Messages - marirs

#1
Found the issue:

https://github.com/opnsense/core/issues/7355

Had to change IPv4 Configuration Type to "None" on the Wireguard interface.
#2
I upgraded from 24.1.2 to 24.1.10 and it seems that routes to Wireguard peers no longer get added. E.g. if I have a peer with "Allowed IPs" set to "10.2.0.0/24" I cannot ping 10.2.0.1 from the router because there is no route added. Manually adding a route: route -4 -v add 10.2.0.0/24 -interface wg1 gets things working again. "Disable Routes" is NOT checked in the Wireguard instance settings. I have made no config changes after the upgrade and things were working fine in 24.1.2.
#3
When captive portal is enabled and someone connects a device like an Amazon Echo or a Firestick or Google speaker, the console is spammed with messages like:

2023-12-07T22:35:47.183132-06:00 router lighttpd 86435 - - (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.71/src/h1.c.441) unexpected TLS ClientHello on clear port (10.102.80.10)

Each device seems to make a connection every ~second or so, so with multiple devices you get this message multiple times a second.

The problem seems to be that these devices are making requests to external IPs, and this is intercepted by the hotspot and redirected to the hotspot portal. I'm not sure if multiple devices will overload the hotspot web server.

The only solution I can think of is to ban clients that repeatedly do this, but I'm not sure how to set up the firewall rules to do this?

Any other solution or workaround?
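As an added example (not from the post above and not OPNsense code), a small Python script that parses lighttpd messages in the format quoted in this post and reports which client IPs repeat the "unexpected TLS ClientHello on clear port" error more than a threshold within a sliding window. The syslog field layout (host, program, pid, two "-" placeholders) and the sample lines are assumptions/constructed; the output is only a list of candidate IPs to feed into whatever firewall rule or alias you decide on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the lighttpd line quoted in the post; the client IP is in the trailing parentheses.
# Assumption: fields after the timestamp are host, program, pid and two "-" placeholders.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ lighttpd \d+ - - \(.*?\) "
    r"unexpected TLS ClientHello on clear port \((?P<ip>[0-9.]+)\)$"
)

def parse_line(line):
    """Return (timestamp, client_ip) for a matching line, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("ip")

def repeat_offenders(lines, window_s=10.0, threshold=5):
    """Client IPs that produce more than `threshold` ClientHello errors inside any
    sliding window of `window_s` seconds. Returns {ip: peak_count_in_window}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # unrelated syslog lines are skipped
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

# Constructed sample: one device hitting once per second for 8 s, another only twice.
def _sample():
    tpl = ("2023-12-07T22:35:{s:02d}.183132-06:00 router lighttpd 86435 - - "
           "(/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.71/src/h1.c.441) "
           "unexpected TLS ClientHello on clear port ({ip})")
    lines = [tpl.format(s=47 + i, ip="10.102.80.10") for i in range(8)]
    lines += [tpl.format(s=s, ip="10.102.80.11") for s in (47, 52)]
    lines.append("2023-12-07T22:35:50.000000-06:00 router sshd 123 - - unrelated line")
    return lines

SAMPLE_LINES = _sample()

if __name__ == "__main__":
    print(repeat_offenders(SAMPLE_LINES))   # {'10.102.80.10': 8}
```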
#4
I'm using two captive portals on two interfaces (guest, staff), and authenticating using freeradius.

However, I can't figure out which interface the request is coming from in freeradius, which means that 'guest' users will be able to log in to the 'staff' network (and vice versa).

These are the attributes received in freeradius:

(0) Received Access-Request Id 68 from 10.102.0.1:58440 to 10.102.0.105:1812 length 83
(0)   User-Name = "test"
(0)   Service-Type = Login-User
(0)   Framed-Protocol = 15
(0)   NAS-Identifier = "62f71ef65546a"
(0)   NAS-Port = 0
(0)   NAS-Port-Type = Ethernet
(0)   User-Password = "test"

The only solution I can think of is using two (virtual) freeradius servers. Am I missing something? Ideally, the radius request should include the interface that is associated with the request.