Messages

1

Virtual private networks / Re: OpenVPN when accessing proxy server in LAN it sees the remote intenet IP

« on: September 24, 2024, 03:10:37 pm »

From the lack of information you provided here I could guess that you're using public DNS to connect to your proxy which resolves to the WAN IP and results in 403 due to NAT on the client's side. When you use the local IP of nginx you're routed through the tunnel and due to missing NAT everything works.

But again, I might be wrong as you do neither describe IP ranges, possible DNS resolutions nor IP protocols involved.

2

Intrusion Detection and Prevention / Re: Disable hardware checksum offload via Shell

« on: September 21, 2024, 03:12:43 pm »

Another solution is to use

Code: [Select]

ifconfig [-]rxcsum,[-]txcsum
etc.

check its manpage for more options. Or the source code of the web ui for its usage.

https://github.com/opnsense/core/blob/3cbc7927db174f51eec007739b4fcf4247a18948/src/etc/inc/interfaces.lib.inc#L548

3

24.7 Production Series / Re: NTOP problem & REDIS

« on: September 16, 2024, 06:21:13 pm »

First of all:
ntopng default credentials are admin and the password of root from opnsense.

Second:
redis sucks a lot in combination with ntopng. Restart redis. On my machine it crashes from time to time. Probably a memory issue. But due to no need for ntopng any more, I removed both.

4

General Discussion / Re: Trouble in Unbound with Blocking Persistence

« on: September 16, 2024, 03:45:28 pm »

There's no need to flush the state table of the firewall as the firewall remains unaffected by unbound's black listing.

What unbound does is to return NXdomain (if selected) or 0.0.0.0 (default, if not another ip is entered). In both cases, your client's local dns resolver will cache that result for the TTL (time to live). So, when you update the behaviour of unbound due to white or black lists you might want to restart unbound and flush the DNS cache on all affected clients. Or wait for the TTL to expire.

E.g. on windows you can do

Code: [Select]

ipconfig /flushdns if I remember correctly.

5

24.7 Production Series / Re: IPv4 traffic stops when IPv6 is configured

« on: September 03, 2024, 06:40:08 pm »

Interesting scenario.

However, if you want full IPv6 deployment you need to delegate IPv6 address spaces. Enabling IPv6 just for LAN just gives you IPv6 connectivity for the switch.

Hence:
- Get an /48 from HE if not already there
- Configure DHCPv6 on OPNsense to delegate a (let's say) /56 (taken by the switch)
- On the switch make sure it can deal with a delegated prefix
- Check that your OPNsense local networks (LAN, DMZ, WAN) do NOT have the same prefix as the delegated one.

Did you do any of that and if yes, with which outcome?

6

General Discussion / Re: Return Traffic of port forward goes through the wrong wan interface / gateway

« on: September 02, 2024, 05:00:21 pm »

> Will add screenshots of nat, wan and portforward rules below since max 4 attachments

Would be really helpful.

7

24.7 Production Series / Re: 24.7.3 update experience: back online again on android

« on: August 30, 2024, 03:29:53 pm »

In 24.7.2 I found ICMPv6 134 Destination Unreachable before the messages like these, my comments in ():
fe80::xxx (Android device)   -> 2a00:1450:4005:801::200a (google as)   ICMPv6   134   Destination Unreachable (no route to destination)

A neighbor advertisement for the device's gua is not shown until after that destination unreachable. I wonder if that was the issue.

Nevertheless, 24.7.3. works and I will now update the unifi ap's back to the most recent fw.

8

24.7 Production Series / 24.7.3 update experience: back online again on android

« on: August 30, 2024, 11:28:15 am »

Hi,

some of the major glitches w.r.t. IPv6 seemed to have broken android connectivity via wifi. Seems to work with 24.7.3 again.

Was investigating since 24.7.2 because some androids in my network were dropping wifi every now and then. The wifi is provided by unifi UAPs (no gateway). Windows and Linux PCs had no issue. Androids via wired LAN were also fine. I suspect a possible issue with IPv6 that caused the androids to think that wifi has no internet connection and drop it. Unifi firmware downgrades would not have any beneficial effect and could be ruled out.

