Messages - StP

1
24.7 Production Series / Re: Certificate webConfigurator default is not intended for server use
« on: August 13, 2024, 08:56:08 am »
That worked fine.
Thanks a lot.

2
24.7 Production Series / Certificate webConfigurator default is not intended for server use
« on: August 12, 2024, 03:52:46 pm »
While preparing to update from 24.1.10_8 to 24.7.x I'm reading through this forum and find I should adhere to

https://docs.opnsense.org/manual/settingsmenu.html#listen-interfaces

and set "System->Settings->Administration->Web GUI->Listen Interfaces" to All (Recommended).
I had it set to LAN since the beginning (2016 I think).

Problem:
No matter which setting I try to change on that page I get
"Certificate webConfigurator default is not intended for server use"
I do not use a certificate in that configuration. Or am I?
I see a "webConfigurator default" certificate under "System->Trust->Certificates" but that expired more than eight years ago.

Not sure what to do!?

See attached screenshots.

3
23.1 Legacy Series / [Solved] Missing dependencies
« on: March 24, 2023, 09:55:21 am »
Thanks Franco

4
23.1 Legacy Series / Missing dependencies
« on: March 24, 2023, 09:15:19 am »
I just updated a system from 23.1.2 to 23.1.4_1 and found the following in the update protocol:

Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.


Anything I need to worry about?
Is there something I need to do?

5
21.1 Legacy Series / Re: NAME:WRECK Is OPNsense vulnerable?
« on: April 21, 2021, 01:22:34 pm »
 :)

6
21.1 Legacy Series / NAME:WRECK Is OPNsense vulnerable?
« on: April 21, 2021, 11:43:42 am »
I just read that FreeBSD 12.1 has some issues with its TCP/IP stack that make it vulnerable to Remote Code Execution attacks that go by the name of NAME:WRECK.

I'm alarmed as we use OPNsense 21.1.4 to secure our company network.
Do I need to worry?

7
Hardware and Performance / Migrate configuration from AMD GX-416RA to AMD GX415GA
« on: September 10, 2020, 02:27:21 pm »
I have two Deciso A10 appliances. One with a GX416RA SOC, the other has a GX415GA SOC.
The first one is currently active, the second one should provide some redundancy (cold stand-by).
So I want to export the config of the GX416 and load it into the GX415.
As I already found out I have to rename the network interfaces from igb0 to em0 etc.

Now when testing I can connect to the stand-by machine and I see that its WAN interface is connected to the internet.
But not a single data packet is moving from LAN to WAN and vice versa.

What else do I need to change in the config?

8
20.1 Legacy Series / Re: [Modified] No traffic from secondary local network to WAN
« on: April 18, 2020, 10:30:09 am »
This setting is switched on.
So IPv4 is preferred.

9
20.1 Legacy Series / [Modified] No traffic from secondary local network to WAN
« on: April 17, 2020, 08:46:43 am »
Quote
not sure what auto-detect does, but can you try setting the gateway address instead?

in https://forum.opnsense.org/index.php?topic=13456.0 there was a similar problem, and setting the gateway address seems to have solved it.

The problem in the topic you mention seems a bit different from mine.

Well, according to the help available (Info button) I should not change this value for non-WAN interfaces.
Thanks anyways

10
20.1 Legacy Series / [Modified] No traffic from secondary local network to WAN
« on: April 16, 2020, 04:18:22 pm »
Well what I found by adding a test machine into the BBB network is this:
The root of the problem is not inbound NAT.
It is a routing problem from BBB to WAN. No packets going that way.
The BBB related entries in System/Routes/Status look fine (Similar to the LAN entries).
I have a firewall rule in place for the BBB network that allows anything.

I have not done anything special regarding gateway configuration.
IPV4 Upstream Gateway is set to Auto-Detect.

Call me stupid, maybe I am.
But this did work before in 20.1.3.

Where should I look?

Stefan


11
20.1 Legacy Series / Re: SIP NAT Issue?
« on: April 15, 2020, 01:06:38 pm »
Bart,
maybe I did not express myself as clearly as I should...
We host the conference system ourselves. On company premises on our own hardware behind OPNsense.
Right now I can't do any further tests because of this:
https://forum.opnsense.org/index.php?topic=16764.0

Thanks for your help
  Stefan

12
20.1 Legacy Series / Re: SIP NAT Issue?
« on: April 15, 2020, 11:56:48 am »
Bart,
don't know if your question goes in my direction but anyways, here I go:
According to the documentation of my conference system (BigBlueButton) I do not need a STUN server if the firewall's WAN interface has a fixed IP. In that case I can hardcode that IP in one of the configuration files instead of STUN server address and port. That's what I have done. Maybe that is not enough if clients are behind a router.

Stefan

13
20.1 Legacy Series / Re: SIP NAT Issue?
« on: April 15, 2020, 08:53:24 am »
Sorry, I cannot help, I'm just seeing a similar problem here.

In the office I'm running a conference server (audio, video, whiteboard, chat and so on) behind an OPNsense firewall.
I can connect to the system itself just fine (well at least I could until I ran into the problems mentioned here yesterday).
No matter what connection path, login works and whiteboard can be used. Chat system works.
But audio (SIP/RTP) and video (WebRTC) do not work when I try to connect from my home office where I am behind an AVM DSL router (Fritzbox).
Neither PC, nor iPad or iPhone can use audio/video when connected to the Fritzbox WIFI.
That same iPhone works fine when I shut down WIFI and connect via LTE.
And the iPad works fine as soon as I use the iPhone as mobile hotspot with the phone.
The PC can connect from my home office WIFI if I connect to the company network via OpenVPN (OPNsense road warrior setup).

In short, everything using TCP works. UDP is the problem.
The problem looks very similar to yours. Difference being my home office is just behind an AVM Fritzbox instead of a second OPNsense.

Just my 2 cents.

Stay safe everyone
Stefan

14
20.1 Legacy Series / [Modified] No traffic from secondary local network to WAN
« on: April 14, 2020, 08:19:37 pm »
After the update to 20.1.4 I am seeing some NAT problems.
This is on a Deciso DEC2630 or DEC2640 device.
I have two internal - physically separated - networks. LAN on igb0 (172.16.30.1/16) and a new one called BBB on igb2 (172.31.30.1).
WAN is on igb1 with a fixed IP.
I have some NAT rules to 172.16.x.x which are all LAN clients. These still work.
And I have some rules to 172.31.0.2 which is a server in the BBB network. These do not work anymore after the update. The server itself is listening to all ports, I checked that from behind the firewall. Coming in over WAN I only get connection timeouts (10060).
I double (and triple) checked my rules. They look good and unchanged.

Any changes in the last update that could cause this trouble?

Is there an easy way back to 20.1.3 to do some cross checks?

Regards, stay safe
Stefan

15
19.7 Legacy Series / Re: Use DNS servers just from one uplink or add priority
« on: August 05, 2019, 04:27:05 pm »
Maurice,
you are right, sorry.

Stefan
