Messages

1

General Discussion / Re: Can't traverse to Internet

« on: June 19, 2024, 08:07:07 pm »

Please "close" the issue.

The ISP had configured the modem incorrectly! The 3rd person finally listened exactly what I needed and the connection was established.

Sorry for posting in haste yet again.

Regards.

2

General Discussion / Can't traverse to Internet

« on: June 19, 2024, 07:24:20 pm »

Hello!

Need help, please. What are the recommended steps to troubleshoot LAN desktop access to the Internet?

The Lobby Dashboard shows the WAN Gateway as online.
The Firewall LAN rules, per default, allow LAN to any.
The Firewall WAN rules have no outbound block.
dig _gateway from desktop client responds correctly with the Open sense IP address.
The desktop client has a DHCP lease with correct gateway assignment.
Dig www.google.com or any Internet IP address fails with communication error (timed out) 127.0.0.53#53
ISP installed new modem and this error started.
Pihole logs show that Google Home Mini Speaker is calling "home"
Pihole is syncing with NTP Pool servers.

Where have I messed up?

Thanks.

OPNsense 24.1.8-amd64 on ProtectLi fw4b
Desktop client is Ubuntu 24.04

3

Web Proxy Filtering and Caching / Web Proxy Stops Outbound Traffic at First Attempt

« on: October 20, 2023, 10:41:07 pm »

Hello,

I didn't find anyone else reporting a beginner issue on running Web Proxy for the first time so I need your help to determine my basic configuration error.

I setup Caching Proxy https://docs.opnsense.org/manual/how-tos/cachingproxy.html with the instructions in the official documentation using the Yoyo Ads Blacklist example. I setup Firewall Rule No Proxy Bypass (screenshot attached) - again using the official document. I did not encounter any issue in making these changes.

I enabled proxy use in Mozilla exactly as illustrated in the official documentation but with the specific address for OPNsense in my farm.

Unfortunately, I cannot go out to the Internet using the browser when the Web Proxy is enabled. Presumably, there is configuration issue at my end because if I unblock the two rules (HTTP/HTTPS) the browser can go out again. I am unsure about the rules changes that I have entered but obviously these rules when activated are disabling Internet access.

How can I fix this basic issue to become productive with Web Proxy? Thanks.

Regards.

4

General Discussion / Re: HOWTO: Update from 22.7

« on: September 21, 2023, 06:59:53 pm »

Thanks, franco and newsense!

I read franco's reply to another person a few minutes ago (sent several months back) and performed the same two steps to remove freeradius and reinstall. That got me to 22.7.11_1 and then I was able to upgrade 23.1. Obviously just using the search string "update" was insufficient to retrieve the applicable thread(s).

I am glad that franco reconfirmed the steps here.

Cannot thank you both enough for helping me to avoid a fresh re-install. Please consider the issue fully resolved thanks to your assistance.

Regards.

5

General Discussion / Re: HOWTO: Update from 22.7

« on: September 21, 2023, 04:07:06 pm »

Thanks for your continuing support. Here is the output (with the credentials removed):

Code: [Select]

Last login: Thu Sep 21 08:37:59 2023 from
----------------------------------------------
|      Hello, this is OPNsense 22.7          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

 LAN (igb1)      -> v4:
 WAN (igb0)      -> v4:

 HTTPS:
 SSH:   SHA256
 SSH:   SHA256
 SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Hello there,

This will be the end of life release for the 22.7 series with only a small
number of reliability updates.  Upgrades to 23.1-RC1 are possible from the
development version of this release.  We do expect an online update for RC2
next week.

The final 23.1 release will be on January 26.  As always the upgrade path
from the community version will be added as a hotfix shortly after the final
release announcement is published.  However, this time around LibreSSL will
no longer update and must be switched to the OpenSSL flavour prior to the
upgrade.

