Messages

Yes that was it, thank you!

you're totally right, that was my messup. I fixed it but the problem remains the same. I see the ICMPv6 packets STILL going out the WAN (PPPoE) interface.

I come from linux and used policy based routing (rules + dedicated tables). Now I read it
s done differently here.
I have a fiber PPPoE uplink and there is a wireguard connection to a datacenter location. Both I'd like to use as possible gateway, depending on what downstream net someone is in.

The gateways for PPPoE are there automatically and then I added two for the wireguard tunnel, one for v4 the other one for v6.

Then I setup manual NAT (see Screenshot). TK_ROOT_V4 are all the local nets that should use PPPoE DMZPI is the one I want not to be natted.
Lastly there is the the outbound rules for DMZPI. (Screenshot).

The problem now is that when I route IPv4 it all goes well through the wireguard for DMZPI clients but for IPv6 I see that the packets for the internet host are leaving on the PPPoE interface instead of the wireguard interface.

I double checked my config maybe triple. Help me Obi Wan Kenobi, you're my only hope :-)

Hi,
I need to reinstall OPNsense on my DEC740. For that I downloaded:
OPNsense-23.1-OpenSSL-serial-amd64.img
Flashing it onto USB and then booting from it. So far no problem.
Then it seems to be bringing up the NICs and that's when the Installer gets stuck.

Every minute or so the interface goes Down and Up again, but the installer won't continue. I tried several flash drives -> No change.
I reset the UEFI settings to default -> No change.

Does someone have an idea what's happening here? Should I try an older version of OPNsense?

junicast

I just installed ntopng and sadly it's only listening on tcp4:

Code Select Expand

root@myhost:~ # sockstat -l | grep 3000
ntopng   ntopng     2666  61 tcp4   *:3000                *:*


There doesn't seem to be a way to change this, is it?
I have no route to my box for the legacy protocol.

Hi,

I run an OPNsense device virtualized on proxmox and I try to connect to it via IPv6 address. When I do it shows the following message.

Code Select Expand

Warning: array_pop() expects parameter 1 to be array, null given in /usr/local/etc/inc/authgui.inc on line 74

A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration.

As I'm accessing the device by IP I wonder what this is about.

I hope there will be a new image out soon, because I explicitly don't want to upgrade but reinstall, because I want my systems to be on ZFS.

Please move the topic if I accidentally put it in the wrong section?
Anybody got an idea what's going wrong here?

Hi,

I'm running a virtualized (proxmox) OPNsense 21.1.4-amd64 and my filter.log is being flooded with forwarding packets coming from some Internet host to my public NTP server in the DMZ zone (vtnet3). As you might have guessed there there are PLENTY of log entries, because every connection results in one log record.
Example:

Code Select Expand

Apr 10 14:17:25 fwrx1 filterlog[76179]: 96,,,0,vtnet3,match,pass,out,4,0x0,,53,0,0,DF,17,udp,76,100.8.111.177,5.111.222.89,36028,123,56
The filter rule allowing packets from WAN to my NTP host does not have logging enabled. Since I have public IPs for IPv4 as well as IPv6 I don't have to make use of NAT.

I walked over every single filter rule allowing traffc, making sure logging is disabled.
When I look into the WebGUI's Live View, every of those records has the label "let out anything from firewall host itself".
I click on the little "i" sign a more detailed view opens up where I can try to resolve the rule (rid).
When I hit the link it doesn't work and just gets me back to the details page I'm currently on.

On the console I try via

Code Select Expand

pfctl -v -s rules
I search for the label ID and what I get is this line:

Code Select Expand

pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
  [ Evaluations: 2080083   Packets: 4026693   Bytes: 311644102   States: 32599 ]
  [ Inserted: uid 0 pid 85607 State Creations: 986670]

It looks like this is a rule for every communication that originates from the firewall but clearly this communication does NOT originate from the firewall but from a host on the internet to my ntp host.

Am I overllooking something but I can't find the clue to this problem.

Did someone open up an issue for this on github? It would belong here, right?
https://github.com/opnsense/core/issues

Thank you. I agree. My radvd also dies. I restart it and boom, my clients again get autoconf addresses.
What a nasty bug.

Hi,

sometimes I need to restart DHCPv6 service. A client sends a dhcp6 solicitation but there will be no answer whatsoever from opnsense. When I just restart the service everything is going back to normal again.
Someone else whitnessed that behaviour?

I'm on 20.7.1 AMD64 on a PCEngline APU4. Very nice device though.

Thx

Hi,

this topic might sound a bit obvious but I think opnsense would be able to handle such scenarios a litte bit better:

There's a opnsense firewall, let's say with plenty of interfaces and you need to change the subnet of a specific interface. This interface uses the DHCP service as well as most of the other ones.

If you now forget to adjust the DHCP server range it will take some time when the following happens: Every single subnet will stop working DHCP wise. One might say: of course, you should have changed the dhcp service range for the modified interface.

In my opinion the system should be a little bit more error tolerant. opnsense could for example automatically deactivate the dhcp service for a modified interface if it detects that the dhcp service IP range isn't within the new given subnet.

What do you think?
impish