Messages - benibilme

#1
Hello,

Recently I installed AdGuard and had to disable Unbound. Unfortunately, I have not been able to get both to work in harmony. AdGuard is acting as the sole DNS server. Everything seemed normal after those changes.

I wanted to install a VPN server on the OPNsense box. Because of that I changed the cable modem's operating mode from router mode to bridge mode. Everything seemed to be working normally, but then I realized that package updates and checks were failing. I thought it was a mirror problem and changed to several mirrors, with the same result.

I do not know for certain whether it is because of the initial misconfiguration of AdGuard or the modem bridge mode change. I have not changed any setting in the WAN part.

I really appreciate any insight.
#2
I didn't fully understand the question. I assume the devices on the LAN are static; I didn't quite understand what the issue is with their outbound access. Normally, when you give a computer on the LAN a static IP, you need to define the OPNsense IP address as the gateway in the gateway setting; if it is a larger local network with VLANs, you need to enter the required gateway for each VLAN/subnet. On the switch that does inter-VLAN routing, you need to point these to OPNsense. Other than that, what are you looking for? In its default settings, OPNsense is already configured to automatically allow LAN addresses out. You don't need to make an additional firewall setting. If you want to restrict traffic going from inside to outside, that's a different matter.
#3
Hello,

I have a similar problem; I receive a "gzip is failed" error during updates. Did you find a solution to your problem?
#4
Thanks for the answer. What should the settings be for the Turkish F keyboard?
#5
Hello,

I am kind of a newbie. I set up OPNsense about two years ago; after that it worked, and I updated it a couple of times. This morning I could not access the internet. I found that Unbound was not working; I restarted it and saw that the internet was accessible again. I also checked the updates and saw that my firmware was end of life, so I unlocked and pressed the upgrade button. I do not remember my current firmware version, but it was 20 something. The router rebooted successfully and the internet was accessible, but later the internet and the router became inaccessible. I rebooted the router, and now I cannot even ping the router. It is completely inaccessible.

I really need advice on how to handle this situation.

#6
The post below describes the root of the problem. Basically it was leftover DHCP static entries. The DHCP server was in relay mode, but the static entries were somehow still honored by OPNsense. This is new to us.

https://forum.opnsense.org/index.php?topic=16908.msg76956#msg76956

#7
The problem is solved and it seems it was our bad. However, there is unexpected behaviour in OPNsense. I have been using a separate DHCP server backed by a RADIUS server. The OPNsense DHCP server is normally not active and just relays to the separate DHCP server. Once there was a problem with the internal server and I migrated DHCP to OPNsense for a short period of time. I defined static entries. After the separate DHCP server was activated again, the OPNsense DHCP server was disabled and put back in relay mode. However, the static entries were left, with the reasoning that they might be needed in the future. There was a checkbox which said do not pass unknown clients; it was also ticked. Contrary to our expectation, this setting was active and was not allowing any new machine that was not defined in the DHCP static entries. DHCP entries even take precedence over firewall rules. Machines not whitelisted cannot even ping the firewall nor pass through it, even though the firewall rules allow it.

Quote from: benibilme on April 22, 2020, 10:18:34 PM
Hello,

The upgrade broke my system. Every new computer added to the system cannot pass the firewall, even though there are correct rules based on aliases defined for the new machines.

The symptoms are as follows:

From the live log view of the firewall, it is shown that, based on the active pass rule, the packets from the machine are allowed to pass to the internet.
However, from the machine, even the firewall cannot be pinged and the internet cannot be accessed. The machine can access the local network and other network resources such as shared folders etc.

#8
Hello,

The upgrade broke my system. Every new computer added to the system cannot pass the firewall, even though there are correct rules based on aliases defined for the new machines.

The symptoms are as follows:

From the live log view of the firewall, it is shown that, based on the active pass rule, the packets from the machine are allowed to pass to the internet.
However, from the machine, even the firewall cannot be pinged and the internet cannot be accessed. The machine can access the local network and other network resources such as shared folders etc.
#9
Hello,

TLDR
In my network, only one machine cannot access the firewall or the internet. The machine's IP address is defined in a pass rule in the rule settings. I can see that the packets are allowed to pass in the firewall live logs. However, I cannot ping the firewall from the machine or access the internet. I have given it different IP addresses that are granted access to the firewall, but the same happens. The machine, I believe based on its MAC, is not granted access. The firewall is not using RADIUS etc.

Long story:

I am running one OPNsense firewall in my network. I have an internal RADIUS-backed DHCP server. The OPNsense firewall relays DHCP requests to the internal DHCP server.
I have a Windows 10 machine that has not been used for quite some time. Recently I booted it up, and it received its preconfigured IP address from the internal MikroTik RADIUS-backed DHCP server.

* For every machine in the local network, there are aliases and rules defined. The rules for this machine are also active. Basically this machine is allowed to access outside.
* The machine's Windows firewall is disabled.
* The machine can ping all machines in the local network except the OPNsense firewall and internet IP addresses. The machine can access shared folders and other resources in the local network/LAN.
* From the firewall live logs, by filtering for the IP address of the machine, I can see that packets, ICMP and others, are allowed from this machine, even though the machine strangely cannot go outside and cannot receive ping responses.
* However, Unbound gives the following error for each request made by this machine to the firewall:

2020-04-21T02:08:04   unbound: [98722:0] notice: remote address is ip4 192.168.1.23 port 51715 (len 16)
2020-04-21T02:08:04   unbound: [98722:0] notice: sendto failed: Invalid argument
2020-04-21T02:08:04   unbound: [98722:0] debug: using localzone xxxx.home. transparent
2020-04-21T02:08:04   unbound: [98722:0] info: 192.168.1.23 wpad.xxxx.home. A IN
2020-04-21T02:08:02   unbound: [98722:0] notice: remote address is ip4 192.168.1.23 port 51715 (len 16)
2020-04-21T02:08:02   unbound: [98722:0] notice: sendto failed: Invalid argument
2020-04-21T02:08:02   unbound: [98722:0] debug: using localzone xxxx.home. transparent
2020-04-21T02:08:02   unbound: [98722:0] info: 192.168.1.23 wpad.xxxx.home. A IN

* Unbound has the following settings active in its general settings:

Enable DNSSEC Support
Register DHCP leases
Register DHCP static mappings

* Unbound does not have any access list configured other than the generic ones below:

Internal    Allow    127.0.0.1/8
Internal    Allow    ::1/64
Internal    Allow    192.168.1.1/24
Internal    Allow    fe80::2e0:67ff:fe10:ab4a/64

In summary: OPNsense reports that packets are passing through the firewall, but the machine cannot ping or access the firewall even though there is no relevant setting in Unbound. Unbound does not have a specific setting for the machine.

What could be the reason? Any help is much appreciated. By the way, every machine in the network can access the internet based on the firewall rules without problem. Only this machine has this problem.

UPDATE.
--------
I have disabled Unbound and enabled dnsmasq as the DNS server. The same problem continues. I have not seen anything in the dnsmasq logs (there is no option for controlling the log level in the settings similar to Unbound).
#10
Hello,

I have switched from the MikroTik DHCP server to the OPNsense built-in DHCP server. I selected the deny unknown clients option in the general configuration. I also checked Enable Static ARP entries and, for each static entry, I checked the ARP Table Static Entry option.

After these settings were applied, the firewall does not even respond to ping requests from clients not in the list. I have devices with statically set IPs such as NAS and switches, and there is also an allow ICMP request rule from the whole LAN subnet before all other rules in the firewall rules. There are also pass-through rules for statically entered IP addresses, for example NAS devices, in the firewall rules. However, unless explicitly typed in the DHCP static list, they are still blocked.

In my opinion this is not proper behaviour; it is a hidden feature or a bug. DHCP entries somehow become firewall rules and, even more, overrule the firewall rules. For example, for test purposes, I manually assigned an IP address to my daily-used laptop, which has a valid pass-through address in the firewall rules but is not listed in the DHCP static entries, and I cannot even ping the firewall and cannot access the firewall.

This strange behaviour in effect overrules the anti-lockout rules; I cannot access anything about the firewall until I enter a valid address listed in the DHCP.

This must not be the static lease behavior of DHCP, or the effect of the setting must be explicitly shown in the firewall rules, in my opinion.

I appreciate any insight.

Thank you..

My configuration is as follows

-----------------------------------------
OPNsense 19.7.7-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019
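The lock-out described in this post can be caught before it happens by comparing the DHCP static mappings with the hosts that firewall aliases allow. The following is an added example, not code from the thread or from OPNsense; the XML is a constructed, simplified fragment modelled on config.xml, and its element names (dhcpd/lan/staticmap, denyunknown, staticarp, aliases/alias) are assumptions.

```python
"""Audit check for the lock-out described in the post above: hosts with a pass
rule via a firewall alias but no DHCP static mapping while 'deny unknown clients'
and 'static ARP entries' are both on. Constructed example; the XML is a simplified
fragment modelled on config.xml and its element names are assumed, not verified."""
import xml.etree.ElementTree as ET

# Constructed sample config. 192.168.1.23 has a pass rule (alias "laptop") but no
# static mapping, so with the gate active the firewall never answers its ARP/ICMP.
SAMPLE_CONFIG = """<opnsense>
  <dhcpd><lan>
    <enable>1</enable><denyunknown>1</denyunknown><staticarp>1</staticarp>
    <staticmap><mac>00:11:22:33:44:01</mac><ipaddr>192.168.1.10</ipaddr><hostname>nas</hostname></staticmap>
    <staticmap><mac>00:11:22:33:44:02</mac><ipaddr>192.168.1.20</ipaddr><hostname>switch</hostname></staticmap>
  </lan></dhcpd>
  <aliases>
    <alias><name>nas</name><type>host</type><content>192.168.1.10</content></alias>
    <alias><name>laptop</name><type>host</type><content>192.168.1.23</content></alias>
    <alias><name>infra</name><type>host</type><content>192.168.1.10
192.168.1.20</content></alias>
  </aliases>
</opnsense>"""

def enabled(scope, tag):
    """A boolean option counts as on when the element exists and is empty or truthy."""
    el = scope.find(tag)
    return el is not None and (el.text or "").strip() in ("", "1", "on", "yes")

def dhcp_gate(root, iface="lan"):
    """Return (gate_active, {ip: mac}) for one interface's DHCP scope. The gate is
    active when denyunknown and staticarp are both set: only listed MACs get an
    ARP reply, so the filter rules for anyone else are never even reached."""
    scope = root.find(f"./dhcpd/{iface}")
    if scope is None:
        return False, {}
    mapping = {s.findtext("ipaddr").strip(): s.findtext("mac").strip().lower()
               for s in scope.findall("staticmap")}
    return enabled(scope, "denyunknown") and enabled(scope, "staticarp"), mapping

def alias_hosts(root):
    """Yield (alias_name, ip) for each entry of every host-type alias."""
    for a in root.findall("./aliases/alias"):
        if (a.findtext("type") or "host") == "host":
            for ip in (a.findtext("content") or "").split():
                yield a.findtext("name"), ip

def unreachable_hosts(config_xml, iface="lan"):
    """Aliased hosts that the DHCP/static-ARP gate will block despite their rules."""
    root = ET.fromstring(config_xml)
    active, mapping = dhcp_gate(root, iface)
    if not active:
        return []
    return sorted({(name, ip) for name, ip in alias_hosts(root) if ip not in mapping})
```

Running `unreachable_hosts(SAMPLE_CONFIG)` on the constructed config lists the laptop alias as the one host that has a rule but would still be unable to reach the firewall.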
#11
Hello,

I had a ZyWALL USG firewall which I ditched in favor of OPNsense. Since the ZyWALL's capability was limited, I used a MikroTik router for the DHCP and RADIUS server. MikroTik has a RADIUS server package called userman. It has a web interface. With this one interface, I was able to control every device in the network. The MikroTik DHCP server asks the RADIUS server about the validity of the MAC address; if authorized, then an IP address is assigned. I also use it to control Wi-Fi MAC address authentication. Via CAPsMAN, I can control several MikroTik Wi-Fi devices from userman. I only make entries in userman (the RADIUS server), and the clients can automatically get an IP address and connect to the Wi-Fi network.

In OPNsense, I have not been able to do this in one place. I have to keep two different but actually identical databases, one with FreeRADIUS and one with the DHCP server.

How can I control Wi-Fi and DHCP MAC address restrictions from a single place in OPNsense?

Thanks in advance..
#12
Hello,

I asked this question a couple of days ago and got no answer. I have revised and simplified my question. Any response is much appreciated.

I really need to know if OPNsense has the capability of authenticating DHCP requests by MAC via the built-in DHCP server against a FreeRADIUS server installed as a plugin. (I want to have a single interface for entering authorized client access.)

This is crucial for me; otherwise I will switch back to another solution. I installed OPNsense and spent a great deal of time learning and configuring it; I took this feature for granted and never thought it could not be possible.

If the answer is yes, I would also appreciate further directions about how to do it.

#13
I installed OPNsense. However, the console stayed in the US keyboard layout. setxkbmap doesn't work because the command can't be found. How do I set the keyboard to Turkish F?
#14
Hello,

I have the same issue.

As far as I understand, this is a FreeBSD bug (feature). Details are at this link: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=230172
The bug affects new-generation Intel Celeron machines, and maybe machines with Intel graphics cards...
I tried to install pfSense and pfSense got stuck at the very same point.

The same problem passes down to both OPNsense and pfSense. The pfSense documentation covers this. The FreeBSD bug does not seem to have been properly fixed, but there are several workarounds, as stated in the bug discussion.

The one which seems easier and which I used is as follows.

During installation, when you see the boot options, press the space bar to stop the counter and select 3 to set boot options.
Then type the following:

set kern.vty=sc
boot

After the boot command, the system boots normally and passes the point where it gets stuck.

kern.vty="sc" must be manually added to the /boot/loader.conf.local file. Otherwise it does not persist between boots. This file does not normally exist. To do that, log in as root after installation; you are given many selections. Select the shell option and create a new file at /boot/loader.conf.local with "kern.vty=sc" (without the quotes).
After saving the file, exit from the shell and reboot to test. I hope this helps.
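The persistence step above (a loader tunable that must survive in a file that may not exist yet) is easy to get wrong by appending a duplicate line. The following is an added example, not from the post or from OPNsense, that edits loader.conf-style text idempotently; the file path and the sample contents are assumptions.

```python
"""Idempotently persist a loader tunable such as kern.vty="sc" in a loader.conf-style
file, as the post above requires for /boot/loader.conf.local. Constructed example,
not part of the original post; set_tunable works on text so it can be exercised
without a FreeBSD machine, and persist_tunable applies it to a real path."""
from pathlib import Path


def set_tunable(text, key, value):
    """Return the file text with key="value" present exactly once.
    The first existing assignment (quoted or not) is replaced in place, later
    duplicates are dropped, comments and unrelated lines are kept, and None
    (file does not exist yet, as the post notes) is treated as an empty file."""
    line = f'{key}="{value}"'
    out, seen = [], False
    for raw in (text or "").splitlines():
        stripped = raw.strip()
        if stripped.startswith("#") or "=" not in stripped:
            out.append(raw)
            continue
        name = stripped.partition("=")[0].strip()
        if name == key:
            if not seen:
                out.append(line)  # replace the first assignment with the wanted value
                seen = True
            continue              # drop any later duplicate assignment
        out.append(raw)
    if not seen:
        out.append(line)          # key was absent: append it
    return "\n".join(out) + "\n"


def persist_tunable(path, key, value):
    """Read path if it exists, apply set_tunable and write the result back."""
    p = Path(path)
    current = p.read_text() if p.exists() else None
    new = set_tunable(current, key, value)
    p.write_text(new)
    return new


if __name__ == "__main__":
    # Constructed sample: an existing file with a comment and a stale assignment.
    sample = '# local loader settings\nkern.vty=vt\nhw.usb.no_boot_wait="1"\n'
    print(set_tunable(sample, "kern.vty", "sc"), end="")
```

On the firewall itself the call would be `persist_tunable("/boot/loader.conf.local", "kern.vty", "sc")` from the root shell the post describes.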