Messages

I have read the opnsense docs on firewall rules.
It says that "When changing rules, sometimes its necessary to reset states to assure the new policies are used for existing traffic. You can do this in Firewall ‣ Diagnostics ‣ States."
I have done that with no change.

This is the current set of rules enabled on the LAN40 interface.
                automatically generated rules:
       IPv6 *    *    *    *    *    *    *    *    Block all IPv6    
      IPv4+6 *    *    *    *    *    *    *    *    Default deny / state violation rule    
      IPv4+6 TCP/UDP    *    0    *    *    *    *    *    block all targeting port 0    
      IPv4+6 TCP/UDP    *    *    *    0    *    *    *    block all targeting port 0    
      IPv4+6 TCP    <sshlockout>    *    (self)    22 (SSH)    *    *    *    sshlockout    
      IPv4+6 TCP    <sshlockout>    *    (self)    443 (HTTPS)    *    *    *    sshlockout    
      IPv4+6 *    <virusprot>    *    *    *    *    *    *    virusprot overload table    
      IPv4 UDP    *    68    255.255.255.255    67    *    *       allow access to DHCP server    
      IPv4+6 UDP    *    68    (self)    67    *    *       allow access to DHCP server    
      IPv4+6 UDP    (self)    67    *    68    *    *       allow access to DHCP server    
      IPv4+6 *    *    *    *    *    *    *    *    let out anything from firewall host itself    
      IPv4+6 *    (ix0)    *    ! WAN net    *    WAN_GW    *    *    let out anything from firewall host itself (force gw)    

               Rules I have added

      IPv4 *    192.168.40.11/32    *    LAN20 net    *    *    *       Out rule for a single host to any internal network   
      IPv4 *    192.168.20.70/32    *    192.168.40.5/32    *    *    *       In rule for Security Camera    
      IPv4 *    192.168.40.5/32    *    192.168.20.70/32    *    *    *       Out Rule for Security Camera    
      IPv4 *    LAN40 net    *    LAN20 net,  LAN30 net, LAN50 net    *    *    *       Default block out to private subnets rule    
      IPv4 *    LAN40 net    *    LAN20 net, LAN30 net, LAN50 net    *    *    *       Default block in to private subnets rule    

                 Default created at installation
      IPv4 *    LAN40 net    *    *    *    *    *       Default allow WiFi to any rule


Can anyone clue me in?
What am I missing here?
I have tried only In rules and only Out rules and both.   
Nothing seems to work.

NVR is on LAN40 and the camera in question is on LAN20.
LAN40 is used for things that I don't want to have access to the other networks.
Putting that one camera on LAN40 would cost another POE injector, and I already have a POE switch in that location on LAN20 ...

I added out and in rule because I need to be able to register the camera to the NVR and it needs bi directional traffic?
The rules right below block all traffic between those networks if I understand them correctly.

changing to /32 from /24 made no difference. 
Do I need to disable and reenable, or reboot?

I just upgraded to 25.7.9_7 and adjusting networks afterwards. 

I have separate physical subnets for various purposes.
One I use for all WIFI and a security camera NVR.
I need _one_ camera on  LAN40 to talk to the NVR on LAN40.
I had the Wifi subnet isolated from the other subnets by the 3rd and 4th rule (successfully I thought).
I tried adding the top two rules for any protocol/any port between 192.168.20.70 and 192.168.40.5
I'm missing something because the block tot eh subnet appears to be working, but the rules prior to that do not.
I'm not sure what I'm missing here, but if anyone can explain it to me like I'm a dummy, I'd appreciate it.


                Automatically generated rules    
      IPv4 *    192.168.20.70/24    *    192.168.40.5/24    *    *    *       In rule for Security Camera    
      IPv4 *    192.168.40.5/24    *    192.168.20.70/24    *    *    *       Out Rule for Security Camera    
      IPv4 *    WIFI net    *    LAN20, LAN30, LAN40, LAN50    *    *    *       Default block out to private subnets rule    
      IPv4 *    WIFI net    *    LAN20, LAN30, LAN40, LAN50    *    *    *       Default block in to private subnets rule    
      IPv4 *    WIFI net    *    *    *    *    *       Default allow WiFi to any rule    

> Unless .. the keyboard mapping done at installation has changed?

