Messages

1

Virtual private networks / How to route only specific networks/addresses over VPN?

« on: September 21, 2021, 02:03:42 pm »

I was happily using a US based VPN to get around the geolock for pandora.com (I don't live in the US).

I think an update might have broken that setup, so I'm trying to re-create it.

I have the US VPN connected as a VPN client and showing as connected in the status page.

Then I go to interfaces, and create a USVPN interface using ovpnc1 as the interface. Once I do that, I can't setup that interface to be DHCP for IPv4 (I'm getting an error message: "Cannot assign an IP configuration type to a tunnel interface.")

If I create the interface anyway and leave it at None for IPv4 config, and then add a rule on my LAN network in the firewall to pass packets to pandora.com over the USVPN gateway, the packets are caught by the rule but go over the regular WAN gateway instead; and pandora.com sees my non-US IP.

How do I selectively route packets to pandora.com over the US VPN, and all the rest over the regular WAN interface?

2

21.1 Legacy Series / Re: Is there a limit to the number of subnets I can put in a Shaper rule?

« on: May 03, 2021, 10:32:26 am »

I think this is working now in 21.1.5. ipfw has issues with "large" number of addresses in the rule syntax.


Cheers,
Franco

I updated to 21.1.5 and it indeed works now. Thanks!

3

21.1 Legacy Series / Is there a limit to the number of subnets I can put in a Shaper rule?

« on: April 23, 2021, 09:17:10 am »

I have tried making a shaper rule with over 100 subnets in it, and the rule just gets ignored. If I edit that rule to only have 10 subnets, then it shows in the live status page and it is actually enforced.

So is there a limit to the number of subnets we can put in any given shaper rule? What is that limit?

4

20.7 Legacy Series / Re: I tried to block all but approved DNS servers. It didn't do anything.

« on: November 13, 2020, 11:33:58 am »

Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

This rule is enabled by default. It should be removed and you should create your own ruleset. When you remove it, you'll still be able to access the GUI but your internet access will be blocked. So you should add the most important rules (destination ports 80 and 443 for example).

And you don't need any block rules (apart from some scenarios). If traffic is not allowed it will be blocked automatically.

I'm worried this would break a lot of things on my network, like consoles and other things that need uPnP to work.

5

20.7 Legacy Series / Re: I tried to block all but approved DNS servers. It didn't do anything.

« on: November 13, 2020, 11:30:37 am »

And also, what do I need to add so that devices with a hardcoded DNS that isn't one of the allowed ones get forwarded to the firewall instead?

6

20.7 Legacy Series / Re: I tried to block all but approved DNS servers. It didn't do anything.

« on: November 13, 2020, 11:27:01 am »

Well, that's embarrassing. I should move that rule all the way down, right? If I remove it all traffic will be blocked?

7

20.7 Legacy Series / I tried to block all but approved DNS servers. It didn't do anything.

« on: November 13, 2020, 11:17:52 am »

I'm trying to block all DNS queries, and only allow queries to the opnsense firewall's DNS or nextdns.io's DNS.

Attached is my config.

I try to enable or disable logging for these two rules and run `dig @1.1.1.1 example.com` but it never ever shows anything in the log (either in the web UI, or using option 10 on the serial/ssh console to opnsense) and it gets a response for any domain name I try. I would expect dig to timeout instead, and the firewall logs to show the packets were caught by the rule.

What's going on? How do I block ALL DNS queries and only allow devices inside my network to query OPNsense's internal DNS or nextdns'?

8

German - Deutsch / Verbindung zu Swisscom Glasfaser nicht möglich

« on: September 30, 2019, 08:32:35 pm »

Nutzt jemand OPNsense mit Swisscom FTTH? Ich kann es nicht zum Laufen bringen.....

