Messages

Awesome. Thank you very much!

Hi,

I have not upgraded to 20.7 yet as I noticed that this version jumps to zabbix proxy 5.
Will I still be able to run zabbix proxy 4 after the upgrade? The rest of my infrastructure is still running on 4.

Regards,
Andrea

Hi,

Can I please just spend one minute telling you how great OPNsense is?
No point as if you are reading this, you already know!

You've been my introduction to BSD, and since then a lot of more Unix based systems came my way.

Anyway, the other day I was reading this article on the right software for setting up a homelab and could not help mentioning the amazing OPNsense in the comments: https://opensource.com/article/19/3/home-lab

I keep mentioning OPNsense at work too but it's hard to steer/convince CISCO/Windows engineers that Unix and open source can be a valid alternative. None the less, I keep talking about it! lol

Thanks to all the developers, and keep up the good work,
Andrea

Hi,

I like my systems to be setup all in UTC, so that it's easier to debug issues across timezones.
Apparently I'm not the only one: http://yellerapp.com/posts/2015-01-12-the-worst-server-setup-you-can-make.html :-D

Anyway, the problem is that if I set OPNsense to UTC then the FW schedule (eg to limit the Internet for the kids VLAN) goes off by one hour.

In summary, is there a way to have the OS (HBSD) and the application (OPNsense) to use two different timezones?
Any other workaround/suggestion for the problem above mentioned is welcome too.

Regards,
Andrea

Hi,

I want my pc (10.55.56.77) to manage/access resources on a different subnet (10.55.55.0/24).

With tools like "mtr" I pinged a server (10.55.55.34), setting the interval to 0.1 seconds and not losing a single ping for however long...

Sometimes though, some packages are getting dropped (as shown in the Opnsense UI screenshots attached), and I get kicked out of SSH sessions and web UIs etc.
The SSH sessions I'd say last 20/30 seconds, while web UI look slow at times, and some other times I get logged out too...

I obviously try adding rules which should have allow my management network to access everything, but some packages always end up getting caught.


Can anyone advice on how I should be debugging an issue like that please?


Thanks in advance for any tip.

Regards,
Andrea

[Background story]

Hi,

Background story
I'm half way through setting up an OpenVPN multi site setup.
Site1 is running the OpenVPN server (on OPNsense), while site2 and site3 are running some linux/openVPN clients.

The key to make this setup to work, is to add the openVPN "iroute" config for each client (site2 & site3), so that the openVPN server knows the subnets those clients/sites are providing.

OpenVPN settings
This setting is added in a client specific config file (defined by client-config-dir) which, in a normal linux environment, is normally somewhere like "/etc/openvpn/ccd/".
It took me a little while to find where OPNsense stores this (maybe just because I'm not used to freeBSD), and I found it to be in "/var/etc/openvpn-csc/3/" for some reason.
The number "3" is because this is the third openVPN I setup.

The config files for site2 would be "/var/etc/openvpn-csc/3/site2":
iroute 192.168.100.0 255.255.255.0

and for site3 would be /var/etc/openvpn-csc/3/site3:
iroute 192.168.110.0 255.255.255.0


Issue
I noticed that these configs/files do not get backed up by the standard OPNsense backup utility.

I've also noticed that when I cloned the VPN (as I changed listening port for some reason), these client specific config files were left behind.

Can someone please suggest the best practice here for either:
- including these client specific settings in the OPNsense web UI, so that they get backed up automatically with everything else;
- suggest a way to make sure these files/directories are backed up with the rest of the configs in some other ways.

Any advice would be much appreciated.

Regards,
Andrea

PS: of course I understand I could rsync the configs/directory at the same time I take the OPNsense backup, but I'm looking for the best practice/OPNsense way

alright, that was easy  :o

Thanks for the prompt response!

Regards,
Andrea

Hi,

I'm debugging some routing issues between different sites, is there a way to install MTR (or similar)?

MTR is an improvement over ping/traceroute.
Feel free to suggest a different/better tool to achieve the same results.

Regards,
Andrea

Hi,

I confirm that I'm having the same issue.

In my case I don't actually want to check "Filter DNS requests using OpenDNS" as i want to have the flexibility to use OpenDNS on some specific networks only.

To work around the lack of automatically updating my dynamic IP in "/services_opendns.php", I've installed the "os-dyndns" plugin, which looks great but unfortunately I could not get it to work to update OpenDNS as my WAN interface does not have a public IP address.


