Messages

1

General Discussion / Best practice for giving local staff a router status page

« on: March 22, 2024, 04:53:55 pm »

So with a handful of branch offices, on each site's OPNsense router we have a locked down user role that enables local staff to check things like failover status, WAN details and such. Read only for configuration, few menu items, and with "reboot" enabled among very few action options.

Now the Effective Privileges don't seem to exclude, or I haven't found or understood it, a way to lock down this user, dashboard-wise. So, ocassionally I find widgets changed or content added. Trying not to be paranoid, but if users can upload their own animated GIF file to the Pictures widget.. cat memes or not, I won't think that is a good idea and plan to change this setup. So I'll no longer holding it wrong.

If you have a similar model, enabling local staff to interact with OPNsense, how do you do a (mostly read-only) status page?

2

Hardware and Performance / Re: Looking to upgrade the RAM in a DEC740

« on: April 07, 2023, 05:20:10 pm »

Thank you all for the detailed replies! I'll check with page in / page out activity, however I do suspect I let myself be fooled by being more familiar with Linux, so may not rush towards upgrading.

3

Hardware and Performance / Re: Smart Managed Switch: Cisco or Zyxel

« on: April 04, 2023, 04:39:26 pm »

You haven't said what for - or a price range. Adding my 2ct here anyhow.

Zyxel does consumer gear, I have that at home (GS1200). VLANs they can do, and while the UI is modern, running the configuration is not without problems (small handful of VLANs). I need to reboot the switches every month or so, because data throughput slows down considerably over time. Annoyin. I'm eyeing Aruba for a refresh in homelab gear.

The older rackmount and PoE switches that run in the company data rack work nicely and without any issues. These are XGS2210 and GS2210 specimen, and they stay out of your way and just work. Newer stuff supports Nebula and cloud management, haven't touched those yet.

4

Hardware and Performance / Looking to upgrade the RAM in a DEC740

« on: February 22, 2023, 12:06:20 pm »

For the office we got a DEC740 which has 4GB of RAM. Memory usage is around 40%, which is fine. But, the Swap is always around 59%, so several GB worth of swapping at all times.

The datasheet does not mention user-upgradable RAM, but it does mention its DDR4. We have some of that in store, so could in theory just add to or replace the given RAM to e.g. get 8GB. This could reduce wear and tear on the mass storage considerably, I'd think.

Has anyone done this RAM upgrade successfully? Is that possible or encouraged even?

5

22.7 Legacy Series / Switching WAN provider - transfer given firewall rules to new interface used

« on: October 05, 2022, 04:44:14 pm »

There's an ISP change coming up for us, on a multi WAN setup. So atm we have both VDSL (WAN1) and fibre-with-copper (WAN2) active. Coming up will be the fibre-with-copper to be replaced by a fibre connection that does not use copper on the last 50cm of a legacy cabling installation. 

There's no rush with the new setup, because all three shall continue to run in parallel for weeks or even months, and this DEC740 has enough ports for all of it. I'll stick to one aspect of the changes.

From what I've gathered I now have a full setup of WAN interfaces, and a range of firewall rules and such for WAN2. When the new ISP will offer IP it'll connect via interface ax1 - do I have to rebuild everything for the new WAN?

Maybe there is an easy way to copy over given firewall rules to the new interface? It would at least be convenient to be able to do that.

Any pointers appreciated.

6

22.1 Legacy Series / Re: os-ddclient

« on: September 14, 2022, 10:38:07 am »

I'm in the no-ip.com boat, and am using groups. This piece of information https://www.noip.com/support/knowledgebase/limit-hostnames-updated-dynamic-dns-client/ is what helped me:

Some clients don’t like a colon( : ) character as a separator, you can use the url encoded colon character %3A, %23, or # if you run into this issue.

As noted above, the OPNsense UI does not do a good job, substituting %3A was rejected there. Also, I was getting badauth from debugging on the commandline before the change.

So the login parameter in /usr/local/etc/ddclient.conf needs this. Note the login line has %3A instead of a colon between groupname and username. Also, I don't explicitly specify an interface since my OPNsense is an exposed host behind another router.

Code: [Select]

syslog=yes                  # log update msgs to syslog
pid=/var/run/ddclient.pid   # record PID in file.
ssl=yes

# the Inet interface is implicit
use=cmd, cmd="/usr/local/opnsense/scripts/ddclient/checkip -t 0 -s noip-ipv4",
protocol=noip, \
login=group%3Anom@example.com, \
password=NunAYurBusiness \
example.ddns.net

7

21.7 Legacy Series / Re: [SOLVED] Wireguard, Interfaces and Assignments: can't reenable instance

« on: April 22, 2022, 10:01:46 am »

Short version, if you have more than one Local instance of wireguard, any Endpoint belonging to one of the servers must not have more than the TunnelIP address /32 assigned to it. If it has, like in 10.10.10.5/32 192.168.1.0/24 then this happens: the wg instance will not show in "List Configuration", it will not start, and there is no error message to be found, not even in "sudo wg show".

