Messages - opnthib

#1
Quote: No manpower and frequently a lack of vendor documentation/cooperation for the AP side of things.


Yes, I see that, many open-source drivers are reverse engineered.

From what I understand the driver is OK for client access but not as an access point.

If I don't find another solution, I'll actually use a dedicated access point.
#2
Hello.

first of all, thank you team. I've been using OPNSense for some time now and even the major updates have gone smoothly. So thank you for that.

My current problem is with the wifi.
I've just updated to 24.7, but I don't think it's related.
I've always had problems connecting my other machines to my OPNSense wireless networks, I'm a bit confused.

So

root@onpsense:~ # usbconfig list
ugen0.1: <Intel XHCI root HUB> at usbus0, cfg=0 md=HOST spd=SUPER (5.0Gbps) pwr=SAVE (0mA)
ugen0.2: <RTL8811AU 802.11a/b/g/n/ac WLAN Adapter Realtek Semiconductor Corp.> at usbus0, cfg=0 md=HOST spd=HIGH (480Mbps) pwr=ON (500mA)
root@onpsense:~ # sysctl -n net.wlan.devices
rtwn0

OK, we have my USB wifi card.
And I have:

  • Interfaces > Wireless -> rtwn0_wlan1
  • Interfaces > Assignment -> rtwn0_wlan1 = Wifi (identifier: opt8)
  • Interfaces > [Wifi] ->
    • Enable: checked
    • Identifier: opt8
    • Device: rtwn0_wlan1
    • IPv4 Configuration Type: static IPv4
    • IPv4 address: 192.168.60.1
    • Standard: it worked with 802.11ng, but it doesn't anymore. I tried again with 802.11g or 802.11a, same result (KO)
    • 802.11g OFDM Protection Mode: Protection mode off
    • Transmit power: default
    • Channel: auto
    • Regulatory settings: ETSI; FR ETSI; Indoor
    • Mode: Access Point (Note: when I use Infrastructure, I see other wireless SSIDs on Interfaces > Wireless -> Wifi status)
    • Minimum standard: Any
    • Enable Hide SSID: unchecked
    • WPA: Enable
    • WPA Mode: WPA2
    • WPA Key Management Mode: Pre-Shared Key
    • Access Point Authentication: Shared Key Authentication
    • WPA Pairwise: AES
    • Key Rotation: 60
    • Master Key Regeneration: 3600

But my other devices can't see my SSID. :o

But:

root@onpsense:~ # dmesg | grep -A5 -B5 rtwn0
ig4iic3: <Intel Gemini Lake I2C Controller-7> mem 0xa171a000-0xa171afff,0xa1719000-0xa1719fff irq 34 at device 23.3 on pci0
ig4iic3: Using MSI
iicbus3: <Philips I2C bus (ACPI-hinted)> on ig4iic3
ichsmb0: <Intel Gemini Lake SMBus controller> port 0xf040-0xf05f mem 0xa1716000-0xa17160ff at device 31.1 on pci0
smbus0: <System Management Bus> on ichsmb0
rtwn0 on uhub0
rtwn0: <Realtek 802.11ac WLAN Adapter, class 0/0, rev 2.10/2.00, addr 1> on usbus0
rtwn0: MAC/BB RTL8821AU, RF 6052 1T1R
lo0: link state changed to UP
pflog0: permanently promiscuous mode enabled
re1: link state changed to UP
vlan0: changing name to 'vlan01'
vlan1: changing name to 'vlan02'
--
re0: link state changed to UP
re4: link state changed to UP
nd6_dad_timer: called with non-tentative address fe80:6::21e:6ff:fe45:487f(re5)
wg0: link state changed to UP
wlan0: Ethernet address: 20:0d:b0:46:68:02
wlan0: changing name to 'rtwn0_wlan1'
nd6_dad_timer: called with non-tentative address fe80:d::21e:6ff:fe45:5c5e(vlan03)
rtwn0: rtwn_tx_beacon_check: cannot push beacon into chip, error 60!
rtwn0: unable to push beacon into the chip, error 60
rtwn0: rtwn_newstate: could not move to RUN state


I don't understand, if I can see other networks ... then the driver is loaded and working, right?
I don't see RTL8811AU on https://www.freebsd.org/releases/14.1R/hardware/, but it was the same for the previous version.

What did I do wrong?  :-\
#3
Hello,
I think I have the same problem.
The service is stopped; I try to start it, for a few seconds the service icon is green but it always returns to red.
I uninstalled, restarted OPNsense, installed Crowdsec again, and the problem is still there.

Note: I have had the problem for some time.


#  tail /var/log/crowdsec/crowdsec-firewall-bouncer.log
time="28-04-2024 22:22:37" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:23:07" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:23:07" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:23:37" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:23:37" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:24:07" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:24:07" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:24:37" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:24:37" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:25:07" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:25:07" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:25:37" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp 127.0.0.1:8080: i/o timeout"
time="28-04-2024 22:25:37" level=error msg="Get \"http://127.0.0.1:8080/v1/decisions/stream?\": dial tcp 127.0.0.1:8080: i/o timeout"



# tail /var/log/crowdsec/crowdsec.log
time="2024-04-28T22:23:30+02:00" level=warning msg="You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning."
time="2024-04-28T22:23:30+02:00" level=info msg="Enabled feature flags: <none>"
time="2024-04-28T22:23:30+02:00" level=info msg="Crowdsec v1.6.0-freebsd-4b8e6cd7"
time="2024-04-28T22:23:30+02:00" level=info msg="Loading prometheus collectors"
time="2024-04-28T22:23:31+02:00" level=info msg="Loading CAPI manager"
time="2024-04-28T22:23:32+02:00" level=info msg="CAPI manager configured successfully"
time="2024-04-28T22:23:32+02:00" level=error msg="Machine is not enrolled in the console, can't synchronize with the console"
time="2024-04-28T22:23:32+02:00" level=info msg="CrowdSec Local API listening on 127.0.0.1:8080"
time="2024-04-28T22:23:32+02:00" level=info msg="Start sending metrics to CrowdSec Central API (interval: 23m2s once, then 30m0s)"
time="2024-04-28T22:23:32+02:00" level=info msg="Start push to CrowdSec Central API (interval: 3s once, then 10s)"
time="2024-04-28T22:23:32+02:00" level=info msg="capi metrics: sending"
time="2024-04-28T22:23:32+02:00" level=info msg="last CAPI pull is newer than 1h30, skip."
time="2024-04-28T22:23:32+02:00" level=info msg="Start pull from CrowdSec Central API (interval: 2h1m51s once, then 2h0m0s)"
time="2024-04-28T22:23:32+02:00" level=info msg="Loading grok library /usr/local/etc/crowdsec/patterns"
time="2024-04-28T22:23:34+02:00" level=info msg="Loading enrich plugins"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'GeoIpCity'"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'GeoIpASN'"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'IpToRange'"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'reverse_dns'"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'ParseDate'"
time="2024-04-28T22:23:34+02:00" level=info msg="Successfully registered enricher 'UnmarshalJSON'"
time="2024-04-28T22:23:34+02:00" level=info msg="Loading parsers from 6 files"
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 2 parser nodes" file=/usr/local/etc/crowdsec/parsers/s00-raw/syslog-logs.yaml stage=s00-raw
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 1 parser nodes" file=/usr/local/etc/crowdsec/parsers/s01-parse/opnsense-gui-logs.yaml stage=s01-parse
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 2 parser nodes" file=/usr/local/etc/crowdsec/parsers/s01-parse/pf-logs.yaml stage=s01-parse
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 1 parser nodes" file=/usr/local/etc/crowdsec/parsers/s01-parse/sshd-logs.yaml stage=s01-parse
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 1 parser nodes" file=/usr/local/etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml stage=s02-enrich
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 1 parser nodes" file=/usr/local/etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml stage=s02-enrich
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 8 nodes from 3 stages"
time="2024-04-28T22:23:34+02:00" level=info msg="No postoverflow parsers to load"
time="2024-04-28T22:23:34+02:00" level=info msg="Loading 4 scenario files"
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=hidden-darkness name=crowdsecurity/opnsense-gui-bf
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=divine-darkness name=crowdsecurity/ssh-slow-bf
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=billowing-cloud name=crowdsecurity/ssh-slow-bf_user-enum
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=icy-voice name=firewallservices/pf-scan-multi_ports
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=divine-flower name=crowdsecurity/ssh-bf
time="2024-04-28T22:23:34+02:00" level=info msg="Adding leaky bucket" cfg=spring-river name=crowdsecurity/ssh-bf_user-enum
time="2024-04-28T22:23:34+02:00" level=info msg="Loaded 6 scenarios"
time="2024-04-28T22:23:34+02:00" level=info msg="loading acquisition file : /usr/local/etc/crowdsec/acquis.yaml"
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern /var/log/httpd-access.log" type=file
time="2024-04-28T22:23:34+02:00" level=warning msg="No matching files for pattern /var/log/httpd-error.log" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="loading acquisition file : /usr/local/etc/crowdsec/acquis.d/opnsense.yaml"
time="2024-04-28T22:23:34+02:00" level=info msg="Force add watch on /var/log/audit" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Adding file /var/log/audit/latest.log to datasources" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Force add watch on /var/log/lighttpd" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Adding file /var/log/lighttpd/latest.log to datasources" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Force add watch on /var/log/filter" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Adding file /var/log/filter/latest.log to datasources" type=file
time="2024-04-28T22:23:34+02:00" level=info msg="Starting processing data"
time="2024-04-28T22:23:34+02:00" level=info msg="Error machine login for  : ent: machine not found "
time="2024-04-28T22:23:34+02:00" level=info msg="retrying in 0 seconds (attempt 2 of 2)"
time="2024-04-28T22:23:34+02:00" level=info msg="Error machine login for  : ent: machine not found "
time="2024-04-28T22:23:34+02:00" level=fatal msg="starting outputs error : authenticate watcher (): API error: ent: machine not found"
#4
holy s****
I feel really stupid right now  :(

The following example from https://blog.ktz.me/configure-unbound-dns-for-openshift-4/ misled me
Quote: Verify with dig:

[alex@ktzTP redhat]$ dig *.apps.ocp4.ktz.lan +short
192.168.1.160

Thank you

PS:

$ dig test.apps.okd.my-domain.lan +short
10.100.0.0
$ dig foo.apps.okd.my-domain.lan +short
10.100.0.0

;)
#5
Hello,

I would like to install okd/openshift on my HomeLab.
For this, I need a DNS entry like this:


Quote: *.apps.<cluster_name>.<base_domain>.

A wildcard DNS A/AAAA or CNAME record that refers to the application ingress load balancer. [...]
https://docs.openshift.com/container-platform/4.10/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-dns-user-infra_installing-platform-agnostic

It's one of the "advanced-configurations", so I am referring to https://docs.opnsense.org/manual/unbound.html#advanced-configurations

I have created a file /usr/local/etc/unbound.opnsense.d/okd.conf with the following content:


server:
local-data: "_etcd-server-ssl._tcp.okd.my-domain.lan 180 IN SRV 0 10 2380 etcd-0.okd.my-domain.lan."
local-data: "_etcd-server-ssl._tcp.okd.my-domain.lan 180 IN SRV 0 10 2380 etcd-1.okd.my-domain.lan."
local-data: "_etcd-server-ssl._tcp.okd.my-domain.lan 180 IN SRV 0 10 2380 etcd-2.okd.my-domain.lan."
local-zone: "apps.okd.my-domain.lan" redirect
local-data: "apps.okd.my-domain.lan 86400 IN A 10.100.0.0"
local-data-ptr: "10.100.0.1 etcd-0.okd.my-domain.lan"
local-data-ptr: "10.100.0.2 etcd-1.okd.my-domain.lan"
local-data-ptr: "10.100.0.3 etcd-2.okd.my-domain.lan"


It's OK for SRV, but for the local zone and local data I have:
$ dig *.apps.okd.my-domain.lan +short
zsh: no matches found: *.apps.okd.my-domain.lan

$ dig apps.okd.my-domain.lan +short
10.100.0.0


The expected result should nominally be the following, right?
$ dig *.apps.okd.my-domain.lan +short
10.100.0.0

I don't understand where I made a mistake.

Thanks for the help.

PS: okd VLAN: 10.100.0.0/24
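Added example, not code from this thread or from Unbound itself: an offline Python model of how a `local-zone ... redirect` stanza answers queries, fed with the okd.conf lines from post #5. It shows why post #4's `dig test.apps...` and `dig foo.apps...` both return 10.100.0.0, and why an unquoted `*` never reaches dig under zsh. The parsing and the redirect semantics are a simplified re-implementation for illustration (`parse_unbound` and `resolve` are names chosen here).

```python
import re

# Constructed sample: the poster's okd.conf trimmed to the lines this model
# understands (local-zone and local-data; local-data-ptr lines are ignored).
OKD_CONF = """\
server:
local-data: "_etcd-server-ssl._tcp.okd.my-domain.lan 180 IN SRV 0 10 2380 etcd-0.okd.my-domain.lan."
local-zone: "apps.okd.my-domain.lan" redirect
local-data: "apps.okd.my-domain.lan 86400 IN A 10.100.0.0"
"""

ZONE_RE = re.compile(r'local-zone:\s*"([^"]+)"\s+(\S+)')
DATA_RE = re.compile(r'local-data:\s*"([^"]+)"')


def parse_unbound(conf):
    """Return ({zone: type}, {owner: [(rrtype, rdata), ...]}) from a server: stanza."""
    zones, data = {}, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1).rstrip(".").lower()] = m.group(2)
        elif m := DATA_RE.match(line):
            # RR text is "<owner> <ttl> <class> <type> <rdata...>"
            owner, _ttl, _cls, rrtype, rdata = m.group(1).split(None, 4)
            data.setdefault(owner.rstrip(".").lower(), []).append((rrtype, rdata))
    return zones, data


def resolve(qname, rrtype, zones, data):
    """Simplified Unbound lookup: exact local-data first, then the closest
    enclosing local-zone. A 'redirect' zone answers every name below it with
    the data held at the zone apex. None means 'not local' (would recurse)."""
    name = qname.rstrip(".").lower()
    if name in data:
        return [rd for t, rd in data[name] if t == rrtype]
    labels = name.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            if zones[zone] == "redirect":
                return [rd for t, rd in data.get(zone, []) if t == rrtype]
            return []  # other zone types (static, transparent, ...) not modelled
    return None


if __name__ == "__main__":
    zones, data = parse_unbound(OKD_CONF)
    # Every label under the redirect zone gets the apex A record. A literal '*'
    # only reaches dig when quoted; unquoted, zsh expands it as a file glob.
    for q in ["apps.okd.my-domain.lan", "test.apps.okd.my-domain.lan", "*.apps.okd.my-domain.lan"]:
        print(q, resolve(q, "A", zones, data))
```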
#6
French - Français / Re: [RESOLVED] unbound
June 24, 2021, 06:38:54 PM
"Services: Unbound DNS: Overrides->Domain" is used to forward a DNS zone / a domain to another server. So that is not what you should use, but rather "Services: Unbound DNS: Overrides->Host": do not fill in a host, just the domain and the IP.
#7
21.1 Legacy Series / Re: Unbound Overrides
June 24, 2021, 06:35:09 PM
So it was pretty simple.
Thank you.
#8
21.1 Legacy Series / [SOLVED] Unbound Overrides
June 24, 2021, 12:44:46 PM
Hello,

I configured Unbound with DNSSEC and Blacklist.
Everything works, and for example:
$ dig mydomain.tld
mydomaine.tld  3600 IN A <publicIP>


1)
But now I would like mydomain.tld = <private ip> in my LAN, and not <public ip> (I host my "cloud").
In "Services: Unbound DNS: Overrides: Domain Overrides" I put Domain = mydomain.tld and IP = <private ip>.
But now when I test "dig mydomain.tld" I get a timeout ...

Do you know where this problem comes from?
I have probably activated something too much or I forgot to activate something, but I do not see what!
#9
French - Français / Re: Help with dual stack IPv4/IPv6?
June 22, 2021, 05:54:10 PM
Hi,

I have just finished configuring IPv6 on my OPNsense-Proxmox setup. However, it's physical self-hosting (an Odroid H2 for OPNsense + a home-built Proxmox server), so I didn't need iptables!
So for iptables I'm not sure I can help, but for OPNsense it should be fine ... except that I don't see which public IPv6 (with its mask) you were assigned:

Quote: PublicIP6="2a00:c70:1:xxx:xxx:xxx:xxx:1"
/64?
#10
French - Français / [RESOLVED] unbound
June 22, 2021, 05:30:44 PM
Hello,

I managed to configure my Unbound as a "lying" DNS (like pihole, for example).
Now I'm trying to do 2 things:

1) I self-host, and I would like that when I enter my domain name in a web browser, for example, the answer Unbound gives is the private address (v4 or v6) of my VM and not the public ones.

I thought this should be done via "Services: Unbound DNS: Overrides", but when I test (dig mondomaine.tld) no answer is returned for my domain name (dig opnsense.org still works).
The solution must be really simple, I must be missing a box to tick somewhere, but I don't see it.

2) Following on from my previous question, I managed to create records for machines internal to my LAN.
Concretely:
$ dig host1.lan.mondomaine.tld
host1.lan.mondomaine.tld  3600 IN A 192.168.1.10

But is there a way to have the same thing without a domain name?
$ dig host1
host1  3600 IN A 192.168.1.10


Thanks in advance for the answers!