Yes, it's a per install setting not found in the config.xml export. We debated the good and bad about making it more persistent, but it did not seem very important unless you have a special keyboard (diverging from a basic US layout) AND use special characters from the special keyboard.

This doesn't happen for SSH or the web GUI, but it's a possibility for the console.

I mention 1. and 2. because:

With 1. you have to check the authentication settings (an OTP will not allow your plain password to be used, NTP needs to work in order for OTP to work too) and there is a GUI tester for that as well.

For 2. if you have a special keyboard layout and know your password it's easy to infer that it could be susceptible to this problem, but nobody else can tell and certainly not from a password hash. It's also why the default password is rather plain which makes keyboard mapping issues like that very unlikely.

In either case you have all the data to identify the problem and we can help assist with this after diagnosing which one it is.


Cheers,
Franco

At the end of the day I just need to figure out the proper procedure to recover a backup to an identically configured computer (but with obviously different MAC addresses for each interface).

So long as the NIC assignments are done based on interface order Ix0, Ix1 and so on, I should be good -- I know which interface will be the LAN interface and I assume that attaching a laptop directly to that port will allow me to login to the UI (using the known GUI password) and address the console password issue?

I use a standard US keyboard and keyboard layout -- selecting the default in the installer on the recovery installation and _pretty sure_ but not 100% positive I did the same on the original install. 

Sounds like my best approach is to start over and document every step of the recovery.

What's your goal? Breaking access?

The <password/> entry has been compatible across versions forever.

The only thing that could change are:

1. authentication settings
2. console keyboard mapping


Cheers,
Franco

Well, unless a restore does one or both of those things, that's not what this is. <shrug>


Unless .. the keyboard mapping done at installation has changed?
Could that do it?
It's been a while since I did the install of the one I'm restoring, and it's gone through a few upgrades...
I selected the one I always use on the fresh install -- it's common enough I didn't even think about it.

What setting would that be in the backup file?

The config I restored didn't require a login on the local console.
Can't put it on the network to even try the GUI until I am sure the interfaces are properly assigned.

Can I just edit the config file to remove the root/admin userid?
The whole <user> or just blank  <password> like this:  <password></password>
 

I spun up a new install of 25.7.
After getting to the login and doing the basic wizard setup bit, I restored a backup of my running OPNSense running 25.1

None of the passwords from either setup work on the console after reboot.

Is this expected?
Should I have modified the backup file and blanked password fields?
I don't recall seeing anything particular in the docs other than restore steps.

Or is this just some incompatibility between versions?
 

How long does it take to sync up?  Still almost 10 minutes out from local cell tower service time and internal time service from where I work.

Code Select Expand


Network Time Protocol Status
Status Server Ref ID Stratum Type When Poll Reach Delay Offset Jitter
Unreach/Pending us.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Unreach/Pending opnsense.pool.ntp.org .POOL. 16 p - 64 0 0.000 +0.000 0.000
Outlier 134.215.155.177 216.239.35.0 2 u 410 512 377 47.497 +3.974 1.502
Outlier 158.51.99.19 17.253.26.125 3 u 302 512 377 41.426 +1.647 1.390
Outlier 72.14.183.239 127.67.113.92 2 u 42 512 377 16.133 +2.344 2.951
Candidate 108.61.215.221 162.159.200.1 4 u 511 512 377 22.939 +3.755 0.809
Candidate 192.155.94.72 132.163.96.2 2 u 33 512 377 24.175 +4.978 1.317
Outlier 62.72.0.70 209.151.225.100 3 u 163 512 377 50.970 -0.212 4.214
Active Peer 45.79.111.114 127.67.113.92 2 u 258 512 377 56.906 +2.950 1.572
Candidate 72.14.183.39 80.72.67.48 3 u 413 512 377 16.710 +3.197 2.877
Candidate 162.159.200.1 10.162.8.47 3 u 168 512 377 10.624 +2.746 5.546