What I ended doing (as suggested above) is writing a cron for the following command:
curl -s -u 'username@gmail.com:myPassword' https://updates.opendns.com/nic/update?hostname=myServiceUsername

In case it helps anyone else:
1) create the cron file as: /usr/local/opnsense/service/conf/actions.d/actions_update_opendns.conf,
with content similar to:

Code Select Expand


[update]
command:/usr/local/bin/curl
parameter:-s -u 'username@gmail.com:myPassword' https://updates.opendns.com/nic/update?hostname=myServiceUsername
type:script
message:Updating Dynamic DNS for OpenDNS
description:Update Dynamic DNS for OpenDNS


2) service configd restart

3) Find your newly added cron in the "/ui/cron" add menu, and set it up to run every 10 minutes or so.

Hope it helps.

Regards,
Andrea

Hi,

Maybe it's just me, but I can't get this to work!

I can connect to the openVPN server, that is never been a problem.

I created a subnet 10.55.59.0/24, whose hosts are the only ones which should go through the VPN.

When I connect to the VPN, the router itself goes through the VPN (which it should not).
You can see from traceroute below:

Code Select Expand


root@routy:~ # traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
1  c-46-246-84-1.ip4.frootvpn.com (46.246.84.1)  34.104 ms  33.843 ms  33.998 ms
2  178.73.195.97 (178.73.195.97)  35.006 ms  34.265 ms  34.585 ms
3  be-1.cr1.sto2.se.portlane.net (80.67.4.208)  35.372 ms  35.370 ms  35.383 ms
4  72.14.216.118 (72.14.216.118)  34.637 ms  34.987 ms  34.275 ms
5  108.170.253.161 (108.170.253.161)  35.504 ms
    108.170.254.33 (108.170.254.33)  35.479 ms  35.283 ms
6  216.239.58.43 (216.239.58.43)  34.759 ms
    72.14.236.85 (72.14.236.85)  34.908 ms
    74.125.37.157 (74.125.37.157)  34.624 ms
7  google-public-dns-b.google.com (8.8.4.4)  34.819 ms  34.505 ms  35.023 ms



The dafault gateway is correct (10.55.50.1), but somehow it goes through the openVPN one.

Code Select Expand


root@routy:~ # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          46.246.84.1        UGS      ovpnc1
default            10.55.50.1         UGS        igb0
[..]




Hosts in other subnets (other than the VPN one), cannot get on the Internet:

Code Select Expand


root@willy:~# traceroute google.com
traceroute to google.com (172.217.22.174), 30 hops max, 60 byte packets
1  routy.home (10.55.55.1)  0.200 ms  0.170 ms  0.179 ms
2  * * *
3  * * *
4  * * *
5  * * *


I've attached the NAT/outbound rules, as I'm pretty sure I'm doing something wrong there, as I don't really know what they should look like (10.55.59.0/24 is colour coded "black").
I found rules along those lines in some "random" tutorials, and a pfsense tutorial from 4 years ago! :-/

I tried both Hybrid and manual NAT rule generation (plus all sorts of combinations). No luck!

If anyone can give me some hints, it would be much appreciated.

Regards,
Andrea

have you guys tried the latest 18.1.6 yet? I haven't.

Hi Seamus,

Unfortunately I made no progress since my last post.

Regards,
Andrea

I use local name resolving.

Anyway I don't think my problem is DNS related.
After having stopped pulling new routes from my VPN provider, every VLAN/subnet can go on the Internet freely.

The problem I have right now is that even the VLAN which should go on the Internet through the VPN only, does not go through the VPN tunnel.

So either I need to find a way to specify a different gateway for the "VPN VLAN", or I need to understand policy based routing.

So far I've been following this instructions by M4DM4NZ (BTW, thank you very much!!!), but if there is a better way (particularly now with 18.1.x) to achieve what I need, I'm all ears.

Regards,
Andrea

PS: is there a single place where to retrieve all FW rules? I have lots of subnets...

I'm using Unbound default settings (I think).
Anyway "Enable DNS Resolver" is ticked, while "Enable Forwarding Mode" is unticked.

actually, possibly the biggest routing problem experienced (in my case) came from this rule:
0.0.0.0/1          46.246.85.1        UGS      ovpnc1

I thought this was added by OpnSense (for some reason) but it isn't; this rule is added by the VPN provider I use, therefore ticking either "Don't pull routes" or "Don't add/remove routes" (not too sure about the difference at this stage) stops OpnSense from pulling extra routes and mess my routing table.

Now all VLANs can go on the Internet even when the VPN is enabled/working.
The only problem I'm left with now, is that the VLAN which should be tunneled through the VPN, isn't.

I'll have to investigate in that direction.

Regards,
Andrea