Messages - Stitch10925

1
General Discussion / Re: *Something* is filling up my hard drive causing Unbound DNS service to die
« on: October 15, 2024, 11:53:05 pm »
Thank you for the suggestion.

I noticed the problem is with the Firewall's "Plain View" logs. They keep on filling up the hard drive and I haven't found a way to turn them off or to configure its retention time.

2
24.7 Production Series / Re: Puzzling issue with opnsense OPNsense
« on: September 30, 2024, 02:58:57 pm »
Check your disk space. I have a similar issue in which my disk space runs full, which causes Unbound DNS to stop responding.

Anything that was resolved before Unbound crashed will keep working, but anything after that will not be able to resolve.

I haven't found out yet what is causing my disk space to fill up, but it happens every few days.

I made a thread in the General forum about my issue:
https://forum.opnsense.org/index.php?topic=43140.0

3
General Discussion / Re: OPNSense has internet access but clients do not? 24.1 bug
« on: September 30, 2024, 02:51:34 pm »
Check your disk-space and if Unbound DNS service is still running.

I have a similar issue at the moment, that *something* is filling up my drive every couple of days causing DNS resolution to fail.

I created a topic for it in case it might help you:
https://forum.opnsense.org/index.php?topic=43140.0

4
General Discussion / *Something* is filling up my hard drive causing Unbound DNS service to die
« on: September 30, 2024, 02:51:14 pm »
Hey everyone,

I recently upgraded to the latest version of OpnSense (24.7). I started getting internet dropouts where DNS would not resolve but the OpnSense UI would still work and it could still pull updates.

I have OpnSense in a Proxmox VM and switched to VirtIO network drivers because throughput was much higher. Initially I thought that was the issue, so I reverted them back to Intel drivers. Yet, the issue remained.

I recently discovered that the hard drive was full (disk usage showed 106% use). I added about 10 GB of storage space to the VM, yet a few days later the disk was full again. I also noticed that, when rebooting the machine, it would hang on the Netflow Backup script step.

I looked at the Netflow settings and cleared all the data from it. I also disabled logging for it. On the same page I could also clear and disable DNS request logging, which I did. And behold, my drive use went down by 40%. Awesome!

But... a few days later, the disk is full again. I checked the Netflow settings again, they are still disabled. I checked the other log settings to make sure nothing was logging verbosely and checked whether retentions were set to a reasonable level. Clearing the Netflow data did nothing this time.

So something is filling up my disk space causing Unbound DNS to die and not start again, but I can't seem to find what it is. Anyone have any idea how I can troubleshoot this issue or what might be the cause?

5
General Discussion / Re: Unbound DNS not starting
« on: September 30, 2024, 02:40:43 pm »
Maybe a stupid question, but do you have enough disk space left? Unbound doesn't like it when there is no space left.

6
General Discussion / Re: Some issues with Caddy (Certificate and Routing)
« on: April 16, 2024, 10:18:08 pm »
Thank you for the amazingly fast reply and patch!

At present it's indeed not possible to add a wildcard certificate and a root domain at the same time. I will try your patch, that would already solve a part of my problem.

Once the header feature is released I believe my other problem would be solved as well.

That being said: I don't know what the future plans for the plugin are, but I have a feature request. Where could I log this request?

Thanks in advance!

7
General Discussion / Some issues with Caddy (Certificate and Routing)
« on: April 16, 2024, 10:59:30 am »
Hey everyone,

I was thrilled to find out that OpnSense now has a plugin for Caddy, so I started to migrate my configuration from HAProxy to Caddy. However, I seem to be running into some snags:

1. Wildcard certificates do not seem to include the domain root.

When using a wildcard certificate and browsing to myDomain.com, I get an invalid certificate error. However, when browsing to www.myDomain.com, everything is fine. So it seems that the wildcard certificate does not contain the domain root and I cannot find any way to include it.

2. I cannot replace headers for forwarding requests

In the documentation (https://docs.opnsense.org/manual/how-tos/caddy.html) it states you can manipulate the headers when sending to vhosts, however, the "headers" tab mentioned in the documentation seems to be missing. Since I cannot set the headers, my routing fails.

