Messages - defaultuserfoo

#1
24.7, 24.10 Production Series / unable to delete alias
November 21, 2024, 06:40:33 AM
Hi,

how do I get rid of an unused firewall alias that appears as still being referenced and can not be deleted?

When I try to delete it, I'm getting an info that a rule is still using it, but I deleted the rule and then deleted the whole interface the rule was used with.  There is no way that this alias should still be used in any way.

So far, I was only able to disable the alias.  It's for a host and contains an IPv4 address.
#2
Oh, cool, I didn't know that!  I pasted them with space(s) in between ...
#3
Thanks, it's working now!

I guess it didn't like that I copied and pasted two addresses at the same time into the field.
#4
Thank you very much!

The help text of that option could be more clear.  Here's a suggestion:


Automatically update option data for relevant attributes as routers,
dns servers and ntp servers when applying settings from the gui.


Perhaps make that


Use data from the settings of this firewall for DHCP options given
to clients when the 'Auto collect option data' option is enabled.
With this option disabled, you can specify the DHCP options
given to clients manually.


... and rename that option to something like 'Use default DHCP options'.


PS: Is there a way to specify multiple DNS servers?  I tried that and it said I need to specify valid addresses.
#5
Hi,

how can I specify different DNS server(s) per subnet when using KEA?
#6
Sorry, it was all my fault: I failed to enable the interface after assigning it.  After enabling it, it now shows up :)
#7
Hi,

I have set up a wireguard peer and assigned an interface to the connection.  Now I want to create a floating firewall rule to allow the remote peer on the wireguard interface to access hosts on a local subnet.  In this case, the peer is a single host.

But OPNsense doesn't allow me to pick the wireguard interface but only the wireguard group for creating floating rules :(

Since there will be some site-to-site connections as well that will also be hidden in the wireguard group, I can't use the wireguard group in the floating rules.  I need the particular interfaces that are hiding in the wireguard group.  The rules for all the wireguard connections will be different.

How do I get the wireguard interface usable to create floating firewall rules?
#8
I need to use an alias to specify a name server address for clients on a VLAN.

The address of the name server is an IPv6 address on another VLAN.  It's assigned to the server through DHCPv6.  I have created an alias for the server as a dynamic IPv6 host because the IPv6 prefix may change at any time.  So the only way to somehow specify the address of the DNS server seems to be using the alias.

Unfortunately, in the DHCPv6 configuration of the interface the client is connected to, the web interface won't let me use the alias to specify a name server but says "A valid IPv6 address must be specified for the primary/secondary DNS servers."

So how am I supposed to specify a valid IPv6 address for the DNS server?


I've given the DNS server also the address fd53::11/16 on one of its interfaces.  I could use that as address for the DNS server for the clients, but opnsense does not have an interface in that network.  Since the interface for the VLAN the clients are in is tracking the WAN interface to get IPv6 addresses, there doesn't seem to be any way to put an additional IPv6 address on that interface, and the DNS server remains unreachable.

How can I give interfaces that are tracking the WAN interface for IPv6 addresses additional addresses?

I guess I could add another VLAN and give opnsense another interface to make the DNS server reachable, but that seems like a rather convoluted solution and overkill for a problem that should be easy to solve.
#9
Thanks!  Are you sure the information shown on that page is true?  It seems to me it depends on what you set as prefix length for the interface yourself, not what your ISP actually gives you.
#10
Is there no other way?

It seems that other routers figure it out automatically.  Or not?
#11
How do I know which IPv6 prefix length has been assigned by the provider?
#12
Quote from: passeri on October 03, 2023, 02:56:26 AM
...and thanks for raising the original topic of configuration of BIND on Opnsense, defaultuserfoo. It is something I am about to test myself.

It'll be a while before I can make the change here.  If you can read/understand bind configuration files, you should be fine.  If you want to look at them, they're under /usr/local/etc/namedb.
#13
Quote from: Patrick M. Hausen on October 04, 2023, 07:51:33 AM
The ISC changed the terms to primary and secondary with BIND 9 and there is no arguing about that fact. Probably you missed the memo.

Well, I didn't get a memo.  I'm not arguing about the fact that they decided to use different words for the same thing.  I'm only saying that they should have picked better words and that they shouldn't have picked different ones to begin with.


PS:  I think you're right about the 'technical artifact'.  I keep forgetting that 'artifact' in English doesn't mean 'artifact' as in something that is very old, and that it means something artificially created instead.
#14
Quote from: passeri on October 03, 2023, 02:54:57 AM
@defaultuserfoo, let's get the politics out of it. A secondary server gives authoritative answers. It will continue to do so if the primary drops permanently dead, there being no technical/configuration difference in that respect.

The remote server doesn't give any answers to the local server other than in response to zone transfer requests for those zones it is configured to transfer when they are requested.  It doesn't request anything from the local server unless the local server would be configured to answer requests from the remote server if the remote server were configured to send requests to the local one.

Quote
The secondary can be updated directly by the admin, even while a primary exists (if you do not mind a potential discrepancy) and will not be overridden unless the primary is updated. That overriding is solely a function of a selection of update direction (which you find more convenient to update directly) and trivial to switch around; nothing else.

Both the remote and the local server can be updated or not.  There's no discrepancy, and nothing gets overridden.

Something might be overridden, or discrepancies could be created, if both the local and the remote server were authoritative for the same zones.  If they were, that would be a misconfiguration, wouldn't it?

Quote
For these reasons, ISC adopted the primary/secondary terminology as reflecting reality, where use of master/slave is misleading and futile. You will find that other people either have made or are making this change. It's in the docs.

These are not reasons; they are invalid.  It's confusing and may be misleading.  Master/slave is evident and not misleading, nor futile.
#15
Quote from: Patrick M. Hausen on October 03, 2023, 01:07:12 AM
Quote from: defaultuserfoo on October 03, 2023, 12:33:05 AM
Quote from: Patrick M. Hausen on October 02, 2023, 11:18:46 PM
You don't see how "master" and "slave" could be problematic terms in today's political environment?
No, what's the problem?  What has politics to do with it?
Seriously? People being triggered by some technical artifact being named "slave"? Where have you been living?

Seriously.  What's wrong with these people?  Zone entries in the configuration of DNS servers aren't a technical artifact anyway.

Besides, 'primary' and 'secondary' is nonsense.  Technically, they are all master zones; the difference is that master zones are local, or 'native' if you want to call it that way, while the DNS server acts as a slave by getting zones from and serving zones on behalf of another DNS server which is therefore called 'master'.  So you could call them maybe 'local', or 'native', and 'foreign', or 'alien', zones, but not 'primary' or 'secondary'.  'Secondary' even indicates that there might be 'tertiary', and so on, zones, and that makes it confusing.  However, 'master' and 'slave' zones are evident, and there's no reason for changing their naming.

Quote
Quote from: defaultuserfoo on October 03, 2023, 12:33:05 AM
Do you have any idea how to create SRV records through the GUI?
Sure, see screen shot - of course you can only create entries in master/primary zones.

Thanks, that works :)
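Added example, not taken from the thread or from OPNsense's BIND plugin: the two zone roles argued about in the posts above, written as BIND 9 `named.conf` fragments for the two servers involved.  The server holding the zone file declares the zone `type primary` (`type master` before BIND 9.16) and decides who may transfer it; the other server declares the same zone `type secondary` (`type slave` before 9.16) and only ever fetches a copy from the address listed under `primaries`.  The zone name, hostnames and addresses (RFC 5737 documentation ranges) are made up for the example; only the `/usr/local/etc/namedb` path comes from the thread.

```conf
// ---- ns1 (192.0.2.1): holds the zone file, answers transfer requests ----
// Assumption: BIND 9.16 or newer keyword spelling; names/addresses invented.
options {
    directory "/usr/local/etc/namedb";   // config location mentioned in the thread
    notify yes;                          // send NOTIFY to secondaries after a change
};

zone "example.test" {
    type primary;                        // zone data is local ("master" in BIND < 9.16)
    file "primary/example.test.db";
    allow-transfer { 192.0.2.2; };       // only ns2 may AXFR/IXFR this zone
    also-notify { 192.0.2.2; };          // tell ns2 to re-check the serial now
};

// ---- ns2 (192.0.2.2): serves a copy it pulls from ns1 ----
zone "example.test" {
    type secondary;                      // zone data comes from ns1 ("slave" in BIND < 9.16)
    file "secondary/example.test.db";    // where the transferred copy is written
    primaries { 192.0.2.1; };            // "masters { ... };" in BIND < 9.16
    allow-transfer { none; };            // do not hand the zone on to anyone else
};
```

Both servers give authoritative answers for `example.test`; the only traffic between them is NOTIFY from ns1 and the transfer request from ns2, which ns1 answers solely because of `allow-transfer`.  ns2 replaces its copy only when the SOA serial on ns1 has increased, so an edit made directly to the file on ns2 survives until ns1's serial is bumped, which is the "overriding" discussed above.  Records such as the SRV record asked about at the end belong in the zone file on ns1, in the form `_ldap._tcp.example.test. IN SRV 10 60 389 ldap.example.test.` (priority, weight, port, target).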