Messages - genfoch01

#1
Thanks! that seems to have addressed my issue.
#2
I added a new NIC (as a guest network) to OPNsense. I followed this guide (https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-captive-portal-on-opnsense). I have only set up the firewall rules and have not started on the captive portal.

Once set up, I was testing and everything seemed to work, but when I was connecting to the firewall itself I would interminably get a lag before pages would load. This seemed to me like a timeout of some kind.

Doing an nslookup on my firewall from my Linux box gave two responses, 1 for each network:

fred@alice:~# nslookup myfirewall.net
Server:         127.0.0.53
Address:        127.0.0.53#53

fred@alice:~# nslookup myfirewall.net
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   myfirewall.net
Address: 192.168.10.1
Name:   myfirewall.net
Address: 192.168.20.1


The .20 is on the new network and has a rule that blocks access to the firewall from that network (see the zenarmor link).

This means when going to my firewall GUI, if DNS resolves to 192.168.20.1, the request times out because the fw rule does not allow access to the GUI on 192.168.20.1.

I have tried adding a DNS override, but this has not solved my issue. (The override IP is given when looking up the override name, but nslookup myfirewall.net still gives both IPs.)

I am not sure how to attack this problem.
Thanks for your time,
GF
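An added example (not from the post or from OPNsense): a small Python check that parses nslookup output like the one above and flags a name that resolves to an address inside a subnet whose firewall rules block the GUI. The guest subnet 192.168.20.0/24 and the "blocked side times out" behaviour are assumptions taken from the post.

```python
import ipaddress
import re

# Constructed sample, mirroring the post's second nslookup run: the resolver
# header plus one answer per network (192.168.10.x LAN, 192.168.20.x guest).
NSLOOKUP_OUTPUT = """\
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   myfirewall.net
Address: 192.168.10.1
Name:   myfirewall.net
Address: 192.168.20.1
"""

# Assumption taken from the post: the guest network is 192.168.20.0/24 and its
# rules deny access to the firewall GUI from that side.
BLOCKED_SUBNETS = ["192.168.20.0/24"]

ANSWER_RE = re.compile(r"^Name:\s+(\S+)\s*\nAddress:\s+(\S+)\s*$", re.MULTILINE)


def parse_answers(text):
    """Return (name, address) pairs from the answer section only, so the
    resolver's own Server:/Address: header lines are not mistaken for records."""
    _, _, answers = text.partition("answer:")
    return ANSWER_RE.findall(answers)


def classify(text, blocked_subnets):
    """Mark each resolved address 'blocked' if it lies inside a subnet whose
    firewall rules deny GUI access, else 'reachable'."""
    nets = [ipaddress.ip_network(n) for n in blocked_subnets]
    status = {}
    for _, addr in parse_answers(text):
        ip = ipaddress.ip_address(addr)
        status[addr] = "blocked" if any(ip in net for net in nets) else "reachable"
    return status


def explain(text, blocked_subnets):
    """The symptom in the post appears when a name has more than one address and
    at least one is blocked: a client that picks the blocked one first waits for
    the connection to time out before retrying, hence the sporadic lag."""
    status = classify(text, blocked_subnets)
    blocked = sorted(a for a, s in status.items() if s == "blocked")
    return {"addresses": status, "blocked": blocked,
            "sporadic_timeout": len(status) > 1 and bool(blocked)}
```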
#3
Thanks for the response. I really need to find a way to allow LAN access to the lansec; I was hoping I could do this through OPNsense. I think I'll try this with Nginx Proxy Manager, though I don't trust it (security-wise) as much as OPNsense.
#4
I have two LANs (lan and lansec, as an example).
To isolate lansec, fw rules block access to LAN and also block access to the fw itself, but do allow internet (WAN) access.

I would like to set up something like captive portal, but have it authenticate traffic that goes from LAN to LANSEC. I don't want anything on lansec forced to authenticate to get onto the network, so this is clearly not the typical use for captive portal.

I unsuccessfully tried using captive portal, but am not sure if this is the appropriate tool. Is there a way to do this?

As an example: if my desktop is on the LAN (it did not need to authenticate to get onto the LAN) and I open a browser and point it to a server on the lansec network, I'd like OPNsense to authenticate me before allowing that connection.

Let me know if more detail is needed, and thanks for your time.
GF
#5
Thanks for the quick response. I will look for a card with the RTL8125 chipset
#6
Running on OPNsense 24.712_4

I added a new NIC to the machine (TEG-25GECTX), a TRENDnet 2.5G port.

When I go to Interfaces -> Overview I can see unassigned interface enc0,
but when I go to Assignments the card is not listed there.
It's also not listed in the dropdown for LAN or WAN.

Is this card not supported, or am I doing something wrong (missing a step)?

Thanks for your time,
GF
#7
Well, I'm a bit disappointed no one was able to tell me how OPNsense uses DuckDB. No, I am not complaining about this forum or anyone who helps people on it, just disappointed I got no response. That said, here is how I fixed my issue.

First I backed up the entire disk using dd, then I backed up the configuration via the GUI.
I then downloaded the older 23.7 installer and overwrote the original disk.

I set the WAN/LAN interfaces and set the LAN IP, then upgraded from 23.7.x to 23.7.12_5.
Then I reapplied my configuration.
I had to manually reinstall my plugins, but once installed the configs had been restored (still need to test this).

Once that was complete, I then ran the update to 24.1, which worked without issue.
Then I ran the update again to get to 24.1.6 / FreeBSD 13.2-RELEASE-p11 / OpenSSL 3.0.13.

I'm not sure how the DuckDB got messed up, nor how OPNsense uses it, but I hope this helps someone out if they end up with the same issue. I find it hard to believe I am the first person this has happened to.

-GF
#8
Thanks for the link! This is not something I have a lot of familiarity with. I managed to get Let's Encrypt working with the ACME plugin, which seems a much better solution in the first place.

Thanks again,

GF
#9
OPNsense 23.7.12_5

I went into System -> Settings -> Admin.
I just wanted to enable password protection on the console menu, but when I hit save I get the error

"the following input errors were detected
    Certificate XXXX is not intended for server use "

and my change did not save.

Now, my browser says the cert is valid. I did create it with my own internal CA.

What does "not intended for server use" even mean? Note this is for OPNsense, not for OpenVPN.
And why does it work, but I can't save any changes on this page?

I would like to solve this before trying to upgrade to 24.x.

thanks,
GF
#10
I attempted to upgrade from 23.7.12_5 to 24.1, but the upgrade crashes with an error with DuckDB??

I have always kept my firewall up to date, so I'm not sure what this means. How can I fix this? What did I do wrong to get this error?

I mean, I can go to duckdb.org, but I'm not sure how it's being used with OPNsense or how I would go about trying to import it into a new DB, since I'm guessing the new DB version is part of the update so does not exist on my 23.7.12_5. I'm not sure how to attack this problem.

Any thoughts would be appreciated!

GF

-----------   error message  -------------------

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.7.12_5 at Tue Mar 19 16:43:04 EDT 2024
Fetching packages-24.1-amd64.tar: ... done
Fetching base-24.1-amd64.txz: ...................... done
Fetching kernel-24.1-amd64.txz: .......... done
Extracting packages-24.1-amd64.tar... done
Extracting base-24.1-amd64.txz... done
Extracting kernel-24.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'squid-plugin.php'
Squid web proxy is not active. Not installing replacement plugin.
>>> Invoking upgrade script 'unbound-duckdb.py'
Traceback (most recent call last):
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 65, in __enter__
    self.connection = duckdb.connect(database=self._path, read_only=self._read_only)
duckdb.IOException: IO Error: Trying to read a database file with version number 39, but we can only read version 51.
The database file was created with DuckDB version v0.6.0 or v0.6.1.

The storage of DuckDB is not yet stable; newer versions of DuckDB cannot read old database files and vice versa.
The storage will be stabilized when version 1.0 releases.

For now, we recommend that you load the database file in a supported version of DuckDB, and use the EXPORT DATABASE command followed by IMPORT DATABASE on the current version of DuckDB.

See the storage page for more information: https://duckdb.org/internals/storage

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/upgrade/20-unbound-duckdb.py", line 41, in <module>
    if export_database('/var/unbound/data/unbound.duckdb', '/var/cache/unbound.duckdb', 'unbound', 'unbound'):
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 147, in export_database
    with DbConnection(source, read_only=True) as db:
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 75, in __enter__
    raise StorageVersionException(str(e))
duckdb_helper.StorageVersionException: IO Error: Trying to read a database file with version number 39, but we can only read version 51.
The database file was created with DuckDB version v0.6.0 or v0.6.1.

The storage of DuckDB is not yet stable; newer versions of DuckDB cannot read old database files and vice versa.
The storage will be stabilized when version 1.0 releases.

For now, we recommend that you load the database file in a supported version of DuckDB, and use the EXPORT DATABASE command followed by IMPORT DATABASE on the current version of DuckDB.

See the storage page for more information: https://duckdb.org/internals/storage
>>> Error in upgrade script '20-unbound-duckdb.py'
***DONE***


-----------------------end message -------------------------------
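An added example (not from the post or from OPNsense): a Python triage of an upgrade transcript like the one above. It pulls out which hook script failed, the database path, the two storage version numbers, and recognises the case the message itself describes as recoverable by export/import with an older DuckDB. The excerpt is constructed from the log quoted above.

```python
import re

# Constructed excerpt of the upgrade transcript quoted above, cut down to the
# lines a triage needs (hook script names, the traceback tail, the result line).
UPGRADE_LOG = """\
***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.7.12_5 at Tue Mar 19 16:43:04 EDT 2024
>>> Invoking upgrade script 'squid-plugin.php'
Squid web proxy is not active. Not installing replacement plugin.
>>> Invoking upgrade script 'unbound-duckdb.py'
Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/upgrade/20-unbound-duckdb.py", line 41, in <module>
    if export_database('/var/unbound/data/unbound.duckdb', '/var/cache/unbound.duckdb', 'unbound', 'unbound'):
duckdb_helper.StorageVersionException: IO Error: Trying to read a database file with version number 39, but we can only read version 51.
The database file was created with DuckDB version v0.6.0 or v0.6.1.
>>> Error in upgrade script '20-unbound-duckdb.py'
***DONE***
"""

VERSION_RE = re.compile(r"version number (\d+), but we can only read version (\d+)")
CREATED_RE = re.compile(r"created with DuckDB version (v\d+(?:\.\d+)*(?: or v\d+(?:\.\d+)*)?)")
FAILED_RE = re.compile(r">>> Error in upgrade script '([^']+)'")
DBFILE_RE = re.compile(r"export_database\('([^']+)'")


def triage_upgrade_log(text):
    """Summarise which hook scripts failed and, when the DuckDB helper raised a
    storage-version error, which file and which versions were involved. Only the
    transcript is read; nothing on the system is touched."""
    report = {"failed_scripts": FAILED_RE.findall(text), "duckdb_mismatch": None}
    m = VERSION_RE.search(text)
    if m:
        created = CREATED_RE.search(text)
        dbfile = DBFILE_RE.search(text)
        report["duckdb_mismatch"] = {
            "database": dbfile.group(1) if dbfile else None,
            "file_version": int(m.group(1)),
            "reader_version": int(m.group(2)),
            "created_by": created.group(1) if created else None,
            # The transcript names the recovery path itself: export with a DuckDB
            # release that still reads the file, import with the new one.
            "recovery": "EXPORT DATABASE (old DuckDB) then IMPORT DATABASE (new DuckDB)",
        }
    return report


def is_storage_version_failure(text):
    """True when every failed hook is the DuckDB one and a version mismatch was
    reported: the data file is intact, just unreadable by the newer library."""
    r = triage_upgrade_log(text)
    return bool(r["failed_scripts"]) and r["duckdb_mismatch"] is not None and all(
        "duckdb" in s for s in r["failed_scripts"])
```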
#11
21.1 Legacy Series / Re: vpn works but no dns
May 18, 2021, 06:19:51 AM
Inxsible:
Things I have tried:
    setting the VPN client DNS to the IP address of my LAN (no joy; IP addresses work, but no names resolve)
    I added the DNS service to the VPN interface and changed the VPN client to point to the VPN interface (VPN tunnel, in my case this is 10.10.0.x; my LAN is 192.168.10.x) with the same results.

In both cases I can point a browser at the fw LAN IP address and get a response, so I know it's not being blocked by a fw rule (or I should say I think it is not, as I am clearly not an OPNsense expert).

As noted, when doing research I changed the VPN client DNS server to 8.8.8.8 and that also worked (for external stuff anyway), so it appears the issue is not with DNS specifically nor with making a connection to the VPN.
I found a post on issues with OpenVPN and Unbound (https://forums.openvpn.net/viewtopic.php?t=26983); though it is from 2018, it did not have a solution.

This prompted me to take Unbound out of the equation (and also OPNsense as well) by building a forwarding DNS server sitting inside my LAN. It forwards requests to OPNsense, and this solution does work.

I'd really like to fix this issue rather than use yet another server, but I'm not sure what to check.
#12
21.1 Legacy Series / Re: vpn works but no dns
May 16, 2021, 04:57:33 AM
Inxsible: thanks for the response. When testing I did add the LAN IP of my OPNsense server under VPN server client settings. When I connected with the client I could see in the logs DNS server 192.168.10.1 was added; I just could not get a connection. When I swapped that out with 8.8.8.8 I could then get to everything externally, but then nothing internal would resolve. When I set up a forwarding DNS server inside my network and changed the VPN server client DNS to use that IP, everything started to work.

When I did have the fw IP as the VPN server client DNS, I was able to point a browser at the IP of the OPNsense server and get a connection, so I know it's not a fw rule blocking me. I could also point my browser to any other internal IP. The issue seems to be the VPN cannot connect to the Unbound DNS server.

Errored out: thanks for the response, I completely missed that board when I posted my question!
Do you know if I can move a post from one board to another, or if I should simply repost this on the other one?
#13
21.1 Legacy Series / Re: vpn works but no dns
May 14, 2021, 03:37:23 PM
So my issue seems to be with the VPN client not being able to connect to the DNS server on OPNsense.
I changed the DNS in the VPN config to use 8.8.8.8 and I could resolve and connect to everything but my internal servers (which use OPNsense Unbound overrides).

Then I set up an internal DNS server which in turn forwards requests to OPNsense, pointed my VPN clients to the new machine, and everything seems to be working now.

So I'm guessing there is a FW rule missing? I tried adding rules to the OPNsense LAN interface to allow all traffic from the VPN interface, but that didn't seem to help.

I have never used VPN before, so I'm not quite sure how to attack this issue. Ideally I'd like to use the OPNsense DNS server directly instead of needing an intermediate box forwarding VPN requests to OPNsense.

If there is any doc you could point me to, I'd really appreciate it.
#14
21.1 Legacy Series / vpn works but no dns
May 06, 2021, 02:56:00 AM
I am using OPNsense 20.7.8-amd64

I am trying to get VPN to work and found the following:
https://homenetworkguy.com/how-to/configure-openvpn-opnsense/

I am trying to set up VPN for my iPhone and iPad.

When I connect to the VPN, I can see I'm on the 10.10.0.x network, which is the IPv4 tunnel network (as described in the doc above).

I can get to my internal IP addresses (192.168.x.x) but I can't get to anything internal (I have Unbound DNS running on OPNsense) via DNS.
I can see in the VPN log on the iPhone it says DNS server 192.168.10.1 was added; it's just not working. I CAN get to the IP address (and thus to the OPNsense GUI), just not via the DNS name.

I'm not sure what logs/config info would be helpful, but I'm happy to provide anything that would be helpful. Not sure what I did wrong.

thanks for your time,
John