Is there a way to resolve these problems? And is there a way to see what config the caddy plugin generates?

Thanks!

8
20.7 Legacy Series / Re: [FIXED] Web-gui not accessible after last upgrade
« on: February 17, 2021, 10:00:27 pm »
And in 21.1 you still have the same issue?

I updated to 21.1 recently and since then the UI is not working anymore. So I should pull the WAN cable and then I should have access to the UI again?

That is kind of odd. WAN should be blocked, but not LAN.

9
20.7 Legacy Series / Re: [FIXED] Web-gui not accessible after last upgrade
« on: February 16, 2021, 11:26:02 pm »
Any update on this by any chance?

10
21.1 Legacy Series / Re: After upgrade to 21.1.1 Web UI is not working on Safari@iPhone, works on Chrome
« on: February 16, 2021, 11:23:16 pm »
I can't get the UI to work at all...

In Firefox and Chrome I get error: SSL_ERROR_INTERNAL_ERROR_ALERT

In the console I see: Starting web UI .... Done

So it seems to start correctly, but it's not working.

Sadly enough I don't have enough Linux skills to try to fix this myself.

11
German - Deutsch / Re: HAProxy as Reverse Proxy
« on: March 17, 2019, 02:31:41 am »
No idea why you are putting your WordPress site on port 8080 instead of 80 or 443, but never mind.

Your configuration has the following for the Public settings: "Listen Addresses: xyz.abc:8080". You should change this to 0.0.0.0:8080. That is the address on which HAProxy waits for incoming connections.

12
General Discussion / Re: So many problems ... what is going on!?
« on: March 12, 2019, 08:28:22 pm »
I finally got most of it resolved, but it has been a hassle. It seems to be a lot of issues coming together which made it very difficult to figure out what was going wrong. But at the moment everything seems to be working quite well.

So yes, not necessarily OpnSense issues, but at some places the help text could be updated to be more clear or give a more truthful example, this would have set me in the right direction to fix the problem. Now it was a lot of online searching and trial and error.

@deZillium

The IP conflict, in retrospect, appeared to not be an IP conflict, but a problem with the Fritz!Box I am using. If I put the Fritz!Box in Client-IP mode (become part of the existing network) the issues appear. When I just set it to use the existing LAN connection (NAT the connection and provide own IP addresses) I do not have the disconnection problems anymore. I tried the same with another, newer, Fritz!Box model, this one does not seem to be suffering from that problem. So in that one Client-IP works fine. But those things are really sh*t to figure out.

13
General Discussion / Re: So many problems ... what is going on!?
« on: February 13, 2019, 04:37:27 pm »
Guess I'm not the only one with problems then...

Still having internet dropouts. Oddly enough only on wireless... or at least it seems that way, maybe wired recovers faster, I don't know. Either way, the internet connection is not stable. I read that this might be because of using VirtIO drivers for the virtual NICs (my OpnSense is running in Proxmox), but as for now I see no improvements.

I also tried to block any DMZ connections coming into my LAN. Set blocking rules on the LAN as well as on DMZ interfaces and it's still coming through. Oddly enough, when I try to access LAN from DMZ, in the firewall, the rule gets listed under the LAN interface, which seems odd to me.

The path is:
DMZ > DMZ Gateway > LAN
=
192.168.10.4 > 192.168.10.1 > 192.168.20.7

And the resulting rule in the Live Log is:
LAN Source =192.168.10.1, Destination = 192.168.20.7

How is 192.168.10.1 LAN? It's the DMZ gateway...

Apparently you need to change the "LAN can go anywhere" rule in order to block the DMZ stuff... this makes no sense to me. So either something is wrong or my understanding of this stuff is worse than I thought.

I thought DMZ firewall rules would apply to anything coming into DMZ, WAN firewall rules to anything coming into WAN and LAN firewall rules anything coming into LAN. So I had set my LAN firewall rule, that it should block anything coming from DMZ... doesn't work though.

It's really disheartening sometimes...

