Messages

1

24.7 Production Series / Re: upgrade to 24.7.4 worked perfectly

« on: September 17, 2024, 07:33:42 pm »

Smooth as silk. New Dashboard looks easy to customize.
As I have heard, this release was not easy and smooth as silk .

And that's exactly why: Many thanks to all developers and contributors!

2

23.7 Legacy Series / Re: Full NAT and IPSec

« on: January 19, 2024, 11:24:04 am »

First of all. 192.0.0.0/24 is not a RFC1918 (e.g. its a public ip range), so somewhere its "correct" routed to public internet. Before you can test the NAT you need to solve the routing issue. Is the Opnsense the only default gateway used on the 10.0.0.2 side? Do you see a routing table entry on the opnsense for both networks going into the tunnel? Are there two SA created for it under the ipsec section?

3

23.7 Legacy Series / Re: Help with Selective Routing (wireguard & AirVPN)

« on: January 12, 2024, 02:12:08 pm »

I have AirVPN configs downloaded to my laptop and iPhone and they are blazingly fast.

Try to play with the MTU (On both sides same value - Dont know if your VPN service published their MTU).
Something between 1412 and 1380 should do the trick.
It also depends a bit on IPv4 only or IPv6.
You can try it by hand or follow this guide and test it with iperf: https://gist.github.com/nitred/f16850ca48c48c79bf422e90ee5b9d95

4

23.7 Legacy Series / Re: NAT through wireguard tunnel

« on: January 05, 2024, 02:32:33 pm »

Try to add a SNAT Rule on the dedicated to be inside the 10.90.0.0/24, if this net is included in the wireguard tunnel, it should work. Because now it seems that the public client ip from the request goes into the tunnel. You have to translate the request into something "private" which is included in the tunnel.

5

22.1 Legacy Series / 22.1.9 - DHCPv6 PPPoE Issues

« on: July 07, 2022, 09:35:19 am »

Hi,

I know that there are plenty problems with this combination but mine should be "fixable".
Every night I found out that my PPPoE goes down, maybe because of the forced disconnect by Telekom Deutschland, anyway after this disconnect it seems DHCPv6 are not longer working. Is somehow alive:

Code: [Select]

root@gw:~ # ps auxww | grep dhcp
root 85069   0.0  0.1  12796   2244  -  Is   08:38       0:00.14 /usr/local/sbin/dhcp6c -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid
But the web interface shows a red stop sign and its not possible to start it from there. The only way to bring it back to life is to kill it and start it again both via CLI.

Code: [Select]

root@gw:~ # kill -15 85069

root@gw:~ # ps auxww | grep dhcp
root 50303   0.0  0.0    432    248  0  R+   08:21       0:00.00 grep dhcp

root@gw:~ # /usr/local/sbin/dhcp6c -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid

root@gw:~ # ps auxww | grep dhcp
dhcpd  5501   2.3  0.5 22600 10364  -  Ss   08:21       0:00.02 /usr/local/sbin/dhcpd -6 -user dhcpd -group dhcpd -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid re1_vlan2 re1
root   6550   2.2  0.1 12652  1768  -  Ss   08:21       0:00.00 /usr/local/sbin/dhcpleases6 -c /usr/local/sbin/configctl dhcpd update prefixes -l /var/dhcpd/var/db/dhcpd6.leases
root  94878   0.0  0.1 12796  2100  -  Ss   08:21       0:00.00 /usr/local/sbin/dhcp6c -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid
The relevant log just stops here:

Code: [Select]

<190>1 2022-07-07T03:29:00+02:00 gw.shade.sh dhcpd 7982 - [meta sequenceId="2"] Reply NA: address 2003:cd:d705:a100::1b2d to client with duid 00:01:00:01:25:1e:c1:c1:b8:27:eb:2f:cf:98 iaid = -349188200 valid for 7200 seconds
<190>1 2022-07-07T03:29:00+02:00 gw.shade.sh dhcpd 7982 - [meta sequenceId="3"] Sending Reply to fe80::783c:69eb:a1:416b port 546


6

General Discussion / Re: Cannot get forced redirect of DNS to Pihole

« on: May 11, 2021, 02:28:30 pm »

To solve things like this:

Code: [Select]

dig @8.8.8.8 heise.de   
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
;; reply from unexpected source: 10.20.30.4#53, expected 8.8.8.8#53
Where 10.20.30.4 is one of my internal DNS server.

