Messages - allan

#1
Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
The devs are caught in the middle with the ISC deprecation. Running EOL software is not an option in certain environments and Kea does not offer the same options. This gives users two paths with supported options depending on what their priority is. ISC is still there if EOL is fine. These additional choices bring extra support complexity so I think the devs would prefer not adding dnsmasq. Personally, I would prefer not running 2 DNS servers as well but hostname registration is important to me.
#2
Quote from: milkywaygoodfellas on May 12, 2025, 07:02:19 PM
Still no support for registering DHCP leases from anything other than ISC DHCP?
Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. This is covered in the documentation and walks you through the setup. I recommend someone create a sticky with a link to this doc since there are a lot of questions and discussions right now.
#3
I am also having trouble with my captive portal under 25.1. I use "Enforce Local Group" to lock down access to a specific group, but the portal denies the logins; I've double-checked my credentials. What group privileges should I enable to allow access? I tried "All pages" as a test but it did not work.

As for the captive portal pop-up, I ran tcpdump against my iOS connection. It got the HTTP 302 and connected to the portal with TLS1.2. I then see:

Alert (Level: Fatal, Description: Protocol Version)
This is the server response after Client Hello. It seems lighttpd no longer accepts TLS1.2 and requires TLS1.3 to connect.

Edit: Opened GitHub Issue 8300 for the TLS version.
#4
I am having trouble with my captive portal. The portal requires a username and password, and I assigned a group under "Enforce Local Group" to restrict the users allowed. But this doesn't seem to work under 25.1. I get an error message saying "DENY user (x.x.x.x)" in portalauth/latest.log. Group privileges are set to "Nothing selected" after the upgrade. As a test, I tried setting privileges to "All pages" but authentication still fails.

Is there a specific privilege that allows captive portal logins?
#5
24.7, 24.10 Legacy Series / Re: Aliases broken
August 29, 2024, 03:06:26 PM
Is there a common alias type whose data is missing? Are manually entered Host(s) and Port(s) aliases empty as well?

Logs for URL Table alias fetches are in Firewall > Log Files > General.
#6
Quote from: guyp2k on August 28, 2024, 06:27:42 PM
Finally reaching out for some help after following this thread and applying both patches Franco released the other day, and I am still struggling with IPSEC tunnels dropping. I am terminating between a Sonicwall 2650 and OPNSense, prior to 24.7.2 no issues, now having issues w/ P2 dropping. Below is the issue I think and I have validated that proposals match:

2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ   
2024-08-28T10:25:58-05:00   Informational   charon   06[ENC] parsed CREATE_CHILD_SA request 31 [ SA No TSi TSr ]

The Sonicwall does not have PFS enabled. This is confirmed by the missing MODP_2048 in received proposals. You should pick "default" for your ESP.
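A small checker for this kind of charon mismatch, added here as an example and not part of the post or of OPNsense: it parses the "configured proposals" / "received proposals" lines (sample lines constructed after the ones quoted above) and reports whether the only difference is a DH group the peer never sent, i.e. PFS disabled on the remote side.

```python
"""Diagnose a strongSwan 'no acceptable proposal found' from charon log lines."""
import re

# Constructed sample input, modelled on the lines quoted in the post above.
SAMPLE_LOG = """\
2024-08-28T10:25:58-05:00   Informational   charon   06[IKE] no acceptable proposal found
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2024-08-28T10:25:58-05:00   Informational   charon   06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

# Transform names strongSwan uses for DH groups (PFS) inside an ESP proposal.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
PROPOSAL_RE = re.compile(r"\[CFG\] (configured|received) proposals: (.*)$")


def parse_proposals(log_text):
    """Return {'configured': [...], 'received': [...]} lists of proposal strings."""
    found = {"configured": [], "received": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line.strip())
        if m:
            found[m.group(1)] = [p.strip() for p in m.group(2).split(",")]
    return found


def dh_groups(proposal):
    """Set of DH-group transforms in 'ESP:AES_CBC_256/.../MODP_2048/...'."""
    return {t for t in proposal.split(":", 1)[1].split("/") if t.startswith(DH_PREFIXES)}


def strip_dh(proposal):
    """The same proposal with DH-group transforms removed, to compare the rest."""
    proto, transforms = proposal.split(":", 1)
    rest = [t for t in transforms.split("/") if not t.startswith(DH_PREFIXES)]
    return proto + ":" + "/".join(rest)


def diagnose(log_text):
    """Classify the mismatch as 'match', 'pfs_mismatch' or 'other'."""
    p = parse_proposals(log_text)
    if any(c == r for c in p["configured"] for r in p["received"]):
        return "match"
    # Same cipher/integrity/ESN on both sides but only our side carries a DH
    # group: the peer negotiates without PFS, as in the post above.
    for c in p["configured"]:
        for r in p["received"]:
            if dh_groups(c) and not dh_groups(r) and strip_dh(c) == strip_dh(r):
                return "pfs_mismatch"
    return "other"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```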
#7
Quote from: franco on August 23, 2024, 11:32:50 AM
It actually doesn't matter if we test on FreeBSD or OPNsense kernel because we talk about the same code change.

I'm late to the party, but I got the impression that upstream thinks we did this to ourselves by choosing to diverge from their kernel. Would validating it on a vanilla FreeBSD kernel as @Uwe suggested remove that argument? It is a slippery slope.


Quote from: doktornotor on August 24, 2024, 12:49:34 PM
I'm seriously discouraged from spending time experimenting with all that stuff to find out what else got broken on the way to report it only to be told "that's downstream problem".

Can a quick A-B test with their kernel help here as well? Now, this assumes our kernels are not bifurcated to the extent we lose functionality or significantly affect production. I also do not know how feasible this is, or how much work is involved to do this. It was just a thought after reading @Uwe's comment.
#8
Using the ULA for loopback is a great solution. When I was setting this up, I ended up creating a Dynamic IPv6 Host alias of my WAN SLAAC, and using that as my redirect target. I might switch to using your method instead.
#9
I am not running this hardware, but have you checked out this thread? OP mentioned turning off X2APIC so it might apply here as well.

https://www.reddit.com/r/freebsd/comments/136o9xi/freebsd_on_dell_r730xd_woes/
#10
I can confirm that Bridge Mode must be set to "Disable" if you have static IP addresses assigned. But, /32 is not the correct subnet mask. Check the Static IP Information page for your account. Write down the usable IP range, subnet mask and gateway IP listed there. Then, take that gateway IP and confirm it is set up on your modem. It is listed as "WAN Static IP Address (IPv4)" under the Gateway > Connection > Comcast Network page. If you do not see that entry or if the IP address is different, contact Comcast Business Support. They need to provision that static IP on your modem. Those tend to get lost whenever Support reinitializes the modem. They sometimes think that is a quick fix when you call them for support.
#11
Quote from: Alec246 on May 23, 2024, 12:03:19 PM
Tried everything, IPv6 still goes off :/

If you have not done it already, I suggest turning on Debug logging under Interfaces > Settings > IPv6 DHCP header.
#12
24.1, 24.4 Legacy Series / Re: States and iMessenger
April 21, 2024, 05:12:37 PM
If you are using a time schedule on that rule, those states are automatically cleared when the time comes. Info is at https://docs.opnsense.org/manual/firewall_settings.html#schedule-states
#13
Quote from: franco on March 20, 2024, 11:41:18 PM
According to a customer this works even better than the ISC relay. And the nicest thing is you can now (as in "development release") run DHCP server and relay in tandem. ;)

Gentlemen you had my curiosity ... but now you have my attention.

Thanks franco and team!
#14
24.1, 24.4 Legacy Series / Re: No console menu
February 25, 2024, 05:48:14 PM
Try this as root to put the shell back:

chsh -s /usr/local/sbin/opnsense-shell root
#15
I got this to work only after copying the entire app-layer: section from suricata.yaml and inserting error-policy: ignore at the first indent - same level as protocols:.

The Suricata 7 documentation states that adding app-layer: in custom.yaml overwrites the one in suricata.yaml. I recommend anyone still having issues to try this if disabling IPS is not an option.

Quote
If the same section, say outputs is later redefined after the include statement it will overwrite the included file. Therefore any include statement at the end of the document will overwrite the already configured sections.