Messages

Why want you define your own proposals? If I open the drop-down list, I can find any combination, I can think of. I'm missing nothing here.

To use PFS, key exchange methods may be added to the proposals for the IPsec SAs e.g.
esp_proposals = aes128-sha256-ecp384-modp3072
expected.

Why do I want to create my own proposals? Because in 95% of cases I don't control the other end of the tunnel and no other firewall I've ever seen limits the combinations available. It's a needless restriction.

PFS seemingly you can enable by selecting a DH group cipher in your phase 2/child ESP proposal

The whole point of OPNsense is to put a useful GUI overtop of the CLI processes. Including a "default" proposal just because the underlying process does, and not listing what it is anywhere other than in the actual processes docs seems insane from a UI point of view. Ironically even with full help on in the GUI, child ESP proposal has zero help and while the main connections proposal help does have something, it doesn't explain what "default" is

VPN's are almost never between two OPNsense devices and require exactly matching tens of settings, why would you make it look completely different, and name damn near every field differently from ever other product made?

Hi All

I feel like I'm going crazy here. I'm looking to setup an IPSEC S2S tunnel from an OPNsense firewall to potentially a number of other firewalls. I appear to be running the "new" UI for this and all the docs I can find talk about a legacy mode, and the documentation for legacy mode makes sense. It talks about Phase 1 and Phase 2, it talks about proposals, shared secrets, IKE and ESP and all the normal IPSEC things.

This new UI doesn't even have most of that. I can see you can select proposals when seeing up a new connection, but there appears to be no place to edit or add to the predefined ones. Lifetimes _may_ be under the advanced section of the connection but aren't called lifetimes, instead they are, I'm guessing, Re-auth time and Rekey time. No mention of PFS anywhere.

I get this might all just be trying to make it easier for beginner users, but wow does this not look like any IPSEC setup I've ever encountered (and I've been in networking for a couple of decades)

Am I on the right path here? Can we just not create our own proposals (not to mention what exactly _is_ the default proposal)? Is PFS supported anywhere?

This is about the most useful piece of docs I've found but there are... gaps

Thanks

PS. Sorry for the frustrated tone, but this is, well, frustrating :)

Awesome, thanks!

That appears to have solved it thanks!

Can you outline why this fixed it? Is radvd detecting that unbound isn't running on port 53 and so giving out system DNS servers to clients thinking there is no DNS server running on opnsense?

That's the only thing I can think of I just didn't think it was _that_ smart :)

Thanks

Hi

I've got Track Interface on for my WAN interface and IPv6 has been working fine for years. After upgrading to 23.1.7 I noticed that radvd (at least I think it it's radvd doing it) appears to be advertising Cloudflare and Google IPv6 DNS servers to the LAN clients, as well as the opnsense server itself. However after rolling back it's happening on my previous version of 21.1.3 as well so it's probably been going on for a while and I've just never noticed.

What this means is my internal DNS resolution isn't working anymore. I've also got AdGuardHome installed and running on port 53 but forwarding local queries to Unbound on 5353. AdGuardHome's DHCP is disabled so I don't _believe_ that's involved.

Logs don't appear to show much but then radvd is seemingly "Automatic" and so doesn't have any exposed config options but it's config file doesn't have these DNS servers in it. They are however specified under System -> Settings -> General -> DNS Servers.

How do I stop external DNS server being advertised to my LAN clients?

Thanks

Ok, so no idea what was going on. I poked around with a couple of things (one of which was I was using the wrong config file when running it from command line. Then started getting can't bind, port in use even though it wasn't running (and neither was dnsmasq) and just said screw it and restarted (I'd done that before).

Anyway, after the restart it came up just fine *shrug*

I just upgraded to 21.7.1 and Unbound now won't start from the GUI. However, going to the shell and running

unbound -c /var/unbound/unbound.conf

make it start no problem. There is nothing in the logs indicating any sort of issue on both the failed starts and the starts from the command line.

Can anyone point me in the right direction here? Even putting a -d on the command line doesn't show me any errors on start (probably because it starts successfully).

What command line does opnsense actually use to start Unbound?

Thanks