Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
I have an actual SSL cert for my domain.com
When I install this cert, and setup OPN to use it, then I get an error about router.domain.com doesnt match the cert which is for domain.com.
I have my system configured thusly:
The hostname of OPN is router. I have an Unbound override for router.domain.com pointing to 192.168.1.1. I also have an override for domain.com to point to 192.168.1.1 as well. Furthermore I have a firewall rule to allow my computer only to access the router via domain.com or router.domain.com. Thus no intrepid employees *should* be able to access it.
IF I try to access the domain.com I get a potential DNS rebind error. When this happens, I dont have the SSL mismatch error, but I cant login either. When I disable DNS rebind prophylactic, I can access the login page using domain.com
Maybe I need another actual cert for router.domain.com? And another for mail, SAN, etc, etc? I thought we could apply these subdomains to the cert when its generated as alternate names in the cert? Then we can use one cert for these subdomains. Or am I flawed in my logic today?***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.7.11 at Sat Jan 20 11:27:16 MST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (21 candidates): .......... done
Processing candidates (21 candidates): ........ done
The following 15 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
beep: 1.0_1 -> 1.0_2 [OPNsense]
choparp: 20150613 -> 20150613_1 [OPNsense]
fontconfig: 2.14.2,1 -> 2.15.0_1,1 [OPNsense]
ivykis: 0.42.4 -> 0.42.4_1 [OPNsense]
opnsense: 23.7.11 -> 23.7.12 [OPNsense]
opnsense-installer: 23.1 -> 24.1 [OPNsense]
os-sunnyvalley: 1.3 -> 1.4_1 [OPNsense]
pkcs11-helper: 1.29.0 -> 1.29.0_1 [OPNsense]
py39-cryptography: 41.0.7_1,1 -> 41.0.7_2,1 [OPNsense]
py39-netaddr: 0.10.0 -> 0.10.1 [OPNsense]
py39-numpy: 1.25.0_3,1 -> 1.25.0_4,1 [OPNsense]
py39-trio: 0.23.2_1 -> 0.24.0 [OPNsense]
rrdtool: 1.8.0_2 -> 1.8.0_3 [OPNsense]
smartmontools: 7.4 -> 7.4_1 [OPNsense]
sudo: 1.9.15p4 -> 1.9.15p5 [OPNsense]
Number of packages to be upgraded: 15
15 MiB to be downloaded.
[1/15] Fetching py39-cryptography-41.0.7_2,1.pkg: .......... done
[2/15] Fetching py39-numpy-1.25.0_4,1.pkg: .......... done
[3/15] Fetching choparp-20150613_1.pkg: . done
[4/15] Fetching rrdtool-1.8.0_3.pkg: .......... done
[5/15] Fetching ivykis-0.42.4_1.pkg: ......... done
[6/15] Fetching beep-1.0_2.pkg: . done
[7/15] Fetching py39-trio-0.24.0.pkg: .......... done
[8/15] Fetching pkcs11-helper-1.29.0_1.pkg: .......... done
[9/15] Fetching os-sunnyvalley-1.4_1.pkg: . done
[10/15] Fetching fontconfig-2.15.0_1,1.pkg: .......... done
[11/15] Fetching opnsense-23.7.12.pkg: .......... done
[12/15] Fetching sudo-1.9.15p5.pkg: .......... done
[13/15] Fetching smartmontools-7.4_1.pkg: .......... done
[14/15] Fetching opnsense-installer-24.1.pkg: ... done
[15/15] Fetching py39-netaddr-0.10.1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/15] Upgrading py39-cryptography from 41.0.7_1,1 to 41.0.7_2,1...
[1/15] Extracting py39-cryptography-41.0.7_2,1: .......... done
[2/15] Upgrading py39-numpy from 1.25.0_3,1 to 1.25.0_4,1...
[2/15] Extracting py39-numpy-1.25.0_4,1: .......... done
[3/15] Upgrading ivykis from 0.42.4 to 0.42.4_1...
[3/15] Extracting ivykis-0.42.4_1: .......... done
[4/15] Upgrading py39-trio from 0.23.2_1 to 0.24.0...
[4/15] Extracting py39-trio-0.24.0: .......... done
[5/15] Upgrading pkcs11-helper from 1.29.0 to 1.29.0_1...
[5/15] Extracting pkcs11-helper-1.29.0_1: .......... done
[6/15] Upgrading choparp from 20150613 to 20150613_1...