7

21.1 Legacy Series / Upgrade failed with "Newer FreeBSD version"

« on: February 13, 2021, 02:46:19 pm »

Hey,

after upgrading to 21.1 the system cannot be upgraded to newer versions.
I always get a mismatch in freebsd version for different packages.
E.g.

Code: [Select]

root@gw:~ # pkg update
Updating FreeBSD repository catalogue...
Fetching packagesite.txz: 100%    6 MiB   6.4MB/s    00:01   
Processing entries:   0%
Newer FreeBSD version for package php73-pear-channel-horde:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1202000
- running kernel: 1201000
Ignore the mismatch and continue? [y/N]:
pkg: repository FreeBSD contains packages for wrong OS version: FreeBSD:12:amd64
Processing entries: 100%
Unable to update repository FreeBSD
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Error updating repositories!
root@gw:~ # uname -a
FreeBSD gw 12.1-RELEASE-p12-HBSD FreeBSD 12.1-RELEASE-p12-HBSD #0  3c6040c7243(stable/21.1)-dirty: Mon Jan 25 12:27:52 CET 2021 root@sensey:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

8

20.1 Legacy Series / Re: Multiwan conection issue / dpinger latency

« on: July 02, 2020, 11:37:09 am »

Looks like for now "Disable State Killing on Gateway Failure" is a solution for that. I have to test what happens when my main line is down - Would be really nice to have such a feature only for the non active gateway.

9

20.1 Legacy Series / Re: Multiwan conection issue / dpinger latency

« on: July 01, 2020, 03:47:39 pm »

I already tried with different priorities (255 on LTE backup and 254 on main line). No change in behavior when the LTE backup reached the threshold e.g. is offline.

Could be "Disable State Killing on Gateway Failure" a solution for that?

My problem is, i have a lot MQTT devices in different VLANs, every time the LTE Backup have a problem, the MQTT devices also disconnects because the OPNSense is the gateway and firewall for my VLANs at home.

Looks like there is already a discussion about this: https://github.com/pfsense/pfsense/pull/4159

10

20.1 Legacy Series / Re: Multiwan conection issue / dpinger latency

« on: July 01, 2020, 03:09:03 pm »

Same problem here with LTE as backup... the whole gateway has a short hicup when the Backup Line is dead or has reached the threshold.

https://forum.opnsense.org/index.php?topic=16666.msg76127#msg76127

11

20.1 Legacy Series / Re: Dual WAN - WAN2 should really be used only in case WAN1 is dead (WAN2 metered)

« on: April 20, 2020, 08:52:26 pm »

Are you sure you're using a Active / Standby Setup? I have here a similar setup (VDSL with LTE backup). If my VDSL is stable for a long time, i only have a very few data (from the ping monitoring) on my LTE WAN. There should be no DNS resolving on Tier2 (WAN2) if you're using it as standby line. It's not recommended to disable gateway monitoring if you're using a multi wan setup. Afaik you have to set gateway priority only if you're using a active / active setup with load balancing over both lines.

12

20.1 Legacy Series / Re: Question about "let anything out from firewall host itself"

« on: April 18, 2020, 07:51:49 pm »

The Rule "let out anything from firewall host itself" you are searching is under "Floating" Rules Tab and there on the upper right you'll find a symbol named "Automatically generated rules".

13

20.1 Legacy Series / Re: syslog and syslog-ng

« on: April 17, 2020, 03:40:19 pm »

And... I do not have syslogd on any potential receiving server, but only systemd-journald. Can I use that also?
Thank you.

Don't think so... you need at least rsyslogd or syslogd installed and configured to receive logs from remote devices.

14

20.1 Legacy Series / Re: syslog and syslog-ng

« on: April 17, 2020, 03:32:40 pm »

Should be listed there, look at the screenshot.
Btw. syslog-ng is for remote-logging and syslog for local logging.

15

20.1 Legacy Series / Re: IPsec VPN Problem 20.1.4

« on: April 16, 2020, 11:34:22 am »

Don't think a Signal 6 had something to do with the SA Lifetime... this looks like a more serious error to me.