Messages

1

General Discussion / Re: Forum login timeout very aggressive?

« on: Today at 12:03:55 pm »

The default is one hour. If you click on the "Login" button without supplying username and password, you are redirected to the extended login mask.

There you can either pick a longer timeout or activate "stay logged in" - see screen shot.

HTH,
Patrick

2

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: Today at 09:08:34 am »

The Asus router must delegate a prefix to OPNsense. You need to check with the vendor documentation if it can do that and how to configure.

3

General Discussion / Re: <SOLVED> install stops at Mountroot> and never gets to Login page

« on: November 20, 2024, 08:49:58 pm »

Login as user "installer" with password "opnsense" to install to the hard disk.

You should not have written directly to that, anyway. It's like a windows installation - boot from external media and install the OS.

Pick ZFS, it's far superior to UFS.

4

German - Deutsch / Re: QuickStart Tipps benötigt

« on: November 20, 2024, 08:47:31 pm »

Langsam vorgehen und nicht alles auf einmal einbauen wollen.

Die Default-Konfiguration ist "sicher" und funktional. Ausgehend alles erlaubt, eingehend alles verboten, DNS und DHCP funktionieren.

Also erst mal den Uplink von einem einzelnen PC aus einrichten. Wenn der geht, dann ggf. das Netz vom LAN ändern, und dann erstmal durchatmen und angucken 

5

German - Deutsch / Re: QuickStart Tipps benötigt

« on: November 20, 2024, 07:33:44 pm »

Wenn du DHCP und DNS weiter mit Ubiquiti machen willst, und der Traffic auch weiterhin durch das Gerät hindurch laufen soll, welchen Sinn hat dann die OPNsense davor? Die sieht dann nur die eine externe IP-Adresse von dem Ubiquiti-Teil ...

6

General Discussion / Re: High inblock packet count on passive LAN interfaces

« on: November 20, 2024, 07:08:25 pm »

Mega is M, milli is m.

7

24.7 Production Series / Re: 24.7.9 - Can't login WebGUI with 2FA

« on: November 20, 2024, 06:09:34 pm »

Did you perchance set the "always reboot" option in the UI?

System > Firmware > Settings > Advanced

8

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 05:02:06 pm »

Go to System Settings, click on your name at the top in the left menu bar, click on iCloud, look for "Privacy Relay", disable.

9

General Discussion / Re: High inblock packet count on passive LAN interfaces

« on: November 20, 2024, 04:52:32 pm »

Thats 200 millipackets per second or a fifth of a packet or one packet every five seconds.

That's just some multicast, neighbour discovery, keepalive, whatever ... stuff from the switch or any other device on that untagged network.

10

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:43:51 pm »

ah, so I just select no interface for this rule?

Yes - that implies global application of the rule.

The strange behaviour from MacOS now is that the request from my MacOS to the facebook.com is shown as blocked within adguard, but I can still reach it within Mac

I tested the rule and it works, but as it seems, not for MacOS

Cache?

Also the "outside DNS block" only works if you also activate the DoH block list in AGH - see my first post.

11

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:33:12 pm »

Floating means exactly for all interfaces - that's the point. You *can* limit the interfaces in the rule, but then why not just place the rules directly on the interfaces instead of using a floating one?

Why would you permit any device to query outside DNS servers? If I need to debug things I can SSH directly to my OPNsense and use "drill" there.

12

General Discussion / Re: MacOS hijacks the DNS settings?!

« on: November 20, 2024, 03:11:41 pm »

"Private browsing" at work.

What I do to (mostly) prevent any mechanism like this - Apple is not alone - is this:

- deploy AdGuard Home - check
- give client devices AGH as their resolver via DHCP - check
- now block all outbound DNS and DoT requests that are not directed at AGH on my OPNsense [1]
- and last add HaGeZi's Encrypted DNS/VPN/TOR/Proxy Bypass list to AGH - that mostly blocks DoH

[1]

Floating rule:

Action: block
Protocol: TCP/UDP
Source: any
Destination: ! This Firewall
Destination port: 53 and 853 (create an alias for that so it fits in one rule)

Done.

You will find lots of blocked requests for e.g.

- mask.icloud.com
- mask-h2.icloud.com
- ...

in your AGH dashboard afterwards.

HTH,
Patrick

13

24.7 Production Series / Re: Double NAT, IPV6 Issue

« on: November 20, 2024, 09:23:53 am »

Enable prefix delegation on the Asus router if

- it is capable to do that
- the ISP provides a prefix large enough so there is room for a sub-delegation

HTH,
Patrick

14

German - Deutsch / Re: LAN-Client Konnektivitätsprobleme nach einem neustart

« on: November 20, 2024, 09:22:13 am »

Hast du irgendeine Art von IDS/IPS oder Crowdsec aktiv?

15

General Discussion / Re: /29 or /32 on VIP Static Block

« on: November 20, 2024, 09:20:35 am »

/29 for the first address, /32 for all additional aliases.