Messages - abij

#1
Hello,

I added a Mediatek MT7921 WiFi M.2 adapter to my J3455-ITX board, but there are no available devices in the web GUI.

Interfaces -> Wireless -> Devices -> (click add) -> Parent interface (nothing selected): the drop-down menu contains nothing.

The PCI dump shows in the relevant section that the device is 'none2':

# pciconf -vl
none2@pci0:2:0:0:       class=0x028000 rev=0x00 hdr=0x00 vendor=0x14c3 device=0x7961 subvendor=0x17aa subdevice=0xe0bc
    vendor     = 'MEDIATEK Corp.'
    device     = 'MT7921 802.11ax PCI Express Wireless Network Adapter'
    class      = network

The driver I used is from the FreeBSD repo, after editing /usr/local/etc/pkg/repos/FreeBSD.conf:

https://www.freshports.org/net/wifi-firmware-mt76-kmod/

pkg install wifi-firmware-mt76-kmod

Any ideas on how to make the WiFi adapter available in OPNsense?

Is it possible for the OPNsense team to add the WiFi firmware to the OPNsense package repo?

Thanks in advance.
#2
22.1 Legacy Series / Re: os-ddclient
February 17, 2022, 12:47:23 PM
Hello,

I have upgraded my OPNsense instance to the latest 22.1.1_1. But is there a way to enter '@' (without quotes) as the hostname in the GUI setting?

Services: Dynamic DNS: Settings -> Edit account: hostname

Currently, if I use @, I cannot save because an error message pops up:

'please specify a valid address (IPv4/IPv6) or hostname'

I can log into the console and edit ddclient.conf manually to use @ as the hostname, but that won't persist after a reboot.

Thanks,
AG
#3
Hello,

As of now, we can use Services: Intrusion Detection: Administration to add user-defined rules to block domains associated with a given SSL fingerprint. This is a manual process, since when defining the rules we have to copy and paste the SHA1 of the certificate. Is there a way to update the rule automatically when the cert expires? E.g., say

35:00:2E:BF:32:62:B6:6D:0F:EA:A2:E6:72:26:D6:51:3F:7F:CB:42

is the SHA1 for the cert of this forum; it expires 2/17/2021. Do we have a design such that a week before the expiration date (in the above example, 2/10/2021) OPNsense can query for a potential new cert and extract the new expiration date, so that user-defined rules can be renewed with an update using the new SSL fingerprint?

Thanks. 
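The refresh described in the post needs three things a script can do offline once it has the certificate bytes: the SHA1 fingerprint (which is simply SHA1 over the DER encoding, the same value `openssl x509 -fingerprint -sha1` prints), the notAfter date, and the rule text to regenerate. The following is an added example, not code from the post or from OPNsense, showing those three steps in Python with only the standard library. The sample certificate is constructed in the block (a structurally valid but unsigned X.509 shell whose dates mirror the post, expiring 2021-02-17), and the `tls.fingerprint` keyword is Suricata's own; that OPNsense's fingerprint rules reduce to that keyword is an assumption here.

```python
# Added example (not from the forum post or OPNsense): fingerprint a certificate the
# way `openssl x509 -fingerprint -sha1` does (SHA1 over the DER), read its notAfter
# with a minimal DER walker, decide whether the one-week renewal window has opened,
# and emit the Suricata rule line a fingerprint-based user rule boils down to.
import hashlib
import ssl
from datetime import datetime, timedelta, timezone

# ---- minimal DER encode/decode: only what X.509 Certificate -> Validity needs ----

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def read_tlv(buf, pos):
    """Return (tag, content, position after this element) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """(notBefore, notAfter) read straight from the DER certificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate
    _, tbs, _ = read_tlv(cert, 0)          # tbsCertificate
    tag, _, pos = read_tlv(tbs, 0)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)     # serialNumber
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = read_tlv(tbs, pos)    # validity SEQUENCE { notBefore, notAfter }
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return parse_time(t1, nb), parse_time(t2, na)

def sha1_fingerprint(der):
    """Colon-separated upper-case SHA1 of the DER, the form shown in the post."""
    h = hashlib.sha1(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2)).upper()

def pem_to_der(pem_text):
    """Real certificates usually arrive as PEM; the stdlib converts them to DER."""
    return ssl.PEM_cert_to_DER_cert(pem_text)

def needs_renewal(der, today_iso, lead_days=7):
    """True once 'today' (YYYY-MM-DD) is within lead_days of notAfter."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return today >= cert_validity(der)[1] - timedelta(days=lead_days)

def fingerprint_block_rule(fp, sid, msg):
    """Suricata rule matching the server cert by SHA1; tls.fingerprint wants lower-case hex."""
    return ('drop tls any any -> any any (msg:"%s"; tls.fingerprint:"%s"; '
            'sid:%d; rev:1;)' % (msg, fp.lower(), sid))

# ---- constructed input: a structurally valid but unsigned X.509 v3 shell ----

def build_sample_cert(not_before_iso, not_after_iso):
    """Constructed stand-in for a real cert: dummy key, dummy signature, CN=forum.example."""
    def utc(iso):
        return tlv(0x17, datetime.strptime(iso, "%Y-%m-%d").strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))   # id-at-commonName
                                          + tlv(0x0C, b"forum.example"))))
    rsa_spki = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
                     + tlv(0x03, b"\x00" * 9))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01\x23") + sha256_rsa
                    + name + tlv(0x30, utc(not_before_iso) + utc(not_after_iso)) + name + rsa_spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00" * 33))

def sample_cert():
    # Dates chosen to mirror the post: expires 2021-02-17, so the window opens 2021-02-10.
    return build_sample_cert("2020-11-19", "2021-02-17")

if __name__ == "__main__":
    der = sample_cert()
    fp = sha1_fingerprint(der)
    nb, na = cert_validity(der)
    print("fingerprint:", fp)
    print("valid:", nb.date(), "->", na.date())
    for day in ("2021-02-09", "2021-02-10"):
        print(day, "renew rule?", needs_renewal(der, day))
    print(fingerprint_block_rule(fp, 9000001, "block forum.example by cert fingerprint"))
```

Feeding a real certificate means replacing `sample_cert()` with `pem_to_der(open(path).read())`; fetching the replacement certificate from the site near the expiry date is the part this offline example deliberately leaves out. Note that the fingerprint of the new certificate cannot be known before it is issued, so any automatic refresh has to poll the server rather than predict the value.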
#4
Quote from: mimugmail on July 31, 2020, 05:58:57 AM
But wasn't it TLS 1.3 which should be the strongest?

The solution is mainly for Windows 7, as only Windows 10 has TLS 1.3 support (and only experimental as of now)?

I checked my Mac and Linux machines; when they successfully negotiated a handshake with FreeRADIUS, they were using TLS 1.2. So I think the FreeRADIUS side will most likely accept TLS 1.2?
#5
I found a solution to the handshake failure problem on Windows 10 and 7 machines. It can be solved by following this page:

https://www.windows-security.org/2c488aac52906551ff218fd5c2bdaddc/ssl-cipher-suite-order

Go to

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions

then add TLS 1.2 GCM cipher suites and delete the old unsafe ones. Reboot, then it should be OK.

But on Android devices, I haven't figured out a way to change the order of the cipher list yet.
#6
Quote from: mimugmail on July 24, 2020, 12:26:55 PM
Are you sure you have the root certificate installed on windows trusted store? Or do you accept unknown root authorities in Windows?

I'm not aware of a change in radius plugin or freeradius itself, I also don't have a setup for this here.

I did install the OPNsense-generated Root CA cert and server cert on the Windows machines, then moved them to the Trusted Root CA store, right-clicked and chose the purposes (Server authentication etc.). But I am not sure whether it is the same thing as what you suggested. And not only Windows devices; Android devices suffer from the same problem too. So I think it might be a FreeRADIUS TLS problem?
#7
Quote from: mimugmail on July 24, 2020, 07:22:06 AM
Do you use LibreSSL or OpenSSL?
Server receives TLS1.3 from client but only supports 1.2 I'd guess.

Thanks. Oh, my OPNsense is the OpenSSL flavour. So what you are saying is that FreeRADIUS at the moment does not support TLS 1.3? That's weird, since Win 10 by default doesn't support TLS 1.3 either; however, it is the Windows machines that won't make connections to the WPA2 Enterprise network. Linux and Macs are OK.
#8
Hello,

I am running OPNsense 20.1.9 with the plugin os-freeradius 1.9.7 installed. Windows 10 & 7 and Android 10 devices won't connect to a WPA2 Enterprise wireless network set up with EAP type MSCHAPv2. Connections to the same WPA2 Enterprise network from devices running Mac Catalina 10.15 and Debian 10 are OK. Details of the handshake failure were captured when radiusd debug mode was enabled. The most relevant part was highlighted in red. See below.

According to the error, there is a mismatch of TLS versions, but I am confused: is it FreeRADIUS requiring TLS 1.3, or is the user only capable of TLS 1.3?

Thanks.

(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap: Calling submodule eap_peap to process data
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(11) eap_peap: Got complete TLS record (131 bytes)
(11) eap_peap: [eaptls verify] = length included
(11) eap_peap: (other): before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: TLS_accept: before SSL initialization
(11) eap_peap: <<< recv TLS 1.3  [length 007e]
(11) eap_peap: >>> send TLS 1.2  [length 0002]
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(11) eap_peap: ERROR: System call (I/O) error (-1)
(11) eap_peap: ERROR: TLS receive handshake failed during operation
(11) eap_peap: ERROR: [eaptls process] = fail
(11) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed

(11) eap: Sending EAP Failure (code 4) ID 2 length 4
(11) eap: Failed in EAP select
(11)     [eap] = invalid
(11)   } # authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(11)   Post-Auth-Type REJECT {
(11) attr_filter.access_reject: EXPAND %{User-Name}
(11) attr_filter.access_reject:    --> LGN5
(11) attr_filter.access_reject: Matched entry DEFAULT at line 11
(11)     [attr_filter.access_reject] = updated
(11)     [eap] = noop
(11)     policy remove_reply_message_if_eap {
(11)       if (&reply:EAP-Message && &reply:Reply-Message) {
(11)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)       else {
(11)         [noop] = noop
(11)       } # else = noop
(11)     } # policy remove_reply_message_if_eap = noop
(11)   } # Post-Auth-Type REJECT = updated
(11) Login incorrect (eap_peap: TLS Alert write:fatal:handshake failure): [LGN5/<via Auth-Type = eap>] (from client Home AP port 23 cli 8c3ae3735337)
(11) Delaying response for 1.000000 seconds
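A `radiusd -X` trace like the one above is easier to triage per request than by eye: group the lines by request number, record the TLS version the peer sent and the one the server answered with, keep the OpenSSL reason string, and pull the user, NAS and client MAC from the `Login incorrect`/`Login OK` line. The following is an added example, not from the post or from FreeRADIUS or OPNsense; the `SAMPLE_LOG` is constructed, with request (11) copied from the post and request (12) a made-up successful handshake for contrast. The classification it applies is OpenSSL's own meaning of `no shared cipher` (the ClientHello offered no cipher suite the server accepts), which is why the fix in the later post is about cipher-suite order rather than protocol version.

```python
# Added example (not from the post, FreeRADIUS or OPNsense): summarise EAP-TLS/PEAP
# handshake outcomes from radiusd -X debug output, one record per request number.
import re
from collections import defaultdict

# Constructed sample: request (11) is the failing PEAP handshake from the post above,
# request (12) is a made-up successful one so the report shows both outcomes.
SAMPLE_LOG = """\
(11) eap: Peer sent packet with method EAP PEAP (25)
(11) eap_peap: Continuing EAP-TLS
(11) eap_peap: <<< recv TLS 1.3  [length 007e]
(11) eap_peap: >>> send TLS 1.2  [length 0002]
(11) eap_peap: ERROR: TLS Alert write:fatal:handshake failure
tls: TLS_accept: Error in error
(11) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
(11) eap: Sending EAP Failure (code 4) ID 2 length 4
(11) Failed to authenticate the user
(11) Login incorrect (eap_peap: TLS Alert write:fatal:handshake failure): [LGN5/<via Auth-Type = eap>] (from client Home AP port 23 cli 8c3ae3735337)
(12) eap: Peer sent packet with method EAP PEAP (25)
(12) eap_peap: <<< recv TLS 1.2  [length 00c1]
(12) eap_peap: >>> send TLS 1.2  [length 0041]
(12) Login OK: [laptop1/<via Auth-Type = eap>] (from client Home AP port 23 cli 001122334455)
"""

RE_LINE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(11) rest of line"
RE_RECV = re.compile(r"<<< recv TLS (\d\.\d)")
RE_SEND = re.compile(r">>> send TLS (\d\.\d)")
RE_SSLERR = re.compile(r"error:([0-9A-Fa-f]+):SSL routines:(\w+):(.+)$")
RE_LOGIN = re.compile(r"Login (OK|incorrect).*?\[([^/\]]+).*?"
                      r"\(from client (.+?) port (\d+) cli ([0-9a-fA-F]+)\)")

def summarize_eap_tls(log_text):
    """Group debug lines by request number and keep the TLS-relevant facts of each."""
    reqs = defaultdict(lambda: {"ssl_errors": []})
    for line in log_text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue                                   # e.g. the bare "tls: ..." lines
        rec, body = reqs[int(m.group(1))], m.group(2)
        recv, send = RE_RECV.search(body), RE_SEND.search(body)
        err, login = RE_SSLERR.search(body), RE_LOGIN.search(body)
        if recv:
            rec.setdefault("client_version", recv.group(1))   # first record from the peer
        elif send:
            rec.setdefault("server_version", send.group(1))   # first record the server sent
        elif err:
            rec["ssl_errors"].append({"code": err.group(1), "func": err.group(2),
                                      "reason": err.group(3).strip()})
        elif login:
            rec.update(result=login.group(1), user=login.group(2), nas=login.group(3),
                       nas_port=int(login.group(4)), client_mac=login.group(5))
    return dict(reqs)

def classify(rec):
    """Triage verdict for one request, driven by OpenSSL's reason string."""
    if rec.get("result") == "OK":
        return "ok"
    reasons = [e["reason"] for e in rec["ssl_errors"]]
    if any("no shared cipher" in r for r in reasons):
        return "cipher-suite mismatch"            # client offered no suite the server accepts
    if any("version" in r or "protocol" in r for r in reasons):
        return "protocol-version mismatch"
    return "handshake failure: " + (reasons[0] if reasons else "no OpenSSL reason logged")

def report(log_text):
    """One summary line per request, in request order."""
    out = []
    for rid, rec in sorted(summarize_eap_tls(log_text).items()):
        out.append("(%d) user=%s mac=%s nas=%s client=TLS %s server=TLS %s -> %s" % (
            rid, rec.get("user", "?"), rec.get("client_mac", "?"), rec.get("nas", "?"),
            rec.get("client_version", "?"), rec.get("server_version", "?"), classify(rec)))
    return out

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against a full debug capture, the report groups failures by client MAC, so a pattern such as "every Windows and Android client fails with a cipher-suite mismatch while macOS and Debian succeed" becomes visible without reading each request.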
#9
Thank you so much for your help!! :-*
#10
Thank you.

Then is there a path to migrate an i386 install to amd64 without reinstalling and reconfiguring everything, like overwriting the i386 binaries with the amd64 version? I know there is a restore settings tab, but it seems some individual package settings will be lost after a new install.
#11
Hello,

My router is on

OPNsense 19.7.4_1-i386
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2s 28 May 2019

Is it true that the dnscrypt-proxy plugin is not available for i386 firmware? I cannot find it as an installable plugin under the tab System: Firmware: Plugins.

Thanks.
#12
Hello,

My web server (only one server is active when renewing the cert) is behind an OPNsense router with HAProxy. HAProxy was set up with "Option pass-through: Add send-proxy" under the "Real Servers" tab. This is used for logging the real IPs of those who visit my website. But when send_proxy is present as a pass-through option, the Let's Encrypt cert (on the server, not the OPNsense router) has difficulties renewing itself. It shows the error "Type: connection Detail: Error getting validation data".

As soon as I turn off "Option pass-through: Add send-proxy", I can renew the cert without problems. So this means I cannot use crontab to auto-renew the certificate; rather, I have to turn send_proxy on and off whenever I have to renew a cert.

I was wondering if there is an automatic way of keeping send_proxy and still renewing the Let's Encrypt cert.

Thanks.
#13
Hello,

I was wondering, besides providing the OS, saving configurations and logging, what else does a storage device do in OPNsense? More importantly, does a hard drive's health affect the integrity of data packets passing through OPNsense? Or does the data filtering happen in RAM, so the hard drive is not relevant?

I ask this question since I am new to OPNsense and at this stage I am playing with a retiring hard drive which the SMART plugin reports is failing. But the whole OPNsense setup has been running for days and my use of the internet seems fine.

Many thanks in advance.
#14
EDIT: I got it working. During interface setup I unchecked 'track ipv6', then it worked.

Hello,

I am new to OPNsense, so please bear with me for my stupid questions.

I recently turned an old ThinkPad X40 into an OPNsense appliance with the following hardware setup:

- ThinkPad X40 (provides CPU + RAM)
- ThinkPad docking base (provides hard drive + one LAN port)
- SMC CardBus Ethernet plugged into the ThinkPad (provides one WAN port)

I have installed the latest OPNsense on this appliance and updated it. However, I don't know how and where to insert it into my current network. What I want is just to use it as a firewall for my home network.

My current network topology is like this:

Internet --> ATT NGV599 modem (IP passthrough) --> (WAN port connected) Netgear AR6250 WiFi router --> one LAN port connected server + several WiFi devices

My intention is to insert the OPNsense appliance between the modem and the router so the traffic can be firewalled, i.e., the new topology would become:

Internet --> ATT NGV599 modem --> [intended] cable goes to the WAN interface of the OPNsense ThinkPad, then the ThinkPad LAN port connects to --> (WAN port connected) Netgear AR6250 router --> one LAN port connected server + several WiFi devices

But the problem now is there is no internet access coming out of the LAN of OPNsense. What I did was:

- I plugged the cable from the modem into the ThinkPad WAN port
- Then the OPNsense ThinkPad LAN port went to my computer directly for testing internet access
- The computer (on Windows 10) directly behind the OPNsense ThinkPad appliance could not visit the Internet. It says it has IPv6 Internet, however no access to any website (I tested google.com).

Any suggestions? Thanks in advance.