Messages

1

23.1 Legacy Series / Re: Losing DHCP and maybe more since 23.x

« on: May 06, 2023, 05:17:49 am »

Thanks very much. Is there a way to auto-restart using either monit or some other service? In pfSense I used to use a watchdog to do that.

Still not sure why I'm losing connectivity, though knowing I've lost it is interesting.

2

23.1 Legacy Series / Losing DHCP and maybe more since 23.x

« on: May 05, 2023, 07:19:59 am »

I've been running 22.x since it came out and my system has been very stable. I updated to 23.1, and since then, my system will occasionally (maybe every ~2-3 days) stop serving up DHCPv4 addresses to machines on my network. Even if hardcode an address and ping or try to connect to the router, I cannot. I don't really know how to troubleshoot this more, since the only good fix I've found is to reboot the box. My questions:

1. Any good way to look at the logs from before the previous shutdown?
2. I've seen monit, but I haven't figured out how to use it to make sure that e.g. DHCP is up and running, or other core services
3. I've read through a bit of the forum and I haven't seen others with similar trouble. What should I do to help narrow this down so I can file a formal bug report, if that is indeed what this is?

thanks!

3

22.1 Legacy Series / Re: ddclient invalid reply talking to Namecheap

« on: June 07, 2022, 07:15:50 pm »

Thanks for sharing that config. It's similar enough to mine that it unfortunately didn't help. I'm now working with support at Namecheap to figure out what I'm supposed to enter as the domain to update. My wild guess is I'd have to make something like e.g. 'dd.EXAMPLE.COM' and then make a CNAME that aliases that, rather than just using EXAMPLE.COM as the dynamic host.

4

22.1 Legacy Series / ddclient invalid reply talking to Namecheap

« on: June 07, 2022, 06:34:31 am »

I'm setting up OPNsense to update dynamic DNS at provider Namecheap. In this case, the dynamic address is assigned to my base domain (e.g. example.com), so at Namecheap I have that configured as "@". In ddclient on OPNsense, I have configured the base domain (example.com).

In my logs I'm seeing that the domain is not found. I'm unable to set "@.example.com" in ddclient so I'm guessing that the base domain name is correct. My logs show the following errors. Can anyone tell me what I'm doing wrong?

Code: [Select]

2022-06-06T21:28:26-07:00 Notice ddclient[50858] 63477 - [meta sequenceId="78"] FAILED: updating EXAMPLE.com: Invalid reply.
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="77"] WARNING: </interface-response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="76"] WARNING: <debug><![CDATA[]]></debug>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="75"] WARNING: <Done>true</Done>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="74"] WARNING: </responses>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="73"] WARNING: </response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="72"] WARNING: <ResponseString>Validation error; not found; domain name(s)</ResponseString>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="71"] WARNING: <ResponseNumber>316153</ResponseNumber>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="70"] WARNING: <Description>Domain name not found</Description>

5

22.1 Legacy Series / Re: After power outage, IPv4 WAN doesn't automatically start

« on: June 07, 2022, 06:20:07 am »

Just wanted to bump this to see if anyone had any ideas?

6

22.1 Legacy Series / WAN DHCP on IPv4 - retry until it gets an IP?

« on: June 03, 2022, 06:39:07 am »

We had a power outage a few days ago, and OPNsense came up fine after the outage, but only had a IPv6 gateway to my ISP. I manually disabled the WAN interface and then re-enabled it, and after that both IPv4 and IPv6 came up.

Is there a setting I need to do to force IPv4 to keep retrying to come up on WAN?

Also is there magic (such as firewall rules or otherwise) to let my internal IPv4 network use the IPv6 gateway to my WAN? thanks a lot.

(Edit: Renamed the subject for clarity)

7

22.1 Legacy Series / Re: Firewall rules to allow OpenVPN access to my LAN

« on: April 07, 2022, 08:12:05 am »

Ok I've figured it out. I had the OpenVPN server set to listen on Interface "any". It needs to listen on Interface "WAN". D'oh!

thanks all!

8

22.1 Legacy Series / Re: Firewall rules to allow OpenVPN access to my LAN

« on: April 06, 2022, 05:14:24 am »

Thanks. I realized I created that interface for VPN when I was trying to look at the live firewall log and wanted to watch all traffic on the interface. I deleted it and still don't seem to be able to reach the intranet, though the VPN seems intact.

9

22.1 Legacy Series / Re: Firewall rules to allow OpenVPN access to my LAN

« on: April 05, 2022, 11:53:04 pm »

bumping this with the hope that anyone has ideas?

