Messages - Vincent Chen

#1
Thanks Bob.

After changing the WireGuard peer Allowed IPs setting to 0.0.0.0/0, the connection to the VPN
provider works fine now.

I have a lot to learn about WireGuard VPN.

#2
Virtual private networks / Wireguard to VPN provider
August 07, 2025, 09:35:54 AM
Hi, all

My OpenVPN server and OpenVPN connection to the VPN provider worked fine in 25.1. After upgrading to 25.7,
it seems the VPN connection needs a certificate from the VPN provider now. Is this true?

Now I have tried to connect to the VPN provider through WireGuard but have not succeeded yet. Here is the
configuration; I hope someone can correct what I am doing wrong.

1. Create WireGuard instance
Name: Surfshark
Public key: *****
Private key: *****
Listen port: 51820
Tunnel address: 10.14.0.2/16
Peer: SurfsharkJP
Disable routes: checked

PS: I am confused why I need a WireGuard server occupying a listen port just to establish a VPN client connection.

2. Create WireGuard peer
Name: SurfsharkJP
Public key: *****
Allow IP: <my vlan subnet>
Endpoint address: *****
Endpoint port: *****
Instances: Surfshark

3. Check WireGuard status
ok wg0 interface Surfshark 51820
ok wg0 peer SurfsharkJP ***** 41s 202k 61k

4. Assign interface
Surfshark wg0 enable

5. NAT rule
Surfshark any    *    *    *    Interface address    *    NO

6. Surfshark rule
pass IPv4 *    *    *    *    *    *    *

7. VLAN rule
pass IPv4 *    VLAN net    *    *    *    GW_Surfshark    *

8. Gateway

GW_Surfshark Surfshark IPv4 255 10.14.0.1

With the above configuration, VLAN net cannot resolve DNS.
I can see 10.14.0.2 connecting to 8.8.8.8 UDP 53 passed, but it never receives any IP address.

Thanks for your help,
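The behaviour behind posts #1 and #2 is WireGuard's cryptokey routing: a peer's Allowed IPs both selects which peer an outbound packet is encrypted to and filters the source address of decrypted inbound packets, so a peer limited to the VLAN subnet can never carry a query to 8.8.8.8 or its reply. The following Python model is an added illustration, not OPNsense or WireGuard code; the VLAN subnet 192.168.20.0/24 and the peer table are constructed sample values.

```python
import ipaddress
from typing import Optional

# Constructed peer tables (sample data, not the poster's real configuration).
# Left: the original setup with Allowed IPs = the VLAN subnet (placeholder value).
# Right: the fix from post #1, Allowed IPs = 0.0.0.0/0.
PEERS_VLAN_ONLY = {"SurfsharkJP": ["192.168.20.0/24"]}
PEERS_DEFAULT = {"SurfsharkJP": ["0.0.0.0/0"]}


def select_peer(peers: dict, dst: str) -> Optional[str]:
    """Outbound cryptokey routing: choose the peer whose Allowed IPs contains dst,
    preferring the longest prefix. None means no peer matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(peers: dict, peer: str, src: str) -> bool:
    """Inbound check: a decrypted packet from `peer` is accepted only if its source
    address lies inside that peer's Allowed IPs; otherwise WireGuard silently discards it."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n
               for n in map(ipaddress.ip_network, peers[peer]))


def dns_query_path(peers: dict, resolver: str = "8.8.8.8") -> dict:
    """Model the DNS query from post #2: can it leave through the tunnel, and would the
    resolver's reply be accepted back through the same peer?"""
    peer = select_peer(peers, resolver)
    if peer is None:
        return {"sent": False, "reply_accepted": False}
    return {"sent": True, "reply_accepted": accept_inbound(peers, peer, resolver)}


if __name__ == "__main__":
    for label, table in (("VLAN subnet only", PEERS_VLAN_ONLY), ("0.0.0.0/0", PEERS_DEFAULT)):
        print(f"Allowed IPs = {label}: {dns_query_path(table)}")
```

The firewall log shows the query as passed because pf evaluates the rule before the packet reaches wg0, where the cryptokey lookup then fails. With 0.0.0.0/0 on a FreeBSD/OPNsense instance the "Disable routes" option matters, since otherwise a default route would be installed for the tunnel; the poster's policy-routing gateway GW_Surfshark is the intended way to steer only the VLAN through it.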
#3
Thank you very much for your reply.

If I set up auto-update rules every day, will I
receive the newest Dshield and Spamhaus block lists
on a daily basis?

If that is the case, these two lists should
be good and reliable block lists to use.

#4
Hello, everyone

I just turned on my Suricata IPS and found it useful. Currently I drop traffic with the following rules,
and a lot of DNS garbage traffic disappeared:

ET DROP Dshield Block Listed Source group *
ET DROP Spamhaus DROP Listed Traffic Inbound group *

What I am curious about is whether Suricata will receive Dshield and Spamhaus list updates frequently.
I googled around and found that some similar rules on GitHub are very old.

Thanks,
#5
Hi, all

I downloaded the config from my old device, whose Ethernet interfaces are igbX, and changed them to igcX. Then I uploaded this config to my new device.

After reboot, everything works as usual, but now the web UI is blocked. Is it possible to get web UI access without resetting to factory defaults and applying every setting manually?

BTW: I opened the Firefox developer console when accessing the web UI and see ns_binding_aborted or ns_error_net_timeout.


-----

After a factory reset and uploading the config again, it's working normally now. Strange.

#6
Thanks for giving me a good idea to start.

Let me share my experience:

Environment
The SG-250 has 2 VLANs with IDs 1 and 2; OPNsense connects to VLAN 1.

OPNsense side
1. Add a VLAN with ID 2
2. Assign an interface for VLAN 2
3. Enable the DHCP service on VLAN 2

SG-250
1. Configure the OPNsense port as a trunk

That's all.

#7
Hardware and Performance / DHCP service for multiple VLAN
February 15, 2022, 03:36:25 AM
Hello, everyone

I just got a Cisco SG-250 switch and plan to create 2 VLANs on it.
OPNsense will connect to VLAN1. Is it possible to assign IPs to
VLAN2 from the OPNsense DHCP service? I googled and found a similar
topic from years ago, and it says it is not possible.

If OPNsense cannot help, I should build a DHCP server on VLAN1 and
use the SG-250 DHCP relay feature to assign IPs to VLAN2. Is this idea
correct?

Thanks,
#8
Hi, all

I am running OPNsense 19.1.8. If I uncheck the 'Password protect the console menu' option, I can see the full-function menu in the serial console. If I check the 'Password protect the console menu' option, I get a login prompt. I tried to log in using an account which works for the web UI, but I got a 'this account is currently not available' error and was returned to the login prompt.
Is there anything I should check to get serial console access?

Thanks,
#9
Please take a look at this topic:

https://forum.opnsense.org/index.php?topic=12092.0

It seems to be the same issue; it might help.
#10
I just migrated to OPNsense today and got the same issue. Here is how I solved this problem:

When creating a certificate for the OpenVPN server, you should have 'X509v3 key usage' and
'X509v3 Extended key usage' options. My first certificate only had 3 'X509v3 key usage' values
(digital signature, non repudiation, key encipherment), and this certificate would not work and instead
showed the error described above. When creating the second certificate, I also selected 3 'X509v3 Extended key usage' values
(TLS web server, TLS web client, code signing), and this one was accepted by the OPNsense OpenVPN
server.

Hope this helps
#11
Thank you very much for your advice. That explains why even an Intel Core i3 CPU cannot speed up network performance. My NICs are all PCI interface. I will try to replace the NICs with PCIe ones.
#12
I thought the HD was the bottleneck at first, until I borrowed this network appliance. OPNsense has 2 interfaces, DMZ and LAN. The FTP server is connected to DMZ and my PC is connected to LAN. If the OPNsense hardware is the network appliance described in the earlier post, transfer speed from DMZ to LAN can be up to 100Mb per second. If the OPNsense hardware is my old PC, transfer speed from DMZ to LAN drops to 50Mb per second. Upgrading the PC's CPU does not increase transfer speed. I can't figure out why the PC's transfer speed is slower than the network appliance's.
BTW: the PC's NIC chip is Intel 82540EM.

#13
Hello, all

I am new to the forum and have used OPNsense for a while. I borrowed a network appliance similar to a Qotom, a small desktop equipped with an Intel Celeron N3060 and 4 i211 network ports, which can transfer files using FileZilla at up to 100MB per second. But my own device is an old PC with an AMD Sempron 2200 CPU and 2 Intel PRO/1000 network adapters for LAN and DMZ; this old PC can transfer files from DMZ to LAN using FileZilla only at up to 50MB per second. I tried to upgrade this old PC with an Intel Core i3 560 CPU and motherboard once, but transfer speed was still limited to 50MB per second. I wonder what the bottleneck limiting my old PC's network performance is and how to improve it.

Any advice would be appreciated.