Messages

1

Virtual private networks / Zerotier & NAT

« on: December 18, 2023, 05:49:09 pm »

Hello!,

I have OPNSense + Zerotier working with dual WAN.

WAN1: public IPv4 assigned to the FW (ISP1 doesn't care about IPv6)
WAN2: private IPv4 assigned to the FW, with NAT in the ONT + IPv6 assigned but no working (ISP2 doesn't know how to properly delegate IPv6). There's a 1:1 NAT to the firewall (that is as good as it gets with that ISP)

The issue I have is that I see several blocked connection attempts incoming on WAN2. It's super annoying because it fills-up the disk with filter log entries.

The only difference between WAN1 & WAN2 is that WAN2 is behind NAT. Is there any recommended configuration in that scenario?

2

General Discussion / Link local only

« on: December 15, 2023, 05:29:09 pm »

Hello!, what would be the correct procedure to setup a "link-local only" IPv6 interfaces?. If I choose Enabled+"static ip", I cannot save the configuration.

The usecase would be BGP peering with another network element.

3

High availability / Re: Unbound DNS registration not working for failover DHCP configuration

« on: December 06, 2023, 11:00:38 pm »

Hello!, did anybody test this further?. I have the same situation, we're some hostnames can be resolved (whatever was served by firewall A, but any lease served by firewall B fails to resolve).

I understand static mapping would "solve" this, but it not always desired (highly dynamic environments)

4

General Discussion / DHCP & DNS updates

« on: October 25, 2023, 03:19:34 pm »

hello, for DHCP-v4, can you confirm "OPTION 12" is the one clients must send to properly update Unbound A/PTR updates?.

What would be the case for DHCP-v6 AAAA/PTR?.

also, I wonder if OPTION 81 is supported, per https://datatracker.ietf.org/doc/html/rfc4702#section-3.1

5

Hardware and Performance / Repeated reboot

« on: July 10, 2023, 09:50:58 pm »

Hello!,

I'm running OPNsense on a Lanner NCA-1010B. It keeps rebooting each 15min aprox, anybody can recommend how to pinpoint where is the issue?.

In the system logs, I can only see the fresh boot. Could it be power issues?, triggered by software?

From the logs:

tap9993: changing name to 'zta1ivkmolav2t3'
zta1ivkmolav2t3: link state changed to UP
arp: 10.1.1.105 moved from ac:07:5f:76:56:44 to 00:9e:c8:95:87:c4 on igb0_vlan100
---<<BOOT>>---
Copyright (c) 1992-2021 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.

6

High availability / Re: Cluster & IPv6 Router advertisement

« on: June 26, 2023, 07:15:38 pm »

You use CARP and a link-local address as the CARP address.

Should I use a different link-local address per VLAN/Interface, or can I get away with using the same one (can't recall if there's a recommendation for that)

7

High availability / Cluster & IPv6 Router advertisement

« on: June 15, 2023, 06:01:42 am »

Hello!,

I found this topic https://forum.opnsense.org/index.php?topic=25158.15

which seems to imply that there's already a recipe, but I fail to find the expected configuration. Do we use CARP with for IPv6 subnets + cluster?, or CARP is not needed and everything should work automagically?

8

High availability / MultiWAN & User experience

« on: June 08, 2023, 06:01:28 pm »

Hello!,

I've setup loadsharing Multiwan following the documentation, and I see that the user experience is really bad.

Two examples:

1- Connection stalls from time to time, and there are slow page loads.
2- Also, a web banking goes bonkers and resets the session every couple of minutes (it seems that different requests to different components from a single client goes through different interfaces: main site, vs CDN, etc)

The only decent experience is achieved with Active/standby WAN setup.

Is there any trick to load balance the outgoing connections per client and not per request?

9

Virtual private networks / Re: Routing to Internet fails after reboot until Zerotier disabled

« on: June 07, 2023, 09:50:04 pm »

Saw that in my tests today. It created a gateway even though I marked " This interface does not require an intermediate system to act as a gateway". After the reboot, that gateway is marked as "active" and I get no Internet traffic to the LAN.

Fix for me was to disable the gateways associated with the ZT interfaces.