So fixing this is simple, check your endpoints if it happens to you. Once the wg instance comes up, you will see the "new" instance in Interfaces > Assignments.

So this is interesting, and I led myself be led by various tutorials available on the internet for getting into these troubles. They say to "restrict" the client after connection to accessing a certain network range, add the 192.168.1.0/24 range to the endpoint definition. That might work for single instance setups, but does not work for me with many.

(I guess I need to  read more on cryptokey routing and all the interfacec types involved.)

8

21.7 Legacy Series / Re: Can't get Internet access from 2nd LAN

« on: April 07, 2022, 01:11:36 pm »

In the time that passed, did you solve your problem yet hushcoden? It likely has to do with outbound NAT.

If the default deny rule hits, its often because in Firewall -> NAT -> Outbound the main setting is very restrictive, in that your manual rules are not evaluated. Pragmatically that can be set to "Hybrid", such that "Automatic rules are added, but additional manual rules can be added as well."

See here: https://docs.opnsense.org/manual/nat.html#outbound

9

German - Deutsch / Re: OPNsense / *sense (Online) Usergroup?

« on: April 06, 2022, 05:04:53 pm »

Ich wäre dann auch gern dabei, künftig. Gesundheit ist allerdings klar wichtiger!

10

21.7 Legacy Series / [SOLVED] Wireguard, Interfaces and Assignments: can't reenable instance

« on: April 06, 2022, 04:36:15 pm »

So I had several Wireguard instances configured, on different ports, and things worked well. For testing I disabled one of the wireguard "servers". This instance wg1 stopped working, test completed. The other continued to work.

Now, in VPN > Wireguard > Local the box for wireguard1 is checked again, and the interface shows in Interfaces as wireguard1. It is enabled as far as the information available here says.

But, in Interfaces > Overview it is marked as "down", and in Assignments wg1 shows as being assigned to re0 (and a real MAC) instead of wg1 and 00:00:00:00:00:00. wg1 is not shown and not listed in the dropdown list for re-assigning. The interface wireguard1 did not have an IP address configured.

So even though it is an enabled instance (as per VPN , the interface shows, it cannot be used now that I turned it off.

How can I enable it again such that I can assign wg1 to the interface again, and it will actually work and show in VPN -> Wireguard -> List Configuration (or % sudo wg  show)?

Rebooting the machine, restarting all services, and disabling and re-enabling wireguard or the interface did not improve the situation. What have I missed? What to do now?

11

21.7 Legacy Series / [SOLVED] 2 WAN interfaces, one shows up in Services -> DHCPv4

« on: March 21, 2022, 04:33:24 pm »

So I've checked on other machines - than WAN connections always do show up in Services -> DHCPv4, that is except if they are PPPoE links.

While that still seems odd (why show WAN connections here at all), I'll decide to not care much.
Thank you for listening.

12

21.7 Legacy Series / [SOLVED] 2 WAN interfaces, one shows up in Services -> DHCPv4

« on: March 21, 2022, 03:45:34 pm »

I have a 3-port box with OPNsense on - a new setup. Box connects to a VDSL line on WAN1, which it does, and a fibre connection von WAN2, which it does. This one is set to a static IPv4 address and works as intended. I have both WAN show up under Interfaces -> WAN, which is fine.

But surprisingly the WAN2 shows up  an an interface I can enable DHCP on Services -> DHCPv4. Certainly it is not meant be this way. Why does it show there, and what did I do wrong to put it there? Most importantly, how do I fix it?

13

21.7 Legacy Series / Re: OPNsense Installation - VLAN Config

« on: January 19, 2022, 04:54:20 pm »

I don't see why not. The procedure above should work, and you can start sending tagged packets towards the interface.

14

21.7 Legacy Series / Re: Wireguard not passing UDP traffic - all UDP traffic blocked

« on: January 19, 2022, 04:50:26 pm »

Try enabling logging on all possibly relevant firewall rules, and check the log. 

15

21.7 Legacy Series / Re: Export of Firewall Alias, NAT, Rules

« on: January 18, 2022, 12:27:56 pm »

Yes, simply export. On import you can pick which part of the config.xml you want.