10

22.1 Legacy Series / [SOLVED] Firewall rules to allow OpenVPN access to my LAN

« on: March 31, 2022, 07:38:41 pm »

I'm a relatively new convert from pfSense to opnsense. I've been happy with it, but I'm still unsure how to get my firewall rules configured correctly.

First, when I navigate to Firewall -> Rules, I have a ruleset for "OPENVPN" and a second ruleset for "OpenVPN". Is this correct? The all-caps one is from the Interface that I created that maps to "ovpns1". I'm unsure what the ruleset for "OpenVPN" came from, nor how/if to delete it.

Both of these rule sets are empty, except for some default rules on the OPENVPN for blocking bogon networks. When I connect to the VPN, I find that I can't even connect to the VPN's gateway (192.168.x.1) to get to opnsense. It feels like it's a firewall block, since the telnet command gets hung.

Is there some obvious thing I'm missing? Thanks much.

I've put a few screenshots showing the interfaces, the VPN rules, and the firewall logs, at this link. https://imgur.com/a/98vZ7nX

EDIT: I figured out what's wrong. I needed to setup the VPN server to listen on Interface "WAN" instead of Interface "any".

11

22.1 Legacy Series / Re: Setting up AdGuard Home for only some subnets?

« on: March 01, 2022, 01:17:52 am »

Thanks, this sounds exactly like what I need to do.

Would you be willing to share a screenshot or detail of the floating firewall rule?

I did something of this sort with Unbound and AdGuardHome. I kept Unbound on 9 of my VLANs plus localhost. (10.0 thru 10.8, and localhost) The 10th VLAN (which is streaming TV i.e. Roku and Apple) has AdGuard listening on port 53 and forwarding to localhost:53 for upstream. I did this lazy approach so I could see what the streaming TV's are doing. Also did an outbound NAT port 53 into localhost:53 to stop the Roku going to 8.8.8.8. Next step is looking at ZenArmor to stop DoT & DoH from getting out, as I see my iPhone when on Wifi goes to some dns-apple.com site it looks like for resolution. So far it's working good. The only gotcha, I had to modify my floating rule to reverse/ignore via an alias my domain/dns to allow them outside access (no blocking of anykind) as backup/testing of name resolution.

12

22.1 Legacy Series / Setting up AdGuard Home for only some subnets?

« on: February 28, 2022, 05:41:14 pm »

Hi, I'm trying to setup AdGuard Home for my home network, but I have to leave one subnet untouched by AdGuard.

Is the right way to do this to do a few port forwarding rules so that the networks I want protected redirect to AdGuard's DNS port, and the other nets point to Unbound directly? It looks like AdGuard Home has support for mapping individual clients, but I'd prefer to do this with rules of the form:

192.168.1.0/24 --> AdGuard DNS --> Unbound DNS forward
192.168.41.0/24 --> Unbound DNS directly

(I configure the "Unbound DNS forward" as a fallback DNS server in AdGuard Home.)

I'm running AdGuard Home via the os-adguardhome-maxit community plugin, btw.

thanks

13

22.1 Legacy Series / Re: DMZ web server inaccessible from LAN, but fine from WAN

« on: February 28, 2022, 12:05:42 am »

Thank you! Yes for some reason I only had the Firewall Advanced setting for "Reflection for port forwards" set, the other two were not. Turning those on and reloading the firewall seems to have done the trick, even after I deleted the overrides in Unbound. Thanks very much!

yeah i tried to use dns but kept getting issues with it getting confused and not working for a while etc.

just make sure you have all three NAT settings ticked in Firewall: Settings: Advanced

and create a nat port forwarding rule for what you want make sure nat reflection is ticked in the rule. and auto create a filter rule too.
if you've done it right you'll see the rule in the Firewall: Rules: Floating bit.
make sure its top of the rules. 

thats what i've got and it now worked.  hopefully it does for you

14

22.1 Legacy Series / Re: [SOLVED] CPU utilization much higher than with pfSense

« on: February 27, 2022, 08:25:43 pm »

Bug filed: https://github.com/opnsense/plugins/issues/2869

15

22.1 Legacy Series / Re: DMZ web server inaccessible from LAN, but fine from WAN

« on: February 27, 2022, 07:58:31 pm »

Thank you to @Koldnitz. I added DNS overrides to make this work, at least for now. I'd still prefer to solve this via the firewall rules so I don't need to explicitly add each host to Unbound (a wildcard won't work for what I need since I direct some entries to external services in the cloud). But for now, I'm at least able to get this working.

https://homenetworkguy.com/how-to/deploy-nginx-proxy-manager-in-dmz-with-opnsense/

The part in the above link about split DNS might be useful to you.

It seems he is did something similar to what you are doing.

Cheers,