"Quote from: RES217AIII on November 15, 2025, 03:31:40 PMIch denke, Du hast Recht!!!!!Du kannst der Opnsense eine weitere IP-Adresse geben, und diese für DNS-Anfragen verwenden. ;)
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
German - Deutsch / Re: Konfiguration der Rebind Schutznetzwerke in unbound für TI HSK Gateway (KIM+).
November 17, 2025, 03:33:44 PM #2
German - Deutsch / Re: Konfiguration der Rebind Schutznetzwerke in unbound für TI HSK Gateway (KIM+).
November 14, 2025, 12:11:59 PMQuote from: RES217AIII on November 13, 2025, 05:57:42 PMIn Unbound (Port 53530) wurde eine Weiterleitung definiert für Telematik auf die Adresse des HSK Konnektors (nicht TunnelIP!!).Bin nicht sicher ob das dein Problem ist, aber der Konnektor beantwortet grundsätzlich keine (DNS-) Anfragen seines Standard-Gateways.
#3
25.1, 25.4 Series / Re: removed “disable integrated authentication” feature
July 18, 2025, 11:22:41 AM
Hi franco,
thank you for your explanation and I understand the reason for that decision.
SSH is limited to ssh-keys, password login is not permitted.
My boxes are physical systems but located at customers place, so auto login is obviously no option.
That would be a nice solution (and root does not need direct remote access gui/ssh).
Additional use case:
Loading a customers configuration in a box without internet connection (no ntp server reachable).
Kind regards,
proctor
thank you for your explanation and I understand the reason for that decision.
Quote from: franco on July 18, 2025, 10:38:19 AMOne of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console. Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.
SSH is limited to ssh-keys, password login is not permitted.
QuoteFor physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection. ;)
My boxes are physical systems but located at customers place, so auto login is obviously no option.
Quote from: Patrick M. Hausen on July 18, 2025, 10:44:18 AMEnforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.
That would be a nice solution (and root does not need direct remote access gui/ssh).
Additional use case:
Loading a customers configuration in a box without internet connection (no ntp server reachable).
Kind regards,
proctor
#4
25.1, 25.4 Series / removed “disable integrated authentication” feature
July 18, 2025, 10:04:50 AM
Hi,
what is the idea behind removing this feature?
I used the feature to force Web-GUI login via 2fa, SSH via keys, but allow console login and su for root without 2fa (sudo disabled). So root can't login (directly) at Web-GUI or SSH (no 2fa and no key). After update to 25.x i am not able to "su root".
Thanks for some explanation and ideas to get a similar setup again
what is the idea behind removing this feature?
I used the feature to force Web-GUI login via 2fa, SSH via keys, but allow console login and su for root without 2fa (sudo disabled). So root can't login (directly) at Web-GUI or SSH (no 2fa and no key). After update to 25.x i am not able to "su root".
Thanks for some explanation and ideas to get a similar setup again
#5
German - Deutsch / Re: IPv6 connectivity mit 5G modem passthrough
January 28, 2025, 04:36:28 PMHallo derbert,
bin auch über das Problem - und dabei über deinen Beitrag - gestolpert. Zumindest in meinem Fall konnte ich feststellen, warum die automatischen Regeln allein nicht reichen. Diese umfassen nur ausgewählte ICMPv6-Typen. In meinem Fall war zusätzlich eine Regel notwendig, welche ICMPv6 Typ 130 (Multicast listener query) mit Ziel ff02::1 beinhaltet. Wozu das Paket benötigt wird, würde mich auch interessieren (DS-Lite?)...
Beste Grüße
#6
General Discussion / Re: Champagne anybody?
October 31, 2024, 10:02:21 AMQuote from: chemlud on October 31, 2024, 09:01:57 AM
Auja! Wir verlinken hier die schönsten Kommentare vom Heise-Forum! Dafür sollten wir ein eigens Board einrichten! :-D
Heise-Forum?
#7
General Discussion / Re: Champagne anybody?
October 31, 2024, 08:48:01 AM #8
General Discussion / Re: Edit ssh configs (to allow certificate signed ssh access)
October 23, 2024, 11:54:06 AM
Thanks Patrick, my fault.
