Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - janci

Pages: [1] 2

24.7 Production Series / Re: some packet get trough router to server

« on: October 14, 2024, 07:30:34 am »

yes, that a option I was thinking about but I dont see any service making a connection to external IP to that port. OK, I will try to monitor ...

anyway, thanks for tip

24.7 Production Series / some packet get trough router to server

« on: October 13, 2024, 08:55:31 pm »

hi, I am not sure if this is related to opnsense but trying to understand what is going on.

I have server in local network, opnsens router is forwarding tcp 80 and 443 port from WAN to server. I have firewall on server and time to time I can see that firewall reject udp connection to port 14738 {several times in few seconds} and connection is comming from external ip {it is not from local net or any other vlans I have} I have static public ip on WAN

for example :

Code: [Select]

IN_public_REJECT: IN=lag1 OUT= MAC=0e:a8:4e:1d:3f:ed:00:0d:b9:58:db:24:08:00 SRC=141.148.95.205 DST=192.168.53.43 LEN=960 TOS=0x00 PREC=0x00 TTL=51 ID=28793 DF PROTO=UDP SPT=6969 DPT=14738 LEN=940

it is not clear how is that possible. thanks for help ...

24.1 Legacy Series / Re: KEA DHCP

« on: March 01, 2024, 08:06:07 pm »

I am just trying to migrate one VLAN from ICS to KEA but find out that ICS is binding *.67 s KEA is not able to start.
hope this will be solve soon so we could run both.

23.1 Legacy Series / Unbound is not registering new DHCP lease

« on: March 06, 2023, 07:30:00 pm »

Hi

I was reporting this issue in 21.7 release. After some time it was fixed.

I did upgrade to 23.1 and and I'm seeing the problem again.

happen just now:
- new device connected to network
- new devices get IP and it can access local network and internet
- I can ping that new device from my laptop BUT only using IP
- if I am using hostname I get error saying not able resolve name ...

I did login to router and run this command:

Code: [Select]

sudo ps -aux|grep unbo
root    88022   5.1  3.3 197748 134948  -  S    Sun14      34:07.57 /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
unbound 84539   0.0  1.4 145996  56208  -  Ss   Sun14       0:38.30 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    87907   0.0  0.1  12756   2232  -  Is   Sun14       0:00.00 daemon: /usr/local/opnsense/scripts/unbound/logger.py[88022] (daemon)
jano    95697   0.0  0.1  12748   2364  0  S+   18:45       0:00.01 grep unbo

then I did restart unbound in web gui and run that command on console again:

Code: [Select]

sudo ps -aux|grep unbo
root    76021   4.6  0.4  25764  15348  -  Ss   18:45       0:05.32 /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain doma (python3.9)
root    76350   1.5  2.8 192116 115176  -  S    18:45       0:05.85 /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.9)
unbound 31762   0.0  1.3 145996  55064  -  Ss   18:45       0:01.00 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root    76233   0.0  0.1  12756   2232  -  Is   18:45       0:00.00 daemon: /usr/local/opnsense/scripts/unbound/logger.py[76350] (daemon)
jano    71423   0.0  0.1  12748   2364  0  S+   18:46       0:00.01 grep unbo

As you can see after restarting unbound service watcher is running. But was not.

Just let me know which log to check (maybe I need to tune log level) to find out more details so I can help to find out what's going on.

21.7 Legacy Series / Re: Unbound is not registering new DHPC lease

« on: February 15, 2022, 09:03:02 pm »

just updating
I did update to 22.1. and problem remain, so if I change configuration of unbound it will restart but watcher is not running so I have to start it manually.

General Discussion / Re: NextDNS

« on: February 07, 2022, 11:52:06 am »

aha, somohow I did not understand CN field correctly and I did put there just XXXX part.

thanks, it is working now

21.7 Legacy Series / Re: Fresh install over existing UFS, import config and format as ZFS - possible?

« on: February 07, 2022, 11:05:40 am »

I am another happy user who succesfully transfere from UFS -> ZFS.

thanks to @teosoft for steps and @Greelan to mention about password for installer which is same as root which is after import same as original

edit:
original verzion was 21.7 but I did flash 22.1. to usb and boot it from that, so I did also upgrade OPNSense

General Discussion / Re: NextDNS

« on: February 05, 2022, 09:38:53 pm »

I did find out that I did post to not correct thread, so copy past my question here

1) account at nextdns created
2) disable dnscrypt
3) remove dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS adding new record, for CN I did used ID of endpoints from setup tab of nextdns gui
5) restart unbound
6) dns is not working
7) checking log on Unbound DNS and following error is find

2022-02-03T21:08:05 unbound[92145] [92145:2] notice: ssl handshake failed 45.90.28.179 port 853
2022-02-03T21:08:05 unbound[92145] [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

any idea?
thanks

NOTE #1
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:
tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 45.90.28.179@853#XXXXX

NOTE #2
I still run opnsense 21.7.7
should I update to 22 ?

