Messages - flushell

1
General Discussion / Re: opnsense 24.7 does not show any traffic in the traffic graph widget
« on: October 19, 2024, 02:02:17 pm »
Same issue with me, even with default theme.
Running bare metal on a Protectli VP2420.

2
24.7 Production Series / Re: Upgrade to 24.7.5 does not automatically reboot
« on: September 27, 2024, 04:45:46 pm »
To add: Manually rebooting only works the second time in 24.7.5.
Crowdsec seems to be the issue here. Disabling it and rebooting works as normal.

3
24.7 Production Series / Re: Upgrade to 24.7.5 does not automatically reboot
« on: September 26, 2024, 10:03:30 pm »
Same. No reboot with crowdsec installed. Had to reboot manually.

4
Zenarmor (Sensei) / Re: How to Install and Configure CrowdSec on OPNsense?
« on: August 31, 2024, 02:11:30 pm »
I installed it, but I get the feeling that something is not right in the tutorial under the Firewall rules: https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-crowdsec-on-opnsense#adding-firewall-rules

Should the Direction not be "in" instead of the stated "out" here in the floating rules? It doesn't make sense to me. The rule as stated in the tutorial seems to do nothing, but it makes sense to flip it to "in": it is working when I test it then. You can simply test it by pinging one of the IPs in the blacklist.

EDIT: I see someone else has made this remark already. Read too fast. They should correct it. I will contact them.

5
24.7 Production Series / Re: Port Forward to 127.0.0.1 works, but not to ::1 [+ workaround]
« on: August 25, 2024, 10:33:58 am »
Quote from: doktornotor on August 25, 2024, 10:17:02 am
Cannot confirm this regarding Unbound. No idea about chrony.

Code:
# sockstat -n | grep :53
59       unbound    75740 5   udp6   *:53                  *:*
59       unbound    75740 6   tcp6   *:53                  *:*
59       unbound    75740 7   udp4   *:53                  *:*
59       unbound    75740 8   tcp4   *:53                  *:*

I found that out too! And SSH'ing into the OPNsense box you can easily do

Code:
nslookup whatever.com ::1

And that works!

But in practice, doing an nslookup to an arbitrary IPv6 DNS server (using the IPv6 address, not the hostname) from a node in my network fails with the ::1 rule in place, while the same succeeds for IPv4 (due to the 127.0.0.1 rule). It's almost as if ::1 in this case does not redirect to OPNsense itself but to the machine asking? Weird.

Exactly the same goes for Chrony and probably every service. ::1 does not work the way I think it works from a remote host in my network - not the same as 127.0.0.1, I suspect.

6
24.7 Production Series / Port Forward to 127.0.0.1 works, but not to ::1 [+ workaround]
« on: August 24, 2024, 07:59:08 pm »
I wanted a PF rule so all DNS / NTP traffic on my network not going to my OPNsense would be redirected to localhost (the OPNsense box itself) in order to transparently redirect this traffic. I have a dual stack (IPv4/IPv6) setup.

Easy enough for IPv4; the example below is for DNS, but the same goes for NTP (with different ports and only UDP).
I have allow rules for DNS / NTP under Firewall-Rules-WhateverInterface.

NAT Port Forward:

  • Interface: Interfaces I want
  • TCP/IP: IPv4
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: 127.0.0.1
  • Redirect target Port: DNS

Works perfectly for IPv4.

For IPv6 however, I would expect that the only things I have to change are:

  • The 2nd one: TCP/IP: IPv6
  • The 7th one: Redirect target IP: Single host or Network: ::1

I found out this is not working. Unbound and Chrony, which I use for DNS/NTP, apparently bind on 127.0.0.1, but not on the IPv6 counterpart ::1.


I already found a workaround after too many hours of research and trying:

  • Under Interfaces-Virtual IP's make a virtual IPv6 ULA on the Loopback interface, for example fd08::1/128.
  • Restart Unbound and Chrony (they now bind to fd08::1/128).
  • Make a NAT Port Forward rule:

  • Interface: Interfaces I want
  • TCP/IP: IPv6
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: fd08::1/128
  • Redirect target Port: DNS

To make things easier you could also make an alias under Firewall-Aliases to fd08::1/128 or whatever ULA you choose.

All set and done. Posted this for the benefit of the earth but also: I can't handle that I don't understand why it doesn't work with ::1? Or did I accidentally find a bug (probably not)? Maybe someone here could explain that, so I can sleep and give my brain some rest.

Thanks and cheers!
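Added example, not from this post or from OPNsense/Unbound/Chrony themselves: a POSIX sh check for the "what is the daemon actually bound to" question raised in this post and in the sockstat exchange in the reply above. It parses sockstat -46l style output (the sample below is constructed) and treats a wildcard bind as covering only its own address family, so "*:53" on udp6 covers ::1 but says nothing about 127.0.0.1; run it before writing a redirect rule to confirm the redirect target really has a listener.

```shell
#!/bin/sh
# Constructed sockstat -46l style output (not taken from the thread): Unbound
# on wildcard v4/v6, chronyd on 127.0.0.1 and on the loopback ULA fd08::1.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
59       unbound    75740 5   udp6   *:53                  *:*
59       unbound    75740 6   tcp6   *:53                  *:*
59       unbound    75740 7   udp4   *:53                  *:*
59       unbound    75740 8   tcp4   *:53                  *:*
123      chronyd    812   3   udp4   127.0.0.1:123         *:*
123      chronyd    812   4   udp6   fd08::1:123           *:*'

# listens_on ADDR PORT [PROTO]
# Returns 0 when a socket in $SOCKSTAT_SAMPLE would accept traffic redirected
# to ADDR:PORT (PROTO defaults to udp). A wildcard bind (*:PORT) counts only
# for its own family: "*:53" on udp6 covers ::1, it does not cover 127.0.0.1.
listens_on() {
    addr=$1 port=$2 proto=${3:-udp}
    case $addr in
        *:*) fam=6 ;;                            # any colon means IPv6
        *)   fam=4 ;;
    esac
    printf '%s\n' "$SOCKSTAT_SAMPLE" |
    awk -v addr="$addr" -v port="$port" -v want="$proto$fam" '
        NR == 1 { next }                         # skip header line
        $5 != want { next }                      # wrong protocol or family
        {
            local = $6                           # e.g. "fd08::1:123" or "*:53"
            n = split(local, p, ":")
            lport = p[n]                         # port is the last :field
            if (lport != port) next
            laddr = substr(local, 1, length(local) - length(lport) - 1)
            if (laddr == "*" || laddr == addr) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Before writing the rdr rule: is there a listener on the intended target?
for target in 127.0.0.1 ::1 fd08::1; do
    if listens_on "$target" 53;  then echo "dns $target: listener"; else echo "dns $target: none"; fi
    if listens_on "$target" 123; then echo "ntp $target: listener"; else echo "ntp $target: none"; fi
done
```

On a real box, replace the constructed sample with the output of `sockstat -46l` and re-run after restarting the daemons to confirm they picked up the new loopback ULA.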

7
24.1 Legacy Series / Re: Where to view IPv6 prefix assignment
« on: February 24, 2024, 02:57:50 pm »
Quote from: Maurice on February 24, 2024, 02:42:27 pm
The interfaces overview has been rewritten from scratch for 24.1 and for some reason the delegated prefix (and some other information like DNS servers) wasn't included.

https://forum.opnsense.org/index.php?topic=38223

Thanks, missed that. Posted it there (too).

8
24.1 Legacy Series / Re: New interfaces overview - the good, the bad and the ugly
« on: February 24, 2024, 02:57:25 pm »
Quote from: emzy on February 04, 2024, 03:13:39 am
Being able to see the delegated prefix seems pretty important. It would be really nice if it was added back somewhere in the UI. I'm not even sure what if any command I can run in the terminal to retrieve it as a workaround. Does anyone know?

Ran into this myself and posted about it. I think it should be (re)added. I now have to do a

Code:
ifctl -6pi [interface]

on the console to see it.

9
24.1 Legacy Series / Re: Where to view IPv6 prefix assignment
« on: February 24, 2024, 02:09:25 pm »
Quote from: marcquark on February 22, 2024, 08:03:16 pm
You can do it on the CLI using ifctl and the OS's interface name

example: ifctl -6pi pppoe0

Thank you, that worked.
But it used to be also in the GUI.
Shouldn't it be added in the GUI, or is it somewhere I haven't looked?

10
24.1 Legacy Series / Re: Kea DHCP not listed in Services
« on: February 17, 2024, 12:17:39 pm »
Quote from: finiterex on February 14, 2024, 07:27:26 pm
So having sorted my own stoopidity... I note Kea is IPv4 only... is there a plan to bring the IPv6 Kea to the build?

I have the same question.

11
24.1 Legacy Series / Where to view IPv6 prefix assignment
« on: February 17, 2024, 12:09:32 pm »
Just updated to 24.1.1 and I spent the last 30 minutes looking for my IPv6 prefix assignment. I could usually view it in Interfaces-Overview-WAN, but I can't seem to find it now. I expanded it and looked at the details... Where is it?

Edit: This issue is already discussed here.

12
23.7 Legacy Series / EOL OpenSSL 1.1.1 Sept 11 2023
« on: September 12, 2023, 08:48:36 pm »
OpenSSL has ended support for version 1.1.1 on Sept 11 2023. OPNsense is on 1.1.1 and I think it's because FreeBSD stable is still stuck on 1.1.1. There are packages in ports for OpenSSL 3+ though...

There are people warning about this for some time now. When is the switch to 3.0 or 3.1 planned? Is it possible OPNsense goes ahead with it before FreeBSD does, or is that too complex? Couldn't find info on this subject, except that FreeBSD is planning it for 14.x somewhere in 2026! Shouldn't it be quite soon, because official support for 1.1.1 upstream has now come to an end?

13
23.1 Legacy Series / Re: Wireguard kernel not working like it should
« on: January 27, 2023, 01:24:03 pm »
Thanks, patch is working.
Do I have to worry about updates in the future after patching? Like, do I have to do anything with the next update or will all things be handled automatically when this is updated in the main version?

14
22.7 Legacy Series / [Solved]PHP error on mongodb after installation to 22.7
« on: July 31, 2022, 02:51:49 pm »
I had several PHP errors after installation of 22.7 (problem detected in GUI). One of them is displayed here:

Code:
PHP Errors:
[31-Jul-2022 12:38:35 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20200930/mongodb.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so"), /usr/local/lib/php/20200930/mongodb.so.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so.so")) in Unknown on line 0

Turns out it was a leftover from Sensei (probably) I had once installed.
Logging in via SSH and doing a

Code:
pkg remove php74-pecl-mongodb

solved it. Thanks to the German forums.
Posting for reference.

15
General Discussion / Re: Firewall Rules: Use "Foo.net" in source or "any"
« on: March 25, 2022, 11:36:25 am »
Quote from: pmhausen on March 25, 2022, 10:59:33 am
It is not if there is no firewall rule in place to enforce that behavior. If you use "any", devices can use any source address.

Oh okay, thanks. So that means for allow rules I put VLAN10.net (in this example) and I can put any for deny rules?

But what about floating rules? They are for multiple interfaces, but I can only put 1 Source there...?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved