Messages

1

24.7 Production Series / Re: Should I be concerned about this repeated error in my logs regarding xmlrpc ?

« on: September 10, 2024, 04:42:37 pm »

I get this while I'm trying to configure HomeAssistant integration that tries to access the OPNSense API

2

24.1 Legacy Series / Re: IPv6 Prefix Alias

« on: June 18, 2024, 04:20:05 pm »

The existing/auto-generated aliases that start with double underline (

Code: [Select]

__an_interface_name) look like they could do what I need, but I haven't found a way to use them.

3

24.1 Legacy Series / Re: NTP-Server problem

« on: June 17, 2024, 03:57:26 pm »

deleted

4

24.1 Legacy Series / Re: NTP-Server problem

« on: June 17, 2024, 03:40:15 pm »

Just for anyone else landing here.

I get the same error when interface Vlan03 is included either by individually selecting interfaces or by unselecting all for "All (recommended)". It also doesn't matter if I only select the IPv4 or IPv6 variant.

I have several interfaces which are configured the same (just different IP and VLAN ID) and selecting these doesn't cause issues.

There is only one instance of ntpd running even when I select several interfaces.

Just for anyone else landing here.

I get the same error when interface Vlan03 is included either by individually selecting interfaces or by unselecting all for "All (recommended)". It also doesn't matter if I only select the IPv4 or IPv6 variant.

I have several interfaces which are configured the same (just different IP and VLAN ID) and selecting these doesn't cause issues.

There is only one instance of ntpd running even when I select several interfaces.

When Vlan03 is selected

Code: [Select]

[15:56:43] ops: <102>1 2024-06-17T15:53:37+02:00 firewall.example.com ntpd 12199 - [meta sequenceId="191"] Listen normally on 3 vlan03 [fe80::6662:66ff:fe21:833%11]:123
<99>1 2024-06-17T15:53:37+02:00 firewall.example.com ntpd 12199 - [meta sequenceId="192"] bind(24) AF_INET6 [fd00:0:0:23::]:123 flags 0x11 failed: Can't assign requested address
When Vlan03 is not selected

Code: [Select]

[15:59:21] ops: <102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="143"] Listen normally on 0 lo0 [::1]:123
<102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="144"] Listen normally on 1 lo0 127.0.0.1:123
<102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="145"] Listen normally on 2 vlan02 10.22.0.254:123
<102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="146"] Listen normally on 3 vlan02 [fe80::6662:66ff:fe21:833%10]:123
<102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="147"] Listen normally on 4 vlan02 [fd00:0:0:22::]:123
<102>1 2024-06-17T15:58:41+02:00 firewall.example.com ntpd 16772 - [meta sequenceId="148"] Listen normally on 5 vlan02 [2a0d:xxxx:xxxx:xxxx:6662:66ff:fe21:833]:123

It looks like there is some duplication, but I haven't figured out yet what or why (this line `inet6 fd00:0:0:23:: prefixlen 64 duplicated`)

Code: [Select]

vlan03: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: IoT (opt5)
        options=4100000<NETMAP,NOMAP>
        ether 64:62:66:21:08:33
        inet6 fe80::6662:66ff:fe21:833%vlan03 prefixlen 64 scopeid 0xb
        inet6 fd00:0:0:23:: prefixlen 64 duplicated
        inet6 2a0d:xxxx:xxxx:xxxx:6662:66ff:fe21:833 prefixlen 64
        inet 10.23.0.254 netmask 0xffff0000 broadcast 10.23.255.255
        groups: vlan
        vlan: 30 vlanproto: 802.1q vlanpcp: 0 parent interface: igb3
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Disabling and enabling the interface assigned to vlan3 allowed me to start ntpd bound to all interfaces, but after a restart the error was back.

5

Web Proxy Filtering and Caching / Re: [HAPROXY] websocket upgrade

« on: May 08, 2024, 10:55:43 am »

@Bunch thanks a lot.
With your instructions it worked immediately.

6

Virtual private networks / Re: Routing between local network and Wireguard

« on: September 15, 2023, 11:38:47 am »

It is it working.
I just had the AllowedIPs completely backwards.
I thought it's what is allowed destination on the source, but it's allowed source on the destination 

7

Virtual private networks / Routing between local network and Wireguard

« on: September 14, 2023, 05:10:13 pm »

I tried to get OPNSense work with Wireguard and among others tried this tutorial
- https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
- https://forum.opnsense.org/index.php?topic=27449.0https://forum.opnsense.org/index.php?topic=27449.0.

I try to connect to my home network from my phone.

I also looked at the RoadWarrior tutorial, but my situation is different because of CGNAT.

I have Wireguard installed on a VPS because of CGNAT (Starlink).
OPNSense and my phone connect to it.
I configured it as split tunnel, so that the phone only routes access to 192.168.2.0/24 over Wireguard
and the local network only routes 10.7.0.0/24 over Wireguard.
Direct internet access is still working fine on the local network and the phone when connected to Wireguard.

The Wireguard peers can ping each other (10.7.0.1, 10.7.0.2, 10.7.0.3),
but nothing from 192.168.2.0/24 can reach any of the other peers and my phone also can not reach anything from 192.168.2.0/24.

So for example a ping to the phone (10.7.0.2) from a local PC (192.168.2.1) or OPNSense itself (192.168.2.254) seems to never pass anything to 10.7.0.3 (OPNSense Wireguard gateway).
Ping from the local PC (192.168.2.1) to OPNSense Wireguard gateway (10.7.0.3) works though.

I added a Route to 10.7.0.0/24 over the OPNSense Wireguard gateway.

My networking and OPNSense knowledge is limited and I try to get a few confusing things out of the way.

1) When I have firewall rules to allow anything in and out, do I need the firewall rules from the tutorial to make routing work?
I assume that firewall rules are only to prevent traffic, not to redirect it, except perhaps to resolve ambiguity.
I think OPNSense should pass between 192.168.2.0/24 and 10.7.0.0/24 without any of the firewall rules in the tutorial. Is that correct.


2) Is NAT actually required to connect between phone and local network?
I assumed that this use case should work without NAT, but all tutorials include a NAT section.
I assumed this would be only be required for internet access from private addresses or in case of networks with overlapping private addresses.

Any hints on what misconceptions I'm falling for?


What also kills me is the "AllowedIPs" in Wireguard.
For split tunnel it's stated that "10.7.0.3/32" should be used.
I have this in the VPS Wireguard ("/etc/wireguard/wg0.conf"),
but on the other peers I need to use "10.7.0.3/24" and "10.7.0.2/24", otherwise the peers can not ping each other.
I probably should ask about that in a Wireguard forum instead.