NOTE #3
I suspect that my IPS changing my dns queries.
I did check for dns leaks and when using 9.9.9.9 in resolve.conf on my linux laptop then it looks OK
but when using nexdns 45.90.28.179 then dns leak test web page show me that I am using google or opendns.

thats for 53 port and I think that they are doing same trick for 853.
so response is coming form different IP as request was sent to and it could be problem of "certificate verify failed"

what do you think?

General Discussion / Re: DNSCrypt or NextDNS to protect home network? What do you use please

« on: February 03, 2022, 11:12:52 pm »

I suspect that that IPS changing my dns query.
I did check for dns leaks and when using 9.9.9.9 in resolve.conf on my linux laptop then it looks ok
but when using nexdns 45.90.28.179 dns leak test web page show me that I am using google or opendns.

thats for 53 port
I think that they are doing same trick for 853.
so response is coming form different IP as request was sent to.

what do you think?

General Discussion / Re: DNSCrypt or NextDNS to protect home network? What do you use please

« on: February 03, 2022, 09:20:00 pm »

1) account at nextdns created
2) disable dnscrypt
3) remove dnscrypt conf from /usr/local/etc/unbound.opnsense.d/
4) in Unbound DNS > DNS over TLS adding new record, for CN I did used ID of endpoints from setup tab of nextdns gui
5) restart unbound
6) dns is not working
7) checking log on Unbound DNS and following error is find

2022-02-03T21:08:05 unbound[92145] [92145:2] notice: ssl handshake failed 45.90.28.179 port 853
2022-02-03T21:08:05 unbound[92145] [92145:2] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

any idea?
thanks

edit #1:
cat /usr/local/etc/unbound.opnsense.d/dot.conf

server:
tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 45.90.28.179@853#XXXXX

edit #2:
I still run opnsense 21.7.7
should I update to 22 ?

General Discussion / Re: DNSCrypt or NextDNS to protect home network? What do you use please

« on: February 02, 2022, 10:04:46 pm »

I am using dnscrypt and I think it is using protocol which is not DNS over TLS / HTTP.
https://dnscrypt.info/protocol/

nextDns is supporting DoH and DoT
https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3

so client {your router} is comunicating with oposite side by secure channel. But what happend on oposite side? in case DNScrypt there can be any from many servers {some of them are privacy friendly some not} but in case NextDNS there is just one company.

I am planing to try NextDNS to see how it is working and what benefit I get. But know, I dont know.

General Discussion / Re: Anyone setup NextDNS?

« on: February 02, 2022, 09:48:50 pm »

not sure but check https://docs.opnsense.org/manual/unbound.html?highlight=unbound#advanced-configurations

for correct path of that nextdns.conf

21.7 Legacy Series / how to change what kes sshd is offering as HostKey

« on: December 20, 2021, 08:38:13 pm »

I would like to change configuration of sshd so it will offer only

HostKey /conf/sshd/ssh_host_ed25519_key

Know, and I think as default it offers

HostKey /conf/sshd/ssh_host_rsa_key
HostKey /conf/sshd/ssh_host_ecdsa_key
HostKey /conf/sshd/ssh_host_ed25519_key

thanks for advice

21.7 Legacy Series / Re: Unbound is not registering new DHPC lease

« on: December 20, 2021, 08:35:22 pm »

sorry, Meanwhile I did update to 21.7.7-amd64 and unbound_dhcpd.py did not start.

which log file should I look at?
it is bit conusing for me, I am not able to find correct log file in web gui.
and on console I am not sure too.

edit:
1) I did got to Services -> Unbound DNS -> Log file
2) search for "watcher"
3) I can see that "daemonize unbound dhcpd watcher" string did appear in log cca at time when I was updating.
4) but I did remember that I did log into router over ssh and check if it is running and wasn't

21.7 Legacy Series / Re: Unbound is not registering new DHPC lease

« on: November 20, 2021, 08:53:54 am »

I did update my router to OPNsense 21.7.5-amd64 today.
BUT /usr/local/opnsense/scripts/dns/unbound_dhcpd.py did not start so I did start it manualy.

do you have some news / progress on this? should I write a bug ?

thanks

Pages: [1] 2