Messages - alexdelprete

1
General Discussion / Re: Homeassistant automation on defined filters in OPNsense
« on: November 23, 2024, 05:29:53 am »
You don't need that if you use this HA integration: https://github.com/travisghansen/hass-opnsense

You can automate many things, Filter Rules included, they will be available as binary switches in HA. :)

2
24.7 Production Series / MultiWAN: PPPoE on FTTH + FWA (same ISP)
« on: November 05, 2024, 12:27:05 pm »
Hi,

I have an FTTH primary connection and a backup FWA line. Both via PPPoE, with the same ISP.
When I set MultiWAN, the upstream gw is the same for both, and I noticed some weird issues with routing.

I've already set up MultiWAN in the past, never had issues, but I was never in a condition like this with the same upstream gw for both connections.

I spoke with the ISP support, they told me that I should switch to an active/passive configuration, that means that the FWA interface should come online and negotiate PPPoE session only when the FTTH is down.

Right now the default multiwan configuration is active/active. Can I configure it like support is asking? So OPNsense should bring up the FWA interface only when FTTH is down.

Thanks for any help on this.

Alex

3
24.7 Production Series / Annoying error in the logs
« on: August 21, 2024, 08:29:17 pm »
I have this error that is filling the log:

Code:
2024-08-21T20:20:30 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:59 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:19:26 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:54 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:18:22 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:50 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:17:18 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:46 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:16:14 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:42 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute
2024-08-21T20:15:10 Error opnsense /usr/local/sbin/pluginctl: The command `/usr/local/sbin/ifinfo 'wg1'' failed to execute

I guess it's related to the WireGuard interface, but I don't use WG and have it disabled. I tried enabling it (without any configuration) but the error in the log is still present.

Any suggestion is appreciated.

Thanks.

4
Development and Code Review / Re: HackApi for OPNsense - php API client
« on: January 31, 2024, 04:52:18 pm »
This is really interesting. I'm collaborating on this project to integrate OPNsense in Home Assistant: https://github.com/travisghansen/hass-opnsense/

It uses both REST API and XMLrpc because the API doesn't offer everything needed. I wonder if using your library we could cover everything.

I'll tell Travis, the dev, about this so he can take a look and see if it fits well. :)

Thanks a lot.

5
24.1 Legacy Series / Upgrade to 24.1: only 2 minor issues
« on: January 30, 2024, 09:02:33 pm »
Upgrade went fine. The only two minor issues were:

- the os-firewall and os-wireguard plugins missing message, solved by resetting local conflict
- this message regarding libevent/openssl when checking for updates:

Code:
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (3 candidates): ... done
Processing candidates (3 candidates): .
pkg: libevent has a missing dependency: openssl111
Processing candidates (3 candidates)... done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

I think I can safely ignore it, but I thought to report it, just in case. :)

Thanks for this release.

6
24.1 Legacy Series / Re: 24.1 Bug report
« on: January 30, 2024, 08:31:14 pm »
Reset all local conflicts. Check screenshot attached.

7
Development and Code Review / Re: Wanted: Plugin developer
« on: September 21, 2023, 06:01:33 pm »
This is great news:

Quote from: franco https://github.com/tailscale/tailscale/issues/5067#issuecomment-1708030918
We're already talking to @DentonGentry at the moment about how to approach this structurally.

Cheers,
Franco

It seems like the OPNsense team will develop an official plugin, is that confirmed @franco? If so, what kind of priority will it be assigned?

Thanks. :)

8
23.7 Legacy Series / Re: Port Forward issue (port 443) is getting me crazy
« on: September 05, 2023, 03:40:29 pm »
Quote from: tron80 on September 05, 2023, 03:36:59 pm
Thanks for the status update.

Regarding port 80 (HTTP) vs port 443 (HTTPS) you should(*) see some traffic on port 80 going in and out. Usually a HTTP redirection is sent back to the client that points to HTTPS.

(*) Not every browser starts with HTTP but with HTTPS immediately. Hence, you might need to enforce http:// in order to test this.

I use https://httpstatus.io to test, and when testing port 80 I obviously specified http:// while testing 443 I used https://.

As I wrote in OP, I could see traffic in live log for port 80, but not for port 443. That should've let me point immediately to ISP first, but I started doubting OPNsense config, and I spent many hours for 2 days without results. :(


9
23.7 Legacy Series / Re: Port Forward issue (port 443) is getting me crazy
« on: September 05, 2023, 03:24:08 pm »
I finally received a reply from the ISP: they filtered port 443 three days ago because of an attack on their network, and they didn't send any email. I complained about the lack of notification obviously.

Sorry to have bothered anyone, I shouldn't doubt OPNsense reliability anymore. It was really strange that a rule config working for 2y all of a sudden stopped working. Should've checked the ISP first, and I wouldn't have lost all this time debugging the issue.

Thanks to the people that tried to help, it's highly appreciated.

10
23.7 Legacy Series / Re: Port Forward issue (port 443) is getting me crazy
« on: September 05, 2023, 03:04:08 pm »
Quote from: tron80 on September 05, 2023, 02:55:29 pm
did you restart OPNsense, too?

If nothing arrives at your WAN IF you could be blocked by your ISP. Can you safely rule out this scenario? Hence a packet capture on WAN would be very interesting.

Regarding port 80 it is working fine on the whole path to your internal traefik install?

Hi, and thanks for answering my post. I appreciate any help.

1. ISP: yes, I sent an email to my ISP yesterday, because I thought that if I don't see anything coming in on the WAN_FTTH (it's a PPPoE connection with an SFP) then it means something before OPNsense is filtering it.

