1
German - Deutsch / Re: github wird von FireHOL L3 geblock - ich checks nicht?
« on: September 30, 2024, 05:36:55 pm »
Ich habe nun beides mit drin, geht aber auch nicht.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
2
German - Deutsch / Re: github wird von FireHOL L3 geblock - ich checks nicht?
« on: September 30, 2024, 11:19:24 am »
Ich bin gerade über das gleiche Problem gestolpert.
Leider zeigt ein zusätzliches !github.com keinen Effekt.
OPNsense 24.7.5
Hat da jemand eine Idee dazu?
Leider zeigt ein zusätzliches !github.com keinen Effekt.
OPNsense 24.7.5
Hat da jemand eine Idee dazu?
3
High availability / Re: ACME client certs, HA Proxy and OPNsense Master/Slave
« on: June 25, 2024, 08:49:33 am »
Yes, but pressing a button is not the solution.
Maybe you don't have to change anything. A working and running configuration.
The master refreshes the certs.
The old ones are outdated.
Now it happens. CARP is switching over and all HA with offloading results in a cert error.
There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)
Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
Maybe you don't have to change anything. A working and running configuration.
The master refreshes the certs.
The old ones are outdated.
Now it happens. CARP is switching over and all HA with offloading results in a cert error.
There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)
Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
4
High availability / ACME client certs, HA Proxy and OPNsense Master/Slave
« on: June 24, 2024, 09:11:14 am »
Hi,
today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tells:
outdateded cert.
The certs are synchronized and the latest version were available on the 'slave'.
But the HA-Proxy on the 'slave' did never a restart to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.
Is there a way to avoid this problem?
I only update the ACME certs on the 'master'.
Best regards,
Bernd
today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tells:
outdateded cert.
The certs are synchronized and the latest version were available on the 'slave'.
But the HA-Proxy on the 'slave' did never a restart to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.
Is there a way to avoid this problem?
I only update the ACME certs on the 'master'.
Best regards,
Bernd
5
General Discussion / How to get an e-mail if the WAN address changed?
« on: April 18, 2024, 03:40:41 pm »
Hi,
I tried this with monit, but this is not possible.
I need to know when the address of the WAN interface changed.
Monit does only check in intervals and so it is not possible to detect the change.
Here in the forum were several same questions, but no solution.
Any hint?
Best regards.
I tried this with monit, but this is not possible.
I need to know when the address of the WAN interface changed.
Monit does only check in intervals and so it is not possible to detect the change.
Here in the forum were several same questions, but no solution.
Any hint?
Best regards.
6
22.7 Legacy Series / Re: 22.7.4 High Availabilty
« on: November 18, 2022, 06:38:39 pm »
You saved my day!
I had to add the PFSYNC interface, which is used for the High Availability, to the allowed interfaces for the Web-
GUI.
But we used the HA sync since ages with no problems in the same configuration.
Anyway,
thank you for this hint.
I had to add the PFSYNC interface, which is used for the High Availability, to the allowed interfaces for the Web-
GUI.
But we used the HA sync since ages with no problems in the same configuration.
Anyway,
thank you for this hint.
7
22.7 Legacy Series / [Solved] 22.7.4 High Availabilty
« on: November 18, 2022, 02:18:17 pm »
I wanted to update our Master/Slave combination from 22.7.4 to 22.7.8 and, as always, I tried a
synchronisation from master to slave.
But ...
No idea what's wrong.
I can ping the slave on the PFSYNC interface and I see also traffic with tcpdump on the slave.
But I see no listener on the slave network interface.
Then I updated the slave to 22.7.8, but still the same.
How can I check or start the service on the slave side?
synchronisation from master to slave.
But ...
Quote
The backup firewall is not accessible or not configured.
No idea what's wrong.
I can ping the slave on the PFSYNC interface and I see also traffic with tcpdump on the slave.
But I see no listener on the slave network interface.
Then I updated the slave to 22.7.8, but still the same.
How can I check or start the service on the slave side?
