Messages

1

23.7 Legacy Series / Re: Firewall Scheduling

« on: November 10, 2023, 03:45:07 pm »

Found a post that shows direction is inbound not outbound (as I have it.) I've switched to inbound to see if that helps. Also found another post that a user had to schedule cron to kill all states at specific times to ensure any existing connections were terminated. Will try this first and see if I can solve this on my own but would appreciate any feedback

2

23.7 Legacy Series / Re: Firewall Scheduling

« on: November 10, 2023, 03:14:38 pm »

More screenshots.

3

23.7 Legacy Series / Firewall Scheduling

« on: November 10, 2023, 03:14:04 pm »

Hi Everyone

Running OPNsense 23.7.7_3-amd64

I've read several different posts and have mimicked the configuration in hopes of achieving the same goal. My son likes to stay up very very late on school nights (any night actually) and play video games, etc. My wife and I decided to implement scheduling for his devices in an attempt to curb this activity so he actually goes to sleep and is ready for school the next morning.

I thought I had this working, but this morning, I woke up around 1AM and walked by his room and sure enough, he's on his PS5 playing Fortnite with friends. I don't have it working I even then at the moment, logged into my OPNSense gateway and added an explicit BLOCK for his PS5 and still wouldn't stop the connection (can see this for 192.168.1.59 in the rules screenshot.)

Here's what I have:

- An ALIAS called KIDS_DEVICES with a list of IP addresses
- Two LAN firewall rules: An allow rule, linked to the schedule (below) and to the alias above. I also have a reject rule linked to the alias above, no schedule. Then the rest of my unrelated LAN rules follow. These two rules are directly beneath the pre-generated (19) rules.
- One schedule, with the following: Mon-Fri 0800-2300, Fri 0800-2359, Sat/Sun 0000-0000

I checked advance settings regarding states and scheduling under Advanced, it's disabled. I also found a Reddit post that scheduling should be on 0-15-30-45 in order to clear states, except for one rule, I did this.

Really need this kid to get proper sleep and not game with his friends into the wee hours of the morning. Could really use some help.

I'll try to add some screenshots to help

Thanks!

4

22.7 Legacy Series / Re: Randomized MAC Address filtering

« on: January 13, 2023, 10:29:44 pm »

I was able to resolve this by placing the configuration referenced above (github) as a local file (randommac.conf) in /usr/local/etc/dhcpd.opnsense.d which results in the outcome I'm looking for.

5

22.7 Legacy Series / Randomized MAC Address filtering

« on: January 02, 2023, 01:30:54 pm »

Hi Community,

I've been trying to enable this filtering mechanism (I know there are different ways to do this, but chose to use this approach) and the UI prevents me from using a specific MAC filtering pattern that I know ISC DHCP supports (I dropped to CLI to determine OPNSense is using ISC DHCP) which is the following:

Code: [Select]

A2,B2,C2,D2,E2,F2,12,22,32,42,52,62,72,82,92,02,A6,B6,C6,D6,E6,F6,16,26,36,46,56,66,76,86,96,06,AA,BA,CA,DA,EA,FA,1A,2A,3A,4A,5A,6A,7A,8A,9A,0A,AE,BE,CE,DE,EE,FE,1E,2E,3E,4E,5E,6E,7E,8E,9E,0E
I use a similar pattern on my UniFi USG at work to block random MACs and I can manually add this to /var/dhcpd/dhcpd.conf but the UI prevents this pattern. An example I've used in the past for ISC DHCP can be found in this github page:

https://gist.github.com/patrickdk77/bbcdcb5e5cee2b7fe9eba52224ba7751

The pattern I tried from was a Netgate forum on the same subject matter (which is where the string above comes from):

https://forum.netgate.com/topic/162075/how-to-block-randomized-mac-addresses/15

However, any manual edits I make to the raw configuration file will most likely be lost with upgrades or reboots or any DHCP changes.

Is there a way I can accomplish this with OPNSense?

6

General Discussion / Re: Slow Speed - can't find the mistake

« on: November 28, 2021, 04:32:27 am »

Switch info in that article was very useful to me as I was able to remap it to mine and VLANs are on my to-do (similar interface/layout.)

7

General Discussion / Re: Networking Questions

« on: November 28, 2021, 12:25:41 am »

Found a Reddit post that says lagg is not a supported interface and neither is bridge for sensei. So my mistake it would appear was adding the bridge0 and lagg0 devices instead of individual adapters (igb1+2+wifi)

Initial testing shows the lagg is up and running for a few minutes and then sensei kicks in and I think that's where it falls over.

Will reinstall and re-test since I can't keep network long enough to disable sensei and not sure how to do it from console otherwise.

8

General Discussion / Networking Questions

« on: November 27, 2021, 06:08:01 pm »

Hi Everyone,

This is my first post. I came into OPNsense by way of Qotom device. I have to admit, it's nice. 4 port intel (igb) nic version, i3-4010U w/8GB RAM and Samsung EVO 860 250GB SSD. OPNsense UI is practically instant on this device compared to my ASUS RT-AC3100 which is currently acting as my router.

I should preface by saying my networking know-how is maybe intermediate at best. I was going to open an issue at github but I found the forums and figured maybe someone could help me. I have the router plugged into my network and it's currently not acting as a router, I'm just getting it set up so I can swap it into place when ready.

I'm using a TRENDnet TEG-082WS (latest firmware) and under networking, I have 4 trunk groups I can create (the maximum.) I have my TrueNAS Scale bonded on port 7+8/active via LACP l2 (it defaulted to this; standard Linux bonding stuff.) I created a second trunk id (#2) and chose ports 4+5/active.

I've configured the OPNsense device thusly:

port0: wan/dhcp (currently not connected but will be to bonded ISP DSL 100/20)
port1: lagg/lacp (l2,l3,l4)*
port2: lagg/lacp (l2,l3,l4)
port3: wifi (currently nothing attached but will enable DHCP on it and use my ASUS 3100 as an AP wired here.)

lagg0 was created as per-documentation for LACP. Slave interfaces have no configuration other than being enabled. All devices are enabled/assigned.

I have a bridge0 configured with members being lagg0 and wifi and is assigned as LAN interface. Currently the LAN IP is hardcoded to 192.168.1.168 as my router is 192.168.1.1 and I've hand-added a default static route to 192.168.1.1 so it can talk to the Interwebs.

I have Suricata enabled (promisc) on WAN interface and Sensei enabled (promisc) on LAN interface. I did the cable dance/forced reboot but everything came back up working so I'm assuming it's fine there as I see the pretty graphs, etc (btw, this is very cool.)

When I connect the OPNsense router to my switch on ports 4+5 the lagg works. However, my NAS suddenly goes offline/unreachable until I kill trunk #2 and sometimes reset/rebuild trunk #1 (NAS)

I look at the switch and it shows that trunk #2 has aggregator id #1 the same as the NAS uses. At the time, I did have STP enabled (default disabled) but have since done a factory reset on the switch and have only configured NTP and the NAS lagg connection and have yet to continue testing.

*My question here is I noticed this morning that the NAS is LACP l2 and the OPNsense is LACP l2,l3,l4 and I came across a FreeBSD post about when acting as a router it should be l3 (see: Unbalanced LACP link) but I'm wondering if because it's set to l2,l3,l4 that it's killing the NAS lagg connection?

I figured I'd stop here and ask questions rather than getting frustrated at my lack of knowledge. I feel I'm so close to swapping it in as my router but can't quite get over the hump here