Messages - Com_DAC

#1
I've just set up a WireGuard tunnel to my box and will hope that, wherever I have to go, that traffic won't be blocked.
#2
I'm going to be doing some traveling and want to make a device to bring with me. I've got a small machine set up with OPNsense and an 8-port managed switch. My plan is to make it so I can plug this machine into my internet wherever I am and then have some of the ports on the switch give me full access to my home network as if I was there. I've set up site-to-site WireGuard before, but the second device won't know its external IP and might have to get through NAT before connecting. Does anyone have any experience with this type of setup? Would WireGuard still be good, or would OpenVPN on, say, port 443 be better to minimize the chances of being blocked?

Thank you,
#3
Perfect. Thank you. That is along the lines of what I was able to determine.
#4
I've switched my DHCP over to Kea. I've currently got the control agent disabled. Should I enable it? What purpose does it serve?

Thank you.
#5
I've got an instance of OPNsense that has been running without issue for over a year now. I'm wanting to add a second one in an HA configuration (CARP). I'm wondering how I should start with the second one. Should I set it up with a restore from the existing primary, or should it be blank with minimal configuration and let the sync process set it up?

Thank you.
#6
Thank you Franco. I did the Reset DNS data option and was able to upgrade two remote sites without issue.
#7
I did a clean install importing the existing config and it all went well. The only downside is this will have me visit all the other sites that I maintain so I'm on site when trying the upgrade.

Thanks.
#8
The upgrade went fine on my test environment instance so I figured I'd try it on my main instance and got the following when upgrading:

***GOT REQUEST TO UPGRADE***
Currently running OPNsense 23.7.12_5 at Tue Jan 30 09:41:44 EST 2024
Fetching packages-24.1-amd64.tar: ......................................... done
Fetching base-24.1-amd64.txz: .......... done
Fetching kernel-24.1-amd64.txz: ..... done
Extracting packages-24.1-amd64.tar... done
Extracting base-24.1-amd64.txz... done
Extracting kernel-24.1-amd64.txz... done
Please reboot.
>>> Invoking upgrade script 'squid-plugin.php'
Squid web proxy is not active. Not installing replacement plugin.
>>> Invoking upgrade script 'unbound-duckdb.py'
Traceback (most recent call last):
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 65, in __enter__
    self.connection = duckdb.connect(database=self._path, read_only=self._read_only)
duckdb.IOException: IO Error: Trying to read a database file with version number 39, but we can only read version 51.
The database file was created with DuckDB version v0.6.0 or v0.6.1.

The storage of DuckDB is not yet stable; newer versions of DuckDB cannot read old database files and vice versa.
The storage will be stabilized when version 1.0 releases.

For now, we recommend that you load the database file in a supported version of DuckDB, and use the EXPORT DATABASE command followed by IMPORT DATABASE on the current version of DuckDB.

See the storage page for more information: https://duckdb.org/internals/storage

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/etc/rc.syshook.d/upgrade/20-unbound-duckdb.py", line 41, in <module>
    if export_database('/var/unbound/data/unbound.duckdb', '/var/cache/unbound.duckdb', 'unbound', 'unbound'):
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 147, in export_database
    with DbConnection(source, read_only=True) as db:
  File "/usr/local/opnsense/site-python/duckdb_helper.py", line 75, in __enter__
    raise StorageVersionException(str(e))
duckdb_helper.StorageVersionException: IO Error: Trying to read a database file with version number 39, but we can only read version 51.
The database file was created with DuckDB version v0.6.0 or v0.6.1.

The storage of DuckDB is not yet stable; newer versions of DuckDB cannot read old database files and vice versa.
The storage will be stabilized when version 1.0 releases.

For now, we recommend that you load the database file in a supported version of DuckDB, and use the EXPORT DATABASE command followed by IMPORT DATABASE on the current version of DuckDB.

See the storage page for more information: https://duckdb.org/internals/storage
>>> Error in upgrade script '20-unbound-duckdb.py'
***DONE***


Is there a manual way to force the db to upgrade to a supported version?

Thank you
#9
Thank you for the reply. I figured as much but thought I'd ask in case there was a way I wasn't aware of. I've tried all the different prefix sizes from 64 to 56 and the only one that works is 64. (Here is one of the threads where I was trying different things: https://www.dslreports.com/forum/r33652078-IPv6-Prefix-Size)

I'll just now have to hope that my ISP eventually implements IPv6 better in the future.

Thank you.
#10
My ISP only provides a /64 address and I've got it working just fine on my main network. Does anyone know of a way to make IPv6 available to my other VLANs too?

I have reached out to my ISP (Robbers in Canada) and they say they won't give anything larger than /64 so the obvious (and easy) method isn't an option.
#11
General Discussion / Re: IPv6 Router Advertisements
April 28, 2023, 02:19:52 PM
Additional fun information. So it seems that if the Windows computer is on a domain and you have both IPv4 and IPv6 enabled, it will just get the IPv4 DNS information, but if you disable IPv4 and only have IPv6 enabled, it will properly pull down the IPv6 DNS entries. I guess another strange Microsoft thing.
#12
General Discussion / IPv6 Router Advertisements
April 28, 2023, 01:44:33 PM
Which router advertisements mode should I be using to have it hand out the DNS server information? All the settings I've tried so far haven't worked.

I've got another setup where I don't have the "Allow manual adjustment of DHCPv6 and Router Advertisements" checked and it is handing out itself as the DNS server no problem. I just can't seem to get this other instance to hand out the DNS servers I want.

IPv6 browsing is working on the network; it just isn't handing out the DNS servers I want.

Setup: my ISP is handing out a /64 prefix via DHCP and I've got track interface enabled on my LAN interface.
#13
So I've currently got a bunch of rules that are set up between VLANs, and I've got two rules, one for IPv4 and one for IPv6, and other than the TCP version they are the same. Are there any drawbacks to setting them up as a single IPv4+IPv6 rule?

Also, if I've got an alias for networks that contains both IPv4 and IPv6 networks, will the rule properly know how to apply that with the version combined?

My guess is yes, but I just wanted to confirm, as the default configuration on the LAN connection is two separate rules.

Thank you,
#14
Thank you all for the suggestions. I've come up with one more, and that is to just use dnsmasq for the VLAN that has access to the tunnel and then use Unbound for all other VLANs.

Thank you,
#15
Does anyone know if there is a way to set up a domain override in Unbound for just a single interface? What I'm trying to do is set up a VPN tunnel for a single VLAN and have only clients on that VLAN have DNS entries forwarded to the DNS on the other side, where clients on all other VLANs will have their DNS requests go to the standard public resolvers.

I'm just hoping there is a way without having to set up another DNS server.

Thank you,