Messages - allebone

#1
Quote from: IsaacFL on November 10, 2025, 06:51:50 PM
I'm not sure whether this qualifies as a tip or a question, since I couldn't find a way to do this through the web interface.

While debugging an issue with the new firewall logs, I noticed that reverse lookups of my local IPv6 addresses were taking between 800 and 1500 ms each. The reason is that, because my clients use privacy extensions, each lookup (almost never cached) causes Unbound to query my ISP — which owns the address space and hosts the corresponding PTR records.

To address this, I created a file named 1-custom.conf in /usr/local/etc/unbound.opnsense.d with the following content:

server:
    # Authoritative reverse zone for my /56
    local-zone: "d.c.b.a.8.b.d.0.1.0.0.2.ip6.arpa." static

This tells Unbound that this prefix is part of my local network, preventing it from trying to resolve those reverse lookups externally.

I couldn't find a way to configure this via the web interface, but it seems like a useful feature to have. My ISP assigns a /56, and it has been stable; however, if your ISP frequently changes your prefix, you could apply the same approach to their /48 or even /32 aggregate. In most cases, you won't get meaningful reverse lookups from your ISP for those addresses anyway.

This does seem useful. I would encourage you to open a feature request on GitHub, as this would then be tracked and possibly implemented.
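The local-zone trick quoted above depends on getting the ip6.arpa name exactly right for the delegated prefix, which is easy to get wrong by hand. The following is an added example (not code from the post, from OPNsense or from Unbound) that derives the reverse zone from a prefix, renders the matching local-zone line, and checks whether a given address would be answered locally. The prefix 2001:db8:abcd:ef00::/56 and the helper names are assumptions for illustration; 2001:db8::/32 is the documentation range. A quick sanity check on the output: a zone name with 12 hex labels covers a /48, 14 labels cover a /56 and 16 a /64, so the label count should match the prefix length you actually receive.

```python
"""Derive the ip6.arpa reverse zone for an IPv6 prefix and emit the matching
Unbound local-zone line for an OPNsense unbound.opnsense.d drop-in file.

Added example; not code from the forum post, OPNsense or Unbound.  The prefix
used in the demo and the helper names are assumptions for illustration.
"""
import ipaddress


def reverse_zone(prefix: str) -> str:
    """Return the ip6.arpa zone name (with trailing dot) that covers `prefix`.

    Reverse zones are cut on nibble (4-bit) boundaries: a /48 needs 12 hex
    labels, a /56 needs 14, a /64 needs 16.  Prefix lengths that are not a
    multiple of 4 cannot be expressed as a single zone and are rejected rather
    than silently widened or narrowed.  Host bits in the input are masked off.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: prefix length must be a multiple of 4 "
                         "to map onto one ip6.arpa zone")
    nibbles = net.network_address.exploded.replace(":", "")  # 32 hex digits
    kept = nibbles[: net.prefixlen // 4]
    return ".".join(reversed(kept)) + ".ip6.arpa."


def unbound_local_zone(prefix: str, zone_type: str = "static") -> str:
    """Render the Unbound `local-zone:` directive for `prefix`.

    With type `static`, any name under the zone that has no `local-data:`
    entry gets NXDOMAIN from Unbound itself, so the PTR lookup never leaves
    the box (the behaviour the post above is after).
    """
    return f'local-zone: "{reverse_zone(prefix)}" {zone_type}'


def is_answered_locally(prefix: str, address: str) -> bool:
    """True if a PTR query for `address` falls under the zone for `prefix`.

    This is the check to run before trusting a local-zone line: the full
    reverse name of the address must end with the zone name.
    """
    zone = reverse_zone(prefix)
    ptr = ipaddress.IPv6Address(address).reverse_pointer + "."
    return ptr.endswith("." + zone)


if __name__ == "__main__":
    prefix = "2001:db8:abcd:ef00::/56"   # assumed delegated prefix (documentation range)
    print("server:")
    print("    " + unbound_local_zone(prefix))
    # A privacy-extension address inside the prefix is answered locally...
    print(is_answered_locally(prefix, "2001:db8:abcd:ef12:289a:845e:7103:1690"))
    # ...while a neighbouring /56 from the same ISP aggregate is still forwarded.
    print(is_answered_locally(prefix, "2001:db8:abcd:ee12::1"))
```

Run it with your own prefix in place of the assumed one and paste the printed `server:` block into a file under /usr/local/etc/unbound.opnsense.d/, as the quoted post describes; if the ISP aggregate is what you want to suppress instead, pass the /48 or /32 and the label count shrinks accordingly.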
#2
Quote from: Patrick M. Hausen on November 06, 2025, 10:33:02 PM
Thanks. So I am the one a bit out of touch and old fashioned. It's been a while since I did systems integration for really large enterprises. More than 10 years. Back then all of them were heavily invested into AD.

Kind regards,
Patrick

Eh, I wouldn't say you can become out of touch. It's just different now than it was before, but the same first principles basically apply. Kind of like the questions I am asking about IPv6 vs v4. Sure, OK, now we don't really use DHCP. OK, fine. So everyone is more private I guess, and we just instead VLAN off different 'kinds' of groups, and they get their router advertisements and can either apply them or not; it's up to them. Sure, it sounds different, but it's also kind of the same with just different ways of doing it. Also I would say SME is small/medium, not really large. I guess in another 10 years we will be back to how things were 10 years ago, because it seems like as soon as we start doing it this new way people want to go back to how it was before to become 'more agile'. Sure, whatever you want :) - as long as someone pays me I will build it whichever way you like, basically. I still think using SharePoint to store files is weird, but that's how they like it now. Sure, in 10 years they will hate it again.
#3
Quote from: Patrick M. Hausen on November 06, 2025, 10:01:07 PM
How large and probably more relevant how OLD is that company?

Well, we used to deploy DCs, but they just stopped being useful over time and there are other options like SharePoint or Azure Files now. I work for an MSP, so it's the SME market of 10-200 or so users per company. Companies really look to save money, so if it's not needed, it's killed off and removed, from what I see in the work we do.
#4
Quote from: Patrick M. Hausen on November 06, 2025, 09:22:47 PM
In an enterprise setup you will in most cases have a Windows domain and Active Directory so all clients running Windows can do authenticated and trustworthy dynamic DNS updates.

You can still run OPNsense as your frontmost recursive DNS, just create forwarding entries for the internal zones pointing to your domain controllers.

Interesting, we just use Azure AD now and Intune, so domain controllers are not deployed and clients don't join a domain; they are just Intune-enrolled via the "join work or school account" under Settings. Phones just use MAM policies to secure work apps.
#5
Quote from: Maurice on November 06, 2025, 06:13:37 PM
That's not possible, by design. When enabling SLAAC, most clients use privacy extensions, meaning they randomise their interface identifier (lower 64 bits of the IPv6 address) for outbound connections.

If you really need to identify individual clients, you have to disable SLAAC and use stateful DHCPv6 (which is not supported by all clients).

You could look into identifying clients by their MAC address, but many randomise that, too.

If you need certain rules for certain groups of clients, it makes more sense to assign them to separate (V)LANs.

This is an interesting problem, because, as you say, some clients like Android only do SLAAC. So this seems kind of unintuitive in terms of an enterprise setup, to just abandon knowing anything about clients that connect through your firewall. I can imagine this causing abuse problems if I were that way inclined to steal from the rich and democratize the poor. A most interesting development.
#6
Quote from: Maurice on November 06, 2025, 04:09:51 PM
A /56 would be abcd:efgh:ijkl:mn00::/56. Are you sure you actually get a /56? Check Interfaces / Overview / WAN / Details / Dynamic IPv6 prefix received.

If you get a /56, setting the prefix ID to 0 or 1 (no leading zero) should result in abcd:efgh:ijkl:mn00::/64 / abcd:efgh:ijkl:mn01::/64.

Thank you, you are actually correct. I must have become confused when I tested this, because it does exactly as you say when I try this now. This is new to me, so apologies for this.

Can I ask another question? Regarding using SLAAC, this works well and, as the OP's post states, is fully functional for clients via router advertisements.

However, before, when I used DHCP, I could easily see which client had which IP address. This allowed me to identify a client easily in the firewall log, as I knew for example "Peter's iPhone" might be 192.168.2.66 or something.

In IPv6, how do I see or create a database of which client is which address? For example, knowing abcd:efgh:ijkl:mn12:289a:845e:7103:1690 is in the firewall log does not actually tell me what device that is. Is this no longer possible in IPv6?
#7
Hello,

I have a question about setting the prefix in OPNsense.
I have a range in the format abcd:efgh:ijkl:XX::/56

In OPNsense I tried to set "Optional prefix ID" on LAN and WAN to be 00 and 01. When trying this, OPNsense interprets this as a random character and then 0 or 1 respectively, so it could be:
abcd:efgh:ijkl:f0 or abcd:efgh:ijkl:31 for example.

When I changed this to 10 and 11 I get what I expect, e.g.:
abcd:efgh:ijkl:10 or abcd:efgh:ijkl:11

How can I use the first 10 subnet prefixes in OPNsense? e.g. 00-09?
#8
25.1, 25.4 Series / Re: Confused by block in logs
March 05, 2025, 09:49:09 PM
Quote from: pfry on March 05, 2025, 06:03:51 AM
Have a look here: https://forum.opnsense.org/index.php?topic=45801.0. No clear characterization or solution yet. My guess is some oddity related to disabling the default rule logging.

Interesting, I would agree, thank you.
#9
25.1, 25.4 Series / Confused by block in logs
March 04, 2025, 10:23:01 PM
Can anyone help me understand why in the logs I often see blocked packets for allow rules, such as this example?

I don't see why an allow rule would show as blocked in the logs when it also has logging disabled on the rule:

#10
Thanks. I agree and have removed that package. (I agree the root cause is ZA breaking the OPNsense upgrade due to manually installed packages.)

ZA turned out to be pretty disappointing software anyway, and not remotely useful in production. Pity.
#11
Thank you for your idea cookiemonster. I actually have resolved the issue.

I put a screen on it and logged into the console locally, then ran:

opnsense-update -ur 25.1 -A 25.1

This reinstalled 25.1 and took an absolute age to complete. After it rebooted twice automatically, the system seems to be back to normal. The health check now completes successfully with no errors.

Many thanks.
P
#12
Also tried updating from the CLI with option 12, but no difference; it still just shows that an update is available:

  5) Power off system                  12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12     

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

A major firmware upgrade is available for this installation: 25.1

Make sure you have read the release notes and migration guide before
attempting this upgrade.  Approx. 1000MB will need to be downloaded and
require 2000MB of free space to unpack.  Continue with this major upgrade
by typing the major upgrade version number displayed above.

Minor updates may be available, answer 'y' to run them instead.

Proceed with this action? [25.1/y/N]: 25.1

Hi there,

For an entire decade now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates as well as clear and stable 2-Clause BSD
licensing.

25.1, nicknamed "Ultimate Unicorn", features numerous MVC/API conversions,
improved security zones support and documentation, ZFS snapshot support,
a new UI look with a light and dark theme, PHP 8.3, FreeBSD 14.2 plus much
more.

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/25.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/25.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/25.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/25.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/25.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 24.7.12:

o system: migrate user, group and privilege management to MVC/API
o system: remove the "disable integrated authentication" feature
o system: add "Default groups" option to add standard groups when a LDAP/RADIUS user logs in
o system: remove the old manual LDAP importer
o system: migrate HA status page to MVC/API
o system: allow custom additions to sshd_config (contributed by Neil Greatorex)
o system: increase max-request-field-size for web GUI
o system: set tunable default for checksum offloading of the vtnet(4) driver to disabled (contributed by Patrick M. Hausen)
o system: add support for RFC 5549 routes and refactor static route creation code
o system: improve notification support to also allow persistent notifications and static banners
o system: add notifications for low disk space and OpenSSH file override use
o system: migrate tunables page to MVC/API
o system: switch to temperature sensor caching
o system: add certificate widget to track expiration dates and allow quick renewal

Fetching packages-25.1-amd64.tar: ............................................ done
Extracting packages-25.1-amd64.tar... done
Please reboot.
>>> Invoking upgrade script 'sanity.sh'
Passed all upgrade tests.
>>> Invoking upgrade script 'cleanup.sh'

*** OPNsense.workgroup.local: OPNsense 24.7.12_4 (amd64) ***

LAN (em1)      -> v4: 192.168.2.2/24
PPPoEWAN (pppoe0) -> v4/PPPoE: 142.117.117.156/32
Vlan5Unrestrict (em2_vlan5) -> v4: 192.168.5.1/24
Vlan5and7Phys (em2) ->
Vlan7Tenant (em2_vlan7) -> v4: 192.168.7.1/24
WGVirtInt (wg0) -> v4: 192.168.200.1/24

HTTPS: sha256 0B B2 9D 19 A6 91 16 20 9F 17 1A 2A 88 F0 A6 B4
              C6 E6 22 FF 7B 4B C0 7C 12 3C E9 40 4D 60 7F 59
SSH:  SHA256 +TCInaFfPrusQDICPlskgMLcaUHchw4buvXKb2Qgnr4 (ECDSA)
SSH:  SHA256 3Jr9aref9DTtMkehm1bXGLSTbA1pWIZKRCpVWC5xNiE (ED25519)
SSH:  SHA256 NNRmrSW9x+C/5kwJ6EFeYg5VQAfwlQnQ0QwvuFSvtXk (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                  8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                  12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:


GUI:

#13
I tried doing a pkg install php82-session, but it wanted to downgrade a bunch of packages, so I don't think that is the right thing to do (I cancelled it).

Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 46 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
   php83: 8.3.15
   php83-ctype: 8.3.15
   php83-curl: 8.3.15
   php83-dom: 8.3.15
   php83-filter: 8.3.15
   php83-gettext: 8.3.15
   php83-google-api-php-client: 2.4.0
   php83-ldap: 8.3.15
   php83-mbstring: 8.3.15
   php83-pcntl: 8.3.15
   php83-pdo: 8.3.15
   php83-pear: 1.10.13
   php83-pear-Crypt_CHAP: 1.5.0_1
   php83-pecl-mcrypt: 1.0.7
   php83-pecl-radius: 1.4.0b1_2
   php83-phalcon: 5.8.0
   php83-phpseclib: 3.0.42
   php83-session: 8.3.15
   php83-simplexml: 8.3.15
   php83-sockets: 8.3.15
   php83-sqlite3: 8.3.15
   php83-xml: 8.3.15
   php83-zlib: 8.3.15

New packages to be INSTALLED:
   php82: 8.2.27
   php82-ctype: 8.2.27
   php82-curl: 8.2.27
   php82-dom: 8.2.27
   php82-filter: 8.2.27
   php82-gettext: 8.2.27
   php82-google-api-php-client: 2.4.0
   php82-ldap: 8.2.27
   php82-mbstring: 8.2.27
   php82-pcntl: 8.2.27
   php82-pdo: 8.2.27
   php82-pear: 1.10.13
   php82-pear-Crypt_CHAP: 1.5.0_1
   php82-pecl-mcrypt: 1.0.7
   php82-pecl-radius: 1.4.0b1_2
   php82-phalcon: 5.8.0
   php82-phpseclib: 3.0.42
   php82-session: 8.2.27
   php82-simplexml: 8.2.27
   php82-sockets: 8.2.27
   php82-sqlite3: 8.2.27
   php82-xml: 8.2.27
   php82-zlib: 8.2.27

So I'm guessing I need to try something else.
#14
Do you think I can just install each of these missing packages manually and see what happens?
#15
Ran the update, but after it came back up something has gone wrong and it has half installed.

If I go to Firmware - Changelog it still thinks 24.7.12 is installed.
When I go to check for updates it finds "packages" and wants to upgrade from 24.7 to 25.1, but if I choose update, it installs and then offers the exact same update again.

If I run an audit it says:
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 24.7.12_4 (amd64) at Wed Jan 29 17:03:40 EST 2025
>>> Root file system: /dev/ufs/OPNsense
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
os-cpu-microcode-intel 1.1
os-ddclient 1.26
os-dmidecode 1.1_1
os-hw-probe 1.0_1
os-smart 2.3
os-theme-cicada 1.38
os-theme-rebellion 1.9.2
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
opnsense has a missing dependency: php82-session
opnsense has a missing dependency: php82-phalcon
opnsense has a missing dependency: php82-xml
opnsense has a missing dependency: php82-simplexml
opnsense has a missing dependency: php82-dom
opnsense has a missing dependency: php82-ctype
opnsense has a missing dependency: php82-filter
opnsense has a missing dependency: php82-pear-Crypt_CHAP
opnsense has a missing dependency: php82-phpseclib
opnsense has a missing dependency: php82-google-api-php-client
opnsense has a missing dependency: php82-sockets
opnsense has a missing dependency: php82-ldap
opnsense has a missing dependency: php82-pecl-radius
opnsense has a missing dependency: php82-curl
opnsense has a missing dependency: php82-pcntl
opnsense has a missing dependency: php82-gettext
opnsense has a missing dependency: php82-sqlite3
opnsense has a missing dependency: php82-pdo
opnsense has a missing dependency: php82-zlib
php82-pecl-mongodb has a missing dependency: php82
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 24.7.12_4 has 69 dependencies to check.
Checking packages: ..................
lighttpd-1.4.77 version mismatch, expected 1.4.76_1
Checking packages: .......
opnsense-installer-25.1 version mismatch, expected 24.7
Checking packages: .
opnsense-lang-25.1 version mismatch, expected 24.7.8
Checking packages: .
opnsense-update-25.1 version mismatch, expected 24.7.12
Checking packages: ...
Package not installed: php82-ctype
Checking packages: .
Package not installed: php82-curl
Checking packages: .
Package not installed: php82-dom
Checking packages: .
Package not installed: php82-filter
Checking packages: .
Package not installed: php82-gettext
Checking packages: .
Package not installed: php82-google-api-php-client
Checking packages: .
Package not installed: php82-ldap
Checking packages: .
Package not installed: php82-pcntl
Checking packages: .
Package not installed: php82-pdo
Checking packages: .
Package not installed: php82-pear-Crypt_CHAP
Checking packages: .
Package not installed: php82-pecl-radius
Checking packages: .
Package not installed: php82-phalcon
Checking packages: .
Package not installed: php82-phpseclib
Checking packages: .
Package not installed: php82-session
Checking packages: .
Package not installed: php82-simplexml
Checking packages: .
Package not installed: php82-sockets
Checking packages: .
Package not installed: php82-sqlite3
Checking packages: .
Package not installed: php82-xml
Checking packages: .
Package not installed: php82-zlib
Checking packages: .............
radvd-2.20 version mismatch, expected 2.19_4
Checking packages: ......... done
***DONE***

So it seems like it has half installed.

I tried reinstalling the kernel and rebooting with this command: opnsense-update -fkbr 25.1

Is there some way to fix this?

Everything is currently working, but there is clearly some issue.

It is unclear what command to enter to reinstall the parts that did not work.

Kind regards
P