Here are the full patch notes:

o system: fix a few minor Coverity Scan reports in Python code[1]
o firewall: show automated "port 0" rule as actual port "0" on PHP 8
o reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
o unbound: safeguard retrieval of blocklist shortcode
o mvc: fix IntegerField minimum value (contributed by xbb)
o plugins: os-acme-client 3.15[2]
o plugins: os-stunnel fixes missing include in certificate script
o ports: curl 7.87.0[3]
o ports: nss 3.87[4]
o ports: pcre 10.42[5]
o ports: phalcon 5.1.4[6]
o ports: php 8.0.27[7]
o ports: sqlite 3.40.1[8]
o ports: strongswan 5.9.9[9]
o ports: unbound 1.17.1[10]

A hotfix release was issued as 22.7.11_1:

o firmware: enable upgrade path to 23.1 (OpenSSL only)


Stay safe,
Your OPNsense team

--
[1] https://scan.coverity.com/projects/opnsense-core
[2] https://github.com/opnsense/plugins/blob/stable/22.7/security/acme-client/pkg-descr
[3] https://curl.se/changes.html#7_87_0
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
[5] https://www.pcre.org/changelog.txt
[6] https://github.com/phalcon/cphalcon/releases/tag/v5.1.4
[7] https://www.php.net/ChangeLog-8.php#8.0.27
[8] https://sqlite.org/releaselog/3_40_1.html
[9] https://github.com/strongswan/strongswan/releases/tag/5.9.9
[10] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
c-icap-modules: 0.5.5 -> 0.5.5_1
freeradius3: 3.0.25 -> 3.2.1_1
hw-probe: 1.6.4 -> 1.6.5
iperf3: 3.11 -> 3.12
isc-dhcp44-relay: 4.4.2P1 -> 4.4.3P1
mpd5: 5.9_9 -> 5.9_13
msktutil: 1.2 -> 1.2.1
opnsense: 22.7 -> 22.7.11_1
opnsense-installer: 22.1 -> 23.1.d
opnsense-lang: 22.7 -> 22.7.3
os-acme-client: 3.11 -> 3.15
os-bind: 1.23 -> 1.24_1
os-c-icap: 1.7_2 -> 1.7_3
os-clamav: 1.7_1 -> 1.8
os-freeradius: 1.9.19_1 -> 1.9.21_2
os-maltrail: 1.8 -> 1.10
os-net-snmp: 1.5_1 -> 1.5_2
os-nrpe: 1.0_2 -> 1.0_3
os-redis: 1.1_1 -> 1.1_2
os-rspamd: 1.12 -> 1.12_1
pftop: 0.8 -> 0.8_2
php80-dom: 8.0.20 -> 8.0.27
php80-filter: 8.0.20 -> 8.0.27
php80-phpseclib: 2.0.37 -> 3.0.18
php80-sockets: 8.0.20 -> 8.0.27
php80-sqlite3: 8.0.20 -> 8.0.27
php80-xml: 8.0.20 -> 8.0.27
redis: 7.0.4 -> 7.0.8
ruby: 2.7.6_2,1 -> 2.7.7,1
squid: 4.15 -> 5.7
strongswan: 5.9.6_2 -> 5.9.9_1
sudo: 1.9.11p3 -> 1.9.12p1
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-available/otp
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-config/sql/main/sqlite/process-radacct-refresh.sh
freeradius3-3.0.25: missing file /usr/local/share/examples/freeradius/raddb/mods-enabled/cache_eap
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/GPLv2
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/LICENSE
freeradius3-3.0.25: missing file /usr/local/share/licenses/freeradius3-3.0.25/catalog.mk
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***

 LAN (igb1)      -> v4:
 WAN (igb0)      -> v4:

 HTTPS: SHA256
 SSH:   SHA256
 SSH:   SHA256
 SSH:   SHA256

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:

6

General Discussion / Re: HOWTO: Update from 22.7

« on: September 21, 2023, 04:25:39 am »

Before replying to your first suggestion on using option 12 from the console terminal (logged in via SSH), I performed the operation several times (including using q to quit the update notice). Unfortunately, the cycle just repeats and the main menu for the terminal session is presented.

