Messages - mimino

#1
It is indeed extremely buggy in some areas. I cannot get the policy routing through VPN gateway working, something as simple as that is broken. Came back here after some years with pfSense, hoping to get the Wireguard going, just to find out that even simple stuff isn't working.
#2
18.7 Legacy Series / Re: Cannot create PPTP interface
January 05, 2019, 02:18:34 PM
Shameless bump, but can anyone please help create a pptp interface without GUI?
#3
18.7 Legacy Series / Re: Random freeze of the firewall
January 03, 2019, 04:42:16 PM
Quote from: golfvert on January 03, 2019, 04:18:01 PM
Looking at past posts it seems that the newest driver version (1.95) is or was OKish. Do you know if there is a way to restart the ethernet interface without rebooting? I can watchdog the interfaces and if something is wrong do a "service netif restart" or similar. That would be faster than rebooting... My FreeBSD skills are close to nil.
I would probably try to determine who's at fault first, i.e. connect a monitor and see what's happening. I've seen drivers causing hard locks, where the whole system freezes, in which case no ethernet restart can help or can even be performed.
#4
18.7 Legacy Series / Re: Random freeze of the firewall
January 03, 2019, 03:41:40 PM
Quote from: golfvert on January 03, 2019, 03:09:56 PM
Quote from: mimino on January 03, 2019, 02:54:03 PM
How about connecting a monitor once it freezes to see what's going on? Perhaps it's the NIC drivers that are "locked up", Realtek is known for that.

Good idea. Not going to be easy (not a lot of space where the firewall is installed) but worth a try!
If Realtek is known for that, is there a fix?

The only fix I know of is to avoid it like the plague.
Try to find the exact chipset and google for known problems in FreeBSD, that might give you a clue.
#5
18.7 Legacy Series / Re: Random freeze of the firewall
January 03, 2019, 02:54:03 PM
How about connecting a monitor once it freezes to see what's going on? Perhaps it's the NIC drivers that are "locked up", Realtek is known for that.
#6
18.7 Legacy Series / Re: Cannot create PPTP interface
January 02, 2019, 09:38:53 PM
Seems like there's a bug filed already about inability to create l2tp interfaces: https://github.com/opnsense/core/issues/2707

In the meantime I tried to create a tunnel manually. I created a mpd5 config file and was able to bring the tunnel up. The 'ng0' interface is being created but cannot be used in the web GUI. It is also not listed as a valid interface from the command prompt when I tried to do option 1) Assign interfaces via SSH. Does anyone know why?
#7
18.7 Legacy Series / Cannot create PPTP interface
January 02, 2019, 04:21:16 PM
I'm trying to set up a PPTP tunnel and ran into an issue that is very similar to this: https://github.com/opnsense/core/issues/678

Interface 'pptp0' is never created. Can someone confirm/deny if this functionality is indeed broken?
I'm running the latest:

OPNsense 18.7.9-amd64
FreeBSD 11.1-RELEASE-p17
OpenSSL 1.0.2q 20 Nov 2018

Thanks.
#9
The recipe described here https://www.routerperformance.net/opnsense/dnsbl-via-bind-plugin/ doesn't seem to work without firewall rules, which basically eliminates unbound altogether. Just like mayo, I wasn't able to get it to work with unbound 'forward-addr'. Not sure what the issue is, and the unbound log just says that the UDP query to 127.0.0.1:53530 timed out, with no signs of DNS queries on the BIND side. Would really appreciate it if some gurus could shed some light as to what might be happening here.

Update: I tried to do unbound forwarding to a pi-hole instance I have running on my LAN, and forwarding didn't work either. There might be something crucial we're missing in unbound configuration, just have to figure out what that is.
#10
I don't think such a risk exists in this configuration. FW enforces ALL traffic through the tunnel and NO traffic through WAN. So even if your OS/browser overrides the DNS settings, to reach DNS server it still has to go through firewall (and tunnel), no way around that.
#11
This would probably work if you wanted all devices to route through VPN.
My use case is a little different, I only need certain devices VPN'ed, so the DNS traffic has to route through both WAN and VPN. However, to enforce all traffic (including DNS) for those devices I used FW rules as described here: https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN. DNS leak test came back negative, so I'm guessing it works as expected.

If you think about it, it all makes sense. You're ignoring the settings OpenVPN server provides you with, so you're responsible for setting up the routes yourself. This includes DNS settings. DNS Resolver cannot respond to DNS queries from devices connected to VPN, so you have to manage these as well. That's at least how I picture things in my head. I'm not a networking expert, just trying to explain things to myself ;)
#12
17.1 Legacy Series / Memory consumption
June 15, 2017, 05:02:14 AM
Hey guys,

I've been running OPNsense on my brand new J3355 box for a couple of weeks now, so far so good. One thing I'm noticing is the memory usage grows over time. It started at 10% upon boot up, after 17 days of uptime it is now at 18%. I've been monitoring it for 5-6 days now and it's rising gradually. I do have IDS running, and my adblock list for DNS Resolver is quite big too. Plus the firewall rules from FireHOL. Could this be the cause? Is this normal? I'm not worried just yet since 8 Gig will hopefully never be exhausted, but at some point it might require a reboot to reclaim the memory. Thanks in advance.
#13
The only solution to this I've found was to specify DNS servers in DHCP static mapping for devices that need to connect through VPN. Not sure if anything else is possible with DNS Resolver, without it I had no DNS traffic coming through at all.
#14
Hello crowd,
Newbie in OPNsense here, and I'm trying to accomplish something similar to OP.
I run a script on the same box that aggregates hosts from multiple sources, then I simply copy the resulting file to /usr/local/www. My adblock alias is set up to grab the URL Table from the local web server. Not sure if there's a better way to do it, but I figured this would be simple enough and should work.
Now, the questions OP has asked are still very relevant. Could somebody among the local gurus step in and try to answer them? Especially these:

  • Is there a limit as to how many IPs I can have for an alias?
  • What is a healthy amount of IPs inside an alias?
Any input will be greatly appreciated.
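As an added illustration of the aggregation step mentioned in the post above (not the poster's own script, nor anything from the OPNsense project), the sketch below merges several source lists into one file in the one-entry-per-line form a URL Table alias fetches: comments and blank lines are stripped, only lines that look like IPv4 addresses or CIDR networks are kept, and duplicates are collapsed. The source files and the `$WORK` directory are constructed here for demonstration; the real copy would go to /usr/local/www as the post describes.

```shell
#!/bin/sh
# Constructed example: merge blocklist sources into a URL Table alias file.
set -eu

# Normalize one source file: drop '#'/';' comments and surrounding whitespace,
# keep only IPv4 addresses or CIDR networks (hostname entries are rejected,
# since an IP URL Table alias cannot use them).
normalize_list() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || true
}

# Merge all given source files into "$1", deduplicated and sorted,
# and print the number of resulting entries.
merge_lists() {
    out="$1"; shift
    for f in "$@"; do normalize_list "$f"; done | sort -u > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample sources (documentation-range addresses only).
WORK=$(mktemp -d)
cat > "$WORK/source_a.txt" <<'EOF'
# source A
198.51.100.10
203.0.113.0/24   ; trailing comment
not-an-ip-entry
EOF
cat > "$WORK/source_b.txt" <<'EOF'
198.51.100.10
192.0.2.5

EOF

# In real use the output path would be under /usr/local/www for the alias to fetch.
ENTRIES=$(merge_lists "$WORK/adblock.txt" "$WORK/source_a.txt" "$WORK/source_b.txt")
echo "wrote $ENTRIES entries to $WORK/adblock.txt"
```

The `wc -l` count printed by `merge_lists` gives a quick way to watch how large the alias is growing over time, which is the same number the poster's questions about alias size limits are really about.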