I also noticed some reporting by OPNsense that fe80:: wants to talk to 2a00::. I don't know if that's relevant to my issues or just an effect during Android's connection drops.

Nevertheless, androids are now online without frequent drops. 24.7.3 fixed it. Hope that helps others with the same issue.

9

24.7 Production Series / Re: NAT stops working

« on: July 29, 2024, 10:16:04 am »

Did you check the firewall logs if something got blocked and why?

10

General Discussion / Re: Only one VLAN Works

« on: July 11, 2024, 08:59:51 am »

Hi,

there's some information missing:
- What's the VLAN's config in OPNSense (Interfaces -> Other types -> VLAN)?
- What's the DNS setting published by your DHCP server? You allow DNS for IoT address - but I found a lot of installations where the LAN IP is used instead. Hene, I allow "This firewall" instead of "<interface> address"


You could also do some debugging:
Using firewall's live view you could check for DHCP packets going in or out that were blocked and check for firewall misconfiguration
Using packet capturing you could identify if there's even some traffic coming in for DHCP.

That way you could isolate the issue to your switch  (no traffic) or OPNsense (traffic blocked)

11

German - Deutsch / Re: DHCPv6 fix?

« on: July 10, 2024, 03:41:19 pm »

aber wenn ich zb. Wireguard nutze oder Seiten die ipv6 nutzen erreiche ist ja der zweck erfüllt.

Ja, man sollte sich nur darauf einstellen, dass es manchmal ganz schnell gehen kann. Wer heute noch denkt, dass sich IPv6 nicht durchsetzt, dem sei auf die Preiserhöhung bei Google und Amazon in diesem Jahr verwiesen. Es wird nicht die letzte gewesen sein. Wenn ich als Anbieter dafür extra zahlen muss, lege ich es entweder um - oder schalte ab.

Und wäre es dann nicht schön, wenn einem das egal sein könnte?

12

General Discussion / Re: Firewall Rules Coming Through an Vlan Interface.

« on: June 10, 2024, 04:33:14 pm »

Hi,

rules are bound to interfaces have two directions: in and out. Exception: Floating is bound to all interfaces, groups to those in the respective group.

In general you deny all traffic by default and add allow rules for the kind of traffic you like to have. That's usually done as in rule on the respective network segment's interface. Out rules make it hard to maintain your firewall.

As a matter of fact I don't understand your network setup. Do you have another router in LAN that connects to VLAN 20 or is VLAN20 also directly available to OPNsense. If the latter is the case: To allow traffic from VLAN 10 to VLAN 20 add a rule on VLAN 10 interface, direction in. Specifiy source VLAN 10 net and destination VLAN 20 net. Ports as required. You can also restrict the IP ranges much further, depending on your needs.

If you have another router on LAN you should first make sure LAN has no other hosts in there. Two routers are usually connected with a transfer network that has its own (IPv4: small) range. If not, you will eventually end up doing permanent trouble shooting because of assymetric routing.

13

General Discussion / Re: Best Practices for a Static /29 - WAN Configuraton and Allocating to LAN Devices

« on: June 05, 2024, 09:14:49 am »

Things you need:

- Virtual IPs on WAN

What might help (Depends on your usecase):
- 1:1 NAT (One host gets 1 public IP via NAT)
- IP Selection for Outbound NAT (Several hosts go public with different hosts)

Alternatively:
- A proper WAN _network_ with 6 hosts (5 hosts from you + 1 gw from ISP)

14

24.1 Legacy Series / Re: Banking App: "something has gone wrong"

« on: May 31, 2024, 05:54:44 pm »

Hi,

apps are usually very generic in their error messages. This might be a DNS problem, a blocked IP, IPv6 requirements, etc. And as you said: It could also be non-networking related.

I'd check the traffic on OPNsense for unmatched expectations. Which DNS come in? Are there packets blocked when starting the app?

15

General Discussion / Re: TCP Sessions killed across VLANs

« on: May 30, 2024, 08:46:41 am »

Hi,

thanks for sharing. Going with floating rules on LAGG is sth new to me. It would explain the odd behaviour of your observations, though. But again, LAGG has not been my business, yet.

Let's see what FreeBSD 14 brings to us.