Messages - Apollo13

#1
And another question...

Last year I wrote a post about how selecting the "auto-detect" option in my WAN interface breaks the outbound connection on our OPNsense (in version 19.1) [https://forum.opnsense.org/index.php?topic=13456.msg61967#msg61967]. Due to a lack of time I could not investigate further in the last few months, and in the meantime that thread has been moved to the archive, so I cannot reply there and am opening a new thread here... Because my situation is still the same as in my previous post (just with version 20.1.1), I just copy & paste the relevant part:

--
The situation in short: My OPNsense has a public WAN IP (e.g. 100.0.0.100) and I created a "gateway" entry (e.g. for IP 100.0.0.1), which I marked as "default". As soon as I select "auto-detect" on my WAN interface, the attached clients on the LAN are unable to reach any external system. Switching to gateway "100.0.0.1" restores the capabilities.
The OPNsense itself is able to access (ping) all hosts regardless of the concrete selection.
--

I was asked if there were any outbound NAT rules when "auto-detect" was selected - and in fact those rules are missing. If the gateway is selected, I see two rules instead...

Any help on that topic is much appreciated!
#2
Hey guys,

we've got multiple VLANs, and the DHCP servers running on them assign different domain names per interface.
Those domain names get assigned correctly, but since dnsmasq and unbound only support one domain name (and in my case that domain name is different from the one assigned to my test system), the reverse DNS lookup (executed as part of "hostname -A") returns the wrong domain name.

Is it somehow possible to work around the "one domain name only" restriction (e.g. by starting a separate dnsmasq instance per interface)?

I explicitly don't want to configure static leases for each system that should be accessible under a different domain name than the default!

Thanks in advance.

EDIT: I also found this post (and, to be honest, in the beginning I also thought that DHCP was the problem), but no solution is given there: https://forum.opnsense.org/index.php?topic=9692.msg44208#msg44208

EDIT2: In the meantime, I've been looking around the source code and found that, regarding DHCP leases, unbound delivers what is in the dhcpleases.conf file.
This file is created by the script "unbound_dhcp.py". It should be possible to set a different domain in this script depending on the IP range to which a lease belongs, right?
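The per-IP-range domain idea from EDIT2, worked through as an added example (my code, not Apollo13's and not OPNsense's unbound_dhcp.py): the scope-to-domain map, the lease tuples and the example.net names are all constructed here, and OPNsense's actual lease file format is not assumed. It picks the domain from the narrowest matching DHCP scope and emits unbound local-data lines for both forward and reverse lookups, so "hostname -A" would return the per-VLAN domain.

```python
# Added example, not OPNsense's unbound_dhcp.py: pick a lease's DNS domain from
# the subnet it falls in, then render unbound local-data entries for it.
# Scope map, leases and example.net names are constructed for this demo.
import ipaddress
import re

# Constructed per-interface domains: one DHCP scope per VLAN, as in the post.
INTERFACE_DOMAINS = {
    "10.10.0.0/24": "office.example.net",
    "10.20.0.0/24": "lab.example.net",
}
DEFAULT_DOMAIN = "example.net"  # the single domain unbound would use otherwise

# Constructed leases: (ip, client-supplied hostname).
LEASES = [
    ("10.10.0.25", "desk01"),
    ("10.20.0.7", "testbox"),
    ("192.168.99.4", "stray"),    # outside every mapped scope -> default domain
    ("10.10.0.99", "bad host!"),  # rejected: not a valid DNS label
]

# DHCP hostnames are untrusted client input; accept only plain DNS labels.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def domain_for_ip(ip, scopes=INTERFACE_DOMAINS, default=DEFAULT_DOMAIN):
    """Return the domain of the most specific scope containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, domain) of the narrowest matching scope
    for cidr, domain in scopes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, domain)
    return best[1] if best else default


def unbound_entries(leases):
    """Render forward (A) and reverse (PTR) local-data lines per lease."""
    lines = []
    for ip, host in leases:
        if not _LABEL.match(host):
            continue  # skip leases whose hostname cannot become a DNS label
        fqdn = f"{host}.{domain_for_ip(ip)}"
        lines.append(f'local-data: "{fqdn}. IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_entries(LEASES)))
```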
#3
Hey guys,

a few months ago I wrote a post (https://forum.opnsense.org/index.php?topic=11314.0) about how setting the "auto-detect" option for the gateway on the WAN interface breaks my outbound connection on OPNsense 18.7. Back then I got no response/help, but I thought this problem would be fixed in newer versions. Unfortunately it is still present on 19.1.

The situation in short: My OPNsense has a public WAN IP (e.g. 100.0.0.100) and I created a "gateway" entry (e.g. for IP 100.0.0.1), which I marked as "default". As soon as I select "auto-detect" on my WAN interface, the attached clients on the LAN are unable to reach any external system. Switching to gateway "100.0.0.1" restores the capabilities.
The OPNsense itself is able to access (ping) all hosts regardless of the concrete selection.

Can anybody help? Thanks in advance.
#4
Hi guys,

I am trying to set up a working LDAP auth server connection, but the only response I get when I click "Select" to show the Authentication containers is a blank popup - and in my logs I can see "opnsense: LDAP bind error (Can't contact LDAP server)". I am using StartTLS and I suppose there must be an error in my config, but I cannot figure out what to change.

My server has a certificate with its FQDN set as CN and the (self-signed) root and intermediate CAs are added (as separate entries) to the list of CAs shown via "System" -> "Trust" -> "Authorities".

If I try the following script (I put it in the same directory as all the other PHP files, i.e. /usr/local/www) using the values from the LDAP config page, I get a list of all attributes for "my.user":

<?php
// Connection parameters copied from the LDAP config page ("secret" is a placeholder).
$ldap = "ldap-srv.mydomain.com";
$usr  = "uid=srv-acc,ou=serviceaccounts,dc=sub,dc=mydomain,dc=com";
$pwd  = "secret";

$ds = ldap_connect($ldap);
$ldapbind = false;

// LDAPv3 and no referral chasing must be set before StartTLS; bind only if StartTLS succeeded.
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)
    && ldap_set_option($ds, LDAP_OPT_REFERRALS, 0)
    && ldap_start_tls($ds)) {
    $ldapbind = @ldap_bind($ds, $usr, $pwd);
}

if ($ldapbind) {
    // Look up the test user and dump every attribute the server returns.
    $ldapse = ldap_search($ds, "dc=sub,dc=mydomain,dc=com", "uid=my.user");
    var_dump(ldap_get_entries($ds, $ldapse));
} else {
    // Report why StartTLS or the bind failed instead of searching over an unbound connection.
    echo "LDAP error: " . ldap_error($ds) . PHP_EOL;
}
ldap_close($ds);
?>

The same username and password work if I use them inside an LDAP auth stanza in my Apache2 config.

I also tried setting "TLS_REQCERT never" in /usr/local/etc/openldap/ldap.conf but that doesn't change anything.

Can anybody tell me what I am doing wrong?
#5
Hi folks,

I've got a strange problem I'd really like to get support on.
My system has two interfaces:
LAN has IP range: 10.0.0.0/24
WAN has a public static address - let's say it is 192.0.0.100/24. Additionally I configured one (and only one!) gateway with IP 192.0.0.1 and checked the "default" box.

Now pings to a Linux system inside the WAN net via "Interfaces->Diagnostics->Ping" work as expected. But if I try the same from one of my LAN clients, no ping succeeds.
That only changes if I manually force the WAN interface to use the gateway, i.e. changing the gateway setting from "auto-detect" to the configured GATEWAY entry. Then I've got no problems at all reaching systems that are not on the LAN.

The help text shown next to the gateway options says:
Quote: "If this interface is a multi-WAN interface, select an existing gateway from the list or add a new one using the button above. For single WAN interfaces a gateway must be created but set to auto-detect. For a LAN a gateway is not necessary to be set up."

Why do I have to set the gateway explicitly?

Thanks in advance!

EDIT: My system is running OPNsense 18.7.10.