Dies ist meine Konfiguration:

 


 


 


 

Code: [Select]

# /usr/local/etc/dhclient_wan.conf
interface "igb0_vlan10" {
        #DHCP Protocol Timing Values
        timeout 60;
        retry 15;
        select-timeout 0;
        initial-interval 1;

        #DHCP Protocol Options
        send dhcp-class-identifier "100008,0001,,OPNsense dhclient";
        script "/sbin/dhclient-script";
}

Wenn ich eine IP bekomme, die mit 100.x.x.x beginnt, dann kann ich zu swisscom.com/registration gehen, aber es fragt nach einem 6-stelligen Code, den ich nicht habe und bei dem der Kundenservice ahnungslos ist. Wenn sie fragen, welches Modem ich benutze und ich sage, dass es nicht das Swisscom-Modem ist, sagen sie: "Viel Glück, dass du alleine bist".

Wenn ich eine IP ab 85.x.x.x erhalte, kann ich nicht einmal auf die Swisscom-Registrierungsseite zugreifen.

Wie haben Sie Ihren FTTH-Anschluss mit OPNsense funktioniert?

9

18.1 Legacy Series / How to enable IPv6 dynamic DNS?

« on: July 10, 2018, 06:24:40 pm »

I have found the settings for IPv4 which is the default. But how do I update my he.net AAAA record on a dynamic IPv6?

10

Documentation and Translation / Step 1 for "Configure IPv6 Tunnel Broker" fails

« on: May 21, 2018, 02:07:26 am »

Here: https://wiki.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

In the screenshot, it shows that GIF tunnel local address should have /64 after the address.

If you try to save with that setting, the UI complains that this isn't a valid address. The only way to save the settings is to remove the /64.

I don't know if this is a bug in the form validation or if it is an error in the wiki. Either way, it's confusing and blocks the process.

Thoughts?

11

Web Proxy Filtering and Caching / How can I exclude domains from the caching proxy?

« on: May 19, 2018, 11:49:05 pm »

For example, I don't want Spotify (which I pay for) to get a free ride and fill up my cache with music. I'd rather cache useful stuff like apt packages etc.

How do I tell squid to not cache certain domains and their subdomains? I don't want a particular host to bypass the proxy and cache, and I want to use domain names rather than IPs.

Is there a way? Or can I edit the squid.conf file manually and add it there? The header in the file says not to.

12

18.1 Legacy Series / Squid eating up all my free space despite max cache size limit set

« on: May 19, 2018, 10:46:37 pm »

I have setup a squid transparent proxy, my SSD is 16GB and I have set the limit for Squid's cache (under General proxy settings > show advanced > Cache size in MB) to 8500.

And yet I was bitten again: squid used up all the free space, the disk was full, and OPNsense freaked out. I was lucky this time, I was able to make some space and reboot (it got corrupt last time and I had to reinstall).

df -h shows I have 13G on /, out of which 1.8G are used by OPNsense (that's what I have after deleting squid's cache). So why is a hard limit on the cache size of 8.5G still makes it use up all the free space?

Code: [Select]

root@router:~ # df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs     13G    1.8G     11G    14%    /
devfs              1.0K    1.0K      0B   100%    /dev
tmpfs              2.8G    308K    2.8G     0%    /tmp
devfs              1.0K    1.0K      0B   100%    /var/dhcpd/dev

What am I missing? How much space does OPNsense need to live happily?

13

17.7 Legacy Series / Re: Filebeats and Logstash

« on: March 23, 2018, 08:41:12 pm »

Trying to achieve that as well. Any luck OP?

14

18.1 Legacy Series / Router defaulting to the wrong route for OPT1

« on: February 18, 2018, 04:31:32 pm »

My configuration is as follows:

igb0 is WAN
igb1 is LAN (192.168.1.0/24)
igb2 is OPT1 (192.168.0.0/30)

I have added rules to OPT1's firewall to let traffic through. I don't think I need to add anything to LAN's rules?

But I can't ping 192.168.0.2 from the LAN or the router. I can ping 192.168.0.1.

When I take a look at the routes, it knows that 192.168.0.0/30 should go on Link#3, but 192.168.0.2 goes out the WAN gateway.

Why is that? How does it make any sense if 192.168.0.0/30 is on Link#3? Why would it send 192.168.0.2 out WAN?

15

18.1 Legacy Series / Re: Can't access device on OPT1 from LAN

« on: February 18, 2018, 12:00:54 am »

Nevermind, it's an issue with the device not remembering its default gateway