Messages - warheat1990

#1
I have the following interfaces:
Home (VLAN30) - 192.168.30.0/24
Surveillance (VLAN40) - 192.168.40.0/24

OPNSense IPs are 192.168.30.1, 192.168.40.1, etc.

I want to block the Home network from accessing the OPNSense GUI.

I tried creating an alias like this containing all OPNSense IP addresses:

But this rule ended up blocking internet access altogether. What is the best way to block certain interfaces from accessing OPNsense IP addresses without manually adding the OPNsense address one by one for each interface?
#2
1. Download the config.xml from your old machine (System > Configuration > Backups > Download Configuration)
2. Open the xml file
3. Replace anything that says "igb" with "igc"
4. Fresh install OPNSense in your new machine
5. Restore the modified config file into new machine (System > Configuration > Backups > Restore Configuration)

I always use this method without any issue. Just remember to reinstall the plugins after restoring, as you have to do that manually; after a plugin is reinstalled, all of its previous configuration will be restored.
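An added example (not OPNsense's own tooling) for steps 2 and 3 above: it rewrites the igb* device names in config.xml through an XML parser rather than a blind text replace, and reports which elements changed so a hit inside a description can be spotted before restoring. The trimmed config.xml it runs on is constructed.

```python
"""Rename igb* devices to igc* in an OPNsense config.xml (steps 2-3 above)."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed, heavily trimmed config.xml with the elements that carry device
# names: <if> on interfaces and VLAN parents, <vlanif> on VLAN children.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN igb1 uplink</descr></lan>
    <opt1><if>igb1_vlan30</if><descr>Home</descr></opt1>
  </interfaces>
  <vlans>
    <vlan><if>igb1</if><tag>30</tag><vlanif>igb1_vlan30</vlanif></vlan>
  </vlans>
</opnsense>
"""


def rename_devices(xml_text: str, old: str = "igb", new: str = "igc") -> Tuple[str, Dict[str, int]]:
    """Rewrite every whole device token old<N> to new<N> in element text.

    Only tokens at a word boundary followed by a unit number change (igb1,
    igb1_vlan30), never an unrelated word that merely contains "igb".
    Returns the new XML plus substitutions per tag, so a stray hit in a
    <descr> is visible before the file is restored."""
    pattern = re.compile(rf"\b{re.escape(old)}(\d+)")
    root = ET.fromstring(xml_text)
    counts: Dict[str, int] = {}
    for elem in root.iter():
        if elem.text and pattern.search(elem.text):
            elem.text, n = pattern.subn(rf"{new}\1", elem.text)
            counts[elem.tag] = counts.get(elem.tag, 0) + n
    # ElementTree drops the XML declaration; put it back for the importer.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), counts


def device_names(xml_text: str) -> Dict[str, str]:
    """Map each configured interface (wan, lan, opt1 ...) to its device."""
    root = ET.fromstring(xml_text)
    return {iface.tag: iface.findtext("if") for iface in root.find("interfaces")}


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    out, counts = rename_devices(src)
    print("substitutions per tag:", counts)
    print("devices now:", device_names(out))
```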
#3
Yep, that's it. I unticked the USB and it works now.
#4
I have a box that runs OPNSense which has an LCD with 4 buttons (up/down/enter/esc), which is very common, but how do I use the plugin? I've installed it but I can't find LCDd-sdeclcd.conf inside /usr/local/etc/. Do I have to create the file myself? I believe in pfSense it has a GUI under the Services menu.

UPDATE: For anyone who is interested: after installing the LCDProc plugin, I do have the LCDd-sdeclcd.conf inside /usr/local/etc/ (I was lazy and used the "find" command and mistyped the word, hence I couldn't find it), so you just need to modify the LCDd-sdeclcd.conf file. Settings may vary based on your hardware, but for me the conf file content was:

[server]
DriverPath=/usr/local/lib/lcdproc/
Driver=hd44780
Bind=127.0.0.1
Port=13666
ReportToSyslog=yes
User=nobody
Foreground=no
Hello="  Welcome to"
Hello="   OPNsense!"
GoodBye="Thanks for using"
GoodBye="   OPNsense!"
WaitTime=5
TitleSpeed=5
ServerScreen=on
Backlight=open
ToggleRotateKey=Enter
PrevScreenKey=Up
NextScreenKey=Down

[menu]
MenuKey=Escape
EnterKey=Enter
UpKey=Up

[hd44780]
ConnectionType=ezio
Device=/dev/cuau1
Keypad=yes
Size=16x2
KeyMatrix_4_1=Enter
KeyMatrix_4_2=Up
KeyMatrix_4_3=Down
KeyMatrix_4_4=Escape


Restart the firewall and it works afterwards.
#5
22.1 Legacy Series / Re: No login prompt on console
July 03, 2022, 04:33:32 AM
Quote from: pmhausen on July 02, 2022, 10:21:39 PM
Disable the "use USB" option. It doesn't do what you probably think it does  ;)

However, the cable that I used is a USB to RJ45 console cable, which I assume means that I need to tick "Use USB-based serial ports", so what is the option actually for? I will give it a try when I get home.
#6
I remember the first time I installed OPNSense, it was done via serial (with the serial image). However, after many updates I no longer used the serial console port, but today I tried it and I can't seem to get the login prompt. It stopped after showing the "SSH" text.

I didn't get the "login:" menu. And my primary console is already set to serial.

Any idea why?
#7
I bought a 1U machine called Imperva SecureSphere X1010. I had never heard of this vendor before, so I opened the box and it's just a regular x86 with an i3-2120, 8GB of DDR3, and a 1TB WD Enterprise HDD. The thing has a password which I don't know, so I just went into the BIOS and installed OPNSense on it, which is working fine except that I can only use 2 out of 6 ports.

Here's the picture of the available ports


I can only use em4 (MNG1) and em5 (MNG2). em0, em1, em2, and em3 are not working even though all of these ports are detected in OPNSense. When a cable is plugged in, the light doesn't come up; it does on em4 and em5.

Here's the boot log from OPNSense (I replaced the MAC addresses with xx:xx...):
em0: <Intel(R) Gigabit CT 82574L> port 0xe000-0xe01f mem 0xfbd00000-0xfbd1ffff,0xfbd20000-0xfbd23fff irq 16 at device 0.0 on pci1
em0: EEPROM V2.1-0
em0: Using 1024 TX descriptors and 1024 RX descriptors
em0: Using 2 RX queues 2 TX queues
em0: Using MSI-X interrupts with 3 vectors
em0: Ethernet address: xx:xx:xx:xx:xx:86
em0: netmap queues/slots: TX 2/1024, RX 2/1024
pcib2: <ACPI PCI-PCI bridge> irq 16 at device 28.1 on pci0
pci2: <ACPI PCI bus> on pcib2
em1: <Intel(R) Gigabit CT 82574L> port 0xd000-0xd01f mem 0xfbc00000-0xfbc1ffff,0xfbc20000-0xfbc23fff irq 17 at device 0.0 on pci2
em1: EEPROM V2.1-0
em1: Using 1024 TX descriptors and 1024 RX descriptors
em1: Using 2 RX queues 2 TX queues
em1: Using MSI-X interrupts with 3 vectors
em1: Ethernet address: xx:xx:xx:xx:xx:87
em1: netmap queues/slots: TX 2/1024, RX 2/1024
pcib3: <ACPI PCI-PCI bridge> irq 18 at device 28.2 on pci0
pci3: <ACPI PCI bus> on pcib3
em2: <Intel(R) Gigabit CT 82574L> port 0xc000-0xc01f mem 0xfbb00000-0xfbb1ffff,0xfbb20000-0xfbb23fff irq 18 at device 0.0 on pci3
em2: EEPROM V2.1-0
em2: Using 1024 TX descriptors and 1024 RX descriptors
em2: Using 2 RX queues 2 TX queues
em2: Using MSI-X interrupts with 3 vectors
em2: Ethernet address: xx:xx:xx:xx:xx:88
em2: netmap queues/slots: TX 2/1024, RX 2/1024
pcib4: <ACPI PCI-PCI bridge> irq 19 at device 28.3 on pci0
pci4: <ACPI PCI bus> on pcib4
em3: <Intel(R) Gigabit CT 82574L> port 0xb000-0xb01f mem 0xfba00000-0xfba1ffff,0xfba20000-0xfba23fff irq 19 at device 0.0 on pci4
em3: EEPROM V2.1-0
em3: Using 1024 TX descriptors and 1024 RX descriptors
em3: Using 2 RX queues 2 TX queues
em3: Using MSI-X interrupts with 3 vectors
em3: Ethernet address: xx:xx:xx:xx:xx:89
em3: netmap queues/slots: TX 2/1024, RX 2/1024
pcib5: <ACPI PCI-PCI bridge> irq 17 at device 28.4 on pci0
pci5: <ACPI PCI bus> on pcib5
em4: <Intel(R) Gigabit CT 82574L> port 0xa000-0xa01f mem 0xfb900000-0xfb91ffff,0xfb920000-0xfb923fff irq 16 at device 0.0 on pci5
em4: EEPROM V2.1-0
em4: Using 1024 TX descriptors and 1024 RX descriptors
em4: Using 2 RX queues 2 TX queues
em4: Using MSI-X interrupts with 3 vectors
em4: Ethernet address: xx:xx:xx:xx:xx:8a
em4: netmap queues/slots: TX 2/1024, RX 2/1024
pcib6: <ACPI PCI-PCI bridge> irq 16 at device 28.5 on pci0
pci6: <ACPI PCI bus> on pcib6
em5: <Intel(R) Gigabit CT 82574L> port 0x9000-0x901f mem 0xfb800000-0xfb81ffff,0xfb820000-0xfb823fff irq 17 at device 0.0 on pci6
em5: EEPROM V2.1-0
em5: Using 1024 TX descriptors and 1024 RX descriptors
em5: Using 2 RX queues 2 TX queues
em5: Using MSI-X interrupts with 3 vectors
em5: Ethernet address: xx:xx:xx:xx:xx:8b
em5: netmap queues/slots: TX 2/1024, RX 2/1024
 


All ports are detected in OPNSense (I replaced the MAC addresses with xx:xx...):
Valid interfaces are:

em0              xx:xx:xx:xx:xx:86
em1              xx:xx:xx:xx:xx:87
em2              xx:xx:xx:xx:xx:88
em3              xx:xx:xx:xx:xx:89
em4              xx:xx:xx:xx:xx:8a
em5              xx:xx:xx:xx:xx:8b

If you do not know the names of your interfaces, you may choose to use
auto-detection. In that case, disconnect all interfaces now before
hitting 'a' to initiate auto detection.


I checked the BIOS to see if there's any setting to enable them, but I can't seem to find anything.


Anyone familiar with this kind of box can give me some insight on why the first 4 ports aren't working?
#8
I recently enabled the Blocklist feature under Services > Unbound DNS > Blocklist to block ads at the network level, using all of the DNSBL lists except Blocklist.site.

After I enabled this feature, Netflix gives me the tvq-pb-101 error code. I disabled it and it works fine again. How do I know which domain in the list is blocking Netflix?
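An added example (not part of the post, nor OPNsense code) for working out which list entry is responsible: it parses blocklists in the two common formats and checks the names a client resolved against them. The list contents and the queried names are constructed, and it assumes a blocked name also covers its subdomains, as an Unbound local-zone does.

```python
"""Find which DNSBL entry would catch each name a client resolves."""
from typing import Dict, Iterable, Optional, Set

# Constructed samples in the two formats DNSBL sources usually come in.
HOSTS_FORMAT_LIST = """# ad list, hosts format
0.0.0.0 ads.example.com
0.0.0.0 telemetry.example-tv.net   # trailing comment
127.0.0.1 localhost
"""
DOMAIN_FORMAT_LIST = """tracker.example.org
metrics.example-stream.net
"""
# Constructed names a streaming app was seen resolving; in practice take
# them from the client's DNS queries in your resolver logs.
QUERIED = ["api.example-stream.net", "beacon.metrics.example-stream.net",
           "cdn.example-stream.net", "Telemetry.Example-TV.net"]

def parse_blocklist(text: str) -> Set[str]:
    """Accept 'IP host' or bare 'host' lines; strip comments; drop localhost."""
    blocked: Set[str] = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        name = fields[-1].lower().rstrip(".")
        if name not in ("localhost", "localhost.localdomain"):
            blocked.add(name)
    return blocked

def blocking_entry(name: str, blocked: Set[str]) -> Optional[str]:
    """Return the entry covering `name`: itself or a parent domain (assumed
    here, as an Unbound local-zone answers for everything below it too)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def explain(queries: Iterable[str], blocked: Set[str]) -> Dict[str, str]:
    """Map every blocked query to the list entry responsible for it."""
    hits: Dict[str, str] = {}
    for query in queries:
        entry = blocking_entry(query, blocked)
        if entry:
            hits[query] = entry
    return hits

BLOCKED = parse_blocklist(HOSTS_FORMAT_LIST) | parse_blocklist(DOMAIN_FORMAT_LIST)
```

Run `explain(QUERIED, BLOCKED)` against your own merged lists and the names the client actually queried; each key is a name that would be blocked and each value the entry to whitelist.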
#9
Hardware and Performance / Gateprotect GPA 600
June 22, 2022, 09:12:10 PM
Does anyone know what kind of CPU this FW has? I looked around and can't seem to find the information.
#10
192.168.20.21 is my CUPS print server
192.168.0.7 is my printer

I've created this rule:

https://i.imgur.com/blKecpq.png

But I'm not able to connect to 192.168.0.7 from 192.168.20.21. If I remove the RFC1918 rule, it works, but I don't want subnet 192.168.20.x to be able to connect to other VLANs except the one I specify.

What am I missing in the firewall rule?
#11
I have a VLAN for IoT; a Chromecast and a Google Home speaker are among the devices on it. I'm not able to cast audio/video to the Chromecast/Google Home, so I installed the mDNS repeater (os-mdns-repeater) plugin and turned it on for both IoT and my home network.

The Google Home speaker works (I can now cast my audio from my phone/PC/etc.), however I can't get Netflix/YouTube casting to work (it won't detect my Chromecast/TV with casting capabilities).

The weird thing is that if I turn off mDNS, audio casting still works.

Any idea why?
#12
Hello, I'm not an expert.

But I keep hearing the statement that the native LAN (VLAN1) should not be used.

But I'm confused about the implementation. Assume I have 2 ports on my firewall:

eth0: WAN
eth1: LAN - 192.168.1.x

Then I created 3 VLANs:
vlan10: Management (eth1) - 192.168.10.x
vlan20: Home (eth1) - 192.168.20.x
vlan30: IoT (eth1) - 192.168.30.x

And I configured the firewall rules so that
1. vlan10 can access vlan20 and vlan30 but not the other way around.
2. vlan20 can access vlan30 but not the other way around.
3. vlan30 can't access any other network.

And let's say I have a 6-port switch:
sw0: uplink (connected to eth1)
sw1: vlan10
sw2: vlan20
sw3: vlan30
sw4: vlan10 for native, vlan20 and vlan30 tagged (connected to AP so it can broadcast SSIDs for vlan20 and vlan30)
sw5: untagged (this is where I configure everything)

Now that everything is done, what are we going to do with sw5, or should I say the 192.168.1.x network? By "don't use it", does that mean just leave it and make sure nothing is plugged in/accessible by end users, or do I have to disable it? Because if I disable it, I'm going to lose access to 192.168.1.x.

Can someone explain this concept to me?

Also, how do I get the switch to get a 192.168.10.x IP address instead of 192.168.1.x without another port on the firewall? Or is it impossible?
#13
Quote from: KHE on December 31, 2021, 11:52:53 AM
Hi

simply put a rule on top of the block rule to allow the traffic from the Guest net to the Guest address with port 53 (DNS) and IPv4 UDP or IPv4 TCP/UDP.

KH

Thanks, works perfectly 
#14
Hello friend,

I'm using Unbound DNS for all interfaces in my network.

I have a Guest network (VLAN100). I block this Guest network from accessing other networks (RFC1918) in the firewall rules.

Unfortunately, that means the clients under the Guest VLAN won't be able to resolve DNS. How do I block the Guest VLAN from accessing private networks (RFC1918) but still allow the clients under the Guest VLAN to resolve DNS?
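As an added example (not OPNsense code) covering this Guest DNS question, KHE's answer in #13, and the printer rule in post #10: a minimal first-match evaluator showing why the specific allow has to sit above the RFC1918 block. The Guest subnet 192.168.100.0/24 with the firewall at .1 is assumed; the printer addresses are the ones from post #10.

```python
"""First-match evaluation of the firewall rule sets from posts #10 and #13/#14."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = [ipaddress.ip_network("0.0.0.0/0")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def nets(*cidrs):  # a bare host address such as "192.168.0.7" becomes a /32
    return [ipaddress.ip_network(c) for c in cidrs]

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: list
    dst: list
    proto: Optional[str] = None  # None = any protocol
    dport: Optional[int] = None  # None = any destination port

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return (any(s in n for n in self.src) and any(d in n for n in self.dst)
                and self.proto in (None, proto) and self.dport in (None, dport))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp", dport: int = 80) -> str:
    """First matching rule wins (OPNsense rules are 'quick' by default);
    traffic that no rule matches hits the implicit default deny."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"

# Post #10: the printer allow placed BELOW the RFC1918 block is never reached,
# because the block has already matched 192.168.20.21 -> 192.168.0.7.
PRINTER_WRONG = [
    Rule("block", nets("192.168.20.0/24"), RFC1918),
    Rule("pass", nets("192.168.20.21"), nets("192.168.0.7")),
    Rule("pass", nets("192.168.20.0/24"), ANY),
]
PRINTER_RIGHT = [PRINTER_WRONG[1], PRINTER_WRONG[0], PRINTER_WRONG[2]]  # allow on top

# Posts #13/#14: Guest VLAN (constructed 192.168.100.0/24, firewall at .1) may
# reach only the interface address on port 53 above the RFC1918 block; that
# block also covers the firewall's own address, so the GUI stays unreachable.
GUEST = [
    Rule("pass", nets("192.168.100.0/24"), nets("192.168.100.1"), "udp", 53),
    Rule("pass", nets("192.168.100.0/24"), nets("192.168.100.1"), "tcp", 53),
    Rule("block", nets("192.168.100.0/24"), RFC1918),
    Rule("pass", nets("192.168.100.0/24"), ANY),
]
```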