Messages - mossi2000

#1
Hi,

thanks a lot for the tips.
After several attempts and reading various guides/posts I found my mistake:

In the FW rules for NAT for DNS you set "NAT Reflection - disabled".
In FW Settings | Advanced | NAT, however, you must NOT tick the first option "Reflection for Port Forwards", but must select the 3rd option "Automatic outbound NAT for Reflection".
Then the whole thing works.
Phew.
With analogous FW rules you can then also force the Sense as NTP server... :-)


#2
Yes I know, the topic exists in various forms...

At the weekend my Sense got wrecked: something (I suspect ntopng or netflow) completely filled up the root partition of the Sense (apuc2d4).
Cleaned up, and after the reboot no interfaces any more (no IP assignment). Config backup did not help.

So, because I need internet in the network for the home office, I set up the Sense from scratch.
Booted v22.1.2 from the stick and installed, assigned addresses and OK.

Then I wanted it as before:
Step 1:
IPv4 only
Sense behind an ISP fiber router         192.168.10.10
Sense does DNS over TLS (Unbound)     192.168.100.3 LAN     resp. 192.168.10.3  WAN
Sense does DHCP in the 100 network
pi-hole does DNS filtering   192.168.100.13
DHCP hands out pi-hole as DNS server.

Step 2:

AND I want the pi-hole to be forced. (So nothing like a locally configured DNS of 8.8.8.8 or similar.)

Read and tried several guides;
Part 1 works.  I get to the internet and the pi-hole filters, as long as I obtain the DNS server via DHCP.

Only when I set a laptop's DNS server to 8.8.8.8, it does not get to the internet.
Meaning: e.g. nslookup www.spiegel.de cannot be resolved...

PIHOLE is an alias for 192.168.100.13


My rules:
Firewall NAT:
Interface  Proto    Source  Src port  Destination    Dst port  NAT IP     NAT port  Description
LAN        TCP/UDP  *       *         ! LAN address  53 (DNS)  PIHOLE     53 (DNS)  Force DNS traffic always to PIHOLE
LAN        TCP/UDP  *       *         *              53 (DNS)  127.0.0.1  53 (DNS)  FALLBACK: redirect and pass DNS


Firewall DNS:

Proto         Source  Port  Destination  Port      Gateway  Schedule  Description
IPv4 TCP/UDP  PIHOLE  *     LAN address  53 (DNS)  *        *         Allow PIHOLE DNS traffic
IPv4 TCP/UDP  *       *     PIHOLE       53 (DNS)  *        *         Allow DNS requests to PIHOLE
IPv4 TCP/UDP  *       *     *            53 (DNS)  *        *         Block any DNS traffic not being handled yet



What is still missing there?

Addendum: I have now seen that:
- the DNS request to 8.8.8.8 leaves the laptop and is redirected to the pi-hole, but I see no answer...
As if the return direction of the NAT did not work... Hmm...
Looks like: "Put a Wireshark on it...."


Regards Axel
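The redirect and the missing-reply symptom from this post, written out as the equivalent pf.conf fragment (an added illustration, not the rules OPNsense generated for the poster; the interface name igb1 and the macro names are assumptions). The second rule is what the "Automatic outbound NAT for Reflection" option from the follow-up post adds:

```pf
# Assumed names: igb1 = LAN interface of the Sense, 192.168.100.0/24 = LAN
lan_if  = "igb1"
lan_net = "192.168.100.0/24"
pihole  = "192.168.100.13"

# 1) Port forward "Force DNS traffic always to PIHOLE":
#    any LAN query to port 53 that is not aimed at the firewall itself
#    (e.g. a laptop hard-wired to 8.8.8.8) is handed to the pi-hole instead.
rdr on $lan_if inet proto { tcp udp } from $lan_net to ! ($lan_if) port 53 -> $pihole port 53

# 2) Same-subnet reflection fix ("Automatic outbound NAT for Reflection"):
#    laptop and pi-hole share the LAN, so without this rule the pi-hole
#    answers the laptop directly from 192.168.100.13 while the laptop is
#    waiting for a reply from 8.8.8.8 and discards it (the "no answer" above).
#    Rewriting the source to the firewall address forces the reply back
#    through the firewall, which undoes both translations.
nat on $lan_if inet proto { tcp udp } from $lan_net to $pihole port 53 -> ($lan_if)

# 3) Filter rules (first match wins): the pi-hole may reach the resolver on
#    the firewall, clients may reach the pi-hole, all other DNS is blocked.
#    Redirected queries already carry $pihole as destination here.
pass  in quick on $lan_if inet proto { tcp udp } from $pihole  to ($lan_if) port 53
pass  in quick on $lan_if inet proto { tcp udp } from $lan_net to $pihole   port 53
block in quick on $lan_if inet proto { tcp udp } from $lan_net to any       port 53
```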




#3
22.1 Legacy Series / SOLVED: ntp: no update anymore
February 12, 2022, 04:22:29 PM
Hi,

today after having read
https://forum.opnsense.org/index.php?topic=24124.msg115384#msg115384


I checked the gateway for my WAN interface.
See picture (WAN_GW.JPG)

If it is set like this I have internet access, but the NTP service is unable to communicate with any NTP server on the internet.

Since I do not have a Multi-WAN config, I switched back to "Automatic".
Good. Services NTP shows connection to time servers and offset and..and....
But - BAD - No more http(s) access to the internet - www.google.com times out...

And vice versa:   Specific GW specified - Internet access works, but ntp service not!

Then I updated the firewall rule that allowed outgoing NTP traffic from the firewall, setting its
gateway to WAN_ROUTER, and it worked!

Uff. Still do not understand this, but at least it seems to work now!

Axel




#4
22.1 Legacy Series / ntp: no update anymore
February 06, 2022, 05:44:09 PM
Hi,

today I stumbled over the fact that my OPNsense no longer provided the NTP time.
(Configuration of Raspberry Pi OS on a Pi4 fails due to missing synchronized time)

I checked some logs and tried all I could find for 21.1.7.... finally upgraded to 22.1, without change.

The last sync seems to have occurred on July 31 2021 according to the ntpstats logfile.
Very strange: I can ping all the NTP servers, but it seems that any request sent out just doesn't get an answer.

My configuration:
Fibre router from ISP (CALIX 854-G2), IPv4 and IPv6 enabled (I cannot disable v6), firewall active, blocking a bunch of incoming traffic (NTP requests to my address are blocked, but outgoing traffic is allowed).
Fixed address on LAN side 192.168.10.10


OPNsense 22.1:  2 interfaces, WAN and LAN.   WAN address 192.168.10.3, LAN address 192.168.100.3
Unbound DNS, DNS over TLS, IPv6 disabled.

NTP server config: 0/1/2.de.pool.ntp.org, Listening on LAN and WAN

Status:

Network Time Protocol Status
Status    Server    Ref ID    Stratum    Type    When    Poll    Reach    Delay    Offset    Jitter
Unreach/Pending    185.242.112.53    .INIT.    16    u    -    512    0    0.000    +0.000    0.000
Unreach/Pending    144.76.81.222    .INIT.    16    u    -    512    0    0.000    +0.000    0.000
Unreach/Pending    193.141.27.1    .INIT.    16    u    -    512    0    0.000    +0.000    0.000


root@OPNsense:~ # ntpdate -d 1.de.pool.ntp.org
6 Feb 17:38:41 ntpdate[25933]: ntpdate 4.2.8p15@1.3728-o Mon Jan 24 04:11:49 UTC 2022 (1)
arp: 00:08:9b:f1:71:16 attempts to modify permanent entry for 192.168.100.42 on igb0
transmit(136.243.66.91)
receive(136.243.66.91)
receive: server not found
transmit(65.21.190.104)
receive(65.21.190.104)
receive: server not found
transmit(94.16.114.254)
receive(94.16.114.254)
receive: server not found
transmit(176.9.157.155)
receive(176.9.157.155)
receive: server not found
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
136.243.66.91: Server dropped: no data
65.21.190.104: Server dropped: no data
94.16.114.254: Server dropped: no data
176.9.157.155: Server dropped: no data

6 Feb 17:38:50 ntpdate[25933]: no server suitable for synchronization found


ntptime
ntp_gettime() returns code 5 (ERROR)
  time e5aa7875.88488000  Sun, Feb  6 2022 17:40:21.532, (.258532356),
  maximum error 16871500 us, estimated error 16000000 us, TAI offset 0
ntp_adjtime() returns code 5 (ERROR)
  modes 0x0 (),
  offset 0.000 us, frequency 41.412 ppm, interval 4 s,
  maximum error 16871500 us, estimated error 16000000 us,
  status 0x41 (PLL,UNSYNC),
  time constant 3, precision 0.000 us, tolerance 496 ppm,
  pps frequency 41.412 ppm, stability 0.000 ppm, jitter 0.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.



Firewalls rule: floating
IPv4 TCP/UDP    This Firewall    *    *    123 (NTP)    *    *    NTP traffic for local NTP server
Allowed

PING 0.de.pool.ntp.org (173.249.33.207): 56 data bytes
64 bytes from 173.249.33.207: icmp_seq=0 ttl=54 time=27.121 ms
64 bytes from 173.249.33.207: icmp_seq=1 ttl=54 time=20.731 ms
64 bytes from 173.249.33.207: icmp_seq=2 ttl=54 time=20.546 ms
64 bytes from 173.249.33.207: icmp_seq=3 ttl=54 time=20.928 ms


I'm running out of ideas now, does anyone know something this stupid?
And much more important: a SOLUTION. :-)

#5
Hi,

Thanks for the hints.
I have now cleaned out the rules.
WAN still has one entry for the Fritzbox, which only acts as telephony server.
Floating is empty (apart from the generated entries)
LAN_100 has also become simpler.
With IPv4 TCP/UDP Source: ! (not) PIHOLE (192.168.100.13)   Port 53 (DNS) BEFORE the currently still needed "Default allow LAN to ANY" rule, blocking DNS requests that would otherwise go outside works as well...

So the problem is solved for now! Merci.

Then I can get down to planning my network / firewalling.
(WLAN via the Ubiquiti AP into its own subnet/VLAN, one subnet via VPN to the outside, some devices by default in this subnet, ) I think I will probably have to ask a few more things here... :-)

#6
Hi,

since yesterday I have a freshly set up opnSense 20.1.7 installation with the configuration imported from 17.7.x (the update function had been dead for a while)

I have had DNS-over-TLS configured in Unbound since 2018(??) and this morning moved it from General Options to Miscellaneous. Seems to work, too.

I have only WAN (192.168.10.x) and LAN (19.168.100.x) configured. OpnSense is the .3 in each.

I have a raspi running pi-hole. 192.168.100.13   Its DNS points to 192.168.100.3 (opnSense)
The DHCP server in opnSense hands out this .13 as DNS server, too.
That works. Clients using this DNS via DHCP are protected/blocked via pi-hole.

So now I want to enforce that DNS can ONLY be resolved via the pi-hole.
So in LAN_100 allow DNS 53 from pi-hole to OpnSense and block it from everyone else.
2 rules, 1 pass, 1 block.
So much for the theory.

If I set the DNS on my workstation manually to 8.8.8.8, requests to pages that should actually be blocked go through anyway.... :-(

Where is my error in reasoning, or what am I doing wrong?

In the rules PIHOLE is a host alias
Axel

#7
This was one of the first things I tried. Tried 3 different mirrors. Same result.
The strange thing is that I can reach the page for download from the browser, but pkg update cannot.
#8
Hi,
yesterday I tried to update OPNsense 18.7.5 via Check for Updates. Timeout....
I searched around, checked various things (DNS... and so on), tried pkg update -f:

Updating OPNsense repository catalogue...
pkg: Repository OPNsense load error: access repo file(/var/db/pkg/repo-OPNsense.sqlite) failed: No such file or directory
pkg: http://mirror.dataroute.de/opnsense/FreeBSD:11:amd64/18.7/latest/meta.txz: No address record

Internet access works fine, I have Unbound DNS with DNS over TLS activated.

Today I had the idea to check if I can get the file/the mirror site directly:
Pasted the http:// URL from the error message into the browser: And - yep, I get the index page for amd64/18.7/latest.

So what's wrong there? Why can't I get possible updates, when access is basically working?

Axel
#9
Quote from: mossi2000 on May 21, 2018, 03:41:07 PM
Quote from: bartjsmit on May 20, 2018, 08:42:56 PM
You can also return to a backup from before the certificate change.  Option 13 from the console.

Bart...
Thanks for the reply, this looks like it could work. I'll try that.

Yep! worked like a charm.
Ready for the next trial.... :-)
#10
Quote from: bartjsmit on May 20, 2018, 08:42:56 PM
You can also return to a backup from before the certificate change.  Option 13 from the console.

Bart...
Thanks for the reply, this looks like it could work. I'll try that.

#11
Quote from: fabian on May 20, 2018, 06:41:34 PM
You need to import the CA certificate into your Windows trust store to make it work because Chrome is using it. If you cannot continue, you can use Firefox or IE to download the CA certificate from OPNsense.
Thank you for the reply.

I know that I have to import TWO certificates: one for the self-signed CA. That worked, but the certificate for the site (OPNsense) failed.... and I can't find it locally...
And ALL the browsers request https, OPNsense answers (probably correctly) but due to the missing 2nd certificate the connection/authentication fails...
Currently there's no way (regardless of browser) to connect to the OPNsense firewall router using http/https.
#12
Hi,

I wanted to get rid of the no-https problem preventing me from using Firefox to access the OPNsense GUI and looked for a solution. I found a description of how to generate and install a self-signed CA and certificate.
The part on OPNsense worked fine. But on the client side (Windows, Firefox, Chrome) something went wrong (most probably I made an error myself) and now I can't access the GUI any more. :-(

Chrome gives me a NET::ERR_CERT_INVALID and when I click on the error I get:
PEM encoded chain, followed by two different certificates.

Can these help me to solve the problem? If yes, how?
I'm really not familiar with signing/certificates....

Axel
#13
Why use DHCP on the WAN interface to the modem?
Is the configuration of the LAN interface of the cable modem locked?
If not, I would always assign a fixed IP address in that network (e.g. 92.168.100.3 for the OPNsense WAN Ifc in that case).

One could even restrict this network to /31 or /28 to limit the possible IPs in the DMZ, but this is not necessarily needed.

In the case that the cable modem cannot deliver data, the interface to the OPNsense router should stay up.
If the cable modem forces a link-down on its NON-WAN interface when it loses connection on its WAN interface,
then I would consider this a BUG.

Just my 2cts
Axel
#14
Hi,

I just want to share my experience with OPNsense as my future FW/router when my internet connection will be FTTH (200 MBit/s down, 80 MBit/s?? up).

Coming from a 1.5 MBit/s DSL line this will be cool..

I planned to use VLANs and a LAGG link for the connection to the network (meanwhile all switches are smart/manageable) and use the Ubiquiti AP's capability to have multiple SSIDs using different VLANs (Guest, Family 2.4G, Power 5G, Geo-VPN). Captive Portal for Guests.

After the initial problems with the setup on the APU2C4 I started configuring... and every time I activated some VLAN-related setting in OPNsense or on a switch I ended up locked out....
The switches are easy, just reboot: since the changes were only applied but not SAVED to the configuration, a reboot helps.
With OPNsense, applying a setting directly adds it to the config.... and the last / lockout setting would come back after reboot.

I then understood that switching the network to VLAN cannot be done partially... it's all or nothing.
8-port PoE switch --- 24-port main switch  and  8-port switch in the office, 5-port switch near the TV..
I will have to thoroughly plan it...

Ok, to be ready, I decided to first start with a simple solution.
LAN, WAN and WLAN_AP networks on the APU2C4 interfaces.
OPNsense 17.7.12 on APU2C4 with serial console via Ethernet.

LAN, WAN are set up, AVM Fritzbox (former router and phone/VoIP master) moved to the network between DSL router and OPNsense. Avoids VoIP port forwarding.... but I want it back into LAN with VoIP data passing the FW.

When the fast internet pipe is up, I will exchange the DSL router for the fiber router, adjust IP addresses and it should work again.  (Fiber should already be working, but someone has left a cable with fibers unconnected in an underground cable distribution box somewhere in the village. Shall be fixed this week. I'm the first one in the village to have FTTH in the house.)

Currently the firewall rules allow all traffic.

I have configured DHCP on OPNsense and some static entries, forward the DNS to a pi-hole (which is the default DNS for the clients) and use the OpenDNS servers.
I can see that the DNS requests are being filtered, but I can't see the host names being resolved on the pi-hole.


I was looking at the traffic graphs. Nice. Insight nice.
But I'm still asking how I could get some nice statistical graphs for a day.... for top clients.
What I stumbled upon:
Currently my DSL line goes up to 1.9 MBit/s.
My PC was doing a GB+ Win10 update yesterday and today the line was saturated for more than an hour.
And the graphs for 24 hours just show a max. peak of 230 KBit/s and total in/out bytes of 160 MB...

After the last update of Firefox I'm unable to log in to the OPNsense Dashboard.
Before, I always had to add an exception for the self-signed certificate.
Now FF 58.01 tries to perform a TLS handshake and waits... and waits....
Switched over to Chrome: No prob. Tells me https.// NOT SECURE, but works.
Ok, started to read about Let's Encrypt. Hard stuff.
Did not find a good how-to for getting a certificate for a local web page.
What I found was some guy saying to get the certificate for a sub-domain of a real domain.
Using a real domain would simplify everything.

 
Enough for today, to be continued.
Axel



#15
Quote from: druplex on December 04, 2017, 08:00:51 PM
I have googled, searched on this forum but all answers provided have not yet solved my issue. Am trying to write the VGA image (v. 17.7.5) on to a USB drive so as to install on my desktop PC with the below specs;

Model: Dell optiplex 755
BIOS : A22
RAM: 2GB
HDD:160GB

I have tried using all software, i.e. Rufus, Win32 Disk Imager, but with no luck. Rufus says the "image is either not bootable or is not supported by rufus" while Win32 Disk Imager will write to disk but when I plug onto my
Druplex.

Hi,

I found Rufus to be reliable in creating bootable USB sticks.
Can you provide some more information:
- General: Are you able to boot from a USB stick with some other content (Clonezilla, Knoppix, other Linux...)?
- Rufus: You have to tell Rufus that the image is a dd image (drop-down list, default is FreeDOS...)
- Rufus: Did you bunzip the downloaded image? You specify/select the .img file.

Axel