[6/15] Extracting choparp-20150613_1: ...... done
[7/15] Upgrading rrdtool from 1.8.0_2 to 1.8.0_3...
[7/15] Extracting rrdtool-1.8.0_3: .......... done
[8/15] Upgrading beep from 1.0_1 to 1.0_2...
[8/15] Extracting beep-1.0_2: ..... done
[9/15] Upgrading sudo from 1.9.15p4 to 1.9.15p5...
[9/15] Extracting sudo-1.9.15p5: .......... done
[10/15] Upgrading opnsense-installer from 23.1 to 24.1...
[10/15] Extracting opnsense-installer-24.1: .......... done
[11/15] Upgrading py39-netaddr from 0.10.0 to 0.10.1...
[11/15] Extracting py39-netaddr-0.10.1: .......... done
[12/15] Upgrading os-sunnyvalley from 1.3 to 1.4_1...
[12/15] Extracting os-sunnyvalley-1.4_1: ..... done
[13/15] Upgrading fontconfig from 2.14.2,1 to 2.15.0_1,1...
[13/15] Extracting fontconfig-2.15.0_1,1: .......... done
[14/15] Upgrading opnsense from 23.7.11 to 23.7.12...
[14/15] Extracting opnsense-23.7.12: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh'
Writing firmware settings: FreeBSD OPNsense SunnyValley
Writing trust files...done.
Scanning /usr/share/certs/blacklisted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring system logging...done.
[15/15] Upgrading smartmontools from 7.4 to 7.4_1...
[15/15] Extracting smartmontools-7.4_1: .......... done
Running fc-cache to build fontconfig cache...
=====
Message from opnsense-23.7.12:
--
Beep! Beep!
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
pkg-static: Repository SunnyValley has a wrong packagesite, need to re-create database
pkg-static: Repository SunnyValley cannot be opened. 'pkg update' required
The following package files will be deleted:
/var/cache/pkg/py39-cryptography-41.0.7_2,1~36e2b7bb37.pkg
/var/cache/pkg/py39-numpy-1.25.0_4,1~e964a4d6b8.pkg
/var/cache/pkg/py39-cryptography-41.0.7_2,1.pkg
/var/cache/pkg/rrdtool-1.8.0_3~10892ade99.pkg
/var/cache/pkg/py39-numpy-1.25.0_4,1.pkg
/var/cache/pkg/choparp-20150613_1~b7435fd133.pkg
/var/cache/pkg/choparp-20150613_1.pkg
/var/cache/pkg/py39-trio-0.24.0.pkg
/var/cache/pkg/rrdtool-1.8.0_3.pkg
/var/cache/pkg/ivykis-0.42.4_1~4605b98c8c.pkg
/var/cache/pkg/ivykis-0.42.4_1.pkg
/var/cache/pkg/beep-1.0_2~c44ab54fc1.pkg
/var/cache/pkg/beep-1.0_2.pkg
/var/cache/pkg/py39-trio-0.24.0~8f5a78e036.pkg
/var/cache/pkg/pkcs11-helper-1.29.0_1~0a69a9cb9d.pkg
/var/cache/pkg/opnsense-23.7.12~5b505fa4b7.pkg
/var/cache/pkg/pkcs11-helper-1.29.0_1.pkg
/var/cache/pkg/os-sunnyvalley-1.4_1~559a61733f.pkg
/var/cache/pkg/os-sunnyvalley-1.4_1.pkg
/var/cache/pkg/fontconfig-2.15.0_1,1~b8c79e808c.pkg
/var/cache/pkg/fontconfig-2.15.0_1,1.pkg
/var/cache/pkg/opnsense-installer-24.1.pkg
/var/cache/pkg/opnsense-23.7.12.pkg
/var/cache/pkg/sudo-1.9.15p5~4ec658bae7.pkg
/var/cache/pkg/sudo-1.9.15p5.pkg
/var/cache/pkg/smartmontools-7.4_1~32379df1a0.pkg
/var/cache/pkg/smartmontools-7.4_1.pkg
/var/cache/pkg/opnsense-installer-24.1~03df1a534b.pkg
/var/cache/pkg/py39-netaddr-0.10.1~2f60b605d6.pkg
/var/cache/pkg/py39-netaddr-0.10.1.pkg
The cleanup will free 15 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.7.11 at Sat Jan 20 10:49:23 MST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (19 candidates): .......... done
Processing candidates (19 candidates): ....... done
Checking integrity... done (0 conflicting)
The following 12 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
beep: 1.0_1 -> 1.0_2 [OPNsense]
choparp: 20150613 -> 20150613_1 [OPNsense]
fontconfig: 2.14.2,1 -> 2.15.0_1,1 [OPNsense]
opnsense: 23.7.11 -> 23.7.12 [OPNsense]
opnsense-installer: 23.1 -> 24.1 [OPNsense]
os-sunnyvalley: 1.3 -> 1.4_1 [OPNsense]
pkcs11-helper: 1.29.0 -> 1.29.0_1 [OPNsense]
py39-netaddr: 0.10.0 -> 0.10.1 [OPNsense]
py39-trio: 0.23.2_1 -> 0.24.0 [OPNsense]
rrdtool: 1.8.0_2 -> 1.8.0_3 [OPNsense]
smartmontools: 7.4 -> 7.4_1 [OPNsense]
sudo: 1.9.15p4 -> 1.9.15p5 [OPNsense]
Number of packages to be upgraded: 12
[1/12] Upgrading py39-trio from 0.23.2_1 to 0.24.0...
