Messages

1

Virtual private networks / Re: Questions to Migrate OpenVPN Servers legacy to Instances New

« on: July 24, 2024, 06:58:25 pm »

I am revisiting opnsense and grappling with the new openvpn options to migrate a server to an instance. What I have noticed is, if I leave bind interfaces blank, it does not seem to bind to the desired interface to which traffic is being forwarded:
I port forward udp/1194 from WAN to an opt interface (DMZ), and the only way I can get a client connection is if I explicitly set the bind field to the DMZ IP. I haven't checked yet to see what interfaces openvpn is actually listening on when I leave the bind interface field empty. But so far, seems it is not listening on at least one of the OPT interfaces.
Also I prefer not to hard code IP addresses where possible, but this seems to have become increasingly necessary.

2

General Discussion / Re: Ping to LAN interface returns WAN IP Address

« on: November 09, 2023, 11:40:02 am »

Thank you for both suggestions. Either should work in my case.

Incidentally, after posting I noticed that if I exclude wan from unbound listening interfaces, its IP is not returned in DNS answer. However that's not nececssary in the case of the various OPT interfaces. They don't seem to appear in the DNS response.

I understand that unbound listen 'all' is the default and recommended option. I do recall some time in the past I had issues when I did not select that, and the problem was not simply because DNS was absent on the omitted interfaces. IIRC it was something to do with interfaces, assigned to VPN, not being up at boot time.

Thanks again.

3

General Discussion / Re: Ping to LAN interface returns WAN IP Address

« on: November 08, 2023, 03:37:57 pm »

Whilst it may not be a bug, how to remove the wan ip from dns response to the lan hostname?

If, say, you have a port forward (with NAT reflection enabled) on the WAN for http/s, and this directs to an internal webserver, then depending on which IP your client OS chooses, you will hit opnSense admin web interface or the other internal webserver.

4

23.7 Legacy Series / URL table alias file formats

« on: November 06, 2023, 04:35:26 pm »

What are the supported formats for files pulled in for this alias type? I understand a single list if IPs or CIDRs is supported.
Can it parse other formats?
Many thanks.

5

23.7 Legacy Series / Acme plugin and its dedicated ssh keys

« on: November 05, 2023, 02:25:59 pm »

I am setting up the acme plugin and using the 'sftp upload' and 'ssh command' actions.
I configured some actions, activated the plugin and an acme staging account.
I noticed the acme generated ssh rsa pubkey (that I'd copied to the remote hosts) had been regenerated at some point. This obviously caused the automations to begin failing.
What changes in the acme config trigger ssh keys in /var/etc/acme-client/sftp-config/ to be regenerated?
Many thanks.

6

22.1 Legacy Series / Re: Port forwards, auto firewall rules & associating pipes

« on: February 16, 2022, 02:12:15 pm »

1. If I create a port forward rule, select multiple interfaces and select make new firewall rule association, no firewall rules are generated. This only works for new forwarding rules where a single interface is chosen. Is this by design?

Since posting I think I found the answer to my first question. With multiple interfaces selected, the firewall rule is created, under floating rules.
However the interfaces that rule acts on are not displayed in the floating rules list and it doesn't seem possible to open a view on details of an autogenerated/system-managed floating rule.

7

22.1 Legacy Series / Port forwards, auto firewall rules & associating pipes

« on: February 16, 2022, 11:42:20 am »

I have a few questions on port forwards, auto firewall rules & associating pipes. I'd be grateful for any help.

1. If I create a port forward rule, select multiple interfaces and select make new firewall rule association, no firewall rules are generated. This only works for new forwarding rules where a single interface is chosen. Is this by design?

2. When creating a forward rule, I can select firewall interfaces by name in the 'Destination' dropdown. However these same aliases are not available in 'Redirect target IP' dropdown. There, I need to specify firewall's interface IP or have manually created aliases for such. It strikes me these built-in aliases should also be available in the 'Redirect target IP' dropdown too. I find I create port fowards for DNS, NTP etc and often reference the firewall's IP on the selected interface (rather than 127.0.0.1).

3. Bandwidth limits associated with a particular port forward or firewall rule. e.g. restricting bandwidth available to a public facing webserver exposed via NAT. Is it possible to associate an existing traffic shaper pipe directly within a rule or forwarding definition? Or is traffic shaping configured solely within the Shaper section of the opensense interface?

I'm new to opnsense and enjoying exploring the interface. One thing that would help me is higher contrast text. I find the grey on off white difficult to read after a while. Can I change the theme?