Messages

1

Development and Code Review / ArrayField->getNodes() returns empty array after write_config()

« on: February 25, 2020, 09:00:44 pm »

After a write_config(), getNodes() returns null/empty array for type ArrayField.
Don't know if this is a bug or me just missing how to refresh the config.

Example model test script attached.

2

18.1 Legacy Series / Re: /usr/local/etc/bogonsv6 too big

« on: April 07, 2018, 10:11:20 pm »

Not setting the maximum table entries to an appropriate size when bogons v6 is enabled is a bug in my opinion.  Whether or not some other product does is irrelevant.

Been running maximum table entries at 1,000,000 "forever" precisely for this reason.  But it should be set to an appropriate size automatically when/if bogons v6 is enabled.

3

18.1 Legacy Series / Re: When is 18.1.6 going to be released?

« on: April 06, 2018, 05:56:50 am »

15.1.1 2015-01-12
15.7.1 2015-07-08
16.1.1 2016-02-02
16.7.1 2016-08-02
17.1.1 2017-02-09
17.7.1 2017-08-31
18.1.1 2018-02-02

Past performance is not a guarantee of future results.  But your rough estimate doesn't look promising. 

4

General Discussion / Re: Blocking incoming traffic at the LAN/OPT level instead of the WAN

« on: April 05, 2018, 09:22:41 pm »

Not that I'm aware of.

Interface rules are only applied to ingress traffic on the interface.
Floating rules can be configured as ingress and/or egress.

WAN ingress traffic is egress on the interface it is routed to.
To evaluate traffic at the routed to interface a floating egress rule would be needed.

In most cases it is typically better to leave everything blocked at the WAN and only open/NAT the things that are needed.  Allowing the WAN to be wide open puts the router at higher risk of compromise.  Don't think you'll find this to be a very common practice for an internet facing WAN.  Certainly not a BKM.  It may seem like more work, but think a compromised router would end up being far more work and impact.

5

18.1 Legacy Series / Re: When is 18.1.6 going to be released?

« on: April 05, 2018, 08:47:05 am »

I've been waiting for 18.1.6 to release so I could ask when 18.1.7 will be released.

A watched pot never boils.

6

General Discussion / Re: Blocking incoming traffic at the LAN/OPT level instead of the WAN

« on: April 05, 2018, 08:30:18 am »

If I tell WAN to just pass the traffic through, even if I have a rule blocking ICMP on VLAN 5, it still goes through. As well as I can tell, this is because when the rule was matched to accept the traffic at the WAN level, it stopped caring about everything else and just let it go on through.

Nope.  That's not how it works.  Interface firewall rules are applied on ingress.  Traffic route to VLAN is egress.  So VLAN interface rules will not be applied.

How do I set this up? Basically I just want WAN wide open so I can filter incoming on my VLANs as I see fit.

With floating rules.  They can be configured for ingress and/or egress.

I know you didn't query for opinions.  But I'm with elektroninside.  Traffic is typically best block earliest possible.

7

18.1 Legacy Series / Re: How difficult is it to get an OpenVPN server working, really?

« on: April 01, 2018, 10:31:48 am »

If the objective is to manage their network for them (what it sounds like in your original message).  Then road warrior may be better than site to site.  With site to site you have to be at one of the sites.  Road warrior would provide remote access from anywhere.

Site to site is what you want if the two sites are to be like "one".  For instance you use their stuff like servers printers etc. and likewise they use your stuff.  All as though it is "local".

8

18.1 Legacy Series / Re: How difficult is it to get an OpenVPN server working, really?

« on: April 01, 2018, 03:35:38 am »

Think your questions can be answered by backing up your system and going through the process.

Setup SSL VPN Road Warrior
https://wiki.opnsense.org/manual/how-tos/sslvpn_client.html

IMO it is not difficult.

9

18.1 Legacy Series / Re: OpenVPN with unbound dns leak

« on: March 31, 2018, 02:38:16 am »

However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

Maybe there is an unbound config option that needs to be adjusted.
I use local zone type static and custom options local-zone: "home" static where "home" would be your domain.  Don't know if relevant to your situation but maybe some things to research.

Also if the DNS Query Forwarding option is enabled, maybe try disabling.

10

18.1 Legacy Series / Re: OpenVPN with unbound dns leak

« on: March 30, 2018, 09:26:39 pm »

Which OpenVPN configuration options have you tried?  There are some that relate to DNS.

Don't know if still the case but in the past I had to use "block-outside-dns" in order to keep road warrior clients from using DNS of the local network they were on.

Maybe there is something similar for your situation.

11

General Discussion / Re: For all ill-intentioned pfsense fans

« on: March 27, 2018, 11:14:20 pm »

Sound like the political climate here in the US where we have trolls everywhere trying to discredit.

Heard a term recently that I think describes it pretty well.

Welcome to the "post-truth world we are living in".  The house of falsehood cards will ultimately collapse.  But until then watch your back and don't take anyone's word for anything.  Especially if it comes from ANY means of mass communication.  Consider it to be false propaganda.

What makes it possible is the masses with no discernment ability i.e. lack of critical thinking skills.  Largely a result of government schooled brainwashing.

Makes it so easy for politicians to whip people up into a frenzy with false and misleading propaganda.

12

General Discussion / Re: For all ill-intentioned pfsense fans

« on: March 27, 2018, 01:33:33 pm »

I get the sense that some people here are overly sensitive.  But I could be wrong, they may be ultra sensitive, so I won't call out any names.

13

18.1 Legacy Series / Re: Firmware Update Fails

« on: March 27, 2018, 04:30:12 am »

Another suggestion that I have is regarding disabling the list of every single update from the day OPNsense was launched (15.1) Since all branches other than 18 is not supported or even revertible to having this in the update tab serves no purpose as the information is available on the OPNsense webpage anyway.  It would be much cleaner to have only the last few updates listed (maybe 4)

Then don't click the "Click to view full changelog history." link.

They are already disabled by default.  Only the most recent dozen show here.

As for serves no purpose; au contraire!  It is very convenient to look at change history for a fix etc.

14

General Discussion / Re: No console menu after update

« on: March 22, 2018, 11:22:15 pm »

System: Firmware: Updates: Check for updates
There are 31 updates available, total download size is 107 MB. This update requires a reboot.
Update now
The firewall will reboot directly after this firmware update.
The upgrade has finished and your device is being rebooted at the moment, please wait... 

No console menu

Have never changed the tunables.  Don't see anything there that would expect to disable or lock console menu.

Applied the patch and rebooted.
opnsense-patch bf658e80
reboot

Still no console menu

15

General Discussion / No console menu after update

« on: March 22, 2018, 07:46:31 am »

No console menu after update

Before and after config diff doesn't show anything that would expect to disable/lock console menu.  Doesn't seem to be anything else unusual.  SSH as root still works.

Haven't seen anyone else mention it so may be a me thing.

Same for both production and devel.

opnsense-update -t opnsense

OPNsense 18.1.5-amd64
FreeBSD 11.1-RELEASE-p8
LibreSSL 2.6.4

opnsense-update -t opnsense-devel

OPNsense 18.7.a_264-amd64
FreeBSD 11.1-RELEASE-p8
LibreSSL 2.6.4