites, most of which also have additional Windows servers. Now those just do DNS...


#10
German - Deutsch / DNS Override
April 08, 2019, 06:08:33 AM
Hi, I have had this problem for a long time.
See here:
https://forum.opnsense.org/index.php?topic=7252.0
I then changed my DNS setup and took DNS away from OPNSense.


#11
Hey guys, is it somehow possible in the GUI to let squid do ssl-bump on LAN and only do SNI-Filter on WiFi-Interfaces?
Thx


#12
19.1 Legacy Series / Generate Configuration Reports
March 13, 2019, 07:17:35 AM
Hey Guys, I searched for something to generate reports/documentation from configuration files and found pfFocus.
I adjusted the code a bit to work with OPNSense configuration files.
https://github.com/AndyX90/OPNReport
There are some issues but in principle it works.
Maybe someone with python knowledge can help to fix the port-alias parsing?
Another question is the <version> section in OPNSense configuration files.
Am I wrong or is this dropped somehow? I noticed that it is not present anymore in 19.x.

Thx
#13
19.1 Legacy Series / Re: Insight - Interface wrong
March 07, 2019, 09:08:32 AM
Quote from: hbc on March 04, 2019, 03:02:55 PM
Did you verify via tcpdump that packets are coming from 2nd firewall and not from local WAN? Maybe a routing issue and packets are actually received from local WAN?
Sorry for the late reply. Yes, the traffic is on the other interface.
It is a HA-Setup between 2 DEC-4630.
Another example is the Carp-Traffic.
I see the traffic on the HA-Interface (separate 1G-Interface between both firewalls), but in Insight the HA-Interface is empty and the Carp-Traffic is also displayed on WAN... :-\
#14
19.1 Legacy Series / Insight - Interface wrong
March 04, 2019, 08:38:32 AM
Hey guys,

I have a problem regarding Netflow/Insight and specific WAN-Traffic.
Basically I have one WAN Interface, one LAN Interface and one Interface linked to another firewall.
There are Internet connections coming into my LAN from the other firewall's interface.
But Netflow displays them on my WAN-Interface.
Any suggestions?

Thanks in advance!
#15
19.1 Legacy Series / Re: 19.1 - flowd_aggregate crashes
February 15, 2019, 08:08:40 AM
Problem solved!
I had to force a reinstallation of flowd.
The version remains the same, but it runs now.
Note: I upgraded from 19.1-RC2.