Messages - jeremias.winter

#1
Thanks for the quick reply!

"Unfortunately" the error (and I) was way more dumb: The HTTP request did not have the correct Content-Type header because I called the request library with "data=" instead of "json=". Once I changed this, the API calls worked fine.

Sorry for the unnecessary question then, but thanks so much anyway for taking the time to reply!
#2
Hi all,

I have a similar/related problem trying to achieve the same thing.
I use a python script and the "requests" module to update the certificate, and the critical part looks like this:
import requests

try:
    basic_auth = requests.auth.HTTPBasicAuth(tokenname, token)

    cert_uuid = "ed543dbb-6b81-4c92-b831-cd678214a853"
    cert_data = {
        "cert": {
            "action": "import",
            "descr": "MyCertDescription",
            "cert_type": "usr_cert",
            "private_key_location": "firewall",
            "crt_payload": cert,  # string content of certificate file
            "prv_payload": key,  # string content of privkey file
            "csr_payload": ""
        }
    }

    req_url1 = 'https://' + api_url + '/api/trust/cert/set/' + cert_uuid  # replace existing cert
    req_url2 = 'https://' + api_url + '/api/trust/cert/add'               # add as a new cert
    req = requests.post(req_url1, auth=basic_auth, data=cert_data)
    resp = req.json()
except requests.RequestException as exc:
    print("API request failed:", exc)

This sadly returns the following error:

{'errorMessage': 'missing CA key\n error:0480006C:PEM routines::no start line error:0480006C:PEM routines::no start line', 'errorTitle': 'Certificate error'}

And when I just try to upload the certificate as a new item instead of replacing the old one (so using req_url2 instead of req_url1), it returns the following error:

{'result': 'failed', 'validations': {'cert.descr': 'A value is required.'}}

Can anybody help me on this one? It feels like I'm quite close, but somewhere there must be a mistake...

I've already tried/checked the following:
* The API access works (Other API calls work, necessary permissions are granted)
* The certificate itself is correct (wildcard certificate, also used in several other places without problems)
* The contents of cert/privkey are read correctly from the files and the variables "cert" and "key" contain the correct data ("-----BEGIN CERTIFICATE-----" etc etc)
* The certificate UUID comes from the Web UI: I opened the "info" popup for the old certificate and watched in the browser's dev tools which API URL was called --> it contained the UUID
* I even once "replayed" an entire API call from the Web UI that worked there, by copying the URL and POST parameters object from the dev tools to the python code. Still the same errors.

I'd be glad to share the script once it is working.
Any help is much appreciated!
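As an added illustration of the fix described in post #1 (this is not the poster's script), the following standard-library code builds the same /api/trust/cert/set request two ways: once encoded the way requests does for json=, once the way it does for data=, so the Content-Type and body difference behind the "no start line" and "cert.descr" errors is visible without sending anything. The host name, API key/secret and PEM strings are constructed placeholders; the endpoint path and UUID are the ones from the thread.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample PEM strings; a real script reads them from the certificate/key files.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"


def cert_payload(descr, cert_pem, key_pem):
    """Payload shape from the thread: action 'import' with the PEM text inline."""
    return {"cert": {"action": "import", "descr": descr, "cert_type": "usr_cert",
                     "private_key_location": "firewall", "crt_payload": cert_pem,
                     "prv_payload": key_pem, "csr_payload": ""}}


def build_request(api_host, cert_uuid, payload, token_name, token, as_json=True):
    """Return (url, headers, body) for POST /api/trust/cert/set/<uuid>.

    as_json=True reproduces requests.post(..., json=payload): JSON body, application/json.
    as_json=False reproduces the broken requests.post(..., data=payload): the nested dict is
    form-encoded and only the inner *keys* are sent, so the PEM text never reaches the API.
    """
    url = f"https://{api_host}/api/trust/cert/set/{cert_uuid}"
    token_b64 = base64.b64encode(f"{token_name}:{token}".encode()).decode()
    headers = {"Authorization": f"Basic {token_b64}"}
    if as_json:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()
    else:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        body = urlencode(payload, doseq=True).encode()
    return url, headers, body


def body_carries_pem(body):
    """True when the certificate text survived encoding (what the firewall has to parse)."""
    return b"-----BEGIN CERTIFICATE-----" in body


def send(url, headers, body, timeout=30):
    """POST the prepared request and decode the JSON reply (live network call)."""
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())
```

Printing the form-encoded body shows why the "add" endpoint complained that cert.descr was missing: the server received `cert=action&cert=descr&...` instead of the field values.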
#3
Hi, a bit late to the party, but a huge +1 from me for this issue.
Thanks franco for the explanation, this is important to keep in mind. And of course I don't want to criticise all the effort you guys put in to accomplish this. I just want to recommend seeing the nested scrolling as a bug that needs fixing, rather than an "icing on the cake"-style feature request.
#4
Thanks @maverickcdn! I did not notice the "advanced options" toggle.
Great to see that the feature is indeed there and I was just too dumb to see it ;)
#5
This is still a problem. I also need tun-mtu and am therefore currently forced to use the legacy server, with the deprecation notice looming over it.

There even was a related GitHub issue once:
https://github.com/opnsense/core/issues/6758
-- It was about the "port-share" option, but the underlying issue is the same (not being able to set OpenVPN options through the GUI).
This was denied as "not planned".

I really hope that this can be improved. I do understand that OpenVPN options are a nightmare and OpnSense wants to keep the UI tidy, but this feels like Apple removing well-needed features because they think that "you should not need this".
#6
Hi, thanks for the replies!

I just assumed that the APs must be on the same subnet, I've never actually set up such a system before.
If it's better to have them in different subnets, that would be no problem.

Maybe I'm just not understanding WiFi roaming well enough. All the enterprise-grade 802.11__ extensions seem very complicated, and since we do not (yet) have a Radius server, we can't use most of them anyway.
So I think the pragmatic thing would be to stay with our current WiFi hardware, set them all to the same SSID/credentials, and that way "take what we can get" in terms of WiFi roaming, without having to change that much in the network configuration.

But just out of curiosity, how would I set up a roaming WiFi spanning all three sites, where client devices use mainly the uplink of the site they are in? Or is this not possible?
#7
Hi all,

I have a situation that is, I think, a bit unusual. At least for my level of networking expertise :D

I manage a small company network spanning 3 offices that are close to each other, but not directly attached so there is no fixed cabling between them. Each one operates more or less standalone, with its own opnSense device as firewall. We have 2 wireless links set up, connecting the offices (see image for a rough topology sketch).

Currently, each site has its own WiFi networks (one for employees, one for guests). We want to improve this situation, so that we have the same WiFi networks in all offices.

Of course we could just use the same SSIDs and Passwords across the sites, but this has other downsides and I want to take the chance to use more professional equipment that can be managed centrally.

So I was thinking about getting three Access Points (e.g. the Ubiquiti UF6+) and using the UniFi controller software to set them up to "really" broadcast the same network. This would require the APs to be in the same VLAN which I could set up easily (the wireless links are on layer 2 to act as "virtual cables", carrying tagged VLANs).

However, since each of the sites has its own DSL uplink and opnSense firewall, this poses the question which one of those would handle the traffic. Naturally, I want to avoid having only one site handling all the WiFi traffic while the rest needs to go through the wireless links. (However, this would probably still work since performance is not the issue here, neither latency nor bandwidth are particularly critical).

So, my question is: Is this a reasonable plan, and how would I configure the opnSense firewalls to handle this? Or is this idea of a unified WiFi using 3 different uplinks stupid/unfeasible?

Thanks in advance for any input.
#8
Yes I did, thanks so much!
#9
Late to the game, but still: I think this would be quite a handy feature, but also am not sure if it is easily achievable with unbound.

My desired scenario would be similar: Allowing different blocklist configurations for different interfaces, so not only enable/disable DNS blocking per interface. For example, having a "global blocklist" on all interfaces (e.g. for blocking malware/phishing), and additional blocklists per interface (e.g. for blocking certain content).
#10
I have also experienced WAN flapping with v22.1.4. (All Intel NICs, if that's relevant)
Disabling MAC Spoofing and/or IPS did not resolve the issue, neither did a rollback to 22.1.1.
Finally I had to re-install 21.7 to reach stability again.
#11
Update: Yes, this works like a charm. Shame on me for not noticing, and thanks to pmhausen for explaining!
Marking this thread as solved now.
#12
:O

Seems I have overlooked this for quite some time (I have a lot of Host overrides, so the "Domain Override" part is only visible after scrolling).
But yeah, that should do exactly what I need. Thanks for pointing that out!
I will try this as soon as possible.
#13
Thank you for the reply! But I don't see how that would work, maybe I'm not getting it.
AFAIK Domain overrides are specific to one host, giving it an IP that then will not be looked up through the "regular" means. But I don't know the IPs of the hosts in the domain that I want to forward... so all requests to any hosts in that domain need to be answered by a DNS server in that domain.
Is this possible with Domain overrides?
#14
Hi all,

with the 21.7 release, the "Custom Options" field for Unbound was removed. Since this was already announced and the use of this field discouraged for quite some time, this is not a surprise.

However, I find myself wondering if there are plans to make some more features of Unbound accessible via the GUI instead.

For example, I used the custom options to set up DNS forward zones for specific domains. To me this seems like a feature that could be relevant for more people. However, without the field in the GUI you have to connect via SSH/Terminal and change a config file manually. The GUI only supports a general "DNS forwarding" setting, which cannot be restricted to certain domains.

So my question is: Are there any plans to add more configuration options like those forward zones to the opnSense GUI for Unbound?

Thanks and Regards
#15
Thanks for the reply!

While those mechanisms you mention definitely work "outside of the product", we use internal certificates generated by OPNsense for the VPN accounts of our employees.

I guess we have to schedule notifications in our calendar then :-/