Show Posts



Messages - Cuffs

1
22.1 Legacy Series / Re: Trying to add ssh user, but missing access rights in "Effective Privileges"
« on: April 13, 2022, 09:59:45 am »
Thanks Franco for the clarification.

Also feedback from my side (not knowing if this is a bug and how to raise one).

What really got me off track is:
A user that shall be allowed SSH and has a shell assigned also needs the right "GUI: All pages"

So it seems impossible to add users with only SSH access at the moment.
Not sure if this works as designed or not?

ty
Christian

2
22.1 Legacy Series / Trying to add ssh user, but missing access rights in "Effective Privileges"
« on: April 10, 2022, 09:23:31 am »
Hi

I'm trying to create a user which has SSH login rights.

From https://docs.opnsense.org/manual/how-tos/user-local.html I know I should set that right via a group or directly on the user itself under "Effective Privileges" by assigning "User - System - Shell account access"

But I'm missing that item. There are no "User -" items like in the screenshot in the link above.


I only see access rights for GUI I could assign (see attachment).



Am I blind? Or is there something else to be done?

ty,
Christian

3
22.1 Legacy Series / Re: VLAN Interface Errors
« on: February 09, 2022, 07:24:58 pm »
Quote from: ajm on February 09, 2022, 07:01:46 pm
igb0 itself is not configured as an Interface.


This might be the problem

Assign igb0 without ipv4 or ipv6 settings.

I guess then the GUI settings will work

cheers
Christian

4
22.1 Legacy Series / Re: Should I migrate 19.1 to 22.1 performance-wise?
« on: February 08, 2022, 06:16:07 pm »
Do you use bridges?
If so, FreeBSD 13 has improvements there

5
22.1 Legacy Series / Re: Big performance loss after upgrade
« on: February 06, 2022, 04:28:54 pm »
Ok,
lacking the skills to really follow @ocochard's benchmarks, I chose to do what he calls the "drunk method".
I tried out random things.

In the end I reinstalled the box with OPNsense 22.1 and rebuilt the config today.
What can I say... performance is back.

Thanks to FreeBSD 13 I can even use bridges now and transfer SMB at ~50 to 75 MB/sec.

I suspect some tunables carried over from 21.7 might have caused my issues, but this is only a wild guess.


Just wanted to let the internet know what solved the problem for me.

Cheers
Christian

6
22.1 Legacy Series / Big performance loss after upgrade
« on: January 29, 2022, 11:58:24 am »
Hi

This is the topology:

  .------------.
  |  O   igb0  +
  |  P         |          .------------.     .------------.
  |  N   igb1  +--Trunk--+   Switch    +- - +    RPi      |
  |  s         |          .------------.     .------------.
  |  e   igb2  +
  |  n         |          .------------.
  |  s   igb3  +----------+   Laptop    |
  |  e         |          .------------.
  .------------.

RPi is connected to an access port in VLAN10
Laptop is connected to the default LAN interface on OPNsense (no VLAN)

igb1 is connected to a trunk port, native VLAN10 and some other ones tagged.
(I know it might be better to change to everything tagged, I planned to do that in 22.1)


Before upgrading I performed iperf3 tests and got throughputs of ~900 MBit
After upgrading the same test shows ~300 MBit
No changes were made to any config.

I have read through some articles of https://github.com/ocochard
There I also found the bridge performance issue in FreeBSD 12, which was one of the reasons to update OPNsense to 22.1.

Question:
How do I debug where this bottleneck resides (I'm very sure it is inside the OPNsense box)?
Which on-board tools of OPNsense / FreeBSD 13 can you recommend to look at?

I suspect it has to do with Queues/number of CPUs bound to the interface/interrupts/whatever?


Cheers
Christian

7
German - Deutsch / Re: Creating and using domain lists - Whatsapp problems
« on: January 13, 2022, 10:53:45 pm »
Quote from: fox-octi on January 13, 2022, 04:06:06 pm
Ok,
I understand your approach, which can also be implemented via the firewall rules as long as you know the domains.

It's just that it's far more accurate via the proxy than via domain lists in the firewall.
As soon as large providers with many (dynamically changing) IPs behind one domain and a CDN are involved, it gets difficult with the firewall.
Netflix and Amazon Prime, for example

But I think the proxy won't help you in your case.
It only supports http and https

8
German - Deutsch / Re: Creating and using domain lists - Whatsapp problems
« on: January 13, 2022, 07:19:13 am »
I don't think so, no.

All domains in nas_allow are whitelisted for the host nas
Everything else doesn't get through anyway.

I.e. I control per host/host group which domains are reachable.
If the evil smart TV then tries anything other than Netflix (e.g. an audience measurement by the broadcaster I'm currently watching, via HbbTV), then it's out of luck.

The advantage is precisely the controllability per host.
I catch advertising, malware etc. via Pi-hole, but then on top of that control here where certain hosts are allowed to go.

If there is no acl for a host that the firewall lets through the proxy, then that host can go anywhere.

Just try it out for one host - if it doesn't fit, you delete the files again and that's it.

9
Web Proxy Filtering and Caching / Re: How do I restrict the proxy from allowing access to local networks?
« on: January 13, 2022, 07:05:26 am »
Hi

Yes, the NAT rules that redirect to the proxy

10
German - Deutsch / Re: Creating and using domain lists - Whatsapp problems
« on: January 08, 2022, 03:53:02 pm »
Hello

I had a similar requirement.
I wanted to be able to control which domains the smart TV may browse to and which not.
So a whitelisting of domains per client/client group.

I came to the conclusion that solving this via IP and firewall is too laborious and too imprecise.
With all the cloud infrastructure and the encrypted communication, some IP will always be missing from the list and something won't work.

That's why I now use the proxy transparently with custom ACLs.
These have to be configured on the CLI of OPNsense, though.
For SSL no bump sites I have "." in the GUI, so SSL is not broken open anywhere.

Have a look here:
https://forum.opnsense.org/index.php?topic=21730.msg102455#msg102455

Regards
Christian
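The per-host allow-list approach described in this post and in the reply of January 13 (domains whitelisted per host or host group via custom squid ACLs, with hosts that have no ACL left unrestricted) written out as squid configuration. This is an added example, not the poster's own files and not OPNsense's generated squid.conf; the client addresses, ACL names, list file paths and the assumption that OPNsense includes such a custom file ahead of its default http_access rules are all constructed for illustration.

```squid
# Added example (not from the forum post or the OPNsense template):
# per-host domain allow-lists as squid custom ACLs, kept in a file that
# squid.conf includes before its default http_access rules.
# Addresses, names and paths below are constructed/assumed.

# One src ACL per client or client group that should be restricted.
acl nas      src 192.168.10.20/32
acl smarttv  src 192.168.10.30/32

# Allowed destination domains per group, one entry per line in the
# referenced file. A leading dot (".netflix.com") also matches every
# subdomain; a bare name ("backup.example.com") matches only that host.
acl nas_allow      dstdomain "/usr/local/etc/squid/acl/nas_allow.txt"
acl smarttv_allow  dstdomain "/usr/local/etc/squid/acl/smarttv_allow.txt"

# The first matching http_access line wins: allow the listed domains for
# the group, then deny everything else for that same group. Hosts with no
# src ACL here never match these lines and fall through to the default rules.
http_access allow nas      nas_allow
http_access deny  nas
http_access allow smarttv  smarttv_allow
http_access deny  smarttv
```

A constructed smarttv_allow.txt would then hold lines such as `.netflix.com`. Because TLS is not bumped, squid can only match `dstdomain` against the name it learns from the HTTP Host header or, for intercepted TLS, from the SNI it peeks at; a request from a restricted host whose destination cannot be mapped to a listed name hits the group's deny line, so the lists fail closed. After editing the files, reload squid (in OPNsense by applying the proxy settings in the GUI, or with `squid -k reconfigure` on the shell).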

11
Web Proxy Filtering and Caching / Re: How do I restrict the proxy from allowing access to local networks?
« on: January 04, 2022, 09:19:32 am »
Yes

12
General Discussion / Re: Opnsense and Airplay
« on: January 02, 2022, 11:46:54 pm »
Hi

2 thoughts:

1. wired is on a different subnet and you are not repeating mDNS between subnets
   -> an mDNS repeater must be installed in that case

2. the ports needed for AirPlay are blocked by the firewall
   - filtering bridge might be enabled in case you use a bridge interface
   - if wired is on a different subnet then you must allow AirPlay ports to be routed

br
Christian

13
Web Proxy Filtering and Caching / Re: how to avoid some IP subnets to use transparent proxy
« on: January 02, 2022, 06:26:51 pm »
Hi

Why not include !NoDSTProxy on the first rule as well?

br
Christian

14
General Discussion / Re: Please Make a Donation to OPNsense
« on: January 02, 2022, 06:19:38 pm »
50€ coming your way

The fabulous work the team is doing with OPNsense is definitely worth it.


Thanks & happy new year ;)
Christian

15
Web Proxy Filtering and Caching / Re: How do I restrict the proxy from allowing access to local networks?
« on: January 02, 2022, 04:14:51 pm »
Quote from: fabian on November 13, 2021, 06:16:19 pm
Via a custom ACL. That is AFAIK not available in the Gui

Much too complicated IMO

I do that via a FW alias list containing all the local subnets and use that in the NAT rule pointing to squid as inverted destination.

So the allowed source can access all the external addresses via squid, but is not NATed when the destination is a local LAN IP.
(I also put Firehol etc. block lists there)

br
Christian

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved