Messages - FCM

#1
Hello,
We have the same situation here: some websites like Google, Bing, Wikipedia... don't load anymore!
If we deactivate the UT1 blacklist, everything is fine.
Like Pawel, we are adding the sites to the whitelist, but it's not quick and users are screaming...

Has someone resolved this?
Thanks
#2
Hello,
my bad: with no IP addresses in the "Listen IPs" field, the service starts and runs...
I was thinking this field was for the supervision server IP address, but you put nothing and it works...
#3
Thanks for the information :)
#4
Hardware and Performance / OPNsense on Netgate SG-1100 ?
February 21, 2019, 10:08:38 AM
Hello ! :)
I just read that some people managed to make OPNsense work on old Netgate appliances.
So I'm wondering if we can put OPNsense on the SG-1100 in place of pfSense?
The appliance seems nice and at a good price (around 160 $/€).
thanks
#5
Hi,
I'll try:

Backend log:
Quote:
Feb 20 11:44:33   configd.py: [60db9247-d6ef-4d95-b2f1-c803fcfac02d] request pfctl byte/packet counters
Feb 20 11:44:27   configd.py: [2fa07971-1ac9-4867-b40e-e33acc8ad4bf] request pfctl byte/packet counters
Feb 20 11:44:22   configd.py: [ae5ef72a-f62f-4c18-9336-961536ede693] returned exit status 1
Feb 20 11:44:22   configd.py: [ae5ef72a-f62f-4c18-9336-961536ede693] starting Net-SNMP

General log:
Quote:
Feb 20 11:44:22   root: /usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

The SNMP service is enabled, the community has a simple name (public) and I put the listen IP of my Centreon. I tried with the layer 3 visibility checked or unchecked and that changed nothing.

What other information can I give you?
#6
Hello,
I use SNMP to check my distant sites (via OpenVPN).
Until now I used the old SNMP plugin and had no problem with it.
I tried once to make the new one work, but it didn't, so I left the old one.

But with 19.1, only the net-snmp one is available, and it doesn't start at all.
When I removed the plugin and installed it again, I saw this:

Quote:
**** This port installs snmpd, header files and libraries but does not
     start snmpd by default.
     If you want to auto-start snmpd and snmptrapd:, add the following to
     /etc/rc.conf:

   snmpd_enable="YES"
   snmpd_flags="-a"
   snmpd_conffile="/usr/local/share/snmp/snmpd.conf /etc/snmpd.conf"
   snmptrapd_enable="YES"
   snmptrapd_flags="-a -p /var/run/snmptrapd.pid"

**** You may also specify the following make variables:

   NET_SNMP_SYS_CONTACT="zi@FreeBSD.org"
   NET_SNMP_SYS_LOCATION="USA"
   DEFAULT_SNMP_VERSION=3
   NET_SNMP_MIB_MODULES="host smux mibII/mta_sendmail ucd-snmp/diskio"
   NET_SNMP_LOGFILE=/var/log/snmpd.log
   NET_SNMP_PERSISTENTDIR=/var/net-snmp

     to define default values (or to override the defaults).  To avoid being
     prompted during the configuration process, you should (minimally) define
     the first two variables. (NET_SNMP_SYS_*)

     You may also define the following to avoid all interactive configuration:

   BATCH="yes"
Checking integrity... done (0 conflicting)
Nothing to do.
So, do we really have to make these modifications to make it work?
In that case, I prefer the old one...
I don't have an error I can use when I try to start the service manually:
Quote:
root: /usr/local/etc/rc.d/snmpd: WARNING: failed to start snmpd

Thanks for any help.
#7
Hello,
so I installed an 18.7 and didn't update... and I can put 2 networks in the field, so I suppose it is a bug from one of the latest releases...
#8
Hello :)
I have some OpenVPN clients running fine for the last months and I am trying to do a new one.

It has been a long time since I did one, so I was surprised when I wanted to put 2 IPv4 networks in the IPv4 remote network field (my LAN and VoIP networks, as usual) and got this message:
The field 'IPv4 Remote Network' must contain a single valid ipv4 CIDR range.
But the help text still says:
Quote:
These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank to only communicate with other clients.

So I thought I messed something up, went to my working OpenVPN clients and tried to modify the addresses in the field, and if I leave 2 comma-separated networks, I get the same error message! (Since they are working fine, I didn't push further.)
So is it a modification I missed? Or a bug?
If it's by design, how do I put my 2 networks? 2 clients??
Thanks a lot.
#9
18.7 Legacy Series / Re: WPAD/PAC
September 28, 2018, 02:02:47 PM
Thanks a lot for the WPAD addition to the latest version.

I was naïve, I didn't think it was so complex to add WPAD after that.
I was thinking that since you only add the address and the port of the proxy in Firefox/Chrome/IE/..., you would only have to choose which DHCP sends the information and voilà, that's all...

But all the rules/proxies/matches things are a bit hard to handle. :(

But thanks anyway for the update!
#10
Thanks for your answer, I will check how to log 1 year of proxy access :)
#11
Hello :)
The proxy logs in the GUI show only the latest cache/auth/store logs (more or less the last 30 entries).
I suppose there is more elsewhere, but not visible from the OPNsense GUI?
How many days are logged by default? Can we read it easily? Do we have to clean it to avoid the file becoming too huge?

Thanks a lot.
#12
18.7 Legacy Series / Re: WPAD/PAC
September 10, 2018, 09:13:02 AM
Hello,
and thanks for the information.
I would not use the dev version 'cause we are in production with schools working.
So we will wait :)
Thanks again.
#13
18.7 Legacy Series / WPAD/PAC
September 07, 2018, 01:43:46 PM
Hello,
Since I can't use the transparent proxy, I am looking for the WPAD/PAC feature described in the wiki.
I searched the forum and understood that this feature was removed.
But messages since 2017 say it will be back in the 18.7 series...
But 18.7.2 is out and still no option for WPAD.
Can we have an educated guess for the release version, please? :P
Thanks a lot :)
#14
Hello,
I have an OPNsense with the standard proxy (not transparent) linked to my LAN interface.
I would like to put up a splash screen telling the people trying to connect that they have to change their proxy settings.
So I activated a captive portal with no authentication for that, but I get no splash screen; even if the proxy settings are good, you can use the Internet with no warning...

Does the captive portal work only in transparent mode?
Thanks
#15
18.1 Legacy Series / IPSec, randomly up and down
June 11, 2018, 04:42:39 PM
Hello :)
I have 2 distant sites connected to my main site with IPsec VPN.
At first everything was fine...
and then, after less than a day, no more VPN!
The IPsec connection status on each site said that everything was connected and routed, but nothing went through them...
And then, for no reason, it was up again! And after some time (could be 45 min or 6 hours) it was down again...

It happened with both distant sites, not at the same time (one is running fine, not the other, then both of them, then none, ...).

I activated DPD on everyone, but it changes nothing...
So what can I check or change? Working or not working I can understand, but when it's random it's not easy to find...

Thanks

I put my log of the main site here, in case:
Jun 11 16:40:46 charon: 11[NET] <con1|68> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (464 bytes)
Jun 11 16:40:46 charon: 11[IKE] <con1|68> retransmit 1 of request with message ID 0
Jun 11 16:40:45 charon: 09[IKE] <con2|3> CHILD_SA con2{5} established with SPIs c2e53322_i cc5291b7_o and TS 10.0.0.0/24 192.168.20.0/23 === 10.2.1.0/24 192.168.71.0/24
Jun 11 16:40:45 charon: 09[IKE] <con2|3> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 11 16:40:45 charon: 09[ENC] <con2|3> parsed CREATE_CHILD_SA response 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jun 11 16:40:45 charon: 09[NET] <con2|3> received packet: from 88.188.61.125[4500] to 192.168.13.4[4500] (528 bytes)
Jun 11 16:40:44 charon: 09[NET] <con2|3> sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (468 bytes)
Jun 11 16:40:44 charon: 09[NET] <con2|3> sending packet: from 192.168.13.4[4500] to 88.188.61.125[4500] (1236 bytes)
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ EF(2/2) ]
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ EF(1/2) ]
Jun 11 16:40:44 charon: 09[ENC] <con2|3> splitting IKE message with length of 1616 bytes into 2 fragments
Jun 11 16:40:44 charon: 09[ENC] <con2|3> generating CREATE_CHILD_SA request 0 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jun 11 16:40:44 charon: 09[IKE] <con2|3> establishing CHILD_SA con2{5}
Jun 11 16:40:44 charon: 11[CFG] received stroke: initiate 'con2'
Jun 11 16:40:44 charon: 13[JOB] <67> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:40:42 charon: 16[NET] <con1|68> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (464 bytes)
Jun 11 16:40:42 charon: 16[ENC] <con1|68> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:40:42 charon: 16[IKE] <con1|68> initiating IKE_SA con1[68] to 80.14.223.215
Jun 11 16:40:42 charon: 15[CFG] received stroke: initiate 'con1'
Jun 11 16:40:34 charon: 16[IKE] <67> sending keep alive to 80.14.223.215[500]
Jun 11 16:40:26 charon: 16[IKE] <con1|58> establishing IKE_SA failed, peer not responding
Jun 11 16:40:26 charon: 16[IKE] <con1|58> giving up after 5 retransmits
Jun 11 16:40:23 charon: 16[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:40:14 charon: 16[NET] <67> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:40:14 charon: 16[ENC] <67> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 11 16:40:14 charon: 16[IKE] <67> sending cert request for "C=NL, ST=ZH, L=Middelharnis, O=OPNsense, E=spam@opnsense.org, CN=internal-sslvpn-ca"
Jun 11 16:40:14 charon: 16[IKE] <67> remote host is behind NAT
Jun 11 16:40:14 charon: 16[IKE] <67> local host is behind NAT, sending keep alives
Jun 11 16:40:14 charon: 16[IKE] <67> 80.14.223.215 is initiating an IKE_SA
Jun 11 16:40:14 charon: 16[ENC] <67> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:40:14 charon: 16[NET] <67> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:40:03 charon: 05[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:39:56 charon: 05[JOB] <66> deleting half open IKE_SA with 80.14.223.215 after timeout
Jun 11 16:39:50 charon: 05[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:50 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:50 charon: 05[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:50 charon: 05[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:46 charon: 05[IKE] <66> sending keep alive to 80.14.223.215[500]
Jun 11 16:39:37 charon: 05[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:37 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:37 charon: 05[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:37 charon: 05[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:36 charon: 05[CFG] ignoring acquire, connection attempt pending
Jun 11 16:39:36 charon: 16[KNL] creating acquire job for policy 192.168.13.4/32 === 80.14.223.215/32 with reqid {1}
Jun 11 16:39:30 charon: 16[IKE] <con2|3> sending keep alive to 88.188.61.125[4500]
Jun 11 16:39:30 charon: 16[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
Jun 11 16:39:30 charon: 16[IKE] <66> received retransmit of request with ID 0, retransmitting response
Jun 11 16:39:30 charon: 16[ENC] <66> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 11 16:39:30 charon: 16[NET] <66> received packet: from 80.14.223.215[500] to 192.168.13.4[500] (464 bytes)
Jun 11 16:39:26 charon: 16[NET] <66> sending packet: from 192.168.13.4[500] to 80.14.223.215[500] (489 bytes)
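A charon log like the one in post #15 is usually read by hand; as an added example (not from the original post or from OPNsense/strongSwan), here is a small Python parser that groups strongSwan's IKE failure messages per connection and flags tunnels that repeatedly fail to negotiate. The sample log lines and the 198.51.100.7 peer address are constructed in the format of the post's log.

```python
import re
from collections import Counter, defaultdict

# One charon syslog line, e.g.
#   "Jun 11 16:40:26 charon: 16[IKE] <con1|58> giving up after 5 retransmits"
# The <conn|id> tag is absent on lines without an IKE_SA and is a bare <id>
# for an SA that has not (yet) been matched to a connection definition.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: \d+\[(?P<grp>[A-Z]+)\] "
    r"(?:<(?:(?P<conn>[^|>]+)\|)?\d+> )?(?P<msg>.*)$"
)

# Messages worth counting. A capture group, where present, names the peer or
# CHILD_SA so events can still be grouped when the line carries no connection.
EVENTS = [
    ("peer_not_responding", re.compile(r"establishing IKE_SA failed, peer not responding")),
    ("gave_up", re.compile(r"giving up after \d+ retransmits")),
    ("half_open_timeout", re.compile(r"deleting half open IKE_SA with (\S+) after timeout")),
    ("retransmit_seen", re.compile(r"received retransmit of request")),
    ("acquire_ignored", re.compile(r"ignoring acquire, connection attempt pending")),
    ("child_sa_established", re.compile(r"CHILD_SA (\S+) established")),
]

# Constructed sample in the post's format (documentation-range peer address).
SAMPLE_LOG = """\
Jun 11 16:40:14 charon: 16[IKE] <67> 198.51.100.7 is initiating an IKE_SA
Jun 11 16:40:26 charon: 16[IKE] <con1|58> giving up after 5 retransmits
Jun 11 16:40:26 charon: 16[IKE] <con1|58> establishing IKE_SA failed, peer not responding
Jun 11 16:40:44 charon: 13[JOB] <67> deleting half open IKE_SA with 198.51.100.7 after timeout
Jun 11 16:40:45 charon: 09[IKE] <con2|3> CHILD_SA con2{5} established with SPIs 00000001_i 00000002_o
Jun 11 16:39:36 charon: 05[CFG] ignoring acquire, connection attempt pending
Jun 11 16:39:50 charon: 05[IKE] <66> received retransmit of request with ID 0, retransmitting response
""".splitlines()

def parse_line(line):
    """Split one charon line into timestamp, log group, connection and message (None if not charon)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(lines):
    """Count events per connection name, falling back to the peer named in the message."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pat in EVENTS:
            hit = pat.search(rec["msg"])
            if hit:
                key = rec["conn"] or (hit.group(1) if hit.groups() else "unknown")
                counts[key][name] += 1
    return counts

def flapping(counts, min_failures=2):
    """Connections/peers whose IKE negotiation failed at least min_failures times:
    the ones to check first for DPD, NAT keepalive and peer reachability issues."""
    return sorted(k for k, c in counts.items()
                  if c["gave_up"] + c["peer_not_responding"] + c["half_open_timeout"] >= min_failures)

if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    for key, c in result.items():
        print(key, dict(c))
    print("flapping:", flapping(result))
```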