Messages

1

24.7 Production Series / Re: choose an existing certificate for user in opnsense 24.7.X

« on: November 21, 2024, 06:12:14 pm »

Sorry for expressing myself not clear enough. And I'm also not sure if I understand your question about "client export vs. simple OpenVPN client side".
I tested a little further and for me it seems to work by:
1. creating a user without adding/assigning any certificate
2. client export within OpenVPN, with the certificate I used to attach to my VPN users.
So there might actually not be a (technical) problem for me right now. And I might just have been confused ("usability problem") by not being able to add the cert to the user anymore and not seeing any users linked anymore to the cert in OpenVPN > Client export. Sry for the noise.

2

24.7 Production Series / Re: choose an existing certificate for user in opnsense 24.7.X

« on: November 21, 2024, 05:53:25 pm »

My current situation here is, that I'm assigning one existing cert to multiple users (not matching CN) for VPN access (like, as a MFA next to a password). (Please let's not discuss if this is a sensible setup, I inherited it and need a working setup now to buy time to design and introduce a better concept for my users, e.g., using individual certs per user.)
@franco if I understood you correctly, this should still be doable. I fail so in the Web UI. Can you please elaborate how I can assign an existing non matching cert to a user?

Thanks for your support!
Simon

3

23.1 Legacy Series / Re: Unable to access web interface. Fatal error:

« on: May 27, 2023, 01:57:21 pm »

I have not touched the OPNsense configuration since the upgrade. SSH is disabled on the router so the web interface is the only way to manage it.

Can you try a locale console (if you have physical access and can connect monitor + keyboard)?

No idea about the root cause of the error message. If the web GUI has worked after the update, maybe there's a chance that it is a temporary error. In that case, maybe forcing a reboot (e.g. cutting of power) could help?

Good luck!

4

23.1 Legacy Series / Re: multi wan with same upstream gateway IP supported?

« on: May 25, 2023, 02:27:33 pm »

Don't worry. I'm interested in finding a good/correct solution myself.
I only fear my knowledge might be too limited to help. In case a view at our installation would help, just let me know via PM and we can figure that out.
Simon

5

23.1 Legacy Series / Re: multi wan with same upstream gateway IP supported?

« on: May 25, 2023, 01:48:20 pm »

Thanks for your confirmation. I opened a ticket.
Simon

6

23.1 Legacy Series / Re: irregular slow http(s) connections -- how to find root cause?

« on: May 25, 2023, 10:43:37 am »

Thanks for the replies!

Just an idea, because I saw symptoms like these: Did you try lowering your MTU or do MSS clamping?

If you use VLANs, PPPoE or anything else that limits ord reduces your real MTU, you will experience packet loss with sites that cannot do correct PMTU discovery along the way to some sites. Such sites will then be much slower, because eventually, the dropped packets are being corrected.

Gateways are indeed PPPoE and internally all interfaces use VLANs. The assigned/default MTU is 1492. I once lowered the MTU and MRU in the settings to 1450, which led to a connection breakdown (but reasons for the breakage might be elsewhere as well).
In the meantime we noticed, that suricata was running in IDS and IPS mode, which is apparently neither supported for VLANs nor for PPPoE. One hypothesis was, that suricata might have messed up with the packages as well (leading to MTU issues). We deactivated suricata and will observe it for a couple of weeks to see if the problem persists.

I have had the same problem for some time, and also the same temporary solution. I thought it had something to with cache, memory, logs etc. But i think I solved it by turning on PowerD. All settings are set to HiAdaptive. It was turned off by default.

It has been running for 2 weeks now without any issues, no reboots. Something which wasn't possible before. I hope this helps.

It is turned off over here as well. I would not have thought of it as a reason but by now I will not rule out anything... I'll keep it in the back of my mind. If disabling suricata will not be the solution and another attempt of lowering the MTU will also not help, I'll for sure try it out.

In any case, I'll report back here. Thx! Simon

7

23.1 Legacy Series / multi wan with same upstream gateway IP supported?

« on: May 25, 2023, 10:28:27 am »

Following set up: two PPPoE gateways (two separate contracts) from the same ISP: one smaller uplink for VoIP and one bigger uplink for all the other traffic (mainly surfing the web). Firewall/NAT rules to choose the correct gateway. IP addresses of the gateway are assigned by DHCP from the ISP. The ISP differentiates them by the PPPoE credentials and assigns us the respective WAN IP address. As both gateways come from the same ISP and are only two different sized contracts, both gateways receive the same upstream gateway IP address by the ISP.

