Messages

1

24.7 Production Series / [SOLVED] Cron job for Wake on Lan service fails

« on: August 21, 2024, 10:24:41 am »

My own fault. Forgot to input the associated subnet addresses in the parameter's field.

Encounter this problem on a fresh 24.7.1 install having multiple WoL cron jobs defined.
Configd_20240821.log entries are:
Waking up host B4:99:Bx:Bx:Ex:Dx followed by returned exit status 1 and next by message ... ['B4:99:Bx:Bx:Ex:Dx' ''] returned Error (1). Same goes for the other WoL jobs.
Running the manually the Wake on LAN service in the GUI performs well and the log entries are just Waking up host B4:99:Bx:Bx:Ex:Dx and no exit status 1 or Error (1).
Other Cron jobs for Letsencrypt and Proofpoint seem to run fine.

2

24.7 Production Series / Re: Nginx Plugin Fails to Modify Log Folder Due to Ownership

« on: August 21, 2024, 10:24:05 am »

I encounter the same problem as it looks like.
I had lots of (13: Permission denied) entries in /var/log/nginx/latest.log and after altering the rights of the /var/log/nginx folder those entries were gone and log lines were stored properly in the belonging log files.
You wrote that the /var/log/nginx rights were root:wheel that differs from mine which were root:staff.
Log entries are written by nginx as user www which is as expected. I haven't tried a reboot yet but if the case is that this is changed back after every reboot that would be very inconvenient.

3

24.1 Legacy Series / [SOLVED] Re: Cannot get OpenVPN fixed client IP addresses to work

« on: July 19, 2024, 10:13:51 am »

[SOLVED] because I've got it to work but [NOT SOLVED] because I don't understand why.
After a hairpulling night I decided to assign another user and that worked right away().
So next I added all the users who should have VPN access and all worked fine with the proper assigned IP address.
After a deep thought I remembered that the only difference I could think of was that with the first account I struggled with I had generated the client Certificate in System->Trust->Certificates and NOT using the System-> Access->Users page option used for the other clients. Not that I believe it matters but for completeness I should say that all users are imported from a LDAP server.
So I unlinked in the Cert of my first troublesome user in the System-> Access->Users page and created a new client Cert from the same page. Exported the config and voila it worked as should.
Now I'd like to understand why a Cert generated  in System->Trust->Certificates caused this problem. This maybe something for the developers to sort out.

4

24.1 Legacy Series / Re: Cannot get OpenVPN fixed client IP addresses to work

« on: July 18, 2024, 11:01:15 pm »

CSO has been setup correctly but won't assign the given IP address.
Network is: 192.168.80.0/24
CSO  IPv4 Tunnel Network is 192.168.80.5/24
IP address given is 192.168.80.2
Works on my "old" FW.

5

24.1 Legacy Series / [SOLVED] Cannot get OpenVPN fixed client IP addresses to work

« on: July 18, 2024, 09:14:32 pm »

Last year I ran into a similar problem https://forum.opnsense.org/index.php?topic=35447.msg172767 but that was solved somehow. During the OPNsense upgrades hereafter OpenVPN wouldn't upgrade anymore and got stuck at version 2.6.10. I did not bother too much as clients were still able to log into OpenVPN.
Now I'm setting up a new server and using the new Instance option for OpenVPN. Everything was rapidly up and running but I could not get assigning a fixed client IP address to work, no matter what option I tried after a whole afternoon Googling for a solution. None of the suggestions found solved the problem.

At last I decided to copy the settings of a working Legacy Server and Client from my "old" working FW but with that I stumbled into other problems. With the exact copy of Legacy settings from my old FW I all the time get a TLS Error: TLS handshake failed and the only difference is the newer OpenVPN version 2.6.11.

Does anyone know a proper guide on how to setup an Instance with fixed client addresses?

6

24.1 Legacy Series / WebGui not accessible via OpenVPN

« on: June 27, 2024, 11:46:53 am »

I'm setting up a new server which is connected to a new fiber provider to replace an existing old server still operational connected to a different fiber provider.
Instead of using a backup from the old machine I want to set-up the new machine from scratch.
I have configured the LAN port of the new machine with a fixed IP address in the same subnet as the LAN of the "old" machine in order to have both WebGui's in sight while copying settings and rules from the "old" to the "new" machine. This works flawless from my workplace in the office being connected to another subnet on the "old" machine.
Once connecting to the "old" machine via OpenVPN there is no response from the WebGui of the "new" machine so traffic is somewhere blocked but while looking at the life logs on both machines it is clear that the request is passing through bot firewalls. The only possible related error I found in the general log of the new machine saying "Error   lighttpd   (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.76/src/mod_openssl.c.3510) SSL: 1 error:0A00009C:SSL routines::http request (10.67.6.102)" .
So obviously this is the webserver not accepting the request.
Does anyone understands this lighttpd error and what can be done to overcome?

