Messages - motamedn

#1
No, it's not "fixed" yet. Just updated to 24.7 and things were fine, but trying to upgrade from 24.7.1 to 24.7.6 breaks AGH. In the process of upgrading, I noticed it states it needs to reinstall AGH. Curious if there will be a fix without the need for manual yaml modification like you are doing.
#2
23.7 Legacy Series / Upgrade search bugging out (SOLVED)
September 04, 2023, 02:04:41 AM
Hoping someone brighter than I can crack this nut... I have internet and can ping other hosts/gateway, but I run into trouble trying to update OPNSense. Seems to be DNS related. Clicking the button to update would lead to a very slow process without the popup at the end showing no updates were found. As the spinning wheel keeps spinning, I cannot see/manage plugins either. The output for the update included "Fetch: transfer timed out" and "changelog.txz appears to be truncated 0/111324bytes".

Setup: OPNSense VM on Hyper-V in Win11. DNS is Mimugmail's AdGuardHome + Unbound.

This started about a week ago. Thinking I had tinkered with something, I tried starting a new VM from scratch. Got everything working vanilla with box checked to prefer IPv4 over IPv6. Things still failed once I changed Unbound's port and set up AdGuard Home. How to figure this out?

***GOT REQUEST TO CHECK FOR UPDATES***
Currently running OPNsense 23.7.3 at Sun Sep  3 16:13:31 PDT 2023
Fetching changelog information, please wait... fetch: transfer timed out
fetch: /usr/local/opnsense/changelog/changelog.txz appears to be truncated: 0/111324 bytes
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ........ done
Processing entries: .......... done
mimugmail repository update completed. 190 packages processed.
All repositories are up to date.
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking for upgrades (99 candidates): .......... done
Processing candidates (99 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***

Running Audit - Connectivity:
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 23.7.3 at Sun Sep  3 16:04:23 PDT 2023
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=39 time=173.346 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=39 time=173.278 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=39 time=167.787 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=39 time=167.959 ms

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 167.787/170.592/173.346/2.720 ms
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
Updating mimugmail repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: ........ done
Processing entries: .......... done
mimugmail repository update completed. 190 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING6(1548=40+8+1500 bytes) 2001:558:6025:23:41bf:3112:7fd:1176 --> 2001:1af8:5300:a010:1::1
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=0 hlim=40 time=164.397 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=1 hlim=40 time=163.611 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=2 hlim=40 time=170.041 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=3 hlim=40 time=165.012 ms

--- 2001:1af8:5300:a010:1::1 ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 163.611/165.765/170.041/2.518 ms
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:13:amd64/23.7
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching packagesite.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 852 packages processed.
Updating mimugmail repository catalogue...
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/meta.txz: Unknown resolver error
repository mimugmail has no meta file, using default settings
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.pkg: Unknown resolver error
pkg: https://opn-repo.routerperformance.net/repo/FreeBSD:13:amd64/packagesite.txz: Unknown resolver error
Unable to update repository mimugmail
Error updating repositories!
***DONE***

FIXED. Go to SYSTEM: SETTINGS: GENERAL. Check the box "Do not use the local DNS service as a nameserver for this system".

I (think I) now understand that checking this box will make OPNSense itself respect your DNS settings. Whatever you enter as the DNS servers above this is what it will now use to resolve DNS.
#3
Thanks for posting this guide! In case anyone runs into problems with their Chromecast with Google TV after following these instructions and gets the error saying no internet is available, it might have to do with the optional but recommended port forward step.

Instead of including all sources for the port forward, you can select the devices you want to exclude from the port forward and tick the checkbox to invert the selection. This resolved my Chromecast with Google TV error. I have several so I made an alias. In the end, when I was done it looked like Source: !Google_devices.

Additionally, in the IRC, someone mentioned this port forward setup might lead to some abnormal behavior, i.e. a device asks for 8.8.8.8 DNS but gets confused that AdGuard Home responds. It may be better for reliability to set this up via a firewall rule that blocks all outbound DNS requests instead of forwarding them. Most devices will then use the local DNS as a back-up. I decided to make the change but still had to exempt the Chromecast devices.

I made the following two rules and disabled the port forward. These rules are under Firewall -> LAN and are the top rules in the set.

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
#4
Thanks Thomas. Does that look better?
#5
OK, this is fixed. I had followed instructions to port-forward traffic to port 53 on opnsense to run mimugmail's AdGuard Home. My instructions follow to help anyone else out of a similar jam. I disabled the port forward and instead put in two firewall rules for LAN as follows:

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
#6
Chromecast with Google TV (GCTV) is acting up. It says it is connected to wifi but no internet is available. Netflix says there is no internet. Yet all other apps can stream, and the Smart TV's Netflix app can stream. Things were working just fine last week. I have three GCTVs and they all have the same issue. If I connect one to a mobile hotspot the errors go away.

Network is set up as DHCP on GCTV. On OPNSense, static reservations are set for each GCTV and DNS is specified for them as 8.8.8.8 and 8.8.4.4.

Any idea how to troubleshoot this? Google support says I need to enable UPNP but that did not help.

I am running Ubiquiti Unifi Access Points. WiFi Optimization is off and Multicast Enhancement is on (IGMPv3) and Multicast/broadcast filtering is OFF.

**EDIT SOLVED**
OK, this is fixed. I had followed instructions to port-forward traffic to port 53 on opnsense to run mimugmail's AdGuard Home. My instructions follow to help anyone else out of a similar jam. I disabled the port forward and instead put in two firewall rules for LAN as follows:

Rule 1:

ALLOW
Source: [Google_devices] -- this is an alias set up with all IP for my google devices
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)

Rule 2:

REJECT
Source: *
Source Port: *
Destination: !Lan address
Destination Port: 53 (DNS)
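To show how the two LAN rules in posts #3, #5 and #6 behave under OPNsense's first-match evaluation, here is an added simulation (example code, not the poster's configuration or OPNsense's own code). The 192.168.0.0/24 LAN comes from post #9; the firewall's LAN address and the members of the Google_devices alias are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed values (not the poster's real config): the firewall's LAN
# address where AdGuard Home listens, and the members of the Google_devices alias.
LAN_ADDRESS = ip_address("192.168.0.1")
ALIASES = {"Google_devices": {ip_address("192.168.0.50"), ip_address("192.168.0.51")}}

@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "REJECT"
    source: str            # "*" or an alias name
    destination: str       # "LAN address" or "!LAN address" (leading ! inverts)
    dst_port: int

# The two rules from the posts, in the order they sit at the top of the LAN set.
LAN_DNS_RULES = [
    Rule("ALLOW", "Google_devices", "!LAN address", 53),
    Rule("REJECT", "*", "!LAN address", 53),
]

def _matches(rule: Rule, src, dst, port: int) -> bool:
    if rule.source != "*" and src not in ALIASES[rule.source]:
        return False
    negate = rule.destination.startswith("!")
    # "!LAN address" matches only when dst is NOT the firewall's LAN address.
    if (dst == LAN_ADDRESS) == negate:
        return False
    return rule.dst_port == port

def evaluate(rules, src: str, dst: str, port: int, default: str = "ALLOW") -> str:
    """First matching rule wins; otherwise fall through to the default LAN allow."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if _matches(rule, s, d, port):
            return rule.action
    return default

def verdicts(rules=LAN_DNS_RULES) -> dict:
    """Constructed flows: exempted Chromecast, ordinary client, local DNS, non-DNS."""
    return {
        "chromecast_to_8.8.8.8": evaluate(rules, "192.168.0.50", "8.8.8.8", 53),
        "laptop_to_8.8.8.8": evaluate(rules, "192.168.0.77", "8.8.8.8", 53),
        "laptop_to_adguard": evaluate(rules, "192.168.0.77", str(LAN_ADDRESS), 53),
        "laptop_https": evaluate(rules, "192.168.0.77", "8.8.8.8", 443),
    }

if __name__ == "__main__":
    print(verdicts())
    print(verdicts(LAN_DNS_RULES[::-1])["chromecast_to_8.8.8.8"])  # REJECT: rule order matters
```

The laptop_https flow shows the limit of this approach: only plain port-53 DNS is redirected to the local resolver, so a client that resolves over HTTPS on port 443 is unaffected by these rules.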
#7
Yes, you are correct and thank you for your patience. That was a revelation. So stupid--I hadn't considered that my host machine can sip off the outgoing LAN port. I now have an unshared (with host PC) WAN coming in and a shared (with host PC) LAN going out to my network. I tried this before but I did not reset the host machine after setting it up this way (I had just reset the VM and done ipconfig /release and /renew). I removed all the extraneous adapters, set it up as you mentioned, reset the PC and voila: both machines are online. Thank you very very much!

If you want to later increase bandwidth or provide resiliency to this LAN connection, you can aggregate multiple ports together (Link Aggregation) LAG or in OPNsense LAGG. I'd be interested in learning more about this. Anywhere I should read up on this?
#8
I'm going to try a workaround. Kind of 'cave man', but I could try removing one of the RJ45 ports (like hn5) from the virtual machine altogether. I could then get rid of 'internal' and set up LAN to be hn2 and cable out from hn2 to a switch that has one cable to the rest of the network and one cable that goes back to hn5.

WAN --> OPNSENSE (on PC) --LAN = hn2 --> SWITCH --> internet
                           Host PC  <-------hn5 ---------|
#9
Quote from: bunchofreeds on November 09, 2020, 10:32:08 PM
Sorry if this is basic stuff I am asking here...

So you have a PC that is always on and is running Hyper-v
You have a guest that is OPNsense and is your perimeter firewall/router

I'm not sure why you need to use a bridge?
Are you trying to use your 4 port NIC as a LAN switch?
Is OPNsense providing DHCP for the 192.168.0.0/24 LAN network?

If you are not using VLANs then you would have two physical ports used on your PC that attach to two virtual switches in Hyper-V.
One is WAN and goes to your internet, and one is LAN that connects to your LAN switch
Your OPNsense guest then has two interfaces, one WAN and one LAN that connect to your respective Hyper-v switches.
If you want multiple ports connecting to your LAN switch, have you considered a LAGG?
You would usually break out separate networks to separate interfaces on your firewall for network segmentation and separation.

No reason to apologize. I am new to all this and take no offense.
1. I have a modem connected directly to RJ45 #1 on a PC that is always on. This PC has an add-in 4-port NIC (intel I-350)
2. This PC is running OPNSense and RJ45 #1 is being used only by the OPNSense VM.
   a. This PC is also used to browse the web
   b. This PC hosts other VMs in Hyper-V, for instance 'home assistant' which controls other smart-home devices over LAN.
3. As it is, I have my "LAN" configured to be an internal virtual switch. If I understand correctly, that allows it to 'virtually' share the network connection to the host PC and to the other VMs on the machine. That part is working well.
4. In order to build out the LAN to the rest of the network, I need to use another RJ45 port, which is where the I-350 comes in. I am trying to build a bridge so I can both run the "internal virtual switch" and an RJ45 port from the I-350 within the same LAN so they can talk together. It may be nice to be able to leverage the other ports of the I-350 NIC down the line, but I'd settle for one in conjunction with the internal network right now.

Is OPNsense providing DHCP for the 192.168.0.0/24 LAN network?
Yes.

If you are not using VLANs then you would have two physical ports used on your PC that attach to two virtual switches in Hyper-V.
One is WAN and goes to your internet, and one is LAN that connects to your LAN switch.
Your OPNsense guest then has two interfaces, one WAN and one LAN that connect to your respective Hyper-v switches.
That is my understanding too but doesn't this skip over the 'internal network'?

If you want multiple ports connecting to your LAN switch, have you considered a LAGG?
You would usually break out separate networks to separate interfaces on your firewall for network segmentation and separation.
I have no idea what a LAGG is. Care to elaborate?

I tried to attach a photo that shows the basics of the setup. Sorry, my first stab at drawing this. Internet comes in from 'cloud' to modem to the PC with a physical port that is directed to the firewall (OPNSENSE on the PC, which is to the bottom right). One virtual switch "Internal" goes to the other VM and to the PC itself. One of the physical ports on the PC would move on to the rest of my network.
#10
Yes, not trying to do anything fancy. This is being run on a PC that is always on. I want to use one of the ports to go to my access points and switches to move on to the other devices on the network. I want them all to be on the same 192.168.0.x network.
#11
I just tried doing it using just the external switches (hn2-5) and it still gives up at the same steps.

I only installed OPNSense, ran the wizard, then updated it. Was I supposed to set up some firewall rules or something?
#12
No worries, great questions:
1. I am using an Internal network virtual switch for LAN so I'm not sure how I would go about unplugging that.
2. It is possible that there is a different IP address, but even when I go into the console and 'assign the ip' it doesn't work. Yes, I re-connect the cable.
3. I tried introducing a switch between the two PCs (PC w/ virtual machine and 2nd pc) in case that was the issue. It is not.

I haven't messed with swapping the interfaces in HyperV. I certainly thought about doing it but figured it would make things worse.

Maybe from the get go, I should select one of the I-350's ports (hn2-5) for LAN instead of hn1 (internal).

**edit: Nope. Starting from hn2-3 and going to hn4-5 or hn1,4,5 didn't work either**
#13
Yep, that was one of the guides I followed. Step 3 is basically where I was: when you replace the LAN interface with the bridge. At that point, everything is lights out.
Similar guide here: https://protectli.com/kb/how-to-enable-lan-bridge-in-opnsense/

**OPNsense Bridge Menu
**Under the Interfaces tree select Assignments
**Change the LAN interface to bridge0 and click Save
**Note: At this point access to the web interface will be lost. Plug into either port OPT1 or OPT2 to regain access.

-->lights out.
#14
I cannot get into interface during bridge creation no matter what I do. Please tell me what I'm doing wrong:
WAN: hn0 - "External" virtual switch - plugged into modem
LAN: hn1 - "Internal" virtual switch
LAN1-4 + LANWIFI: hn2-5+hn6 - "External" virtual switches used for the 4 ports of my add-in NIC and WiFi6, respectively

Steps to reproduce problem:
1. All interfaces enabled
2. LAN is set up with static ipv4. All other non-WAN interfaces are set up with "none" for IPv4/IPv6 configuration type.
3. Bridge0 created with Lan1-4+lanwifi
4. Replacing hn1 with bridge0 on LAN interface leads to no access to OPNSense.

Connecting another PC to one of the other RJ45 does not allow me to access the interface, either. I confirmed that replacing hn1 with hn3 and using hn3 to connect to another PC *DOES* work.

tl;dr I cannot get to the point that I can add hn1 into the bridge to finish setup and it's driving me nuts. What am I doing wrong?