Messages - privateer

#1
Hi,
I don't know what your needs are, but I would avoid exposing the NAS directly to the outside, especially on a well-known port. Better to connect via VPN and access it that way.

#2
Italian - Italiano / Re: OPNsense and wake-on-LAN
July 31, 2018, 12:08:22 PM
hi,
on opnsense there is a plugin for wake on lan; the problem is remote access, which has to be done via vpn on the firewall (opnsense) and not on the vdsl router.

Andrea
#3
18.1 Legacy Series / Re: DNS not resolving
May 16, 2018, 12:20:11 PM
"RR" is not something i wrote anywhere, it comes from opnsense (intended as "from the service")
#4
18.1 Legacy Series / Re: DNS not resolving
May 16, 2018, 11:48:00 AM
as far as i can remember maybe there's a client without hostname which actually has an ip given by the dhcp.
and the ip 192.168.0.100 is free...
#5
18.1 Legacy Series / Re: DNS not resolving
May 15, 2018, 11:51:42 AM
i had to rebuild the firewall since i believe the configuration was completely f**ked.
now Unbound dns is working but if i check the option "Register DHCP leases in the DNS Resolver" the service stops. to start it again i have to uncheck the flag.
in the log there are these errors:

May 15 11:49:56   unbound: [97525:0] fatal error: Could not set up local zones
May 15 11:49:56   unbound: [97525:0] error: Bad local-data RR .tortuga.local IN A 192.168.0.100

but i don't really know what they mean...
#6
18.1 Legacy Series / Re: DNS not resolving
May 02, 2018, 03:40:12 PM
Quote from: phoenix on April 30, 2018, 07:27:49 PM
I'd suggest you remove the localhost IP from the first entry, if you actually have a DNS server running on the firewall LAN IP then change it to that.
nothing changed after this try...
#7
18.1 Legacy Series / Re: DNS not resolving
April 30, 2018, 07:41:11 PM
Quote from: phoenix on April 30, 2018, 07:27:49 PM
I'd suggest you remove the localhost IP from the first entry, if you actually have a DNS server running on the firewall LAN IP then change it to that.
uh, i forgot to delete it, that was one of the many things i tried...
#8
18.1 Legacy Series / DNS not resolving
April 30, 2018, 07:13:01 PM
Hello,
after something happened that i don't know about, the dns server on my firewall is not resolving anymore.
attached is the screenshot of my setup.

if i run a dns lookup from a client (DHCP gives the firewall ip as first dns to the clients) i get a time out, what am i missing?

Andrea
#9
18.1 Legacy Series / Re: cron to check wan ip?
April 01, 2018, 04:31:22 PM
thanks a lot, i'll try it soon!


Quote from: marjohn56 on March 30, 2018, 11:37:23 PM
This is basically the script you need to run, you'll need to set up the cron event to run it

It's very simple, it uses ifconfig to look for the ipv4 IP address, if it starts with 100. then it will take down the WAN interface, wait 5 seconds and bring it back up.

You'll need to set the parent interface name to match yours... and as an afterthought change it to pppoe0. :)

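#!/bin/sh
# Testing for invalid wan IP

# Parent interface to bounce; set this to match yours
interface="igb0"

# Matches "inet 100." in the ifconfig output
test_string="net 100."
result=$(ifconfig pppoe1 | grep "inet ")

# If stripping the match changes the string, the WAN IP starts with 100.
if [ "$result" != "${result%"$test_string"*}" ]; then
    ifconfig "$interface" down
    sleep 5
    ifconfig "$interface" up
fi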

#10
18.1 Legacy Series / Re: cron to check wan ip?
March 30, 2018, 03:00:41 PM
That's correct, it's a private class used by the ISP due to a lack of public ip. Extracted from your second link:

Quote: [...] It is anticipated that Service Providers will use this Shared Address Space to number the interfaces that connect CGN devices to Customer Premises Equipment (CPE). [...]

here you can see my connection log:

Mar 26 08:08:16 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 100.115.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
Mar 26 06:29:23 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 78.134.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
Mar 26 04:28:04 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 78.134.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
Mar 22 16:27:39 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 78.134.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
Mar 20 19:06:21 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 78.134.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
Mar 20 19:04:16 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 100.119.X.X) (interface: EOLO[wan]) (real interface: pppoe0).
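
Added example, not part of the posts above or of OPNsense: the Shared Address Space quoted here is 100.64.0.0/10 (RFC 6598), which is narrower than a match on the "100." prefix. This sketch extracts the address from a constructed ifconfig sample and flags only Shared Address Space or RFC 1918 addresses; the function names and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: classify a WAN IPv4 address before deciding to reconnect.

# Print the first IPv4 address found in ifconfig-style text on stdin.
wan_ipv4() {
    awk '$1 == "inet" { print $2; exit }'
}

# Return 0 if $1 is in 100.64.0.0/10 (RFC 6598) or an RFC 1918 range,
# 1 if it is any other valid IPv4 address, 2 if it is malformed.
is_non_public() {
    case $1 in ''|*[!0-9.]*|*.) return 2 ;; esac
    _old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 2
    for _o in "$@"; do
        case $_o in ''|????*) return 2 ;; esac
        [ "$_o" -le 255 ] || return 2
    done
    # 100.64.0.0/10: first octet 100, second octet 64..127
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 0; fi
    if [ "$1" -eq 10 ]; then return 0; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 0; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 0; fi
    return 1
}

# Return 0 if the interface text in $1 carries a non-public address.
needs_reconnect() {
    _addr=$(printf '%s\n' "$1" | wan_ipv4)
    [ -n "$_addr" ] || return 2
    is_non_public "$_addr"
}

# Constructed sample output (addresses are made up for illustration).
SAMPLE_CGN='pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING> metric 0 mtu 1492
	inet 100.115.0.10 --> 100.64.0.1 netmask 0xffffffff'
SAMPLE_PUBLIC='pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING> metric 0 mtu 1492
	inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffffff'

for _s in "$SAMPLE_CGN" "$SAMPLE_PUBLIC"; do
    if needs_reconnect "$_s"; then
        echo "non-public WAN address: reconnect"
    else
        echo "public WAN address: nothing to do"
    fi
done
```

On a live system the text would come from `ifconfig pppoe0` instead of the sample variables.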
#11
Italian - Italiano / Re: opnsense and local dns
March 26, 2018, 11:35:51 AM
good to know, i had the same problem...
#12
18.1 Legacy Series / cron to check wan ip?
March 26, 2018, 10:55:01 AM
Hi,
my opnsense uses pppoe to connect to the internet. sometimes my isp assigns me a private ip (100.xxx.xxx.xxx) which doesn't allow me to VPN home using dyndns. is there a way to check the wan ip address and force a reconnect if it is a private one?

Andrea
#13
Quote from: hutiucip on February 19, 2018, 08:47:27 AM
I don't use them ("inappropriate"), I use only p2p. Everything else I block by port or by DNS.

ok, i'm finally going this way too. but now i have a little OT question: how do you handle different blocking profiles by DNS? i mean: i have 2 subnets, i would like to have a very restrictive profile on subnet 1 (guests) and a more permissive one on subnet 2 (private lan)
#14
but....at this point.... maybe the "ET open/emerging-inappropriate" rules are almost... useless?
#15
Cool! if my tests won't be successful i'll give this a try.