Messages

[+1]

Hi, a bit late to the party, but a huge +1 from me for this issue.
Thanks franco for the explanation, this is important to keep in mind. And of course I don't want to criticise all the effort you guys put in to accomplish this. I just want to recommend seeing the nested scrolling as a bug that needs fixing, rather than an "icing on the cake"-style feature request.

Thanks @maverickcdn! I did not notice the "advanced options" toggle.
Great to see that the feature is indeed there and I was just too dumb to see it ;)

This is still a problem. I also need tun-mtu and am therefore currently forced to use the legacy server, with the deprecation notice looming over it.

There even was a related GitHub issue once:
https://github.com/opnsense/core/issues/6758
-- It was about the "port-share" option, but the underlying issue is the same (not being able to set OpenVPN options through the GUI).
This was denied as "not planned".

I really hope that this can be improved. I do understand that OpenVPN options are a nightmare and OpnSense wants to keep the UI tidy, but this feels like Apple removing well-needed features because they think that "you should not need this".

Hi, thanks for the replies!

I just assumed that the APs must be on the same subnet, I've never actually set up such a system before.
If it's better to have them in different subnets, that would be no problem.

Maybe I'm just not understanding WiFi roaming good enough. All the enterprise-grade 802.11__ extensions seem very complicated and since we do not (yet) have a Radius server, we can't use most of them anyway.
So I think the pragmatic thing would be to stay with our current WiFi hardware, set them all to the same SSID/credentials, and that way "take what we can get" in terms of WiFi roaming, without having to change that much in the network configuration.

But just out of curiosity, how would I set up a roaming WiFi spanning all three sites, where client devices use mainly the uplink of the site they are in? Or is this not possible?

Hi all,

I have a situation that is, I think, a bit unusual. At least for my level of networking expertise :D

I manage a small company network spanning 3 offices that are close to each other, but not directly attached so there is no fixed cabling between them. Each one operates more or less standalone, with its own opnSense device as firewall. We have 2 wireless links set up, connecting the offices (see image for a rough topology sketch).

Currently, each site has its own WiFi networks (one for employees, one for guests). We want to improve this situation, so that we have the same WiFi networks in all offices.

Of course we could just use the same SSIDs and Passwords across the sites, but this has other downsides and I want to take the chance to use more professional equipment that can be managed centrally.

So I was thinking about getting three Access Points (e.g. the Ubiquiti UF6+) and using the UniFi controller software to set them up to "really" broadcast the same network. This would require the APs to be in the same VLAN which I could set up easily (the wireless links are on layer 2 to act as "virtual cables", carrying tagged VLANs).

However, since each of the sites has its own DSL uplink and opnSense firewall, this poses the question which one of those would handle the traffic. Naturally, I want to avoid having only one site handling all the WiFi traffic while the rest needs to go through the wireless links. (However, this would probably still work since performance is not the issue here, neither latency nor bandwidth are particularly critical).

So, my question is: Is this a reasonable plan, and how would I configure the opnSense firewalls to handle this? Or is this idea of a unified WiFi using 3 different uplinks stupid/unfeasible?

Thanks in advance for any input.

Yes I did, thanks so much!

Late to the game, but still: I think this would be quite a handy feature, but also am not sure if it is easily achievable with unbound.

My desired scenario would be similar: Allowing different blocklist configurations for different interfaces, so not only enable/disable DNS blocking per interface. For example, having a "global blocklist" on all interfaces (e.g. for blocking malware/phishing), and additional blocklists per interface (e.g. for blocking certain content).

I have also experienced WAN flapping with v22.1.4. (All Intel NICs, if that's relevant)
Disabling MAC Spoofing and/or IPS did not resolve the issue, neither did a rollback to 22.1.1.
Finally I had to re-install 21.7 to reach stability again.

Update: Yes, this works like a charm. Shame on me for not noticing, and thanks to pmhausen for explaining!
Marking this thread as solved now.

:O

Seems I have overlooked this for quite some time (I have a lot of Host overrides, so the "Domain Override" part is only visible after scrolling).
But yeah, that should do exactly what I need. Thanks for pointing that out!
I will try this as soon as possible.

Thank you for the reply! But I don't see how that would work, maybe I'm not getting it.
AFAIK Domain overrides are specific to one host, giving it an IP that then will not be looked up through the "regular" means. But I don't know the IPs of the hosts in the domain that I want to forward... so all requests to any hosts in that domain need to be answered by a DNS server in that domain.
Is this possible with Domain overrides?

Hi all,

with the 21.7 release, the "Custom Options" field for Unbound was removed. Since this was already announced and the use of this field discouraged for quite some time, this is not a surprise.

However, I find myself wondering if there are plans to make some more features of Unbound accessible via the GUI instead.

For example, I used the custom options to set up DNS forward zones for specific domains. To me this seems like a feature that could be relevant for more people. However, without the field in the GUI you have to connect via SSH/Terminal and change a config file manually. The GUI only supports a general "DNS forwarding" setting, which cannot be restricted to certain domains.

So my question is: Are there any plans to add more configuration options like those forward zones to the opnSense GUI for Unbound?

Thanks and Regards

Thanks for the reply!

While those mechanisms you mention definitely work "outside of the product", we use internal certificates generated by OPNsense for the VPN accounts of our employees.

I guess we have to schedule notifications in our calendar then :-/

Hello everyone,

first time posting here, so if this is the wrong topic, please feel free to move the thread.

I have a question that was asked on this forum once before (https://forum.opnsense.org/index.php?topic=10860.0), but got no replies/answers. It's pretty simple:
"Is there a way to get notified when certificates are about to expire?"

In our case (as was in the post linked above), it's about SSL certificates used for VPN. It would be a good idea for other certificates too, I guess.

Thanks and regards