After reading your last suggestion, I repeated the exercise to select option 12 and entered q at the first chance when the scrolling list of updates paused. I repeated these steps 3 times but there was no change in the responses from the server.

The server is pointing to the mirror at https://pkg.opnsense.org/FreeBSD:13:amd64/22.7.

Is there an alternate approach that you recommend? Thanks.

Regards.

7

General Discussion / Re: HOWTO: Update from 22.7

« on: September 21, 2023, 01:09:23 am »

Thanks for fielding this request for assistance.

I did SSH in (first time to the OPNsense server after the initial install several years ago) and then I chose option 12 in accordance with your suggestion. After receiving the update information, the upgrade failed presumably owing to the following partial text from the server:

Code: [Select]

Installation out of date. The update to opnsense-22.7.11_1 is required.

*** OPNsense.parkcircus.org: OPNsense 22.7 (amd64/OpenSSL) ***
Is there some way to specify the intermediate update to 22.7.11_1? Thanks.

Regards.

P.S.
Some additional information regarding my SSH session:

Code: [Select]

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

After the patch notes, there is no sub-option to specify a release number or identifier. I can use option 8 to shell out but I don't know the manual command(s) to complete the update/upgrade.

My settings are:

Code: [Select]

Mirror default
Flavor default
Type Community
Subscription <blank>

The web documentation at https://docs.opnsense.org/manual/updates.html#update-settings states that:

If you choose option 12 on the console menu on latest release, you are asked if you want to upgrade to the newest version or to the next major release. Type in the major release number (for example “19.1”) and press enter. OPNsense will download all release files for an offline upgrade (kernel, packages etc.) and will reboot afterwards.

After a reboot, it will install all updates and when it is done, it will reboot again, then you should be on the desired release.

but I don't see that prompt in my environment.

8

General Discussion / HOWTO: Update from 22.7

« on: September 19, 2023, 10:10:19 pm »

Hello,

The Update button is no longer visible. I'm currently at 22.7 (yes, my fault for neglecting timely upgrades). The System: Firmware Updates reports:

Code: [Select]

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.7 (amd64/OpenSSL) at Sat Sep 16 09:01:16 CDT 2023
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): .......... done
Checking integrity... done (0 conflicting)
The following 34 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind916: 9.16.30 -> 9.16.36
...
suricata: 6.0.6 -> 6.0.9_1

Number of packages to be upgraded: 34

The process will require 2 MiB more space.
[1/34] Upgrading freeradius3 from 3.0.25 to 3.2.1_1...
===> Creating groups.
Using existing group 'freeradius'.
===> Creating users
Using existing user 'freeradius'.
===> Setting user and group in radiusd.conf
[1/34] Extracting freeradius3-3.2.1_1: .......... done
You should remove /usr/local/etc/raddb if you don't need it any more.
freeradius3-3.0.25: missing file /usr/local/lib/freeradius-3.0.25/libfreeradius-dhcp.a
...
pkg-static: Fail to set time on /var/run/radiusd:No such file or directory
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
In the past, I would simply click on the Update button to complete the upgrade but since it is not present currently, I don't know how to proceed. I've checked online docs and archived forum threads (there was one on 17.x upgrade) but there is no explanation on the next steps if the Update button is missing.

How do I upgrade to the latest stable release, please? Thanks.

Regards.

9

General Discussion / Re: How to leverage deny-ip.txt?

« on: November 29, 2021, 12:54:28 pm »

Thx, @benyamin. 