I was searching for (permanently) changes to the ssh keys to generate when i stumbled upon this question, so i had a "key-bias" in mind...
I was searching for (permanently) changes to the ssh keys to generate when i stumbled upon this question, so i had a "key-bias" in mind...
#9
General Discussion / Re: Edit ssh configs (to allow certificate signed ssh access)
October 23, 2024, 10:04:03 AM
Hi Scenic3050,
you can configure all you need with the webgui.
Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys
No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method
Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"
Cheers
you can configure all you need with the webgui.
Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys
No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method
Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"
Cheers
#10
23.7 Legacy Series / Limitation of "Firewall : Log Files : Plain View"
May 30, 2024, 05:15:23 PM
OPNsense 23.7.12_5
When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a hole page (at least 20).
To reproduce I choose a known target - e. g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.
After the resuts are displayed, I extend the seach string about the displayed source port number digit by digit "142.250.185.195,6"
And "142.250.185.195,60" - I know, there is at least one event, but I only get:
I don't expect this as an intended behavior, how can I find single or seldom events?
Thanks for any hint!
When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a hole page (at least 20).
To reproduce I choose a known target - e. g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.
Code Select
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
...
After the resuts are displayed, I extend the seach string about the displayed source port number digit by digit "142.250.185.195,6"
Code Select
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
...
And "142.250.185.195,60" - I know, there is at least one event, but I only get:
Code Select
Loading...
I don't expect this as an intended behavior, how can I find single or seldom events?
Thanks for any hint!
#11
23.1 Legacy Series / Re: Can't get PPPoE with tagged VLAN to work
October 23, 2023, 12:21:56 PM
I struggled with that yesterday and it turned out, that my VDSL provider doesn't use VLAN.
So be sure you really need it.
So be sure you really need it.
#12
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
October 23, 2023, 11:59:41 AM
That solved the problem with console login and su for me.
Thanks a lot!
Thanks a lot!
#13
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
October 23, 2023, 10:15:44 AM
I just did another test. I reset the device to factory defaults. Logon at the console works as expected.
Then I only activated the option "Disable integrated authentication" and I no longer able to login at the console.
Is this an intended behavior?
Then I only activated the option "Disable integrated authentication" and I no longer able to login at the console.
Is this an intended behavior?
#14
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
October 20, 2023, 04:32:20 PM
If I have enabled 2FA, local database and deactivated "Disable integrated authentication" I can login at the console with the user with and without OTP and also with root and the password.
Connecting to the device per ssh/pubkey with the user works and I can su to the root:
Then I activate "Disable integrated authentication", nothing else is changed. After that I can't login at the console with any account with or without OTP.
I still can login per ssh/pubkey, but I can't su to the root.
::)
Code Select
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Last login: Fri Oct 20 16:29:16 on ttyu0
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Connecting to the device per ssh/pubkey with the user works and I can su to the root:
Code Select
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 12:33:38 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Then I activate "Disable integrated authentication", nothing else is changed. After that I can't login at the console with any account with or without OTP.
Code Select
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Login incorrect
I still can login per ssh/pubkey, but I can't su to the root.
Code Select
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 16:10:53 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
su: Sorry
::)
#15
23.1 Legacy Series / [SOLVED] "Disable integrated authentication" doesn't work as expected
October 20, 2023, 01:19:52 PM
With the activated option "Disable integrated authentication" it is not possible to login at the console and not possible to do su in ssh.
OPNsense version 23.1.11_2
Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the webgui with 2FA and SSH-login with public key works well. The user 'root' doesn't have either an OTP seed or a public key.
As fallback in case of problems with 2FA, I wanted to login per SSH with key or console. But as soon as I activate "Disable integrated authentication" I can not login to the console and I can not su to root in SSH.
Thanks for any hint!
OPNsense version 23.1.11_2
Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the webgui with 2FA and SSH-login with public key works well. The user 'root' doesn't have either an OTP seed or a public key.
As fallback in case of problems with 2FA, I wanted to login per SSH with key or console. But as soon as I activate "Disable integrated authentication" I can not login to the console and I can not su to root in SSH.
Thanks for any hint!