As we do have a mixture of different connection problems and I cannot really find the solution, I was researching on the net and stumbled upon a github issue. If I understand the comments by fichtner correct, this set up might not be supported at all.

Is my understanding correct, that it is not supported to have two gateways with public IP addresses A and B which both have the same gateway with IP address C?
I'm asking, because I do not see any error message in the Web GUI and I would have assumed that I do get an error message in the Web GUI if it is not supported. If someone can confirm my understanding, I'm happy to open a ticket.
Simon

8

23.1 Legacy Series / Re: irregular slow http(s) connections -- how to find root cause?

« on: May 22, 2023, 11:22:09 am »

*push* anyone having an idea? 

9

23.1 Legacy Series / Re: Gateway down (dpinger) but DHCP works

« on: May 18, 2023, 12:38:04 pm »

Not sure if it is helpful or stating the obvious:
I've made good experience with using smokeping with different targets and probes to analyze network connection issues. You could add a smokeping instance targeting your ISP, google, ... to double check if something changes before the issue occurs and which target is still reachable.
Simon

10

23.1 Legacy Series / Re: How to add mx record for Dnsmasq-DNS?

« on: May 18, 2023, 12:28:14 pm »

Thx for the offer! To be honest, as it currently seems to work with the IP address specified in postfix the urgent need has declined (I'm rather wondering if there is a bug in the postfix plugin (DNS vs. IP), but that might also be my limited understanding of the whole matter).
I once heard the rumor, that dnsmasq would not be recommended anymore and unbound is the way to go. Thus, I'd understand if dnsmasq is out of focus. On the other hand, if it helps, I'm more than happy to create a new ticket.

Personally, I'm more urgent in need to find a solution for the https connection issues 

Cheers
Simon

11

23.1 Legacy Series / irregular slow http(s) connections -- how to find root cause?

« on: May 18, 2023, 11:57:43 am »

We are currently experiencing every couple of days a slow down in the internet speed. Users report about websites (e.g. linkedin, paypall, atlasian/jira, word press uploads, MS365 webmail, ...) not loading or loading only very slowly. It seems, that not all websites/connections(/users?) are affected.
I do have an smokeping instance running, where I can see an increase from ~200ms to ~4.5sec for a curl call of google.de. At the same time a ping with fping to google stays at ~5ms (see attachments).

During the the affected times, I can see lots of following messages in the squid cache log:

Code: [Select]

2023-05-18T11:37:03 squid kid1| conn690249 local=162.125.21.3:443 remote=10.63.12.82:53169 FD 323 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:34:01 squid kid1| conn681351 local=13.88.181.35:443 remote=10.63.13.68:59116 FD 300 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:33:41 squid kid1| conn467660 local=40.113.103.199:443 remote=10.63.13.68:49576 FD 618 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:29:37 squid kid1| conn678654 local=35.174.127.31:443 remote=10.63.12.145:58955 FD 785 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:21:10 squid kid1| conn366702 local=40.115.3.253:443 remote=10.63.19.98:58979 FD 97 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:04:35 squid kid1| conn637485 local=157.240.253.13:443 remote=10.63.14.104:62702 FD 863 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:04:05 squid kid1| conn637480 local=157.240.253.13:443 remote=10.63.14.104:62701 FD 829 flags=33: read/write failure: (60) Operation timed out
2023-05-18T11:01:06 squid kid1| conn550254 local=40.115.3.253:443 remote=10.63.10.18:60849 FD 113 flags=33: read/write failure: (60) Operation timed out
2023-05-18T10:52:20 squid kid1| conn578770 local=40.113.110.67:443 remote=10.63.19.18:65516 FD 495 flags=33: read/write failure: (60) Operation timed out
2023-05-18T10:45:37 squid kid1| conn610397 local=40.113.110.67:443 remote=10.63.75.20:51635 FD 633 flags=33: read/write failure: (60) Operation timed out
2023-05-18T10:43:31 squid kid1| conn610286 local=162.125.21.3:443 remote=10.63.75.20:51616 FD 978 flags=33: read/write failure: (60) Operation timed out
2023-05-18T10:43:26 squid kid1| conn610347 local=162.125.21.3:443 remote=10.63.19.133:49822 FD 1061 flags=33: read/write failure: (60) Operation timed out
2023-05-18T10:42:59 squid kid1| conn598172 local=172.217.18.10:443 remote=10.63.19.133:49264 FD 820 flags=33: read/write failure: (60) Operation timed outas well as some

Code: [Select]

