Messages

Searched for that as well. The only hint I found [1] is the following:

"Layer 2 visibility covers physical connections: switch ports, VLANs, MAC addresses, and access point associations. Layer 3 visibility covers logical connections: IP addresses, routing paths, subnets, and gateway relationships. A tool that only provides Layer 3 maps cannot tell you which physical switch port a specific device is connected to. A tool that only provides Layer 2 maps cannot help you trace a routing problem."

[1]  https://blog.domotz.com/all/network-visualization-tools/  -  (search page for "Layer 3 Visibility")

Ich denke, Du hast Recht!!!!!

Du kannst der Opnsense eine weitere IP-Adresse geben, und diese für DNS-Anfragen verwenden. ;)

In Unbound (Port 53530) wurde eine Weiterleitung definiert für Telematik auf die Adresse des HSK Konnektors (nicht TunnelIP!!).

Bin nicht sicher ob das dein Problem ist, aber der Konnektor beantwortet grundsätzlich keine (DNS-) Anfragen seines Standard-Gateways.

Hi franco,

thank you for your explanation and I understand the reason for that decision.

One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console.  Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

SSH is limited to ssh-keys, password login is not permitted.

For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection.  ;)

My boxes are physical systems but located at customers place, so auto login is obviously no option.

Enforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.

That would be a nice solution (and root does not need direct remote access gui/ssh).

Additional use case:

Loading a customers configuration in a box without internet connection (no ntp server reachable).

Kind regards,
proctor

Hi,

what is the idea behind removing this feature?

I used the feature to force Web-GUI login via 2fa, SSH via keys, but allow console login and su for root without 2fa (sudo disabled). So root can't login (directly) at Web-GUI or SSH (no 2fa and no key). After update to 25.x i am not able to "su root".

Thanks for some explanation and ideas to get a similar setup again

Hallo derbert,

bin auch über das Problem - und dabei über deinen Beitrag - gestolpert. Zumindest in meinem Fall konnte ich feststellen, warum die automatischen Regeln allein nicht reichen. Diese umfassen nur ausgewählte ICMPv6-Typen. In meinem Fall war zusätzlich eine Regel notwendig, welche ICMPv6 Typ 130 (Multicast listener query) mit Ziel ff02::1 beinhaltet. Wozu das Paket benötigt wird, würde mich auch interessieren (DS-Lite?)...

Beste Grüße

Auja! Wir verlinken hier die schönsten Kommentare vom Heise-Forum! Dafür sollten wir ein eigens Board einrichten! :-D

Heise-Forum?

https://www.heise.de/news/APNIC-Chefwissenschaftler-IPv6-Einfuehrung-wohl-obsolet-9995140.html

https://www.heise.de/meinung/Kommentar-IPv6-obsolet-Ich-glaub-ich-steh-im-Wald-9999396.html

Thanks Patrick, my fault.
I was searching for (permanently) changes to the ssh keys to generate when i stumbled upon this question, so i had a "key-bias" in mind...

Hi Scenic3050,

you can configure all you need with the webgui.

Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys

No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method

Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"

Cheers

OPNsense 23.7.12_5

When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a hole page (at least 20).

To reproduce I choose a known target - e. g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.

Code Select Expand


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
...


After the resuts are displayed, I extend the seach string about the displayed source port number digit by digit "142.250.185.195,6"

Code Select Expand


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
...


And "142.250.185.195,60" - I know, there is at least one event, but I only get:

Code Select Expand


Loading...


I don't expect this as an intended behavior, how can I find single or seldom events?

Thanks for any hint!

I struggled with that yesterday and it turned out, that my VDSL provider doesn't use VLAN.
So be sure you really need it.

That solved the problem with console login and su for me.

Thanks a lot!

I just did another test. I reset the device to factory defaults. Logon at the console works as expected.
Then I only activated the option "Disable integrated authentication" and I no longer able to login at the console.

Is this an intended behavior?

If I have enabled 2FA, local database and deactivated "Disable integrated authentication" I can login at the console with the user with and without OTP and also with root and the password.

Code Select Expand

FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)

login: root
Password:
Last login: Fri Oct 20 16:29:16 on ttyu0
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***

CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24

HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
               6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH:   SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH:   SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH:   SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:



Connecting to the device per ssh/pubkey with the user works and I can su to the root:

Code Select Expand


~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 12:33:38 2023 from 192.168.1.100
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:

*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***

CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24

HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
               6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH:   SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH:   SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH:   SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:


Then I activate "Disable integrated authentication", nothing else is changed. After that I can't login at the console with any account with or without OTP.

Code Select Expand


FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)

login: root
Password:
Login incorrect



I still can login per ssh/pubkey, but I can't su to the root.

Code Select Expand

~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 16:10:53 2023 from 192.168.1.100
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website: https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook: https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums: https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code: https://github.com/opnsense  |        @@@@         @@@@
| Twitter: https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
su: Sorry


::)