Messages

1

24.7 Production Series / Re: [SOLVED] IGMP proxy not releasing streams after upgrading to 24.7

« on: July 30, 2024, 05:12:42 pm »

In my case, traffic is dropping back pretty much instant (well, maybe a second) on both interfaces. I think something else is causing this in your case, not sure what though. Have you tried connecting the STB directly to the router instead of behind (non-IGMP snooping enabled?) switches to see if that changes anything?

After another reboot I now see that everything works according to specs  .
Anyway ... thanks for pointing out what to expect. Made me go and question myself and my setup  .

Best regards.

2

24.7 Production Series / Re: [SOLVED] IGMP proxy not releasing streams after upgrading to 24.7

« on: July 29, 2024, 05:37:27 pm »

Good work!

Last question though ... on both LAN- and WAN-side I see that while one stream is about 14Mbps, when I switch channels the consumed bandwidth on the WAN-side doubles for about 3 minutes (to about 28Mbps) , while on the LAN-side it takes about half a minute before everything is back to normal. Is that expected behaviour? Never looked at it in this detail before, so I hope you don't mind me asking 

Best regards.

3

24.7 Production Series / Re: IGMP proxy not releasing streams after upgrading to 24.7

« on: July 28, 2024, 08:23:11 pm »

I think this issue will be fixed as well if the streams are correctly released after the unsubscribe request. I will be available to test stuff next week; I’m more than happy to test potential fixes.

I seem to have the same problems. Restarting IGMP proxy is the workaround I use for now. Happy to help with testing/sharing my config when needed.

Best regards.

4

General Discussion / Re: Passive FTP ports

« on: October 04, 2022, 08:51:33 pm »

If I may I would recommend some light reading. Perhaps the following article can get you on the right track?

https://www.jscape.com/blog/setting-up-an-ftps-server-behind-a-firewall-or-nat-for-pasv-mode-data-transfers

Best regards.

5

22.7 Legacy Series / Re: Subject alternative names on certs broken?

« on: October 02, 2022, 01:24:29 pm »

Some background on SAN, for those who are interested.

The most straight forward type of certificate will have only 1 fqdn and even there you will find that the besides the subject you will also find a SAN entry of type DNS with the same fqdn.

The following code snippets extract the certificate from a website and show the subject name and SAN DNS names.

Code: [Select]

echo | openssl s_client -servername forum.opnsense.org -connect forum.opnsense.org:443 2>&- | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' | openssl x509 -in - -noout -text | grep "Subject:\|DNS:" | sed 's/^[[:space:]]*//'
Subject: CN = forum.opnsense.org
DNS:forum.opnsense.org


Certificates can have more than one fqdn and this will always result in exactly one fqdn ending up being the subject whereas all fqdn's will be added to the SAN-section of the certificate, even the fqdn that is used as the subject.
I've even seen certificates with a subject not used in the SAN-section at all, but while that also works (as long as you don't use the subject name), I would not recommend that for normal use.

Code: [Select]

echo | openssl s_client -servername letsencrypt.com -connect letsencrypt.com:443 2>&- | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ { print $0 }' | openssl x509 -in - -noout -text | grep "Subject:\|DNS:" | sed 's/^[[:space:]]*//'
Subject: CN = lencr.org
DNS:lencr.org, DNS:letsencrypt.com, DNS:letsencrypt.org, DNS:www.lencr.org, DNS:www.letsencrypt.com, DNS:www.letsencrypt.org


For those who are interested in reading some more about the "Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates", here's a link to the latest information: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf.

6

22.7 Legacy Series / Re: NAT Portforwarding with TPC/UDP and IPv4+6

« on: September 25, 2022, 08:53:13 pm »

To illustrate, the following would have to be done for access to a LAN-host using IPv4 and IPv6 on port 8080.