14
General Discussion / Re: So many problems ... what is going on!?
« on: February 02, 2019, 12:36:41 am »
Added updates inline of original post

15
General Discussion / So many problems ... what is going on!?
« on: January 31, 2019, 12:47:04 am »
Hey everyone,

With everything I do I seem to encounter some bug of some sort which has made setting up OpnSense a real pain in the butt. 2 evenings of work only got me as far as a working internet connection and internet from my DMZ and LAN towards my WAN... quite abysmal result if you ask me.

What has been happening

Problem 1, getting the internet to work over PPPoE:

This was with the previous OpnSense version I was running. For the life of me I could not get PPPoE to connect. I found in some forums that this could be caused by a race condition in which a blocking system call in the PPPoE daemon would not return in a timely fashion causing the connection request to drop.

I solved this by connecting through the internet using a router I had, and connecting OpnSense WAN to the router. I then upgraded OpnSense and all plugins to the latest version (OPNsense 18.7.10_3-amd64). After that PPPoE connection was instantaneous.

Problem 2, getting Dynamic DNS to work:

When I set up Dynamic DNS to update my Namecheap domain I get the following error when the service tries to start:
parser error : Space required after the Public Identifier in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 1072


I logged a bug for this here: https://github.com/opnsense/plugins/issues/1156
No solution yet.

Problem 3, getting HA Proxy to start:

Had this working on the previous install, but now I cannot get it to start. I don't know why. In the log it only says: "HAProxy failed to start" and "returned exit status 1". Amazingly helpful. So if anyone has some pointers, I am all ears.

I had HAProxy problems before, here an update to the latest version did the trick. However, this latest version does not seem to be working for me again. Probably something stupid that I did or did not do, but no idea what.

-- update: 2019-02-02 --

I finally got HAProxy to start. The issue was the listen address in the public pool. I had it set to 127.0.0.1, and it should have been 0.0.0.0. The help description provided is thus very misleading since it suggests the following: "Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443". This should really be adjusted.

Found the solution by going through a few tutorials I found.


What else hasn't worked so far?

- DHCP instabilities:
-- Setting a DHCP range from x.x.x.5 to x.x.x.20 and having the client work with x.x.x.4 (??), even after disconnecting or forcing a reconnect to get a new IP via DHCP
-- Static DHCP leases not being used/detected (lease is added, but when the client asks for an IP, DHCP does not seem to realize it is a lease and gives another IP (probably related to above))... and yes, the MAC address was correct, I checked multiple times.
- Wifi on the laptop switched between internet/no internet connection. The network stays connected, but all of a sudden a ping won't work or a website won't load. After a few seconds it works again for a short time, then it starts all over. I do not have this on my cellphone and only had it on my laptop since I use OpnSense as firewall/dns. It seems like the firewall crashes or it can't route to the internet anymore, ... something like that.

-- update: 2019-02-02 --

It appears I had an IP conflict on my network which caused most of the strange behavior mentioned above. Once I got that resolved everything seems to be much more stable.


- Getting DHCP hostname registration in DNS (or at least the resolving of them) to work
- NetBIOS resolving (still need to look into this, but probably the same as above?)

-- update: 2019-02-02 --

Switching to DnsMasq, seems to work now, but it might have been a misconfiguration in Unbound DNS. Not sure, but don't care. It's working :)


What's next?

I don't know what else I will encounter. I still have quite a lot of things to set up:
- Configure HAProxy (once it feels like starting) --> DONE - no issues
- Setting up Let's Encrypt
- Setting up VPN
- Routing RDP from LAN to DMZ --> DONE - no issues

Haven't even touched on:
- Intrusion Detection
- Clam AV
- Port forwarding

Obviously I am not "a Linux guy", but I have managed before. Either way, to me this feels like an awful lot of issues/problems for the little I have been able to set up in 2 days' time.

Anyone experiencing issues like this or know about any solutions to these issues? I am really getting frustrated with this, especially since I am hosting a few websites and I obviously haven't been able to get them online.

Some final specs:

OPNsense 18.7.10_3-amd64
FreeBSD 11.1-RELEASE-p18
OpenSSL 1.0.2q 20 Nov 2018

OPNSense is running as a virtual machine under Proxmox version 5.2-7.
WAN, DMZ and LAN are separate hardware NICs, each bridged to their own virtual NIC on OPNSense