2023-05-18T11:29:32 squid kid1| conn682058 local=147.160.187.240:443 remote=10.63.14.104:64056 FD 776 flags=33: read/write failure: (32) Broken pipe
2023-05-18T10:37:14 squid kid1| conn604023 local=52.222.214.43:443 remote=10.63.16.66:51656 FD 633 flags=33: read/write failure: (32) Broken pipe
2023-05-18T09:52:11 squid kid1| conn550127 local=139.177.229.129:443 remote=10.63.15.99:34151 FD 440 flags=33: read/write failure: (32) Broken pipe
2023-05-18T07:19:34 squid kid1| conn440033 local=142.250.186.46:443 remote=10.63.11.30:34628 FD 94 flags=33: read/write failure: (32) Broken pipe
2023-05-18T04:21:08 squid kid1| conn358437 local=139.177.229.129:443 remote=10.63.15.117:62679 FD 64 flags=33: read/write failure: (32) Broken pipe
2023-05-18T00:43:12 squid kid1| conn239322 local=146.75.118.248:443 remote=10.63.12.147:63957 FD 316 flags=33: read/write failure: (32) Broken pipe
It seems to start out of the blue and ends perceived randomly. Once rebooting the OPNsense machine helped, another time rebooting it twice did not help but later another restart seemed to have brought it back to normal.

OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
with following services:
acme
cicap
clamd
configd
cron
dhcpd
dnsmasq
flowd_aggregate
freshclam
ipfw
login
monit
nginx
ntpd
openssh
openvpn
pf
postfix
redis
routing
rspamd
samplicate
squid
suricata
sysctl
syslog-ng
webgui

edit: squid SSL interception only with SNI (no MITM).

Any idea how to debug the issue? Thx! Simon

12

23.1 Legacy Series / Re: How to add mx record for Dnsmasq-DNS?

« on: May 18, 2023, 11:29:52 am »

Thx for your reply! Dnsmasq was mentioned by fichtner in the linked github issue, but I also understood the PR as it the Web-GUI option was only added to Unbound.
Simon

13

23.1 Legacy Series / Re: How to add mx record for Dnsmasq-DNS?

« on: May 13, 2023, 08:43:29 pm »

Note to myself: after changing the postfix plugin configuration to not include a domain name as target, but an IP address, the email gets delivered. This doesn't answer my initial question, but makes it (for the moment) irrelevant.

14

23.1 Legacy Series / How to add mx record for Dnsmasq-DNS?

« on: May 11, 2023, 01:10:22 pm »

Quick question, what is the preferred way to add an MX record for an Dnsmasq-DNS host entry? It seems no GUI option is available. I did find an old github issue, which left me wondering if I should manually add it to the config file via ssh/cli, or call the dnsmasq command with the parameter "--mx" to creae a new entry, or if I might have overlooked an GUI option.

Background of the question: We are running a split DNS setup with nginx on the opnsense as reverse proxy and the postfix opnsense plugin for smtp forwarding. I cannot deliver email from outside, despite having entered the domain under postfix and I assume that the problem is related to the DNS A record of the internal domain, pointing to the reverse proxy.

Thanks for any help!

15

22.1 Legacy Series / Re: Support for "Speed Dragon Multimedia Limited" NICs dropped?

« on: May 18, 2022, 11:31:07 pm »

As already suspected, I can now confirm, that the Speed Dragon NIC used in our OPNsense actually identifies as a realtek card via dmesg:

Code: [Select]

re0: <RealTek 8168/8111 B/C/CP/D/DP/E/F/G PCIe Gigabit Ethernet> port 0xc000-0xc0ff mem 0xf7800000-0xf7800fff,0xf0500000-0xf0503fff irq 19 at device 0.0 on pci3Thanks again for your support and hints to find the root cause!

BTW, sorry for the late reply, dmesg gets flooded by ACPI error messages shown below, thus the NIC information got lost. I did a BIOS update, as this was supposed to help, but unfortunately the state didn't change.

Code: [Select]

Firmware Error (ACPI): Could not resolve symbol [\134_SB.PCI0.LPCB.HEC.ECAV], AE_NOT_FOUND (20201113/psargs-503)
ACPI Error: Aborting method \134_TZ.TZ01._TMP due to previous error (AE_NOT_FOUND) (20201113/psparse-689)

edit: relevant links regarding acpi error message
https://bugzilla.kernel.org/show_bug.cgi?id=202585
https://www.bsdforen.de/threads/var-log-messages-firmware-error-acpi-could-not-resolve-symbol.36394/ (German)