Messages - namnnumbr

#1
If you can, add your logs so the devs realize the issue is live.  The issue is older, so I want to bump the activity.
#3
As of 1 Jan 2023, ACME client is renewing LetsEncrypt cert daily.  Further investigation indicates it is not registering the new certs in OPNsense `System > Trust > Certificates`.

Navigating to `Services > ACME client > Log Files` reports it thinks the cert needs to be renewed: "AcmeClient: certificate must be issued/renewed: opnsense.example.com". Logs show successful renewal.
`Services > ACME client > Certificates` shows the cert has been renewed.

However, `System > Trust > Certificates` shows the old cert, and checking the cert with my browser shows the old cert.  So somehow the ACME client is not writing the cert to OPNsense's trust storage.
I have tried to reimport the cert, but nothing changes.  Rebooting also does not resolve the issue.

Further info:
I had previously run into an issue where the webUI wasn't registering the new cert, and I resolved that by adding an automation to restart the webUI.  However, in that case (IIRC), the cert did not keep on renewing; it was simply that the browser would show warnings about the expired cert.

Running
OPNsense 22.7.10_2-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
#4
For the record, part of my problem was that my port forward rules were for TCP only... and DNS is UDP.  So fixing that helped.

The other part of my problem was an overly complex and janky vpn setup between OPNsense and my switch.

Everything is working cleanly now.
#5
@ChrisChros, @Fawkesguy -- thanks much for taking the time to share screenshots of your setup!  I think I have a pretty good idea of what should work.  Unfortunately, I'm still not getting an appropriate response (i.e., for some reason my IoT network (10.3.0.0/24) thinks it's getting a response from the LAN interface (10.0.0.1)).

... which suggests to me that I probably have issues either elsewhere in my firewall rules or a bit of a hinky OPNsense install.

I'll probably spend the weekend wiping and resetting everything...
#6
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

I don't see how an inter-VLAN deny rule would allow me to access across VLANs (IoT -> LAN) but not allow IoT -> IoT address (although it's entirely possible I've messed up somewhere)...  Additionally, I have the automatic NAT rule created, which should allow access to interface_address:53.

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.
#7
I'm trying to set AdGuardHome to work as the DNS for 4 VLANs:

LAN: 10.0.0.0
HOME: 10.1.0.0
LAB: 10.2.0.0
IOT: 10.3.0.0

On each interface, I have set the interface IP as the DNS server.
All VLANs have been set with a port forward rule to capture the DNS requests and pass them to 127.0.0.1:53.

AdGuard works fine on LAN and HOME, but not on LAB and IOT: I get no resolution, and if I dig, I receive an error: "reply from unexpected source: 10.0.0.1#45443, expected 10.3.0.1#53"
If I set the LAB or IOT DNS server to 10.0.0.1 (LAN address), it works.

I do not understand -- HOME works just fine with the DNS server set as HOME address, but LAB and IOT fail with DNS server set as their interface addresses.

Any suggestions as to why this is the case?
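The root cause reported in post #4 above (the DNS port forward rules matched TCP only, while DNS queries are normally UDP) can be checked for before it bites. Below is an added example, not code from this thread or from OPNsense: a small model of pf-style redirect (port-forward) rules that audits, per VLAN, whether both UDP and TCP port 53 are actually captured. The four VLANs are the ones listed in the post (the /24 masks are assumed); the rule sets are constructed, with LAB and IOT deliberately set to TCP only to reproduce the symptom.

```python
# Added example, not code from the thread or from OPNsense: a small model of
# pf-style port-forward (rdr) rules, used to audit each VLAN's DNS capture.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class RedirectRule:
    interface: str          # interface the rule is bound to, e.g. "IOT"
    protocols: frozenset    # {"tcp"}, {"udp"} or {"tcp", "udp"}
    source: str             # source network in CIDR notation
    dest_port: int          # destination port to capture (53 for DNS)
    target: str             # where matching traffic is redirected
    target_port: int

@dataclass(frozen=True)
class Query:
    interface: str   # interface the packet arrives on
    proto: str       # "udp" or "tcp"
    src: str         # client address
    dest_port: int

def match_redirect(rules, q):
    """First matching rule wins (as in pf); returns (target, port) or None
    when the packet is not redirected at all."""
    for r in rules:
        if (r.interface == q.interface and q.proto in r.protocols
                and ip_address(q.src) in ip_network(r.source)
                and q.dest_port == r.dest_port):
            return (r.target, r.target_port)
    return None

def audit_dns_rules(rules, vlans):
    """Return {interface: set of DNS transports that escape redirection}.
    An empty set means both UDP and TCP port 53 are captured on that VLAN."""
    gaps = {}
    for iface, cidr in vlans.items():
        client = str(list(ip_network(cidr).hosts())[1])  # any host in the VLAN
        gaps[iface] = {p for p in ("udp", "tcp")
                       if match_redirect(rules, Query(iface, p, client, 53)) is None}
    return gaps

# Constructed sample: the four VLANs from the post, as /24s (assumed masks).
VLANS = {"LAN": "10.0.0.0/24", "HOME": "10.1.0.0/24",
         "LAB": "10.2.0.0/24", "IOT": "10.3.0.0/24"}
BOTH, TCP_ONLY = frozenset({"tcp", "udp"}), frozenset({"tcp"})
BROKEN_RULES = [RedirectRule(i, TCP_ONLY if i in ("LAB", "IOT") else BOTH,
                             VLANS[i], 53, "127.0.0.1", 53) for i in VLANS]
FIXED_RULES = [RedirectRule(i, BOTH, VLANS[i], 53, "127.0.0.1", 53) for i in VLANS]
```

Running `audit_dns_rules(BROKEN_RULES, VLANS)` reports `{"udp"}` missing for LAB and IOT, matching the two VLANs that failed, while the fixed rule set reports no gaps.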
#8
Thanks for providing this package!

I have followed the instructions to install and set up, but I cannot find my Sonos speakers over Airplay across VLANs.  I actually believe this to be an issue with my switch (TP-Link T1700G-28TQ).  Are there L2 and/or L3 settings I should consider while trying to configure the switch?

My network is a router-on-a-stick topology, with OPNsense trunked to the T1700 with Home and IoT VLANs.  The T1700 switch is trunked to another switch with an equivalent native VLAN and VLAN setup, to which the WAP is connected.