[1/12] Extracting py39-trio-0.24.0: ....
pkg-static: Fail to create temporary file for /usr/local/lib/python3.9/site-packages/trio/_core/_tests/type_tests/nursery_start.py:Device not configured
[1/12] Extracting py39-trio-0.24.0... done
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***[/color]Yes, you are correct on what i am trying to do. It is this.
You have a 192.168.0.0/24 ip range which is configured to hand out IPs 192.168.0.42 to 192.168.0.200.
You wish to statically assign network hardare to IPs 192.168.0.2 to 192.168.0.20.You wish to statically assign some clients to IPs 192.168.1.21 to 192.168.1.41.
I wish to assign some to 192.168.0.21-.41Apparently I do have the typo somehwere.
I'm still confused. Are you trying to assign static 192.168.1.x ips to a 192.168.0.x pool or not?you need to use the static mapping if you want to be lazy
in your Services > DHCPv4 > LAN go all the way down to the bottom and add Static DHCP Mapping. This uses the device MAC address.
Write down all the MAC address of all the devices individually and add them here.
-ADD MAC
-ADD IP
-ADD HOSTNAME
-ADD DNS
-ADD GATEWAY
you need to do this for every device.
That's what they're doing. But AFAICT it's not working because they're trying to assign static ips outside of the subnet range.
Yes. this i know. It is very basic networking.... Im not trying to assign out of the subnet.
But alas, my autistic brain tends to thinks a little differently...
Please. See in the original post, the complaint DHCP is sending about static, and dynamically configured lease. This is the genesis of my thread..
My brain = aaargh!!
This would be easier if you post a screenshot of your DHCP config screen(s).
Here is what I think you're saying.
You have a 192.168.0.0/24 ip range which is configured to hand out IPs 192.168.0.42 to 192.168.0.200.
You wish to statically assign network hardare to IPs 192.168.0.2 to 192.168.0.20.
You wish to statically assign some clients to IPs 192.168.1.21 to 192.168.1.41.
I'm unclear on is if you're trying to set up 192.168.1.0 IPs in a 192.168.0.0/24 range or if that's a typo. DHCP can only assign IPs based on it's available range. /24 won't give you 192.168.0.0 and 192.168.1.0.
Dynamic and static leases present for FOO.X.
Remove host declaration s_lan_0 or remove FOO.X
from the dynamic address pool for FOO.0/24you can install Chrony and use NTS.Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323
I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de
Interesting. I hadn't realized there was an effort to do secure NTP.
Is your concern interception between the internet and the OPNSense machine, OPNSense and your LAN clients, or your LAN clients to the internet?
none6@pci0:3:0:0: class=0x028000 rev=0x00 hdr=0x00 vendor=0x168c device=0x003c subvendor=0x0000 subdevice=0x0000
vendor = 'Qualcomm Atheros'
device = 'QCA986x/988x 802.11ac Wireless Network Adapter'
class = network
ath0@pci0:4:0:0: class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002e subvendor=0x168c subdevice=0x30a4
vendor = 'Qualcomm Atheros'
device = 'AR9287 Wireless Network Adapter (PCI-Express)'
class = network