8
22.1 Legacy Series / Re: Rule to block bogons is not working
« on: April 11, 2022, 02:39:55 pm »
Ok, found it:
an alias called 'Private_Networks'
an alias called 'Private_Networks'
9
22.1 Legacy Series / Re: Rule to block bogons is not working
« on: April 11, 2022, 02:32:23 pm »
Ok , found something in /usr/local/opnsense/scripts/filter/update_bogons.sh:
But what is the separate GUI option ?
Code: [Select]
# private and pseudo-private networks will be excluded
# as they are being operated by a separate GUI option
egrep -v "^100.64.0.0/10|^192.168.0.0/16|^172.16.0.0/12|^10.0.0.0/8" ${WORKDIR}/fullbogons-ipv4.txt > ${DESTDIR}/bogons
So they are explicit excluded from the bogon file.But what is the separate GUI option ?
10
22.1 Legacy Series / Re: Rule to block bogons is not working
« on: April 11, 2022, 02:19:16 pm »
But in the file
/tmp/bogons/fullbogons-ipv4.txt
192.168.0.0/16
10.0.0.0/8
is included.
So which file is used for the bogons alias in OPNsense?
According to
https://en.wikipedia.org/wiki/Bogon_filtering
The private networks are bogons.
And as noted above they are listed in the /tmp/bogons/fullbogons-ipv4.txt file which is named *bogons*.
/tmp/bogons/fullbogons-ipv4.txt
192.168.0.0/16
10.0.0.0/8
is included.
So which file is used for the bogons alias in OPNsense?
According to
https://en.wikipedia.org/wiki/Bogon_filtering
The private networks are bogons.
And as noted above they are listed in the /tmp/bogons/fullbogons-ipv4.txt file which is named *bogons*.
11
22.1 Legacy Series / Rule to block bogons is not working
« on: April 11, 2022, 12:17:43 pm »
Hi,
we are using 22.1.3 and tried to create a blocking rule for bogon networks on one of our interfaces.
It is not working.
We tried to ping from the etwork on this interface to one of our other local interfaces with
ping 192.168.21.12
it still worked.
To check the blocking rule, we removed bogons as destination and used 192.168.0.0/16
This blocked the trafic. But since we have also VPNs and other networks with local addresses we want the bogons destination. So I searched again:
In the file /usr/local/etc/bogons, which I thought it is the 'main' file,
192.168.0.0/16
10.0.0.0/8
is not included.
I also tried to add the 192.168.0.0/16 via the GUI in Firewall Advanced Settings, but without success.
Still not blocked.
Where is my fault?
It is for a guest access which should not have access to our local networks.
we are using 22.1.3 and tried to create a blocking rule for bogon networks on one of our interfaces.
It is not working.
We tried to ping from the etwork on this interface to one of our other local interfaces with
ping 192.168.21.12
it still worked.
To check the blocking rule, we removed bogons as destination and used 192.168.0.0/16
This blocked the trafic. But since we have also VPNs and other networks with local addresses we want the bogons destination. So I searched again:
Code: [Select]
find / | grep bogo
/usr/local/opnsense/scripts/filter/update_bogons.sh
/usr/local/etc/bogonsv6
/usr/local/etc/bogons.sample
/usr/local/etc/bogonsv6.sample
/usr/local/etc/bogons
/tmp/bogons
/tmp/bogons/bogons.txz.sig
/tmp/bogons/bogons.txz
/tmp/bogons/fullbogons-ipv4.txt
/tmp/bogons/fullbogons-ipv6.txt
Now the strange thing:In the file /usr/local/etc/bogons, which I thought it is the 'main' file,
192.168.0.0/16
10.0.0.0/8
is not included.
I also tried to add the 192.168.0.0/16 via the GUI in Firewall Advanced Settings, but without success.
Still not blocked.
Where is my fault?
It is for a guest access which should not have access to our local networks.
12
22.1 Legacy Series / Re: Very slow internet after upgrade to 22.1
« on: February 21, 2022, 03:38:20 pm »
As I told you, I read what is written below the changelog and we don't use spoofing and we don't use GRE.
I added now the parent of the VLAN interfaces as a dummy and enabled it.
It works now.
Thank you very much.
But this was not 'readable' for me.
I thought
It should clearly stated as an extra point:
This would make it much clearer.