Another question is the following:
My new connection is 1Gbit opposed to 50Mbit of the old one so I'd like to use the available speed of this new connection through the "old" server while setting up this new firewall. What would be the best solution to route web traffic through this high speed connection.

7

24.1 Legacy Series / Re: Webgui unaccessible when port has a DHCP given address

« on: June 25, 2024, 06:07:14 pm »

Well actually I didn't changed it but I left it as was which is "All" by default. I appreciate your response though.

8

24.1 Legacy Series / Re: Webgui unaccessible when port has a DHCP given address

« on: June 25, 2024, 05:35:43 pm »

I left the listen interface at "All " so your answer is not a solution.

9

24.1 Legacy Series / Re: Webgui unaccessible when port has a DHCP given address

« on: June 25, 2024, 04:07:33 pm »

Obviously I did, otherwise it also wouldn't work with a fixed IP address...

10

24.1 Legacy Series / Webgui unaccessible when port has a DHCP given address

« on: June 25, 2024, 03:48:17 pm »

Hi,
Today I ran into an unexpected problem while setting up a new server to replace old hardware.
After the initial install I was able to login while pointing to the LAN port with default given IP address as per default.
I created an 3rd port OPT1 and initially configured this port with DHCP. What ever rule I made for this OPT1 port I couldn't get access to the web interface. After some hair pulling hours the only difference I could find was that on my "old" OPNSense box the OPT1 port had a fixed IP address instead of DHCP. So I changed on my new box OPT1 to a fixed available IP address and voila, the https connection was established. Now I changed the fixed IP address to the same one given by DHCP and no connection is possible. Firewall log shows that the request may pass so ends up in the firewall itself with no response.
What is the explanation for this behavior? Is this a hidden feature?

11

23.7 Legacy Series / Webgui unaccessible when port has a DHCP given address

« on: June 25, 2024, 02:58:46 pm »

I've move this one to OPNsense Forum »English Forums »24.1 Production Series »

12

23.7 Legacy Series / Re: LDAP set up problems

« on: December 08, 2023, 11:19:25 am »

It is unclear from where you have tested the ldapsearch but since this seems to be an external ldap server it might be caused by the firewall itself. Take a look at the firewall's Live View Logfiles and set a filter to dst_prt is 636 to see whether the request is blocked. If so define a rule to pass the ldap request and try again. Also look if value of the Port Setting under  System: Access: Servers in this case is 636.

13

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: October 23, 2023, 06:42:06 pm »

If "Common Name" is identical to username than there should be no need to enable "Force CSO Login Matching"
At least I have not enabled it in my working config as my Username is the same as common name
I have no experience with using a different username than the common name.
Does your client logs in using the common name or its username?

14

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: October 23, 2023, 04:13:12 pm »

How did you define IPv4 Tunnel Network?
You wrote

despite I use common name in CSO configuration

but Common name has nothing to do with your problem.
You may send me your config off-line to better understand what may be wrong...

15

23.7 Legacy Series / Re: OpenVPN CSO what happened to custom_options

« on: October 21, 2023, 03:56:54 pm »

In my case "Topology" was disabled after the update but I only discovered that after redefining the CSO's which disappeared as well.
I noticed that although the CSO's were gone in the GUI they luckily still did exist in the config.xml file. I used that to reconstruct the CSO's but it still didn't work until I found out that "Topology" in the server setting was disabled as well. So after enabling the "Topology" setting it worked as before. What I didn't try out anymore is what would have happened if I would have checked the "Topology" setting prior to redefining the CSO's but it wouldn't surprise me if that would have been the case because I don't understand otherwise why these entrees were still present in the config.xml.
In your case in the example you gave the IP address in the CSO should be defined as 192.168.20.8/24 as the network is defined as 192.168.20.0/24.
So if in your case "Topology" in the server setting has been enabled and your CSO's are correctly defined it should work.