2. I can't fully test port 80 because Traefik upgrades HTTP to HTTPS, and if 443 doesn't work, that fails.

11
23.7 Legacy Series / Re: Port Forward issue (port 443) is getting me crazy
« on: September 05, 2023, 03:02:09 pm »
Quote from: CJ on September 05, 2023, 02:49:42 pm
What happens when you run a packet capture on WAN?  Do you see anything coming in on 443/tcp?

Another thing to check is verify that it's actually a firewall issue and not an SSL problem.  Do a client side packet capture when trying to hit 443/tcp and see if you get any response back.

Hi, and thanks for answering.

1. I did WAN_FTTH traffic capture, no signs of packets on 443. :(
2. I thought about a failing SSL handshake, but in that case, I should still see packets coming in the WAN_FTTH interface, or am I wrong about this?

12
23.7 Legacy Series / Re: Port 80 Being Blocked
« on: September 04, 2023, 11:58:27 pm »
I have almost the same problem (wrote a post here https://forum.opnsense.org/index.php?topic=35786.0): one port forward rule for internal Traefik (ports 80 and 443), worked for 2y, all of a sudden it stopped working, but only for port 443.

The difference with respect to your issue is that I can't see any entries in live view for port 443, only for port 80.

Spent 2 days on this without solving anything. Driving me mad.

13
23.7 Legacy Series / Port Forward issue (port 443) is getting me crazy
« on: September 04, 2023, 04:56:15 pm »
I'm using a Port Forward rule for ports 80/443 that redirects traffic to my homelab's internal Traefik instance.

This has worked perfectly for the last 2y. All of a sudden, 2 days ago I was receiving alerts from my cloud uptime-kuma instance that port TCP/443 was not reachable from the internet anymore.

I started debugging, and with the live log viewer I can see traffic coming in on port 80, but when I test port 443 from the internet, I see no log entries of traffic coming in.

I thought it could be the SFP or something "before" OPNsense that is blocking the traffic (it's a PPPoE FTTH connection), but after rebooting the ONT/SFP I still see no traffic coming in port TCP/443 on OPNsense.

Since I was getting crazy, I even rebooted the core LAN switch, to no effect.

I hope someone can point me to a way to debug this, I'm not sure it's OPNsense, because if it was I should at least see traffic in the logs. I can't understand why I see it on all ports except for 443.

I have many port forwarding rules for various services and they're working fine, and I can see traffic in live log for those, but nothing for port TCP/443. One thing to note: port UDP/443 works, I can see traffic coming in there.

Thanks for any help on this...it's driving me crazy.

14
General Discussion / Re: LAGG troubleshooting/question
« on: February 01, 2023, 05:21:31 pm »
Luckily I found your post @pmhausen, I was getting crazy because in the INTERFACES: OVERVIEW of my lagg0 and lagg1 interfaces I had flaps:2 and flaps:3, even though everything seems to be working fine.

I tried ifconfig -v, but results are not in sync with the UI, hope it's just a matter of waiting for the UI to refresh data:

Code:
root@OPNsense:~ # ifconfig -v lagg0
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: LAN (lan)
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
ether 02:d4:32:81:89:00
inet 10.1.10.1 netmask 0xfffffe00 broadcast 10.1.11.255
laggproto lacp lagghash l2,l3,l4
lagg options:
flags=94<USE_NUMA,LACP_STRICT,LACP_FAST_TIMO>
flowid_shift: 16
lagg statistics:
active ports: 2
flapping: 0
lag id: [(8000,02-D4-32-81-89-00,016B,0000,0000),
(8000,60-32-B1-41-3D-0A,07CA,0000,0000)]
laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3f<ACTIVITY,TIMEOUT,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,02-D4-32-81-89-00,016B,8000,0001),
(8000,60-32-B1-41-3D-0A,07CA,8000,0001)]
laggport: igb1 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3f<ACTIVITY,TIMEOUT,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,02-D4-32-81-89-00,016B,8000,0002),
(8000,60-32-B1-41-3D-0A,07CA,8000,0002)]
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
root@OPNsense:~ # ifconfig -v lagg1
lagg1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: ONT_LAN (opt2)
options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
ether 40:62:31:0c:0e:e5
inet 192.168.1.222 netmask 0xffffff00 broadcast 192.168.1.255
laggproto lacp lagghash l2,l3,l4
lagg options:
flags=94<USE_NUMA,LACP_STRICT,LACP_FAST_TIMO>
flowid_shift: 16
lagg statistics:
active ports: 3
flapping: 0
lag id: [(8000,40-62-31-0C-0E-E5,018B,0000,0000),
(8000,60-32-B1-41-3D-0A,0E2E,0000,0000)]
laggport: igb3 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3f<ACTIVITY,TIMEOUT,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,40-62-31-0C-0E-E5,018B,8000,0004),
(8000,60-32-B1-41-3D-0A,0E2E,8000,0017)]
laggport: igb4 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3f<ACTIVITY,TIMEOUT,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,40-62-31-0C-0E-E5,018B,8000,0005),
(8000,60-32-B1-41-3D-0A,0E2E,8000,0016)]
laggport: igb5 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING> state=3f<ACTIVITY,TIMEOUT,AGGREGATION,SYNC,COLLECTING,DISTRIBUTING>
[(8000,40-62-31-0C-0E-E5,018B,8000,0006),
(8000,60-32-B1-41-3D-0A,0E2E,8000,0018)]
groups: lagg
media: Ethernet autoselect
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

15
23.1 Legacy Series / Re: Upgraded to 23.1.r2: no LAN ip after reboot
« on: January 27, 2023, 02:54:59 pm »
Sorry, I totally missed your post and the trash can. :)

Thanks a lot.
