Messages - bcjenkins

#1
15.7 Legacy Series / Re: IPv6 LAN NET
October 05, 2015, 03:17:52 PM
I changed the firewall from LAN NET to any and it allowed traffic to flow. Does this create an exposure?
#2
15.7 Legacy Series / IPv6 LAN NET
October 02, 2015, 06:57:22 PM
How is a LAN NET defined for an IPv6 network when the network is DHCPv6?

I am seeing blocks in my firewall for traffic originating on the LAN side to do things like DNS lookups or HTTPS traffic.

Quote: The rule that triggered this action is:

@5 block drop in log inet6 all label "Default deny rule IPv6"

OPNsense 15.7.15-amd64   
FreeBSD 10.1-RELEASE-p19   
LibreSSL 2.2.3
#3
In the WAN interface tab at the bottom, make sure you are not blocking private networks.
#4
15.7 Legacy Series / [SOLVED] Firewall Filter Rule
August 12, 2015, 08:39:22 PM
How do you filter the firewall logs so that I can look at my IPv6 blocks only?
#5
The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.

There isn't a /etc/sudoers file (is that what's needed on BSD?) I did add my user to wheel manually and it didn't have any effect.
#6
15.7 Legacy Series / Re: Help with Dynamic DNS
July 10, 2015, 02:31:59 PM
That's awesome. It might be an interesting feature enhancement to make one of the monitoring interfaces a pseudo one which pings against an external server to derive its value. This way it can be managed in the GUI.

#7
I can confirm the workaround works, but there is still an issue with proper group membership.

/etc/inc/auth.inc contains:
/* admins access gives wheely rights */
if (userHasPrivilege($user, 'page-all')) {
$user_group = 'wheel';
}


However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.
#8
Thanks, I will try this out.
#9
I have added a user, ssh key, admin privileges, and shell access via the web gui. The user is not being allowed to login with the following error:
Quote: NO LOGINS: System going down at 10:32

pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin

Connection closed by

I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.

Is there something else needed?

--bcj
#10
15.7 Legacy Series / Re: Help with Dynamic DNS
July 08, 2015, 02:03:18 PM
You can run a dynamic IP address update utility from any PC behind the ISP router. This could be your OPNsense firewall or a Windows PC, etc.

In order to run an updater on the OPNsense firewall which is independent of the functions built in, you would want to run it from a script of some sort. I don't use no-ip, so I can't speak to whether or not this script would work. It was found using Google. For reference: http://techgeekjay.blogspot.com/2013/03/no-ip-automatic-update-bash-script-for.html

A few pieces have been changed such as using sh for the interpreter instead of bash and log locations.

#!/bin/sh

# No-IP uses your e-mail address as the account name, so make sure that you encode the @ as %40
USERNAME=--account name--
PASSWORD=--my password--
HOST=--my host name--
LOGFILE=/var/log/noip.log
STOREDIPFILE=/var/run/current_ip
USERAGENT="Simple Bash No-IP Updater/0.4 antoniocs@gmail.com"

# Make sure the file that remembers the last address we pushed exists
if [ ! -e "$STOREDIPFILE" ]; then
    touch "$STOREDIPFILE"
fi

# Current public address as seen from outside; -s keeps curl's progress meter out of the variable
NEWIP=$(curl -s http://icanhazip.com/)
STOREDIP=$(cat "$STOREDIPFILE")

if [ "$NEWIP" != "$STOREDIP" ]; then
    # Capture No-IP's reply in RESULT. Sending it to the log with -o would
    # truncate the log file and leave RESULT empty.
    RESULT=$(curl -s --user-agent "$USERAGENT" "https://$USERNAME:$PASSWORD@dynupdate.no-ip.com/nic/update?hostname=$HOST&myip=$NEWIP")

    LOGLINE="[$(date +"%Y-%m-%d %H:%M:%S")] $RESULT"
    echo "$NEWIP" > "$STOREDIPFILE"
else
    LOGLINE="[$(date +"%Y-%m-%d %H:%M:%S")] No IP change"
fi

echo "$LOGLINE" >> "$LOGFILE"

exit 0


Save this to the firewall, adjust the values as needed at the top and set it up in a cron job.

--bcj
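An added example, not code from bcj's post or from the OPNsense project: the same cron-driven No-IP updater idea, written so that the account credentials never appear in the URL (and so never in ps output, shell history or any proxy log), so that a broken "what is my IP" reply is never pushed to No-IP, and so that the script stops on the DynDNS2 error words (badauth, nohost, abuse, ...) that No-IP is known to punish with account blocks when a client keeps retrying. The file paths, the netrc layout, the user agent string and the hostname placeholder are assumptions; the status words follow the DynDNS2 convention No-IP's API uses.

```shell
#!/bin/sh
# Hardened No-IP updater for FreeBSD /bin/sh (added example, not from the post).
# Assumption: credentials live in a 0600 netrc file, one line:
#   machine dynupdate.no-ip.com login USER password PASS
NETRC=/usr/local/etc/noip.netrc
HOST=--my host name--
LOGFILE=/var/log/noip.log
STOREDIPFILE=/var/run/current_ip
FAILFILE=/var/run/noip.fatal        # created on an error a human must fix first
USERAGENT="OPNsense noip updater/0.1 admin@example.invalid"   # No-IP wants a contact address

log() { printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE"; }

# Accept only a plain dotted quad, so an HTML error page or a blank reply from
# the address lookup service can never be sent on to No-IP as "myip".
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Map a DynDNS2 reply to an action. badauth/nohost/badagent/!donator/abuse are
# permanent until a human intervenes; 911 means the service asks us to wait.
classify_response() {
    case "$1" in
        good*)   echo updated ;;
        nochg*)  echo unchanged ;;
        911*)    echo retry ;;
        badauth*|nohost*|badagent*|'!donator'*|abuse*) echo fatal ;;
        *)       echo unknown ;;
    esac
}

run_update() {
    if [ -e "$FAILFILE" ]; then
        log "skipped: earlier fatal error, remove $FAILFILE after fixing it"
        return 1
    fi
    newip=$(curl -s -4 --max-time 15 http://icanhazip.com/) || { log "address lookup failed"; return 1; }
    if ! valid_ipv4 "$newip"; then
        log "address lookup returned garbage, not pushing: $(printf '%s' "$newip" | cut -c1-60)"
        return 1
    fi
    if [ -e "$STOREDIPFILE" ] && [ "$(cat "$STOREDIPFILE")" = "$newip" ]; then
        log "No IP change"
        return 0
    fi
    # --netrc-file keeps USER and PASS out of argv and out of the URL.
    reply=$(curl -s --max-time 15 --netrc-file "$NETRC" --user-agent "$USERAGENT" \
        "https://dynupdate.no-ip.com/nic/update?hostname=$HOST&myip=$newip")
    case "$(classify_response "$reply")" in
        updated|unchanged) echo "$newip" > "$STOREDIPFILE"; log "$reply" ;;
        retry)  log "No-IP asked us to retry later: $reply" ;;
        fatal)  touch "$FAILFILE"; log "fatal, updates disabled until $FAILFILE is removed: $reply" ;;
        *)      log "unexpected reply: $reply" ;;
    esac
}

# Only touch the network when invoked as "noip.sh run" (e.g. from cron), so the
# functions above can be sourced and exercised offline.
if [ "${1:-}" = run ]; then
    run_update
fi
```

Install it as a cron entry such as `*/5 * * * * /usr/local/bin/noip.sh run`, create the netrc file with `chmod 600`, and watch /var/log/noip.log; if noip.fatal appears, the credentials or hostname are wrong and no further requests will be made until you delete it.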
#11
15.7 Legacy Series / Re: Help with Dynamic DNS
July 07, 2015, 03:28:48 AM
You could write a script to do it and run the script from any computer behind the modem/router.

#!/bin/sh

# Ask an external service which address our traffic is seen from
PUBLIC_IP=$(curl -s http://ipecho.net/plain; echo)
echo "$PUBLIC_IP"


#12
If my provider provided any host name it would be in their naming convention and not mine; therefore useless to me. The IPv6 DHCP services are not handled locally. Instead, they are handled by my provider. IPv4 host names are provided locally by the inside DHCP services. These names are meaningful to me.

I do have the track interface's IPv6 address set up as a DNS provider and I am running the Unbound DNS server. This is currently managed manually and I have a request for consideration thread opened to make it automated. https://forum.opnsense.org/index.php?topic=795.0

#13
Hi Franco,

How would the hosts file learn of the IP addresses and how would it update when the provider makes a change? I don't see how that is possible.

--bcj
#14
15.1 Legacy Series / [REQUEST]
June 27, 2015, 02:38:46 PM
IPv6 addresses are assigned by my Internet provider and I would like to use my LAN's track address as the DNS server for my dual stack hosts.

Would you consider adding a checkbox on the services_dhcp.php page to add the LAN IPv6 address to the DNS list of the IPv4 DHCP requests? This should also stop the propagation of the router's IPv6 DNS servers to the inside hosts.

Right now I am putting the address into my global lists manually, but I would rather the inside clients not have the ability to query outside servers.

Thanks for any considerations!
#15
Feel free to do whatever you'd like, I appreciate the willingness to incorporate the feedback! The arp -a command doesn't take anything on my side to execute, for what it is worth, but I don't know if that's always the case for others.

Enjoy your weekend as well.