Messages - ks98330q

#1
24.1, 24.4 Legacy Series / Re: DNS Rebind
March 17, 2024, 11:30:18 PM
Thanks Mr Maurice. 
I did add the domain.com to the alt hostnames, and all is well in Denmark now. 
I obviously didn't think to try that. 

Thanks again!
:beer
#2
24.1, 24.4 Legacy Series / DNS Rebind
March 16, 2024, 09:39:24 PM
Sooooo...
I must not understand DNS Rebind protection too well.
It's supposed to block access from the private address clients (LAN) to the DNS servers via hostname/IP?

I would really like to access my OPN via name (router.domain.com) WITHOUT the annoying untrusted cert warning.

I have an actual SSL cert for my domain.com
When I install this cert, and set up OPN to use it, then I get an error about router.domain.com doesn't match the cert which is for domain.com.
I have my system configured thusly:
The hostname of OPN is router.  I have an Unbound override for router.domain.com pointing to 192.168.1.1.  I also have an override for domain.com to point to 192.168.1.1 as well.  Furthermore I have a firewall rule to allow my computer only to access the router via domain.com or router.domain.com.  Thus no intrepid employees *should* be able to access it.

If I try to access the domain.com I get a potential DNS rebind error.  When this happens, I don't have the SSL mismatch error, but I can't log in either.  When I disable DNS rebind prophylactic, I can access the login page using domain.com

Maybe I need another actual cert for router.domain.com?  And another for mail, SAN, etc, etc?  I thought we could apply these subdomains to the cert when it's generated as alternate names in the cert?  Then we can use one cert for these subdomains.  Or am I flawed in my logic today?
Or am I better to sliver the DNS off OPN and make a standalone DNS server?
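As an added example (not code from this thread or from OPNsense), the following models the two checks behind the two errors described in the post above: the web GUI's DNS-rebind guard, which compares the HTTP Host header against the firewall's own FQDN and the configured alternate hostnames, and TLS hostname verification under the RFC 6125 rules, where a certificate issued only for domain.com does not cover router.domain.com unless a SAN entry (router.domain.com or the wildcard *.domain.com) is present. The hostname router, the domain domain.com, 192.168.1.1 and the SAN lists are taken from or constructed for the example; the rule that literal IP addresses bypass the rebind guard is this model's simplification, not a claim about OPNsense's exact check order.

```python
"""Added example (not from the thread or OPNsense): a model of the GUI's
DNS-rebind guard and of RFC 6125 certificate hostname matching."""
import ipaddress

FIREWALL_HOSTNAME = "router"       # system hostname, as in the post
FIREWALL_DOMAIN = "domain.com"
ALT_HOSTNAMES = {"domain.com"}     # the alternate hostname the poster added


def host_header_allowed(host_header, hostname=FIREWALL_HOSTNAME,
                        domain=FIREWALL_DOMAIN, alt_hostnames=ALT_HOSTNAMES):
    """True if a request carrying this Host header should reach the login page;
    False is the 'potential DNS rebind attack' page (model, see lead-in)."""
    host = host_header.strip()
    if host.startswith("["):                     # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:host.index("]")]
    else:
        host = host.split(":", 1)[0]             # drop an explicit port
    host = host.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return True                              # literal address: nothing for DNS to rebind
    except ValueError:
        pass
    fqdn = f"{hostname}.{domain}".lower()
    return host == fqdn or host in {h.lower() for h in alt_hostnames}


def _san_matches(pattern, name):
    """Match one dNSName SAN entry against a hostname (RFC 6125 wildcard rules)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # the wildcard must be the whole leftmost label and appear nowhere else
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # *.com is rejected, and a wildcard covers exactly one label
    if len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def hostname_matches_cert(hostname, san_dns_names):
    """True if any SAN dNSName in the certificate covers the hostname."""
    return any(_san_matches(p, hostname) for p in san_dns_names)


def diagnose(url_host, san_dns_names, **gui):
    """Return (passes_rebind_guard, cert_matches) for one browser request."""
    return host_header_allowed(url_host, **gui), hostname_matches_cert(url_host, san_dns_names)


if __name__ == "__main__":
    cert_for_apex = ["domain.com"]                       # what the poster installed
    cert_with_san = ["domain.com", "router.domain.com"]  # what removes the mismatch
    print(diagnose("router.domain.com", cert_for_apex))                # (True, False)
    print(diagnose("domain.com", cert_for_apex, alt_hostnames=set()))  # (False, True)
    print(diagnose("domain.com", cert_for_apex))                       # (True, True)
    print(diagnose("router.domain.com", cert_with_san))                # (True, True)
```

The four calls at the bottom walk through the post in order: router.domain.com passes the rebind guard but fails the apex-only certificate, domain.com matches the certificate but hits the rebind page until it is listed as an alternate hostname, and a certificate carrying router.domain.com in its SAN satisfies both checks.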



#3
Imma jump on this bandwagon too.  For me I have none of the issues with KEA.  Until I enable the control agent.  Then I get the same error as this post is titled. 
#4
23.7 Legacy Series / Re: Broken Update
January 20, 2024, 07:28:36 PM
Nevermind....
I did a reboot for another reason.  I attempted the update again and it is successful now...

***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.7.11 at Sat Jan 20 11:27:16 MST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (21 candidates): .......... done
Processing candidates (21 candidates): ........ done
The following 15 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
beep: 1.0_1 -> 1.0_2 [OPNsense]
choparp: 20150613 -> 20150613_1 [OPNsense]
fontconfig: 2.14.2,1 -> 2.15.0_1,1 [OPNsense]
ivykis: 0.42.4 -> 0.42.4_1 [OPNsense]
opnsense: 23.7.11 -> 23.7.12 [OPNsense]
opnsense-installer: 23.1 -> 24.1 [OPNsense]
os-sunnyvalley: 1.3 -> 1.4_1 [OPNsense]
pkcs11-helper: 1.29.0 -> 1.29.0_1 [OPNsense]
py39-cryptography: 41.0.7_1,1 -> 41.0.7_2,1 [OPNsense]
py39-netaddr: 0.10.0 -> 0.10.1 [OPNsense]
py39-numpy: 1.25.0_3,1 -> 1.25.0_4,1 [OPNsense]
py39-trio: 0.23.2_1 -> 0.24.0 [OPNsense]
rrdtool: 1.8.0_2 -> 1.8.0_3 [OPNsense]
smartmontools: 7.4 -> 7.4_1 [OPNsense]
sudo: 1.9.15p4 -> 1.9.15p5 [OPNsense]

Number of packages to be upgraded: 15

15 MiB to be downloaded.
[1/15] Fetching py39-cryptography-41.0.7_2,1.pkg: .......... done
[2/15] Fetching py39-numpy-1.25.0_4,1.pkg: .......... done
[3/15] Fetching choparp-20150613_1.pkg: . done
[4/15] Fetching rrdtool-1.8.0_3.pkg: .......... done
[5/15] Fetching ivykis-0.42.4_1.pkg: ......... done
[6/15] Fetching beep-1.0_2.pkg: . done
[7/15] Fetching py39-trio-0.24.0.pkg: .......... done
[8/15] Fetching pkcs11-helper-1.29.0_1.pkg: .......... done
[9/15] Fetching os-sunnyvalley-1.4_1.pkg: . done
[10/15] Fetching fontconfig-2.15.0_1,1.pkg: .......... done
[11/15] Fetching opnsense-23.7.12.pkg: .......... done
[12/15] Fetching sudo-1.9.15p5.pkg: .......... done
[13/15] Fetching smartmontools-7.4_1.pkg: .......... done
[14/15] Fetching opnsense-installer-24.1.pkg: ... done
[15/15] Fetching py39-netaddr-0.10.1.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/15] Upgrading py39-cryptography from 41.0.7_1,1 to 41.0.7_2,1...
[1/15] Extracting py39-cryptography-41.0.7_2,1: .......... done
[2/15] Upgrading py39-numpy from 1.25.0_3,1 to 1.25.0_4,1...
[2/15] Extracting py39-numpy-1.25.0_4,1: .......... done
[3/15] Upgrading ivykis from 0.42.4 to 0.42.4_1...
[3/15] Extracting ivykis-0.42.4_1: .......... done
[4/15] Upgrading py39-trio from 0.23.2_1 to 0.24.0...
[4/15] Extracting py39-trio-0.24.0: .......... done
[5/15] Upgrading pkcs11-helper from 1.29.0 to 1.29.0_1...
[5/15] Extracting pkcs11-helper-1.29.0_1: .......... done
[6/15] Upgrading choparp from 20150613 to 20150613_1...
[6/15] Extracting choparp-20150613_1: ...... done
[7/15] Upgrading rrdtool from 1.8.0_2 to 1.8.0_3...
[7/15] Extracting rrdtool-1.8.0_3: .......... done
[8/15] Upgrading beep from 1.0_1 to 1.0_2...
[8/15] Extracting beep-1.0_2: ..... done
[9/15] Upgrading sudo from 1.9.15p4 to 1.9.15p5...
[9/15] Extracting sudo-1.9.15p5: .......... done
[10/15] Upgrading opnsense-installer from 23.1 to 24.1...
[10/15] Extracting opnsense-installer-24.1: .......... done
[11/15] Upgrading py39-netaddr from 0.10.0 to 0.10.1...
[11/15] Extracting py39-netaddr-0.10.1: .......... done
[12/15] Upgrading os-sunnyvalley from 1.3 to 1.4_1...
[12/15] Extracting os-sunnyvalley-1.4_1: ..... done
[13/15] Upgrading fontconfig from 2.14.2,1 to 2.15.0_1,1...
[13/15] Extracting fontconfig-2.15.0_1,1: .......... done
[14/15] Upgrading opnsense from 23.7.11 to 23.7.12...
[14/15] Extracting opnsense-23.7.12: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh'
Writing firmware settings: FreeBSD OPNsense SunnyValley
Writing trust files...done.
Scanning /usr/share/certs/blacklisted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring system logging...done.
[15/15] Upgrading smartmontools from 7.4 to 7.4_1...
[15/15] Extracting smartmontools-7.4_1: .......... done
Running fc-cache to build fontconfig cache...
=====
Message from opnsense-23.7.12:

--
Beep! Beep!
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
pkg-static: Repository SunnyValley has a wrong packagesite, need to re-create database
pkg-static: Repository SunnyValley cannot be opened. 'pkg update' required
The following package files will be deleted:
/var/cache/pkg/py39-cryptography-41.0.7_2,1~36e2b7bb37.pkg
/var/cache/pkg/py39-numpy-1.25.0_4,1~e964a4d6b8.pkg
/var/cache/pkg/py39-cryptography-41.0.7_2,1.pkg
/var/cache/pkg/rrdtool-1.8.0_3~10892ade99.pkg
/var/cache/pkg/py39-numpy-1.25.0_4,1.pkg
/var/cache/pkg/choparp-20150613_1~b7435fd133.pkg
/var/cache/pkg/choparp-20150613_1.pkg
/var/cache/pkg/py39-trio-0.24.0.pkg
/var/cache/pkg/rrdtool-1.8.0_3.pkg
/var/cache/pkg/ivykis-0.42.4_1~4605b98c8c.pkg
/var/cache/pkg/ivykis-0.42.4_1.pkg
/var/cache/pkg/beep-1.0_2~c44ab54fc1.pkg
/var/cache/pkg/beep-1.0_2.pkg
/var/cache/pkg/py39-trio-0.24.0~8f5a78e036.pkg
/var/cache/pkg/pkcs11-helper-1.29.0_1~0a69a9cb9d.pkg
/var/cache/pkg/opnsense-23.7.12~5b505fa4b7.pkg
/var/cache/pkg/pkcs11-helper-1.29.0_1.pkg
/var/cache/pkg/os-sunnyvalley-1.4_1~559a61733f.pkg
/var/cache/pkg/os-sunnyvalley-1.4_1.pkg
/var/cache/pkg/fontconfig-2.15.0_1,1~b8c79e808c.pkg
/var/cache/pkg/fontconfig-2.15.0_1,1.pkg
/var/cache/pkg/opnsense-installer-24.1.pkg
/var/cache/pkg/opnsense-23.7.12.pkg
/var/cache/pkg/sudo-1.9.15p5~4ec658bae7.pkg
/var/cache/pkg/sudo-1.9.15p5.pkg
/var/cache/pkg/smartmontools-7.4_1~32379df1a0.pkg
/var/cache/pkg/smartmontools-7.4_1.pkg
/var/cache/pkg/opnsense-installer-24.1~03df1a534b.pkg
/var/cache/pkg/py39-netaddr-0.10.1~2f60b605d6.pkg
/var/cache/pkg/py39-netaddr-0.10.1.pkg
The cleanup will free 15 MiB
Deleting files: .......... done
All done
Nothing to do.
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***
#5
23.7 Legacy Series / Broken Update
January 20, 2024, 06:57:01 PM
So I'm attempting to update to 23.7.12 from 23.7.11.  Goes thru the procedure, and says everything is peachy, but then complains an update to 23.7.12 is available.  Here is the post update output:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 23.7.11 at Sat Jan 20 10:49:23 MST 2024
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
Checking for upgrades (19 candidates): .......... done
Processing candidates (19 candidates): ....... done
Checking integrity... done (0 conflicting)
The following 12 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
beep: 1.0_1 -> 1.0_2 [OPNsense]
choparp: 20150613 -> 20150613_1 [OPNsense]
fontconfig: 2.14.2,1 -> 2.15.0_1,1 [OPNsense]
opnsense: 23.7.11 -> 23.7.12 [OPNsense]
opnsense-installer: 23.1 -> 24.1 [OPNsense]
os-sunnyvalley: 1.3 -> 1.4_1 [OPNsense]
pkcs11-helper: 1.29.0 -> 1.29.0_1 [OPNsense]
py39-netaddr: 0.10.0 -> 0.10.1 [OPNsense]
py39-trio: 0.23.2_1 -> 0.24.0 [OPNsense]
rrdtool: 1.8.0_2 -> 1.8.0_3 [OPNsense]
smartmontools: 7.4 -> 7.4_1 [OPNsense]
sudo: 1.9.15p4 -> 1.9.15p5 [OPNsense]

Number of packages to be upgraded: 12
[1/12] Upgrading py39-trio from 0.23.2_1 to 0.24.0...
[1/12] Extracting py39-trio-0.24.0: ....
pkg-static: Fail to create temporary file for /usr/local/lib/python3.9/site-packages/trio/_core/_tests/type_tests/nursery_start.py:Device not configured
[1/12] Extracting py39-trio-0.24.0... done
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***


I've no idea what the "Device not configured" is all about.  I've been running OPN for quite a while, on the original install.
#6
23.7 Legacy Series / Batman and OPNSense
September 07, 2023, 05:00:37 PM
Just checking if Batman or a similar derivative is available on OPNSense.
If not whom could I send the feature request to?
#7
23.1 Legacy Series / Re: DHCP Pools
May 17, 2023, 03:33:43 AM
Ugh!   Yes the typo comes again.....
Let me fix it now...
I did also edit the original post so please re-read.  Sorry for all this....

Quote from: CJRoss on May 16, 2023, 03:02:44 PM
Quote from: ks98330q on May 16, 2023, 03:02:07 AM
Yes, you are correct on what i am trying to do.  It is this.

You have a 192.168.0.0/24 ip range which is configured to hand out IPs 192.168.0.42 to 192.168.0.200.
You wish to statically assign network hardware to IPs 192.168.0.2 to 192.168.0.20.
You wish to statically assign some clients to IPs 192.168.1.21 to 192.168.1.41.

I wish to assign some to 192.168.0.21-.41

Apparently I do have the typo somewhere.

I'm still confused.  Are you trying to assign static 192.168.1.x ips to a 192.168.0.x pool or not?

Quote from: lilsense on May 16, 2023, 03:15:32 AM
you need to use the static mapping if you want to be lazy :)

in your Services > DHCPv4 > LAN go all the way down to the bottom and add Static DHCP Mapping. This uses the device MAC address.

Write down all the MAC address of all the devices individually and add them here.

-ADD MAC
-ADD IP
-ADD HOSTNAME
-ADD DNS
-ADD GATEWAY

you need to do this for every device.

That's what they're doing.  But AFAICT it's not working because they're trying to assign static ips outside of the subnet range.
Yes.  This I know.  It is very basic networking....  I'm not trying to assign out of the subnet.

But alas, my autistic brain tends to think a little differently...

Please.  See in the original post, the complaint DHCP is sending about static, and dynamically configured lease.  This is the genesis of my thread..

My brain = aaargh!! ::) 
#8
23.1 Legacy Series / Re: DHCP Pools
May 16, 2023, 03:02:07 AM
Yes, you are correct on what i am trying to do.  It is this.

You have a 192.168.0.0/24 ip range which is configured to hand out IPs 192.168.0.42 to 192.168.0.200.
You wish to statically assign network hardware to IPs 192.168.0.2 to 192.168.0.20.
You wish to statically assign some clients to IPs 192.168.1.21 to 192.168.1.41.


Apparently I do have the typo somewhere.

Quote from: CJRoss on May 15, 2023, 01:11:39 PM
This would be easier if you post a screenshot of your DHCP config screen(s).

Here is what I think you're saying.

You have a 192.168.0.0/24 ip range which is configured to hand out IPs 192.168.0.42 to 192.168.0.200.
You wish to statically assign network hardware to IPs 192.168.0.2 to 192.168.0.20.
You wish to statically assign some clients to IPs 192.168.1.21 to 192.168.1.41.

What I'm unclear on is if you're trying to set up 192.168.1.0 IPs in a 192.168.0.0/24 range or if that's a typo.  DHCP can only assign IPs based on its available range.  /24 won't give you 192.168.0.0 and 192.168.1.0.
#9
23.1 Legacy Series / DHCP Pools
May 14, 2023, 11:31:41 PM
So maybe I'm not understanding the reality of the DHCP pools.  Allow me to enumerate what I try to do:

I have the OPNSense
I have 4 wireless APs, servers, etc, etc.  I want to use DHCP reservation here.
I have a few clients I want to never change the IP, but I'm too lazy to go change the device to the static IP.
I want to use DHCP reservation here too.

Soooo.  I make the pools.

The IP of OPN is FOO.1
According to Services -> DHCP4 -> LAN, the available range is FOO.1 to FOO.254 (/24 network)
I have the DHCP4 RANGE setup from FOO.42 to FOO.200
I want all my network hardware to get the IP from pool of: FOO.2 to FOO.20
I want the clients I am too lazy to hand config from the pool of: FOO .21 to FOO.41
Everyone else gets FOO.42 to FOO.200 on a dynamic, no reserve basis.

So I do this and I get this error in the logs:

  Dynamic and static leases present for FOO.X.
Remove host declaration s_lan_0 or remove FOO.X
from the dynamic address pool for FOO.0/24


Where FOO.X is the client in my network hardware pool.  I use X because when I remove the one it complains about from static reserve, it gripes about another client.  I did also install  the MAC addresses of the devices I want in each pool, to that pool, and checked the "DENY CLIENTS EXCEPT THOSE LISTED BELOW" on each pool ONLY. (Services -> DHCP4 -> LAN ->Additional Pools -> Pool:FOO, and Pool: BAR -> MAC Address Control)

I did NOT select the Deny clients.... check box on Services -> DHCP4 -> LAN.
So my understanding of it is this:  The clients of the particular MAC in the FOO pool will get addresses in the FOO.2-20 range.  The other pool in its range.   If I remove a client MAC from any pool, it will only get an address from the FOO.42-200 range.

Is it all right?

If it is, why do I get the complaints in the DHCP log and how to dispose of it?
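As an added example (not code from this thread or from OPNsense), the following is a pre-flight check that reproduces ISC dhcpd's "Dynamic and static leases present" complaint from a pool layout before it is applied. dhcpd requires the fixed address of every host declaration (a static mapping) to lie outside every dynamic range, additional pools included; a pool's MAC allow/deny list does not change that rule. FOO is spelled out as the constructed prefix 192.168.50, and the MAC addresses and host-declaration names are constructed as well.

```python
"""Added example (not from the thread or OPNsense): lint a dhcpd pool layout
for static-in-dynamic-range conflicts and show the message dhcpd would log."""
import ipaddress

SUBNET = ipaddress.ip_network("192.168.50.0/24")   # constructed stand-in for FOO.0/24

# The layout from the post: main range plus two additional pools.
POOLS = {
    "lan":      ("192.168.50.42", "192.168.50.200"),
    "hardware": ("192.168.50.2",  "192.168.50.20"),
    "lazy":     ("192.168.50.21", "192.168.50.41"),
}

# Constructed static mappings, keyed like dhcpd's generated host declarations.
STATIC = {
    "s_lan_0": ("aa:bb:cc:00:00:01", "192.168.50.5"),    # an access point
    "s_lan_1": ("aa:bb:cc:00:00:02", "192.168.50.30"),   # a "lazy" client
    "s_lan_2": ("aa:bb:cc:00:00:03", "192.168.50.210"),  # outside every pool
}


def _bounds(first, last):
    """Parse a range and reject one whose start lies after its end."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if a > b:
        raise ValueError(f"range start {a} is after end {b}")
    return a, b


def pool_problems(subnet, pools):
    """Pools that leave the subnet or overlap one another (dhcpd rejects both)."""
    problems = []
    bounds = {name: _bounds(*rng) for name, rng in pools.items()}
    for name, (a, b) in bounds.items():
        if a not in subnet or b not in subnet:
            problems.append(f"pool {name} {a}-{b} is not inside {subnet}")
    names = list(bounds)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            (a1, b1), (a2, b2) = bounds[n1], bounds[n2]
            if a1 <= b2 and a2 <= b1:
                problems.append(f"pools {n1} and {n2} overlap")
    return problems


def lease_conflicts(pools, static):
    """(host declaration, ip, pool) for every static IP inside a dynamic range."""
    conflicts = []
    for host, (_mac, ip) in static.items():
        addr = ipaddress.ip_address(ip)
        for name, rng in pools.items():
            a, b = _bounds(*rng)
            if a <= addr <= b:
                conflicts.append((host, ip, name))
    return conflicts


def dhcpd_messages(subnet, pools, static):
    """The log lines dhcpd emits for this layout, in its own wording."""
    return [
        f"Dynamic and static leases present for {ip}. "
        f"Remove host declaration {host} or remove {ip} "
        f"from the dynamic address pool for {subnet}"
        for host, ip, _pool in lease_conflicts(pools, static)
    ]


def reservations_only_outside(pools, static, dynamic_pool="lan"):
    """One layout dhcpd accepts: a single dynamic range with every reservation
    outside it, so the MAC-keyed pools are not needed.  Returns the kept pool
    and any reservation that would still clash with it."""
    kept = {dynamic_pool: pools[dynamic_pool]}
    a, b = _bounds(*kept[dynamic_pool])
    clashing = [h for h, (_m, ip) in static.items() if a <= ipaddress.ip_address(ip) <= b]
    return kept, clashing


if __name__ == "__main__":
    print(pool_problems(SUBNET, POOLS))             # []
    for line in dhcpd_messages(SUBNET, POOLS, STATIC):
        print(line)                                  # one line per static mapping in a pool
    kept, clashing = reservations_only_outside(POOLS, STATIC)
    print(kept, clashing, lease_conflicts(kept, STATIC))  # single pool, no clashes
```

Run as-is, the two reservations that sit inside the additional pools each produce the exact complaint quoted in the post, while the mapping at .210 is silent because no dynamic range covers it; with only the .42-.200 range kept, lease_conflicts returns nothing.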





#10
23.1 Legacy Series / Re: Secure NTP
April 28, 2023, 04:07:10 PM
Quote from: abulafia on April 27, 2023, 10:44:27 PM
Quote from: lilsense on April 27, 2023, 02:11:26 PM
you can install Chrony and use NTS.
Yep. Here's a list of NTS servers:
- https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d
- https://gitlab.com/-/snippets/2481323

I use:
time.cloudflare.com,ptbtime1.ptb.de,ptbtime2.ptb.de,ptbtime3.ptb.de,ntp2.glypnod.com,nts.sth1.ntp.se,nts.sth2.ntp.se,ntp.3eck.net,ntp.trifence.ch,ntp.zeitgitter.net,nts1.adopo.net,www.jabber-germany.de,www.masters-of-cloud.de,ntppool1.time.nl,ntppool2.time.nl,ptbtime4.ptb.de,paris.time.system76.com,ntp3.fau.de

I'll give it a try....
#11
23.1 Legacy Series / Re: Secure NTP
April 28, 2023, 04:06:37 PM
Quote from: CJRoss on April 27, 2023, 01:49:38 PM
Interesting.  I hadn't realized there was an effort to do secure NTP.

Is your concern interception between the internet and the OPNSense machine, OPNSense and your LAN clients, or your LAN clients to the internet?

Yes.  It obviously isn't well known, or most don't really give $.02 about it.  Anyway, NIST in the US offers an authenticated NTP service. It's free, and renews every September. 
#12
23.1 Legacy Series / Secure NTP
April 27, 2023, 05:27:27 AM
Just checking to see if secure NTP can be configured on OPNSense.
If not, could it be enabled?

#13
22.7 Legacy Series / Re: Locking up for no real reason
December 21, 2022, 05:47:22 AM
Vilhonator-
I was able to make this work by allowing DHCP on the AP interface for the router which has a 10.220.0.X address, then I was able to change the network for the AP provided by hostapd to the 10.220.1.X network.  All is working now with that section.  I applied the rules you mentioned and the wireless clients are off limits to any admin interface and any peers on the network.  I decided to abandon the Debian install, and used OpnSense as the access point.

-> A new concern:  I have 2 WLAN cards installed, but only one is recognised by OPNSense.  pciconf -lv shows:

none6@pci0:3:0:0:       class=0x028000 rev=0x00 hdr=0x00 vendor=0x168c device=0x003c subvendor=0x0000 subdevice=0x0000
    vendor     = 'Qualcomm Atheros'
    device     = 'QCA986x/988x 802.11ac Wireless Network Adapter'
    class      = network
ath0@pci0:4:0:0:        class=0x028000 rev=0x01 hdr=0x00 vendor=0x168c device=0x002e subvendor=0x168c subdevice=0x30a4
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9287 Wireless Network Adapter (PCI-Express)'
    class      = network


the none6 item is not working.  ath0 is functioning correctly.  How to get the none6 to work?

#14
22.7 Legacy Series / Re: Locking up for no real reason
December 18, 2022, 05:07:44 PM
Vilhonator
I'll give this a try later today or tomorrow and report back
#15
22.7 Legacy Series / Locking up for no real reason
December 18, 2022, 02:59:19 AM
Hello there.  I've installed an external AP-nothing fancy just an old computer running a small install of Debian with hostapd.  I've configured everything, but when I plug the AP into the port on the opnsense the entire machine stops responding.  I can get an IP but can't access admin interface or surf.  Disconnecting the AP does nothing.  Rebooting with the AP disconnected doesn't help.  The only recovery is to console in, and disable the interface the AP was attached to,  reboot, then everything will work.

So here is how I have my stuff setup:
bge0 <wan static IP> (built in NIC.  Broadcom Xtreme Gig ethernet)
bce0 <10.220.0.1/24 with DHCP turned on.  Pool is .2-.75>
bce1 <10.220.0.100/24 with DHCP turned on.  Pool is .101-.150>
bce0, bce1 are together on one card.

I can make any combination of the interfaces, and all is well, until the AP comes to the party.  So it <shouldn't> be a flaky interface
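As an added example (not code from this thread or from OPNsense), the following lints the interface layout listed above: it flags any two interfaces whose IPv4 networks overlap (only one interface can own the route for a prefix) and any DHCP range that leaves its own interface's network, contains the interface address, or lands inside another interface's network. It then re-runs the checks after one interface is renumbered to a 10.220.1.X network, the move the December 21 reply above describes. The WAN address is a constructed placeholder from the documentation range; the bce0/bce1 entries are as posted.

```python
"""Added example (not from the thread or OPNsense): overlap and DHCP-range
checks over an OPNsense interface layout."""
import ipaddress
from itertools import combinations

# Layout from the post.  The WAN address is a constructed placeholder.
INTERFACES = {
    "bge0": {"cidr": "203.0.113.10/24", "pool": None},
    "bce0": {"cidr": "10.220.0.1/24",   "pool": ("10.220.0.2", "10.220.0.75")},
    "bce1": {"cidr": "10.220.0.100/24", "pool": ("10.220.0.101", "10.220.0.150")},
}


def _network(cidr):
    return ipaddress.ip_interface(cidr).network


def overlapping_networks(interfaces):
    """Pairs of interfaces whose networks overlap, with both networks spelled out."""
    hits = []
    for a, b in combinations(interfaces, 2):
        na, nb = _network(interfaces[a]["cidr"]), _network(interfaces[b]["cidr"])
        if na.overlaps(nb):
            hits.append((a, b, str(na), str(nb)))
    return hits


def pool_problems(interfaces):
    """DHCP ranges that leave their interface's network, swallow the interface
    address, run backwards, or start inside another interface's network."""
    problems = []
    for name, cfg in interfaces.items():
        if not cfg["pool"]:
            continue                                  # no DHCP on this interface
        net = _network(cfg["cidr"])
        own = ipaddress.ip_interface(cfg["cidr"]).ip
        first, last = (ipaddress.ip_address(x) for x in cfg["pool"])
        if first > last:
            problems.append(f"{name}: pool start {first} is after end {last}")
        if first not in net or last not in net:
            problems.append(f"{name}: pool {first}-{last} is not inside {net}")
        if first <= own <= last:
            problems.append(f"{name}: pool {first}-{last} contains the interface address {own}")
        for other, ocfg in interfaces.items():
            onet = _network(ocfg["cidr"])
            if other != name and first in onet:
                problems.append(f"{name}: pool starts inside {other}'s network {onet}")
    return problems


def with_renumbered(interfaces, name, cidr, pool):
    """Copy of the layout with one interface moved to a new network and range."""
    new = {k: dict(v) for k, v in interfaces.items()}
    new[name] = {"cidr": cidr, "pool": pool}
    return new


def lint(interfaces):
    """All findings for a layout; an empty result on both keys means it is clean."""
    return {"overlaps": overlapping_networks(interfaces), "pools": pool_problems(interfaces)}


if __name__ == "__main__":
    print(lint(INTERFACES))                      # bce0/bce1 overlap, pools cross over
    fixed = with_renumbered(INTERFACES, "bce1", "10.220.1.100/24",
                            ("10.220.1.101", "10.220.1.150"))
    print(lint(fixed))                           # {'overlaps': [], 'pools': []}
```

On the posted layout the linter reports that bce0 and bce1 both claim 10.220.0.0/24 and that each interface's DHCP range sits inside the other's network; after bce1 is moved to 10.220.1.100/24 with a matching range, both lists are empty.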