Firewall: NAT: Port Forward

Code: [Select]

Source Destination NAT
Interface Proto Address Ports Address Ports IP Ports Description

WAN_INTERNET TCP * * WAN_INTERNET address 8080 192.168.1.234 8080 Access from internet to LAN-host
WAN_INTERNET UDP * * WAN_INTERNET address 8080 192.168.1.234 8080 Access from internet to LAN-host

Firewall: Rules: WAN_INTERNET

Code: [Select]

Protocol Source Port Destination Port Gateway Schedule Description

IPv6 UDP * * 2001:0db8:1234::234/64 8080 * * Access from internet to LAN-host
IPv6 TCP * * 2001:0db8:1234::234/64 8080 * * Access from internet to LAN-host

7

22.7 Legacy Series / Re: NAT Portforwarding with TPC/UDP and IPv4+6

« on: September 25, 2022, 08:34:31 pm »

Eh ... When trying to get IPv4 and IPv6 connectivity from the internet to a specific host on the LAN-side, I would make a NAT port forward rule for IPv4 and a normal allow rule for IPv6 on the WAN-interface. No need to NAT IPv6, right?

Best regards.

8

Dutch - Nederlands / Re: Hoe kan ik devices van WAN naar VLANs krijgen

« on: September 12, 2022, 07:58:58 pm »

Hoe bedoel je precies de Ziggo box er tussen uit?

https://www.ziggo.nl/klantenservice/internet-wifi/bridge-modus

9

Dutch - Nederlands / Re: Hoe kan ik devices van WAN naar VLANs krijgen

« on: September 09, 2022, 03:56:24 pm »

Topic Starter

Dank u! 

10

Dutch - Nederlands / Re: Hoe kan ik devices van WAN naar VLANs krijgen

« on: September 08, 2022, 07:52:50 pm »

No worries. Was in een bijdehante bui  .

Nu heb je mij weer een beetje ... wat is (een) TS?

11

Dutch - Nederlands / Re: Hoe kan ik devices van WAN naar VLANs krijgen

« on: September 07, 2022, 09:20:39 am »

En voor het geld hoe je het niet te laten. Ik gebruik een GS108Ev3 van 30 tientjes ofzo.

300 euro, Daar kan ik er ongeveer 10 van kopen 
(https://tweakers.net/pricewatch/424304/netgear-prosafe-gigabit-plus-gs108ev3.html)

12

22.7 Legacy Series / Re: OpenSSL not honouring cipher selection?

« on: September 02, 2022, 05:16:59 pm »

@RZR, I think you got things mixed up.

Not talking TLSv1.3 specifics right now, but ...

With RSA-certificates you can achieve PFS. PFS only depends on the key exchange method.

With RSA key exchange a symmetric key is exchanged "over the line" so when someone obtains the private key, traffic can be decrypted when listening in on (or replaying recorded) traffic. When using Diffie-Hellman a symmetric key is "calculated" and never sent "over the line", so it can't be found by listening in on (or replaying recorded) traffic.

Hope that makes sense? 

13

22.7 Legacy Series / Re: Opnsense 22.7.3 missing

« on: September 01, 2022, 05:57:45 pm »

https://forum.opnsense.org/index.php?topic=30145.msg145541#msg145541

The update is pulled for now.

14

22.7 Legacy Series / Re: Error after upgrade to 22.7.3

« on: September 01, 2022, 05:35:40 pm »

Pulled update for now, patch likely going to be https://github.com/opnsense/core/commit/3b39e2d1f6 but this is fishy library handling as the certificate in question seemed to work. It's imported, but no complaints before, especially not pre-phpseclib when we had "native" CLR patching in PHP 7.

Did this cause:

Code: [Select]

Checking packages: ........................
opnsense-22.7.3 version mismatch, expected 22.7.2
Checking packages: ..
opnsense-lang-22.7.3 version mismatch, expected 22.7.1
Checking packages: .
opnsense-update-22.7.3 version mismatch, expected 22.7.2
Checking packages: .............
php80-phpseclib-3.0.14 version mismatch, expected 2.0.37
Checking packages: ......................... done
***DONE***
Apart from that I experienced no issues after the upgrade.

15

22.7 Legacy Series / Re: OpenSSL not honouring cipher selection?

« on: September 01, 2022, 11:33:50 am »

@RZR.

Copy that. When using that cipherselection it will exclude the TLSv1.2 RSA-ciphers automatically when using ECDSA certificates. When assembling a cipher selection string the way I did, and not specifically naming each cipher, you can end up with extra ciphers.

But if you insist, by adding !aRSA you can also exclude the RSA-based (and I quote from the openssl manual page: "cipher suites using RSA authentication, i.e. the certificates carry RSA keys") ciphers 

Code: [Select]

ciphers -V -ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ECDHE+AESGCM:\!AES128:ECDHE+CHACHA20:\!aRSA