10

Hardware and Performance / Re: Serial installation - no keyboard

« on: June 01, 2023, 04:27:35 am »

I was expecting to setup the node with serial console. In the end I had to do some dancing:

1. Work.from console, you actually interact and choose options during boot.
2. After boot was complete, lost access either through keyboard or serial. Setup port assignment
3. Visit the web portal, verified console reverted to VGA. Changed that to serial again.
4. Going back to serial console and verify it works.

With my specific setup, it only bothers me:
- Directional keys don't work via serial for BIOS
- bootloader menu now looks messed up (it wasn't like that on first boot)

Keyboard is fine once fully booted.

11

Hardware and Performance / Serial installation - no keyboard

« on: May 31, 2023, 04:15:03 am »

Hello!, I'm trying to install OPNSense 22.7 on a Citrix SD-WAN 210 appliance. I can succesfully boot the serial installer, but as soon as the boot process finishes,I lose keyboard access:

Last messages:

---
Root file system: /dev/ufs/OPNsense_Install
Tue May 30 14:57:39 UTC 2023

*** OPNsense.localdomain: OPNsense 22.7 (amd64/OpenSSL) ***

 LAN (igb0)      -> v4: 192.168.1.1/24
 WAN (igb1)      ->

 HTTPS: SHA256 4B 3C 50 66 3C C4 80 31 F7 21 77 04 2A EE 62 9D
               E1 69 D7 33 0C AA 0D 51 B1 B8 8C 2B 93 A3 F1 2A
 SSH:   SHA256 qgZPLT2pCAWKzn/VScVQy4ruph8+IBwyWC1OU94BTBI (ECDSA)
 SSH:   SHA256 MgGCfkKgrg2L5r3hfTtLLPXzb068ZY/gKuofiLa1ni4 (ED25519)
 SSH:   SHA256 EXxxww7RA1VtqViOhl3WovKY98N4LxYAklpnGHDlo40 (RSA)
pw: no such user `installer'

Welcome!  OPNsense is running in live mode from install media.  Please
login as 'root' to continue in live mode, or as 'installer' to start the
installation.  Use the default or previously-imported root password for
both accounts.  Remote login via SSH is also enabled.

---

System is not frozen, I can see kernel messages when unplugging & replugging the USB keyboard.

Working  with GNU screen,and also with USB keyboard installed (device doesn't have a video output port).

Any tips?

12

Hardware and Performance / Raid1 with different device types

« on: May 29, 2023, 06:43:16 am »

Hello, I would like to install OPNsense in a Citrix SD-WAN 210 appliance. It supports both mSATA & SATADOM drives.

Currently it has installed a 60GB mSATA SSD disk and a 16GB SATADOM drive, I'll replace the SATADOM drive with a 64GB one

Do you see any cons running a mirror with those devices?

Original devices:

root@:/ # dmesg|grep ada
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <SATADOM-SH 3ME3 V2 S17411> ATA8-ACS SATA 3.x device
ada0: Serial Number BCA11807060531128
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada0: Command Queueing enabled
ada0: 15272MB (31277232 512 byte sectors)
ses0: pass0,ada0 in 'Slot 00', SATA Slot: scbus0 target 0
ada1 at ahcich7 bus 0 scbus1 target 0 lun 0
ada1: <mSATA mini 3ME4 L17606> ACS-3 ATA SATA 3.x device
ada1: Serial Number YCA11807260091067
ada1: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 512bytes)
ada1: Command Queueing enabled
ada1: 61057MB (125045424 512 byte sectors)
ses0: pass1,ada1 in 'Slot 07', SATA Slot: scbus1 target 0

13

Hardware and Performance / Freedom E28Q-L server/switch

« on: May 19, 2023, 06:29:55 am »

Hello, I'm wondering if OPNsense can make use of embedded switching chipset.

Freedom E28Q-L looks like a server with 40GbE embedded switch, originally run Illumus/Solaris and later was ported to Linux from what I heard.

Would be a monster firewall with OPNsense

Ref: https://www.pluribusnetworks.com/assets/PluribusFreedomE28Q-LSwitchDatasheet8-17-1.pdf

14

Hardware and Performance / Re: Support for Intel Wireless-AC 9560

« on: April 19, 2023, 12:31:38 am »

Tested with current release, only works as client, not AP mode.

15

Hardware and Performance / Citrix SD-WAN appliances

« on: April 16, 2023, 05:25:07 am »

Hello, has anybody successfully installed OPNSense on a Citrix SD-WAN 210 appliance?, if that's the case, can you share your experience?