My time is about 9 minutes off -- compared to two other professionally (more than me at least) managed networks.
The default opnsense pool reported in the logs DNS resolution failure

Error    ntpd    error resolving pool 1.opnsense.pool.ntp.org: Name does not resolve (8)

so I added pool.ntp.org ans us.pool.ntp.org and I'm still seeing status like below.
I do see this and many more servers in the list -- is the "Unreach/Pending" just a side effect of not being in sync?
Although the offset column shows I'm not as far off as it really is ...

I'd really like my gateway to sync up and provide NTP for  the local networks ...

Code Select Expand

Status     Server     Ref ID     Stratum     Type     When     Poll     Reach     Delay     Offset     Jitter
Unreach/Pending     us.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     opnsense.pool.ntp.org     .POOL.     16     p     -     64     0     0.000     +0.000     0.000
Unreach/Pending     134.215.155.177     216.239.35.0     2     u     14     64     7     48.304     +1.936     0.174
Unreach/Pending     158.51.99.19     17.253.26.125     3     u     16     64     7     42.716     +0.857     0.319
Unreach/Pending     72.14.183.239     45.79.1.70     3     u     13     64     7     16.266     +0.373     0.067
Unreach/Pending     74.208.25.46     198.46.254.130     3     u     13     64     7     36.483     +5.648     2.497


I don't disagree with Patrick, but [System -> Settings -> Administration -> Secure Shell -> Listen Interfaces] is a thing....

That only appears to allow a single interface or all.  All is the default.

Update on my months-long struggle with Spectrum:

First off, I have a business account.
Static IPV4 IP
Actually, a /29 subnet of IPV4 - 5 IPs and a gateway IP.

The issue I described manifested as certain streaming services displaying what is supposed to be "local" content for areas that varied wildly across the State of Texas.
We should get "local" content for the DFW area.
     Example - wife subscribes to Peacock to get the Dallas NBC news stations - we are far enough away that terrestrial antenna won't work - 
                      At random intervals, something from spectrum causes geo-location ip information across the internet to update and shift us from Dallas to Houston, or Austin, or San Antonio, or El Paso, or Colorado, or New Jersey ..   You never new if you would get local content or something from New York.

We started with each of the streaming services first -- at least for the ones you _can_ get help for, the rest I forced a cancellation.  (I have been very unpopular) for months.
Everyone of them just said you need to talk to your provider, so we moved on to Spectrum.
After weeks of arguing with first level techs (I had one young lady tell me - in effect - that "geo-location of IP addresses doesn't exist" and _clearly_ didn't understand basic network routing).

BTW, if you call Spectrum and mention to anyone anything about "streaming services" they immediately proceed to do all sorts of wonderful testing and validation of the Spectrum Streaming app.  No matter how hard you try to tell them it's an issue with streaming a different service over the internet -- it's like their employees live in a world where nothing other than Spectrum exists, and they don't really believe other services are possible.

 I finally got a case -- Which Spectrum will not share case numbers with you for reference on future calls -- you just have to hope the next tech that picks up can "find" your ticket --  escalated to ... someone.
I got a promise that a "ticket was in, but could take up to 30 days to process".

45 days of content hopscotch later still no fix.

I escalated the escalation, and even had ...someone... leave a voice mail about the issue.
Another week or so is the current guesstimate.


Spectrum has their own Streaming App that carries Spectrum produced "local news".
So long as that is "working", it's hard to get past 1st level support.


I have suspected they are doing carrier grade NAT and load balancing may be why the geo-location for us kept changing.
If anyone knows of a way to verify that without Spectrum's help I'd love to know it.
I have yet to speak to any first level tech that even knew what NAT might be, and anyone above that level has been very careful to just ignore any direct questions about it.

