Messages

1

24.1 Legacy Series / Re: Automatic Firmware Updates

« on: April 08, 2024, 07:17:14 pm »

I do auto patching check and install every Friday evening for my home firewall. As if there are any issues, I will be on Saturday at home.

A firewall remote location at a client home/office is done on Saturday evening.
I'm working on there, to have second opnsense firewall inplace that will have a different patch day.
And i have an edge router, with IPSEC for fallback, if needed.

My Firewalls will be migrated to Proxmox, on what i will create backups/snapshots.

I make auto backups of the configuratie every day, just to be sure.

I think i never had some issues, als this weekend, my DHCP request on my IPTV WAN port did not work. I don't know why yet.

Most issues i had, where with major upgrades without an RCA. Minor updates, i never had any issues with.
 

2

22.7 Legacy Series / Re: Opnsense reverts to an old configuration

« on: November 11, 2022, 05:15:20 pm »

It was a restore of about 1 year ago. Not a factory default reset or something like that.

It as the configuration of about 12 months ago.

I could also not find any logs with "factory" in it.

So this was not happening in this case.

3

22.7 Legacy Series / Re: Opnsense reverts to an old configuration

« on: November 11, 2022, 01:29:05 pm »

I had exactly the same problem. I was not upgraded yet to  22.7.7_1.

I was make some firewall modifications, and noticed a change in rules. I was missing data, that definitely was there before.

I noticed yesterday also that my IPTV did not work anymore, why i did not know yet.

Today i did an upgrade to  22.7.7_1, and my SSL certifictes from Lets Encrypts where changed during the upgrade to a year back. After reboot, all my IPSEC configurtion was also set back to long a go configurtion and my Interfaces had a configuration of a year back, as my ISP has changed this year.

So with the upgrade something really went wrong... Lucky have a daily backup script on my NAS, so i can restore my settings of last week. As i don't trust my configuration anymore.

Something is really wrong, as it looks like multiple users are facing this issue?

4

General Discussion / Re: Postfix/rspamd DKIM signing

« on: July 05, 2021, 09:30:47 pm »

I'm not sure if I find the time for it. Is there already a feature request in github?

Good one, i have no idea i have to say.
I just lifted on this topic.

Where can i do / find this? I will raise one, if there is none yet.

5

General Discussion / Re: Postfix/rspamd DKIM signing

« on: July 05, 2021, 08:50:10 am »

Yes this should be ..

Do you maybe know if this will be part of 21.7 release?

6

General Discussion / Re: Postfix/rspamd DKIM signing

« on: March 26, 2021, 11:24:42 am »

Yes this should be ..

if you want me to test something, just let me know.

7

General Discussion / Re: Postfix/rspamd DKIM signing

« on: March 21, 2021, 05:59:04 pm »

I have done some testing, and got it to work.

Code: [Select]

rspamadm dkim_keygen -b 2048 -s opndkim -k /tmp/opndkim.key | sudo tee -a  /tmp/opndkim.pub
chown -R rspamd: /tmp/opndkim.*
chmod 440 /tmp/opndkim.*

This generate the DKIM keys on my tmp location.

I changed in my configuration file, with a domain selection.

Code: [Select]

/usr/local/etc/rspamd/local.d/dkim_signing.conf

# Please don't modify this file as your changes might be overwritten with
# the next update.
#

  allow_envfrom_empty = true;
  allow_hdrfrom_mismatch = false;
  allow_hdrfrom_multiple = false;
  allow_username_mismatch = false;
  auth_only = true;
  #path = "/var/lib/rspamd/dkim/$domain.$selector.key";
  selector = "dkim";
  sign_local = true;
  symbol = "DKIM_SIGNED";
  try_fallback = false;
  use_domain = "header";
  use_esld = true;
  use_redis = false;
  # Hash for DKIM keys in Redis
  key_prefix = "DKIM_KEYS";
 
  domain {
    # Domain name is used as key
    mydomain.com {
      # Private key path
      path = "/tmp/opndkim.key";
      # Selector
      selector = "opndkim";
      }
  }

I just needed to add mydomain.com with the selector and the key location.

This worked for my, all the configuration was reset after a restart from opnsense rspamd service, and the keys are not saved at a correct location and i did not use the redis database.

Would this be enough information to configure something from the GUI for this?
If needed to can do some more testing/configuring.

8

General Discussion / Re: Postfix/rspamd DKIM signing

« on: March 02, 2021, 06:01:10 pm »

I'm also really interested on this feature. Is there maybe an update on this feature?

My current ISP relay host detects my scanner email as spam, what i can't solve.

I was just looking for a solution, and was ready to setup the relay on OPNSense, as this would perfectly fit my solution. Even better than my ISP setup, as i have everything under my own control.

But... No DKIM, would be a no go.

9

Virtual private networks / Re: locally generated traffic not flowing into IPsec site-to-site tunnel

« on: January 16, 2021, 03:53:02 pm »

You could try to create a routed IPSEC Tunnel. I think this solved the issue.

Other solution is to create a static route for the IP Range and set the gateway to the LAN interface (or an other one).

10

Virtual private networks / IPSEC Lost DNS

« on: November 09, 2020, 10:49:24 am »

I have 3 OPNSense Firewall with IPSEC tunnels between them.

One of my locations has some DNS issues.

Nov  5 21:32:44 OPNsense.DenHaag.xxxx.local charon[23490]: 45[LIB] resolving 'ipsec.xxxx.info' failed: Name does not resolve
Nov  5 21:32:45 OPNsense.DenHaag.xxxx.local charon[23490]: 46[LIB] resolving 'ziggo.xxxx.nl' failed: Name does not resolve

The IPSEC VPN goes after this down, but I can't trace the issue, why this is happingen.
A restart of the IPSEC service solved the issue. The IPSEC VPN tunnels are made within seconds after that restart.
The DNS is working for all the clients, so its not a direct resolve issue.

As it looks like a DNS issue, i have double checked my DNS configuration:
System/Settings/General:
DNS Servers: 8.8.8.8, 8.8.4.4 Use Gateway: none
DNS server options:
Allow DNS server list to be overridden by DHCP/PPP on WAN: Not Selected.
Do not use the local DNS service as a nameserver for this system: Not Selected

Services/Unbound DNS:
General: 
Network Interfaces: LAN
DNS Query Forwarding: Enable Forwarding Mode
Local Zone Type: Transparant


I just did a search on the system.log of that time.


Nov  5 22:38:30 OPNsense.DenHaag.xxxx.local /update_tables.py[85636]: unable to resolve xxx.filemakerconsulting.com for alias Block_FileMakerPro
Nov  5 22:39:00 OPNsense.DenHaag.xxxx.local /update_tables.py[85636]: unable to resolve filemakerconsulting.com for alias Block_FileMakerPro

So it looks like there are more issues with DNS.
I can see in my smokeping that there was a high latency with packat drops on the WAN. So that explains some issues with the DNS resolving.
But then that was done, the system messages where also gone.

But when the DNS worked fine, it looks like the IPSEC did not notice it, and needed a restart of the service. But how could i prevent this?