Messages - cclloyd

#1
In case anyone in the future finds it, this worked for me.

chmod +w /boot/device.hints

# Add this line to /boot/device.hints
hint.sdhci_pci.0.disabled="1"
#2
Attached is the screen after 2 iterations of the error.  That error repeats itself maybe 10 times (not sure how many).  But it does EVENTUALLY boot after like 5 minutes maybe. 

What is causing this?  I've searched for the same error and see a few people with similar issues but no resolution.

The computer this is running off of is a fitlet2 with the following specs:

fitlet2 - build-to-order
    CPU: Atom x7-E3950 [CE3950]
    RAM: 4 GB [D4] $34.80
    TPM: Not installed
    Storage:  M.2 SATA 32 GB [M32S]
    FACET-Card: FC-M2LAN 2x Gbit Ethernet [FLAN]
    Top cover: Standard top-cover
    Temperature range:  Commercial temperature range 0°C to 45°C
    DC input:  Standard DC input range 7V - 20V

It's worth noting again that OPNSense works, entirely, in this state.  But startup takes about 20x longer than it should because it keeps waiting for whatever that is.

OPNSense version on that is 22.1.
#3
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:38:01 AM
So then what would I use for the addresses?  The end goal is the VM be accessible from everything on the 10.0.0.0/16 subnet and vice versa.
#4
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:13:24 AM
My whole LAN resides on the same `10.0.0.0/16` subnet currently.  The addresses I want to use for wireguard clients are `10.0.2.0-10.0.2.255`.
#5
21.7 Legacy Series / Re: Wireguard no LAN access
September 13, 2021, 03:03:10 AM
Client:

[Interface]
Address = 10.0.2.10/16
ListenPort = 42001
PrivateKey = redacted

[Peer]
PublicKey = redacted
Endpoint = vpn.example.com:42001
# Route only vpn traffic through vpn
AllowedIPs = 10.0.0.0/16
# Route ALL traffic through vpn
#AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 21

Server:

interface: wg0
  public key: redacted
  private key: (hidden)
  listening port: 42001

peer: redacted
  endpoint: PUBLIC:42001
  allowed ips: 10.0.2.10/32
  latest handshake: 1 minute, 45 seconds ago
  transfer: 1.86 KiB received, 2.43 KiB sent
  persistent keepalive: every 21 seconds
#6
21.7 Legacy Series / Wireguard no LAN access
September 13, 2021, 12:59:43 AM
Situation: I'm trying to create a site-to-site tunnel with a VM in the cloud.  Currently it can connect to OPNSense's wireguard and traffic can flow freely between OPNSense (10.0.0.1) and the VM (10.0.2.10).  But trying to access any other LAN IP from the VM will timeout, and vice versa.

So trying to ping 10.0.0.20 from the VM fails, and 10.0.0.20 can't ping the VM.

I assume the issue is somewhere with rules, but I can't find out where.  Can someone help me figure out why the VM can't connect to other devices on my LAN?

Attached are the rules I currently have applied.

Some network info:
- 10.0.0.0/16 is the LAN subnet
- 10.0.2.0/24 is the range of addresses I will assign to wireguard clients
- 10.0.0.1/16 is the OPNSense LAN address
- 10.0.2.10/16 is the intended VM address.
- wg_networks is an alias for 10.0.2.0/24
- WG0 is the interface I created for wireguard
- WireGuard interface is the hidden interface that the plugin creates.
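An added check, not part of this thread, that parses a wg-quick client file laid out like the one in #5 and tests it against the LAN subnet given in #6. It encodes two facts a practitioner wants verified here: a LAN host treats any address inside its own subnet as on-link and ARPs for it rather than sending the packet to the gateway, so tunnel addresses must lie outside the LAN subnet; and WireGuard's cryptokey routing only accepts a peer's packets when the receiving side's AllowedIPs cover the source address. The sample file and the LAN/AllowedIPs values are constructed for the example.

```python
import ipaddress
import re

# Constructed sample modelled on the client file in this thread, not the poster's own file.
CLIENT_CONF = """[Interface]
Address = 10.0.2.10/16
ListenPort = 42001
PrivateKey = REDACTED
[Peer]
PublicKey = REDACTED
Endpoint = vpn.example.com:42001
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21
"""

def parse_wg_conf(text):
    """Parse a single-peer wg-quick file into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            conf[section] = {}
        elif section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def check_layout(client_conf, lan_cidr, gateway_allowed_ips):
    """Return the addressing problems found; an empty list means the layout is consistent."""
    conf = parse_wg_conf(client_conf)
    tunnel = ipaddress.ip_interface(conf["Interface"]["Address"])
    lan = ipaddress.ip_network(lan_cidr)
    problems = []
    # LAN hosts treat addresses inside their own subnet as on-link and ARP for them instead of using the gateway.
    if tunnel.ip in lan:
        problems.append(f"tunnel address {tunnel.ip} lies inside LAN {lan}")
    # Cryptokey routing: the gateway drops this peer's packets unless its AllowedIPs cover the source address.
    gw_allowed = [ipaddress.ip_network(a.strip()) for a in gateway_allowed_ips.split(",")]
    if not any(tunnel.ip in net for net in gw_allowed):
        problems.append(f"gateway AllowedIPs {gateway_allowed_ips} do not cover {tunnel.ip}")
    # The client side must route the whole LAN through the tunnel.
    client_allowed = [ipaddress.ip_network(a.strip()) for a in conf["Peer"]["AllowedIPs"].split(",")]
    if not any(lan.subnet_of(net) for net in client_allowed):
        problems.append(f"client AllowedIPs do not include LAN {lan}")
    return problems
```

With the thread's values (LAN 10.0.0.0/16, gateway peer entry 10.0.2.10/32) the first check fires; with a LAN of 10.0.0.0/24 and the same tunnel range it reports nothing.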
#7
I'm working on setting up WireGuard to tunnel between cloud VMs and my local network.  I'm unsure however as to what exactly I'm supposed to put for some addresses.

OPNSense LAN address: 10.0.0.1/16
VM WAN address: X.X.X.X
VM desired LAN address: 10.0.1.42/16

Current VM wg0.conf

[Interface]
# set address to next address
Address = 10.0.1.42/16
ListenPort = 51820
PrivateKey = REDACTED
# I want it to use OPNSense for DNS to resolve internal names
DNS = 10.0.0.1

[Peer]
PublicKey = P9EmfDRcTCDxzjCDuXkPY8kBieWmx337zusMIqEUfTE=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21

Attached is the OPNSense config.
#8
I have 2 FreeIPA servers set up in HA configuration.  I want to be able to go to https://ipa.example.com and view the web UI.

Problem is however, when I do said thing, it rewrites the URL to https://ipa1.example.com/ipa/ui/

How can I prevent this so that it continues to use ipa.example.com?
#9
20.7 Legacy Series / Prevent Host Rewrite with HAProxy
December 14, 2020, 03:52:47 AM
I have a FreeIPA server set up to manage lan.example.com.  I want to be able to access the web UI on ipa.example.com with ACME certs, so I set up HAProxy to do so.

Real server: ipa1 ipa-server1.lan.example.com:443

Backend: ipa1

Frontend: listen ipa.example.com:443

And it works... somewhat.  It does properly redirect to the backend.  But it seems to be getting rewritten to the lan.example.com host.

Ex, when I visit it, the URL changes from ipa.example.com to ipa-server1.lan.example.com/ipa/ui/.

How can I prevent that host rewrite so that it stays as ipa.example.com?  When it redirects it also prevents using the proper SSL certificate because it's connecting directly to the backend now.
#10
19.7 Legacy Series / Configure BGP for Kubernetes
October 13, 2019, 06:32:46 AM
I'm planning on using metallb with bgp configuration for a kubernetes 3 node cluster on my home network.  I plan to use BGP instead of layer2 because I frequently get timeout errors with layer2.  I am currently uncertain if this is due to OPNSense or MetalLB. 

I figured that if I configure BGP, then the timeout issues will go away.  However, I can't find any information on how to configure BGP in OPNSense. 

How would I configure BGP to allow for allocation of IP addresses between 10.0.15.0-10.0.15.255?
#11
19.7 Legacy Series / Unbound wildcard entry
August 25, 2019, 03:52:58 AM
Am I able to add wildcard overrides to unbound? 

Say, if an override doesn't exist for SOMETHING.example.com, it will default to the override for *.example.com.

Or if it doesn't find any match, but ends in example.com, have it forward to that IP.
#12
I'm trying to add LDAP auth to my OPNSense installation.  I got the server set up and can confirm it works with the tester by entering a valid username/password.  I'm using FreeIPA as the LDAP server. 

But I don't see any import icon when I go to System > Access > Users. 

Details for System > Access > Servers > FreeIPA server:
Hostname: ipa.example.com
Port: 389
Peer CA: OPNSense
Bind Credentials: (blank)
Base DN: dc=example,dc=com
Authentication containers: cn=users,cn=compat,dc=example,dc=com
User naming attribute: uid


Am I doing something wrong?
#13
I have a bunch of subdomains (ex1.example.com, ex2.example.com, ...) pointing to my OPNSense router (10.0.0.1).  I also have HAProxy to proxy requests on 443 to their respective backends.

I don't recall changing anything, but now, they won't work from the outside.  Only if the DNS resolves to 10.0.0.1, and not my WAN ip, will it proxy the traffic correctly to their backends.  If you try from WAN, it gives the warning about DNS rebind attack.

How can I prevent this behavior and make it proxy correctly?
#14
18.7 Legacy Series / radvd file location?
January 18, 2019, 10:52:08 AM
Is there a file that contains the contents of the output of the command `radvdump`?  I need to enable radvd on my dd-wrt wireless router to be able to get an ipv6 address and it would work best if I can just copy its radvd to the radvd location on dd-wrt.
#15
I tried switching it between none and track.  It worked at the time.

Also didn't know that THAT is what the prefix ID is for, and why when I changed it I got a different prefix that still started with 2601.  The last 4 of the prefix were different, which means comcast is probably giving me at least a /48 prefix, right?

And yes, 2601 was the LAN ip, which seems to be correct in that that's what's being dished out by the ISP, and I can access the router using both its LAN ip (2601) and WAN IP (2001).

And if SLAAC can't do DNS at all, what would the best method be for syncing them to DNS records?  Currently my v4 network tracks all DHCP clients (including static leases) as {hostname}.lan.example.com, and I want all ipv6 clients to be mapped in {hostname}.lan6.example.com.   (I use unbound DNS for this).  When I used DHCPv6, my servers weren't grabbing an IP address at all (seemed like dhclient wasn't running on the servers, all ubuntu 18.04).