Messages - danderson

#1
25.1 Development Series / Strongswan 6
January 10, 2025, 07:27:42 PM
@Franco,

Is Strongswan 6 going to be in 25.1?
#2
I do this via MSS and have for years, no issues or concerns using MSS instead of setting MTU on the interface.
#3
Updated with your code, Patrick, and then enabled the option in the client section for my APs; no more error/warning and devices can still connect correctly.

Thx for the fix/update.

Hopefully @Franco can merge it in the next release


Quote from: Patrick M. Hausen on October 17, 2024, 08:53:55 AM
Sorry, I don't know that one with the plugin repo for sure. The repo is used to build the plugins, I doubt you can live patch a running installation with opnsense-patch directly from it.

With "manual" I meant download the diffs and apply them locally. But to make this easier:


cp /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf.bak
fetch -o /usr/local/opnsense/service/templates/OPNsense/Freeradius/clients.conf https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/clients.conf
cp /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml.bak
fetch -o /usr/local/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Client.xml
cp /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml.bak
fetch -o /usr/local/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml https://raw.githubusercontent.com/punktDeForks/opnsense-plugins/56cc9312f184a60e8b0916cffc1e204f3dd225f3/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/dialogEditFreeRADIUSClient.xml


@franco could you help, please? Can one apply this set of patches with opnsense-patch? If yes, how exactly?

https://github.com/punktDeForks/opnsense-plugins/commit/56cc9312f184a60e8b0916cffc1e204f3dd225f3
#4
you need to auth as the mailbox you want to send the message from, see attached pic



Quote from: EvilAchmed on September 12, 2024, 07:26:50 PM
Trying to set up Monit to work with sending an email to Outlook.com. Have everything working but I am getting an error because Outlook does not allow the sending email to be something different than the email address of the account that I am using. As of right now Monit is saying that the sender's email is coming from monit@routername.domain. I need to get this changed to address@outlook.com. Does anyone know if this is possible? I looked in the configuration but could not find any setting like this.

Thanks
#5
mine just started working on chrome and FF with 24.7.4
#6
24.7, 24.10 Production Series / Re: Aliases broken
August 28, 2024, 09:55:22 PM
Firewall > Settings > Advanced > Firewall Maximum Table Entries, Sure you have enough set here? I always have to update this field larger than default when using the maxmind GEOIP data with aliases.
#7
I don't see "magic" rules except for the Tunnel Settings (legacy) site to sites; for the Connections (non legacy) I don't see the same "magic" in Automatically generated rules (end of ruleset).

I don't mind the "magic" as it saves me from having to create a rule for each Site to Site I have; granted, I could prob make 1 ruleset and apply to an alias and add all the site to site IPs in the alias. Just easier with the magic and I'm lazy.

Plus I'm in the process of migrating the last few tunnels I have under legacy to the newer connections.

Quote from: doktornotor on August 26, 2024, 11:23:59 PM
There is no need to add the same rules twice. That said, I'd recommend to set up proper firewall rules manually and untick that "magic" checkbox. Avoid all similar disruption in the future.
#8
@franco,

I see the Automatically generated rules (end of ruleset) after applying both patches and running related commands. Testing now on legacy tunnels.

As for non legacy tunnels we do or do not need to add in WAN rules for inbound IPSEC? I have not added any rules for ESP/ISAKMP/NAT-T and my non-legacy tunnels appear to be working correctly.
#9
We are having similar issues
#10
Delete /var/spool/lock or the contents and subdirs of said folder, I forget which one it was, and restart the service; that's what I've done when getting lock errors and it works. I updated to 24.7.2 and my APCUPSD is working normally.
#11
My radius is still working with this AP; I don't see where to set this option in OPNsense. Any ideas?

Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
Error: Please set "require_message_authenticator = true" for client AP1   
Error: It looks like the client has been updated to protect from the BlastRADIUS attack.   
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   
Error: Setting "require_message_authenticator = true" for client AP1   
Error: BlastRADIUS check: Received packet with Message-Authenticator.   
Error: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
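
The warnings in the post above name each RADIUS client that still needs the explicit setting. As an added example (not part of the original post and not OPNsense or FreeRADIUS code), this sketch scans log lines for those two message texts and lists the affected clients; the AP2 lines and the timestamp prefix are constructed assumptions.

```python
import re
from collections import Counter

# Message texts exactly as they appear in the log excerpt in the post above.
_PATTERNS = {
    "recommended": re.compile(
        r'Please set "require_message_authenticator = true" for client (\S+)'),
    "auto_applied": re.compile(
        r'Setting "require_message_authenticator = true" for client (\S+)'),
}


def summarize_blastradius_warnings(lines):
    """Map client name -> Counter of which warning kinds were logged for it."""
    summary = {}
    for line in lines:
        for kind, pattern in _PATTERNS.items():
            match = pattern.search(line)
            if match:
                summary.setdefault(match.group(1), Counter())[kind] += 1
    return summary


def clients_to_update(lines):
    """Sorted names of clients whose entry should get the explicit setting."""
    return sorted(summarize_blastradius_warnings(lines))


# Constructed sample: the AP1 lines are copied from the post; the AP2 line,
# the Info line and the timestamp prefix are invented for illustration.
SAMPLE_LOG = """\
Error: Please set "require_message_authenticator = true" for client AP1
Error: It looks like the client has been updated to protect from the BlastRADIUS attack.
Error: Setting "require_message_authenticator = true" for client AP1
Error: BlastRADIUS check: Received packet with Message-Authenticator.
Mon Jan  1 00:00:00 2024 : Error: Please set "require_message_authenticator = true" for client AP2
Mon Jan  1 00:00:01 2024 : Info: Ready to process requests
""".splitlines()

if __name__ == "__main__":
    report = summarize_blastradius_warnings(SAMPLE_LOG)
    for name in clients_to_update(SAMPLE_LOG):
        counts = report[name]
        print(f"{name}: recommended={counts['recommended']} "
              f"auto_applied={counts['auto_applied']}")
```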
#12
Chrome ver 127.0.6533.100 and latest FF version are strange with the traffic graph for me; on my iPhone Safari it works fine.

See attached animated gif, it's been like this since 24.7 update
#13
I've seen this on Windows with the OpenVPN client. There are 2 clients; the OpenVPN Connect is where I had these issues with users. I had them use the Community Client https://openvpn.net/community-downloads/ and suffix search was working for me.
#14
@franco

Updated from RC2 and dev kernel to 24.7 Release with no issues/crashes
#15
@franco

Updated kernel and rebooted, did the same steps previously done to cause a crash and no crash this time. I'll keep running this kernel for the day unless you want us to try the 24.7.r2_3 kernel.

Quote from: franco on July 22, 2024, 09:11:53 AM
@danderson @csutcliff and anybody else who would like to help:

# opnsense-update -zkr 24.7.r2_2


Cheers,
Franco