10

General Discussion / Net-SNMP Daemon Doesn't Start

« on: November 12, 2021, 12:01:26 pm »

Hello,

I'm posting this because I noticed another user is having similar difficulty in starting the SNMP service. I want to avoid the perception of "No Repro" syndrome from support members. I've had this issue ever since I embarked on the Protectli FW4B/OPNsense journey in mid-2019. An authoritative person ("...mail", I believe) tried to assist me in the early days but the suggestion to start the service explicitly from the Dashboard screen never worked. I haven't had much luck with Netgear MIBs and therefore this SNMP anomaly is not a handicap for me but if it helps others in reproducible diagnostics, I'll do whatever suggestions that are relayed to me and are practical for me.

During the boot process, I noticed ~4 lines of text stating:

• SNMP service could not be started
• Conf file should be checked

As a newbie with OPNsense (even though I've been operating it for over two years) I am ignorant on how to check for the corresponding SNMP config file. Thanks for your understanding.

Kind regards.[/list]

11

General Discussion / How to leverage deny-ip.txt?

« on: November 10, 2021, 12:37:37 pm »

Hello,

I have accumulated a deny-ip.txt file over the years. Each line in the file is an IPv4 address. What are the ways that I can leverage this in OPNsense?

I have read a few pages on Suricata and other utilities but didn't quite understand how to import these addresses. Are there some links that would step me through the process under OPNsense 21.7.3-amd64? Thanks.

Kind regards.

P.S. OPNsense GeoIP is doing a fantastic job but I have to keep port 25 open and that is causing minor headaches.

12

General Discussion / Re: Firewall Rules WAN Assistance

« on: April 29, 2021, 01:25:06 am »

@rhubarb, thanks!

Kind regards.

13

General Discussion / Firewall Rules WAN Assistance

« on: April 26, 2021, 03:17:21 pm »

Hello!

In early January '21, @marjohn56 helped me with Firewall Rules WAN setup. It worked and I was able to renew a cert for my NAS server for 90 days. With the renewal time now imminent I noticed that the pass through to NAS is no longer working as confirmed by the port forwarding utility at https://www.yougetsignal.com/tools/open-ports/. I need some help in getting back to let traffic through to the NAS server.

Here are my current settings:

Alias:
For MailServer
Enabled: checked
Name: MailServer
Type: Host(s)
Content: IP addresses of MailServer
Statistics: unchecked
Description: MailServer

For ports
Enabled: checked
Name: MailServer_ports
Type: Port(s)
Content: 25, 465, 587, 993, 995
Description: MailServer

Rules
1st active rule
Action: Pass
Disabled: unchecked
Quick: checked
Interface: WAN
Direction: in
TCP/IP Version: IPv4
Protocol: TCP
Source/Invert: unchecked
Source: any
Source port range: from: any to: any
Destination/invert: unchecked
Destination: MailServer
Destination port range: from: MailServer_ports to: MailServer_ports
Log: checked
Category: MailServer
Description: MailServer
Source OS: Any
No XMLRPC Sync: unchecked
Schedule: none
Gateway: default

In short, I have aliases for the NAS server and the ports to be forwarded and I am using these in the Rules definition. Some self-inflicted/inexperience change at my end has led to the loss of specific pass through functionality. What could be preventing the pass through, please? Thanks.

Kind regards.

14

21.1 Legacy Series / Re: Upgrade to 21.1 may take *very* long time (>1h)

« on: January 29, 2021, 04:35:43 pm »

Sorry for appending unexciting feedback. My upgrade to 21.1 (on ProtectLi FW4B - amd64) took around 7 mins + reboot. Forgot to alert Nagios about the downtime and it dutifully alerted me.  Other than that, no issue and my modest farm is chugging along nicely. Thank you to all those folks who continue to contribute towards OPNsense advancements and also to "First Responders" at the forum for newbie questions that come from folks like us.

Kind regards.

15

Tutorials and FAQs / Re: Google Drive Backup

« on: January 28, 2021, 03:28:54 am »

Hello @Greelan,

Cannot thank you enough for your efforts that helped me (a basic newbie) get an extra level backup reassurance.

Kind regards.