Messages - nerd

#1
Quote from: pfry on August 07, 2025, 06:52:21 PM
I have to ask, you understand: Did you apply the changes? If so, you got me.

Hehe, fair question, but yes, I did save and apply.
#2
gotcha.
So I went ahead and checked the statistics checkbox for a couple of my aliases. I.e. I enabled this for my PC's alias (2x IPv4 + 2x IPv6).
But now multiple hours later, I still get no packet or byte values to show in Firewall > Diagnostics > Aliases.
#3
Quote from: pfry on August 06, 2025, 03:00:30 PM
I don't know if you're missing it, but it would be "Statistics" under the alias config. Stats gathering from pf is a bit wonky, so there will be limitations. (I haven't examined them fully, but block rules don't appear to count, for instance.)

I did miss this so thank you for the info.
Can I enable this for all and everything or will this impact load or disk or whatever too negatively?
#4
Curious. Is Firewall > Diagnostics > Aliases supposed to contain no packet or byte data?  Or am I missing a setting somewhere?
#5
25.7 Series / Re: Assign prefix ID
July 28, 2025, 01:24:36 PM
cool, much appreciated for the answers (and corrections).
#6
25.7 Series / Re: Assign prefix ID
July 28, 2025, 12:48:55 PM
Ugh, you are correct of course. Corrected my previous post.

Follow-up Q:
The Optional interface ID is then simply the last 64 bits (60 really) to select the actual interface IP address?

Interface ID 0000000000000001 for 2001:db8:ffff:ff79:0000:0000:0000:0001 interface IP or
Interface ID 0000000000000254 for 2001:db8:ffff:ff79:0000:0000:0000:0254 interface IP or (at most)
Interface ID 7fffffffffffffff for 2001:db8:ffff:ff79:7fff:ffff:ffff:ffff interface IP?  (so actually the last 60 bits)

#7
25.7 Series / Assign prefix ID
July 27, 2025, 11:14:53 PM
Can someone explain the details regarding getting/offering the correct/a specific prefix from an ISP?

Say I should get the following range:
e.g. 2001:db8:ffff:ff00:0000:0000:0000:0000/56
The prefix in this would be 2001:db8:ffff:ff00::0/56

Now, say I want 2001:db8:ffff:ff01::0/64 for vlan 1, 2001:db8:ffff:ff02::0/64 for vlan 2 and 2001:db8:ffff:ff79::0/64 for vlan 79.
How do I go about configuring OPNsense prefix IDs to enable that?

Should the prefix ID be 01 for vlan 1, 02 for vlan 2 and 79 for vlan 79?

Or am I completely wrong here? Or is my ISP not giving me the correct range?
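A worked calculation of the two questions in this thread (which /64 a prefix ID selects inside the delegated /56, and which host address an interface ID selects inside that /64), as an added example that is not part of the original posts. It assumes OPNsense's "Optional prefix ID" is a hexadecimal value that fills the bits between the delegated prefix length and /64, and that the interface ID is the hexadecimal value of the low 64 bits; the prefix and VLAN numbers are the ones quoted in the post.

```python
import ipaddress


def prefix_id_range(delegated: str, subnet_len: int = 64) -> tuple[int, int]:
    """Lowest and highest prefix ID a delegated prefix can carve into /subnet_len networks."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    free_bits = subnet_len - net.prefixlen
    if free_bits < 0:
        raise ValueError(f"{delegated} is smaller than a /{subnet_len}")
    return 0, (1 << free_bits) - 1


def subnet_from_prefix_id(delegated: str, prefix_id: str, subnet_len: int = 64) -> ipaddress.IPv6Network:
    """Pick one /64 out of the delegated prefix using a hex prefix ID.
    Assumption: the ID fills the bits between the delegated length and subnet_len."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    lo, hi = prefix_id_range(delegated, subnet_len)
    pid = int(prefix_id, 16)
    if not lo <= pid <= hi:
        raise ValueError(f"prefix ID {prefix_id} is outside {lo:x}..{hi:x} for {delegated}")
    # shift the ID into the site bits sitting just above the 64-bit host part
    addr = int(net.network_address) | (pid << (128 - subnet_len))
    return ipaddress.IPv6Network((addr, subnet_len))


def address_from_interface_id(subnet: str, interface_id: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a hex interface ID (the low 64 bits) into a host address."""
    net = ipaddress.IPv6Network(subnet, strict=False)
    iid = int(interface_id, 16)
    if iid >= 1 << (128 - net.prefixlen):
        raise ValueError(f"interface ID {interface_id} does not fit in a /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    delegated = "2001:db8:ffff:ff00::/56"  # the range quoted in the post
    lo, hi = prefix_id_range(delegated)
    print(f"{delegated} allows prefix IDs {lo:02x}..{hi:02x} ({hi - lo + 1} /64 subnets)")
    for vlan, pid in [(1, "01"), (2, "02"), (79, "79")]:
        print(f"vlan {vlan}: prefix ID {pid} -> {subnet_from_prefix_id(delegated, pid)}")
    for iid in ["0000000000000001", "0000000000000254", "7fffffffffffffff"]:
        print(f"interface ID {iid} -> {address_from_interface_id('2001:db8:ffff:ff79::/64', iid)}")
```

A prefix ID that needs more than the 8 free bits of a /56 (for example 100) is rejected, which is the check that tells you whether the ISP's delegation is large enough for the VLAN numbering you want.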




#8
thank you both for taking the time to respond :)
#9
My wireguard plugin shows up as missing (in red).

Name                    Version  Size  Tier  Repository  Comment
os-wireguard (missing)  N/A      N/A   N/A   N/A         N/A


When I click the + to install I get this 'warning': "Third party software
This software package is provided by an external vendor, for more information contact the author?"

When ignoring that warning and clicking install it doesn't appear to have anything to install:
***GOT REQUEST TO INSTALL***
Currently running OPNsense 24.7.2 at Tue Aug 27 21:19:10 CEST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'os-wireguard' have been found in the repositories
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***


Strange thing is though, WireGuard seems to be working. My client is able to connect and pass traffic.
So how do I get my system to show up correctly?  Rebooting did not help unfortunately.
#10
24.7, 24.10 Series / Re: New Dashboard
July 29, 2024, 11:27:20 AM
After tinkering around with the new dashboard, I run into the following 'issues'.

1) can't seem to enlarge (vertically) the interfaces to show them all at once. Needing to scroll to see them is less than ideal.
2) both announcements and services tile will not remember their vertical size.
#11
Quote from: nerd on March 25, 2024, 07:10:57 PM
Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.


Anyone understand this and willing to explain?  Pretty please?
#12
Quote from: Patrick M. Hausen on March 25, 2024, 06:16:10 PM
Nope. The "allow all out" rule is for traffic that never came in anywhere. Like outbound DNS requests or NTP requests originating on the firewall itself. Download of updates. ICMP echo requests from gateway monitoring. These.
Hence the description: "let out anything from firewall host itself"

Mmm, then why do I see client<>server DNS traffic hitting this rule/label?

For example my client requesting DNS resolving from the server (not the FW).
In FIREWALL: LOG FILES: LIVE VIEW this shows up twice even though the FW should just pass the traffic:

client_vlan   OUT 2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   let out anything from firewall host itself   
server_vlan  IN   2024-03-25T19:04:53   <client IP>:64696   <server IP>:53   udp   My DNS rule


Sorry if I am being a bit dense here somewhere, but I'd love to actually understand this now.


#13
Quote from: jp0469 on March 25, 2024, 05:34:02 PM
What exactly is concerning you about those rules? I believe it's required for NAT functionality. Also, did you happen to notice the rule direction?

No, I did not notice the direction.
Direction is OUT, whereas 'normal' rules are IN. Much appreciated that you pointed this out.

So basically my FW rules block/allow INcoming traffic and once allowed the FW needs a rule to let this traffic back OUTgoing to the destination VLAN?

Or do I still misunderstand this rule?



#14
General Discussion / Re: UDP Broadcast Relay
March 25, 2024, 05:24:06 PM
Any ideas to debug this?

2024-03-25T17:21:11   Notice   root   /usr/local/etc/rc.d/os-udpbroadcastrelay: WARNING: failed to start osudpbroadcastrelay   
2024-03-25T17:21:11   Notice   root   /usr/local/etc/rc.d/os-udpbroadcastrelay: WARNING: failed to start osudpbroadcastrelay
#15
For every VLAN, including WAN, my FW has automatically created the following rule (hidden under the "Automatically generated rules" pulldown menu).


Protocol  Source  Port  Destination  Port  Gateway  #  Schedule  Description
IPv4+6 *  *       *     *            *     *        *  *         let out anything from firewall host itself


I would understand if the source were VLAN_address, but not an allow any to any.
Since it is autogenerated, I can not simply delete or adapt this rule either.

Hopefully I am misinterpreting this rule? If not, where does it come from and how do I get rid of it?