Short version, if you have any other option, take it!
I have been lucky -- I have had Verizon Fiber and later Frontier when they took over in the Dallas area.
It was pricey but under verizon it just worked 24x7.
Frontier took over and there were some hiccups, but it smoothed out OK.
Moved out here and wound up with spectrum.
It's like they have taken the Comcast playbook as their bible :/

Not that I'm probably any sane reference, but do you need new equipment?
If you are like me and don't mind running retired enterprise gear ...

I'm using an Arista 7050TX-64 and a 7050SX-64.
T model is 48 10GB RJ45 ports and 4 QSFP+ ports.
S Model is 48 10GB SFP+ ports and 4 QSFP+ ports.

Bought them both for less than the cost of the last unmanaged 8 port TP-link 10GB switch off Amazon.

[quotr]
I don't mean to hijack your thread, but did you find a reasonable path to getting IN-ADDR set on your block? Time Warner had a dedicated e-mail address for that, but it's gone now. AT&T appears to have a dedicated e-mail address; Frontier has Frontier Hostmaster. All I could find for Charter/Spectrum was "call business support". (My former employers offered delegation, but few do that for less than a /24 these days.)

I doubt you'll ever get a straight answer about pathing, unless you get a particularly dedicated support tech, or a network tech decides to contact you. Wacky pathing can vary between bug and feature, and I wouldn't expect it to affect geolocation... but that's not my gig. Allocation could be an issue, e.g. if small allocations are drawn from a single large pool and scattered all over the network. It's a bit unlikely (it would take some really lousy planning), but you can't easily evaluate that from outside.

Aside: Instead of a logical /28, Frontier assigned me (effectively) a /29 and a couple /30s (i.e. basically a random set). Ouch.
[/quote]

For Spectrum business the only option is "call business support" and wade through 1st level to get someone who even knows how to do internal DNS requests.
I really haven't had much issue with them on that front -- all I'm looking for is to have proper forward/reverse lookups working.  When they update the PTR record on their end it usually propogates within 24 hours.

I finally ran into a second level resource names "Zak" - that's all I could get for contact info - that said he would "put in a ticket" to have this geolocation issue resolved and it would take "up to 30 days". 
He would not share any details on what exactly they were changing though.

This is all new fiber build out in the last year -- I was promised when we signed up that within 6 months we would have the same up/down speed "as soon as we upgrade a bit of equipment upstream in your area".
That hasn't happened either.

At least I have fiber instead of the DSL and Line of sight radio we had before :/

This has nothing to do with OPNsense -- this is firmly with the provider - Spectrum in Texas.

Spectrum has recently added fiber to my area.
I have a /29 of static IP addresses (Spectrum calls this a "5 block").
At random intervals, geolocation for my static IPs update to various major metro areas in Texas.
When running my IP through various ip tools on the internet you can see the different tools will show different locations.
I assume that those various tools update their location information to some extent at least to routing to/from the IP address, perhaps?

Spectrum tech support has been way less than helpful so far -- most of the 1st level responses haven't even understood the issue.
Most of them don't understand what a PTR record is and will argue about their ability to alter them. :=(
At one point, on escalation I was told that Spectrum will route traffic outside the spectrum network in various physical locations, based on network load.
None of them will answer any questions about how spectrum routing and traffic paths work, or how this could affect the geo-location of the public, static IP addresses for which I pay extra.

Traffic that originates coming to me seems unaffected -- the IP addresses do appear to appear to be public.  Where this shows up as a a major PITA is that I frequently get security alerts from places like ebay - " A device logged into your account from San Marcos, Tx - was that you?" - next login I have to go through account verification. again.
Some streaming services provide "local" channels.
Makes life interesting if you never know if "local" will be Dallas/Ft Worth, Houston, Austin or San Antonio ... 

Any one else on Spectrum or encountered anything like this?

Closest answer so far -- I think I prefer just having another drink. 

Better go back to sleep and sober up.