Messages

Screenshots for clarity:

Hello,

Doing a fresh install of OPNsense on 26.1, having used v25 in the past. I noticed two things in the new "Firewall Rules [new]" that I believe are worth calling out for improvement.

• When creating a new rule, it's unclear if "Interface" is actually being parsed for the rule or if it's a display value to help with filtering. If it's a display, I'd expect it to say "(not parsed)" or similar in the help text, like the Description and other not parsed fields. If it is parsed, how is it different than the Source value? I checked the wiki, and this isn't called out clearly: https://docs.opnsense.org/manual/firewall.html#interface-filter. The wiki seems to describe interface filtering on the rules page, not in creating a new rule or the purpose of that value.
• Moving forward under the assumption it's a non-parsed value to be used for filtering, I set the "Invert Interface = true" and Interface = WAN. In Source, I selected all net except my "WAN net". I'm now creating a rule that should apply to all Interfaces except my WAN. However, when I go back to the Rules list and filter by interface, I can't find that rule under any category. It should appear under all interfaces except WAN, but instead, it's only available under "All rules". With anyfilter applied, it's missing.

Let me know if I'm wrong on the above please!

Have a good one!

[Final Update: All is now working.]

Final Update: All is now working.  8)

Summary: If you disable IPv6 while DHCPv6 is enabled, the Web UI is bugged and won't let you configure other DHCPv6 settings because the "Enable DHCPv6 on $interface interface" box is checked. Unfortunately, this box is hidden, so you won't be able to uncheck it from UI.

Steps to resolve the issue if you've disabled IPv6 with DHCPv6 still enabled/running:

• SSH to the machine and run "ifconfig | grep ::1". You should see a line returned, which is from the lo0 interface
• Run these to get rid of that stuck config:
  ifconfig lo0 inet6 ::1 delete
  ifconfig lo0 inet6 fe80::1 delete
• Now go to Interfaces: [LAN] and set "IPv6 Configuration Type to "Static IPv6"
• Under the "Static IPv6 Configuration" block, set the IP address to ::1 and dropdown 128. Click Save
• Now you should be able to go to Services: DHCPv6: [LAN]. Uncheck "Enable DHCPv6 server on LAN interface. Click Save". All of the prior steps were to get this checkbox to even be available in the UI.
• Go back to Interfaces: [LAN]. Now you can set IPv6 Config Type to "Track Interface" and point it to the WAN below. I also had to check "Allow manual adjustment of DHCPv6 and Router Advertisements" (or DHCPv6 service wouldn't start again). Save again.
• Reboot - This was crucial. Under Services: DHCPv6: [LAN], my available range had an error: No available address range for configured interface subnet size. Reboot fixed this.
• Finally, I could go to Services: DHCPv6: [LAN] and "Enable DHCPv6 server on this interface". I set the Range from "::" to "::ffff" according to https://homenetworkguy.com/how-to/configure-ipv6-opnsense-with-isp-such-as-comcast-xfinity/
• Click Save and validate DHCPv6 is now running as expected.

There's definitely a bug in the Web UI, because all of this should not be necessary to get in this exact order. Specifically, if you need to disable DHCPv6 service for an interface, that box needs to be available in the UI, which it's not.

Progress!

From this thread: https://forum.opnsense.org/index.php?topic=12384.msg56931#msg56931
I took the steps from 3kj2w:

Code Select Expand

ifconfig lo0 inet6 ::1 delete
ifconfig lo0 inet6 fe80::1 delete

I wasn't able to Track Interface, but I was able to now set a Static IPv6 config (::1/128).
Now DHCPv6 could at least start and I could get to Services: DHCPv6: [LAN], which previously didn't show up.
Then I could uncheck "Enable DHCPv6 on this interface".
Then I could switch Interfaces: [LAN] IPv6 Configuration Type to Track Interface.

It seems there's a bug where turning off DHCPv6 doesn't modify the config files. So if you disable DHCPv6, maybe you can't re-enable it? I don't know specifics yet.. but I'm making progress.

[Track Interface Error]

Hello,

Version: 23.1.10_1-amd64

Symptom: After extended downtime, IPv6 broke completely. I disabled IPv6 and everything worked. I tried to re-enable IPv6 and OPNsense UI won't let me. DHCPv6 service permanently stoppped.

Details:
I previously had IPv6 working fine. I did some extended maintenance in my network and my modem was unplugged for hours. When everything was restarted, Comcast assigned me a new IPv4 IP, and I assume they assigned me a new IPv6 too, but can't confirm.

