Messages - zerwes

#1
Hello Franco

Well, indeed someone else might be missing it too.

I assume it will be available in the repo with the next release?

So thank you for adding it, and manual install is no problem in our case, as the playbook includes a task for this.
In my case I have already merged a PR that runs the script in question in a venv, so I can wait ...

Thank you for your support and explanations

Greetings
Klaus
#2
Hello Franco.

Thank you for your reply and explanation.

Quote from: franco on March 27, 2025, 08:37:28 AM
Just to be clear: what scripts are we talking about? Official Python scripts found somewhere (with a link just for reference) or custom scripts you've written yourself?

With my head down, I have to admit that rather the latter is the case ...
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-checkmk/blob/main/files/firmware_status.py


So I will refactor that in order to use a venv (as Patrick suggested in #2)
#3
Since 25.1.4 (https://forum.opnsense.org/index.php?msg=233320) the updated installation is missing py311-setuptools.
The package is not available in the repository.
As some monitoring scripts we use rely on this, we need a fix for this.
Is this an error that will be fixed soon, or will the setuptools package be gone forever?

Thank you for any hints.
#4
22.1 Legacy Series / Re: Floating rule issues
May 20, 2022, 07:26:15 AM
https://docs.opnsense.org/manual/firewall.html#processing-order
And the "quick" setting might be important here ...
#5
Quote: ... I will push to Github and you can take a look.
Great! Always interested and curious
Quote: There is a new feature in OPNsense that allows the importer to find CDs, and this fits perfectly.
Yes, I have followed the thread and seen the new feature with interest too ... The ideal for me would be a process similar to what we have done for Linux for ages: build a customized preseeded CD image that brings up the device with a working basic configuration and hands it over to the config management tool in use for finishing ...
Quote: For WireGuard, because it is a plugin, there needs to be a triggering event for the packages for the plugin to be installed.
Thanks for the hint, but I am aware of this ...
Using ansible we install packages and plugins too (https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-plugpack), but maybe something went wrong in the order ...
The trick with the update process sounds quite interesting ... will note this, thanks.

Thanks for the feedback and looking forward to your GitHub repo.
#6
Sounds interesting ...
btw. the ansible playbook I linked surely can be used to create an initial config:
https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense-playbook/blob/main/firewalls.yml#L24:L31
and we use it right this way: initial deploy and continuous maintenance based on the same tool and configuration ... but that is another story, don't mind ...

Is the WireGuard cfg you generate working if you apply it on a virgin install?

In the env where we use the generated cfg from scratch we use IPsec VPNs, and these work out of the box: (generate cfg, install opnsense, copy generated config.xml in place, reboot, works)
Just as a test I tried once a device with additional WireGuard config from scratch, but no wg instance was started ... as it is not our prod env and not the main problem at the moment, I did not dive deeper into it. (was at least more than a year ago, maybe the updates since then changed behavior ...)
Just interested whether your approach creates a working wg config or whether just injecting a valid wg config in xml format is not sufficient ...

So some notes on the deploy experience would be appreciated ...
#7
Off topic, as it is not a Jupyter Notebook.
But the ansible playbook from https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense uses a (fetched) config.xml and ensures some settings based on configurations made in yaml files before provisioning them back to the device ...
So if you skip the config.xml fetch and push step, you have the same effect ... validating could surely be implemented if someone is willing to contribute this ...
#8
I have implemented this in our ansible role for unbound + dnsbl (https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound)
If I find the time, I can open a PR, or if you like, you can do this too ... the main lines are https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-role-unbound/blob/main/templates/unbound-dnsbl-updater.py.j2#L82:L96 ... it is open source ...
#9
QuoteIt is not as intuitive as it could be
... at least the docs are updated.
#10
I would prefer the usage of
local-zone: "donaldtrump.com" redirect
local-data: "donaldtrump.com A 0.0.0.0"

in order to block duck.donaldtrump.com and f... and s... etc...
As it will have the same behavior of returning 0.0.0.0 instead of NXDOMAIN ...
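The point of the `redirect` zone type above is that one entry answers for the whole subtree, so the blocklist does not need every subdomain spelled out. The following is an added example (not the poster's code and not the linked ansible-role-unbound updater) that collapses a blocklist to its covering parents, renders the `local-zone`/`local-data` pairs in the form shown above, and emulates which query names a redirect zone catches versus an exact-name-only entry. The blocklist and query names are constructed for illustration; the 0.0.0.0 answer matches the post.

```python
"""
Generate unbound blocklist entries using the "redirect" local-zone type,
so every subdomain of a listed name resolves to 0.0.0.0 as well.

Added example; not the poster's or the linked role's code. The domains used
in the tests/usage are constructed for illustration.
"""

BLOCKED_IP = "0.0.0.0"


def normalize(name: str) -> str:
    """Lowercase, strip whitespace and a trailing dot (so 'Foo.Example.com.' == 'foo.example.com')."""
    return name.strip().lower().rstrip(".")


def collapse(domains) -> list:
    """
    Drop entries already covered by a parent entry: a redirect zone for
    "example.com" already answers for "www.example.com", so listing both
    is redundant. Parents are processed first (fewer labels), children are
    dropped when a kept parent matches. Returns a sorted list.
    """
    names = sorted(
        {normalize(d) for d in domains if normalize(d)},
        key=lambda n: (n.count("."), n),
    )
    kept = []
    for n in names:
        if not any(n == p or n.endswith("." + p) for p in kept):
            kept.append(n)
    return sorted(kept)


def render_unbound(domains) -> str:
    """Render the local-zone/local-data pairs in the form shown in the post."""
    lines = []
    for n in collapse(domains):
        lines.append(f'local-zone: "{n}" redirect')
        lines.append(f'local-data: "{n} A {BLOCKED_IP}"')
    return "\n".join(lines) + "\n"


def is_blocked(qname: str, domains, mode: str = "redirect") -> bool:
    """
    Emulate what unbound would answer for a query name.

    mode="redirect": the zone and every name below it get the 0.0.0.0 answer.
    mode="exact":    only the listed name itself is answered (what a plain
                     local-data entry without a redirect zone would do).
    """
    q = normalize(qname)
    zones = collapse(domains)
    if mode == "exact":
        return any(q == z for z in zones)
    return any(q == z or q.endswith("." + z) for z in zones)


if __name__ == "__main__":
    # Constructed blocklist: note the redundant www. entry and the trailing dot.
    blocklist = ["Example.com.", "www.example.com", "tracker.example.net"]
    print(render_unbound(blocklist), end="")
    for name in ("duck.example.com", "example.com", "notexample.com"):
        print(name, "redirect:", is_blocked(name, blocklist),
              "exact:", is_blocked(name, blocklist, mode="exact"))
```

Running it shows that `duck.example.com` is caught only in redirect mode, while `notexample.com` is not caught in either, since the suffix match requires a label boundary (the `"." + z` check) rather than a bare string suffix.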
#11
To give a broad hint here: if you miss something from the documentation, feel free to complete it and create a pull request. Those who use the opnsense firewall regularly will find things obvious and will never miss them from the documentation. Those who are just starting to use it now are the people who are not yet blinded by habit and will realize some things are missing ... everyone can help ...
https://github.com/opnsense/docs/pull/402
#12
Quote: I don't think it's confusing at all.
I agree ... You just have to get used to it. So pointing the OP in the right direction is the way to help.
I just realized this is really missing in the docs ...
And regarding the confusing reordering: I think it is still better than those just allowing to push lines only step by step up and down one position ...
#13
From just that one line I can only guess, but usually these are just callbacks, e.g. with the RST flag set, that get blocked there (often odd application behaviour ...), so not even real traffic ... IMHO that should not be the big problem, as long as there are not loads of them rushing by in the log ...
A more precise diagnosis is really difficult without an exact description ...
You would have to describe it more precisely than "only half of the web interface" ... HTTP(S) either works or it doesn't, but IMHO there are no half states ... unless your VPN is more than unstable and maybe has MTU problems on top ...
So: analyse, break it down to the core, and then you will usually get quite good help ...
Example: analyse the traffic with tcpdump/wireshark when everything works as expected, and then with the problems. Compare the captures and often you have cracked the problem ...
#14
$ curl -s  http://www.haproxy.org/ | grep -i "<title>"
    <title>HAProxy - The Reliable, High Performance TCP/HTTP Load Balancer</title>

... no UDP mentioned there ...
AFAIK haproxy supports udp just for dgram syslog, no other udp is supported ...
And as portforwarding is working several layers below the URL, I am afraid you will be out of luck with this ...
Maybe nginx can help you here (but this is not my field of expertise ...)
#15
From where exactly is what not working properly now? From the DC -> HQ?
The DNS config of the devices would be quite interesting here ... is the opn box involved as a forwarder via dnsmasq or unbound?
And of course the FW rules on the OPN and the HQ FW ...
If so, I would listen in on the opn box on the internal iface using tcpdump or Interfaces: Diagnostics: Packet Capture during a connection attempt and check what goes wrong or ends up in nowhere ...