Best regards,
Bernd
I added now the parent of the VLAN interfaces as a dummy and enabled it.
It works now.
Thank you very much.
But this was not 'readable' for me.
I thought
Quote
Media and hardware offload settings are no longer shown for non-parent interfaces and need to be set individually on the parent interface to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required settings.does not affect me, since I don't used any 'special' media and hardware offload settings.
It should clearly stated as an extra point:
- Asign the parent interface of VLAN interfaces and enable it if not already done, even it is not used.
This would make it much clearer.
Best regards,
Bernd
13
22.1 Legacy Series / Re: Very slow internet after upgrade to 22.1
« on: February 21, 2022, 03:03:13 pm »
Hi Franco,
I only read the stuff below the changes and since we don't use mac spoofing I ignored the text behind.
Or do you mean something else with 'migration notes'.
Where can I read them after the installation?
I only read the stuff below the changes and since we don't use mac spoofing I ignored the text behind.
Or do you mean something else with 'migration notes'.
Where can I read them after the installation?
14
22.1 Legacy Series / Re: Very slow internet after upgrade to 22.1
« on: February 21, 2022, 02:08:03 pm »
Btw. it is not the WAN connection.
I just used curl on the console to download a 50MB file and it was done in 2 seconds.
What exactly do you need?
I can not publish the config here in the forum.
loaded drivers:
One 1GB NIC is used for management
igb0: <Intel(R) I340 82580 (Copper)>
One 1GB NIC is used for sync
igb1: <Intel(R) I340 82580 (Copper)>
All other interfaces uses one 10GB NIC with VLANs
bxe0: <QLogic NetXtreme II BCM57810 10GbE (B0) BXE v:1.78.91>
All interfaces are in CARP mode to be redundant.
I just used curl on the console to download a 50MB file and it was done in 2 seconds.
What exactly do you need?
I can not publish the config here in the forum.
loaded drivers:
Code: [Select]
kldstat
Id Refs Address Size Name
1 52 0xffffffff80200000 2159b38 kernel
2 3 0xffffffff8235a000 73db0 pf.ko
3 1 0xffffffff823cf000 e4f0 if_bridge.ko
4 2 0xffffffff823de000 7870 bridgestp.ko
5 1 0xffffffff823e6000 e318 pfsync.ko
6 1 0xffffffff823f5000 4b58 if_enc.ko
7 1 0xffffffff823fa000 5b7420 zfs.ko
8 1 0xffffffff829b2000 ab48 opensolaris.ko
9 1 0xffffffff829bd000 3b18 pflog.ko
10 1 0xffffffff829c1000 ba48 if_gre.ko
11 1 0xffffffff829cd000 f460 carp.ko
12 1 0xffffffff829dd000 181d0 if_lagg.ko
13 2 0xffffffff829f6000 3538 if_infiniband.ko
14 1 0xffffffff82d21000 8da8 ioat.ko
15 1 0xffffffff82d2a000 2340 uhid.ko
16 1 0xffffffff82d2d000 4350 ums.ko
17 1 0xffffffff82d32000 3380 usbhid.ko
18 1 0xffffffff82d36000 31f8 hidbus.koOne 1GB NIC is used for management
igb0: <Intel(R) I340 82580 (Copper)>
One 1GB NIC is used for sync
igb1: <Intel(R) I340 82580 (Copper)>
All other interfaces uses one 10GB NIC with VLANs
bxe0: <QLogic NetXtreme II BCM57810 10GbE (B0) BXE v:1.78.91>
All interfaces are in CARP mode to be redundant.
15
22.1 Legacy Series / Re: Very slow internet after upgrade to 22.1
« on: February 21, 2022, 01:31:31 pm »
At the end of the day, if no solution is found, I need to revert this upgrade.
It is mentioned to use
only after advise.
But is it a good idea to only go back to 21.7.8 with
What would be the right order to go back?
It is mentioned to use
Code: [Select]
opnsense-update -kr 21.7.8
opnsense-shell rebootonly after advise.
But is it a good idea to only go back to 21.7.8 with
Code: [Select]
opnsense-revert -r 21.7.8 opnsenseWhat would be the right order to go back?