After getting everything powered up, IPv6 wouldn't work (ping, requests, everything timed out). I followed this guide to disable IPv6: https://www.thomas-krenn.com/en/wiki/OPNsense_disable_IPv6. Afterwards, everything worked! Great, so I'll just undo everything that I did - Wrong..

Under Interfaces: [LAN], I tried to set "IPv6 Configuration Type" to both "Track Interface" or Static IP (set to ::1/128).

• Track Interface Error: The DHCPv6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration.
• Static IPv6 Error: This IPv6 address is being used by another interface or VIP.

• The DHCPv6 service will no longer start at all.
• The radvd service won't start from GUI, but I can manually start it from CLI with "/usr/local/etc/rc.d/radvd onestart"
• I don't see any updates in /var/log/dhcp/latest.log when I try to start it. Maybe there's a different log for v6?
• Perhaps the loopback interface is claiming ::1/128? "ifconfig" shows for lo0: inet6 ::1 prefixlen 128

Thoughts on how I can undo what I did and re-enable IPv6? I've tried following https://homenetworkguy.com/how-to/configure-ipv6-opnsense-with-isp-such-as-comcast-xfinity/, but obviously fail when I get to setting the IPv6 Config Type.

Based upon that block, I changed to the cli arguments accordingly and it then worked:

Code Select Expand

redacted

Your code is missing the space between cipher and hash (before -md). This will work. Thanks for this btw, it was great!:

Code Select Expand

grep -v "config.xml" encrypted_config.xml | tail -n +6 | openssl enc -base64 -d -aes-256-cbc -md sha-512 -iter 100000 -out decrypted_config.xml

The old dyndns package is still in the repos for 22.1, I tried a fresh install over the weekend, it's there. So no problem, you can update. I have no Realtek Nics though and I havn't tried every feature in 22.1 yet...

If I'm moving from 21.7, is it going to remove dyndns or automatically install ddclient in addition?

Well.. I have no idea how OPNsense ended up in that position, but your solution fixed it. Root didn't have any permission issues at the OS level, so I was able to easily just copy a good backup in place of the existing config.xml and a reboot restored everything to the way it should be.

I'll be setting up automated config backups now on this system, since I didn't have those enabled before.

Thanks marjohn56 & Inxsible!

That makes sense! Wasn't sure how to apply config from shell. I don't seem to be limited as root on the shell, so I'll give that a shot tomorrow once an outage is acceptable in the house.

Thanks!

On Android there is an app called Youtube Vanced. I believe it is usually recommended in place of the stock Android app.

I am a Pihole user, and unfortunately Pihole can't do anything for Youtube ads. They use the same domain as videos and other critical resources, so there's no way to block them at the domain level.

If I recall correctly, the last edit I made in any of the sections was not to the root user, but to the extra user I created. The user already existed and was an admin, but I couldn't SSH. So for testing purposes, I added the user to the admins group, and I edited the "Effective Permissions" under this user. I clicked "Select all" and saved. I'm not sure which action it was, but since that point, I haven't been able to make changes to any user as the root user.

Hmm.. I grabbed a safe backup file, tried to apply in the UI (as root user) and it says:
The following input errors were detected:
You do not have the permission to perform this action.

I don't understand. Somehow root lost permissions?

I checked in the UI, and

• There are only 2 users (root and my user)
• They are both recognized as system admins (denoted by red user icon).
• There is only 1 group (admins) and both users are part of it

I've logged in via SSH.

• root and the user are still part of the admins group, according to /etc/group

Root user can still do other things. I created a Firewall rule just fine and could delete it. But I can't seem to do system administration, even on the root user. I can't create a new user either, even just a low level user - not an admin.

Hello,

Running the latest 21.1.4. I'm currently logged in as root.

This morning I created a new user and assigned him to the admin group. I couldn't login as that user, so I gave him escalated rights by editing "Effective Privileges" under the user just to test. It seems as soon as I did this, the user became untouchable. I can no longer edit anything, including even adding a name or description.

I logged into the console and removed the user from admins group, but I assume OPNsense isn't reading the OS level groups? "pw groupmod admins -d <user>" and he's no longer an admins user, but the Web UI still shows him in the admins group.

The user has a certificate linked to him, but I can't remove it from certs page, and I can't edit the user to unlink it either.

When I go to the WebUI Groups, I have just the "admins" group, with 2 members (root and this user). I've rebooted, but no change.

I'm wary of messing around too much on the console side, as I don't want to remove him in the OS, but have config files or something that still reference him in OPNsense.

Thoughts on how to make this user editable again? I don't know his password, so I can't login as him to the WebUI or SSH.