Messages - mater

#1
I'm using port 443 on the WAN interface for my WireGuard VPN,
so I can use it on public Wi-Fi (most don't block port 443 TCP/UDP).

How do I have to configure HAProxy so it only uses this port locally?
I only use SSL + reverse proxy internally and over the VPN.
#2
@franco

1. Your renew script is working  :)
2. I think I found the issue why it sometimes resolves an old IP.

I looked in the Unbound stats and discovered that the URL of the WireGuard endpoint address gets resolved from the Unbound cache.
When this entry is old, you get the old IP address, even when the external DNS server already has the new IP.

Wouldn't it be better to always resolve the WireGuard endpoint address with the external DNS servers that are set up at System/Settings/General?
Then no additional settings would be necessary to have the re-resolve cron job running.
#3
Sorry for the late reply!

Quote: Yes and no. It's the same idea but a different script to avoid bash. It should already work without a cron job on a dynamic connection like PPPoE or DHCP.

You mean the OPNsense box will re-resolve the DynDNS address when it gets a new IP itself?

But to get the new IP of the peer (when it changes), I need to run "Renew DNS for Wireguard in stale Connections" with cron. Am I right?

I have now set the cron to run every minute, so I can see today (the peer's DSL is not very stable) or at least tomorrow (after the 24h reconnect) whether it has worked  ;)

Quote: I can understand that.  ;)

Aha, someone here speaks German :)

But for the other users here I'll keep writing in English, even though I'm really bad at it  :D
#4
What does the new cron job "Renew DNS for Wireguard in stale Connections" do?
Does it start the script "reresolve-dns.sh" from the wireguard-tools provided by WireGuard itself?
Then it should work!

@franco
The situation here is that in Germany, for example, many ISPs hand out dynamic IPs with a forced reconnect once every 24 hours.
So we have to use a DynDNS service for WireGuard connections!
#5
German - Deutsch / Re: ACME hosting.de DNS-Challenge
August 05, 2022, 11:44:51 AM
Thanks 👍

EDIT 19.08.22:
It works again now, the TXT records are being created!
#6
Ok, I already suspected that the display is correct.
The numbers add up when you do the math.

I don't know how it is in 22.x now, but as far as I know the management interface used to have to be untagged.
I'll have to take a closer look at that when I have time.
#7
Hi,

I have the following setup:
1x network port as a VLAN trunk, i.e. the management interface + the VLANs run on that port to a switch.
The switch then distributes the VLANs to their corresponding ports.

What puzzles me now is that the traffic apparently gets counted on the management interface as well.
Is this new behaviour in 22.x?

I have attached a few screenshots.
#8
German - Deutsch / ACME hosting.de DNS-Challenge
May 24, 2022, 08:18:39 PM
Hi,

could it be that hosting.de has changed/adjusted its API?

I can no longer perform a DNS challenge with the hosting.de API included in ACME,
because the TXT record cannot be created.

Here is an excerpt from the log, with the corresponding data redacted:
Error add txt for domain:_acme-challenge.domain.de
Calling: _hostingde_addRecord() '_acme-challenge.domain.de' 'xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx'
Adding txt value: xXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXxXx for domain: _acme-challenge.domain.de
Found domain api file: /usr/local/share/examples/acme.sh/dnsapi/dns_hostingde.sh

Does anyone use hosting.de for their domains and could double-check this?

hosting.de API: https://www.hosting.de/api/
#9
Yes, but in OPNsense 21.7 I didn't have that issue with the same Realtek NICs.

So yes, Intel NICs are better in this regard  :)
#10
Now I have finally received my new device with Intel NICs from China.
It has the exact same CPU and RAM configuration.

I cloned the system 1:1 to the new device and assigned the NICs.

I get full gigabit now!

@franco
So I think it is an issue with the new Realtek driver.
#11
I have a simple setup, only with VLANs and some firewall rules.
It is also running DDNS and WireGuard.

Yesterday the firewall crashed completely.

I have ordered a new device with Intel NICs to compare against the Realtek NICs.
But I think it will take 2 to 3 weeks to be delivered to Europe because of the Chinese holidays.

I will investigate further and keep you updated.

Thanks.
#12
Thank you for the link!

I have attached pictures showing that all interfaces are assigned.
The parent interface "Management" is also assigned.

All hardware offload settings are off.

Have I missed something?
I didn't find any other offload settings.
#13
I read the release notes, but I don't know which issue you mean.
Can you please say which issue you are referring to?
#14
As written in my first post, I have installed this plugin. Without the plugin the NIC doesn't get recognized.
#15
I tested the connection with iperf3.
The speed between OPNsense 22.1 and my computer over the virtio NIC is fine.

I think it could be one of 2 things:
the Realtek driver
or
a routing speed issue in 22.1