Messages

1

Virtual private networks / Re: Do I really need to add OpenVPN as an interface for OpenVPN to work?

« on: March 18, 2024, 07:15:35 am »

Just an update for myself,
On the way to create a 2nd OpenVPN server for a different network, suddenly realized the OpenVPN rules may apply to all servers. If I create interfaces for each server, they can then have different sets of rules. 

2

24.1 Legacy Series / Re: Possible to choose multiple networks in the Source Address field?

« on: March 18, 2024, 07:11:35 am »

The "This Firewall" isn't really a network so it's not present in the Content of Network Group. Could first create an Alias containing "This Firewall" then it will show up in the Content 

Might be a mess to mange down the road, so decided to just stick with policy rounding to select the specific gateway/WAN-port instead of using the Default Gateway. With the "Allow default gateway switching" disabled, this method seems to work just fine.

3

Virtual private networks / Re: Do I really need to add OpenVPN as an interface for OpenVPN to work?

« on: March 17, 2024, 06:54:11 am »

Perhaps for services like DNS to bind to the VPN interface

4

24.1 Legacy Series / Re: Possible to choose multiple networks in the Source Address field?

« on: March 17, 2024, 06:05:52 am »

Create an Alias with multiple clients and choose the Alias in the Source.

New question, with Alias, Type - Network Group, how to include the firewall itself the 127.0.0.0/8 address?

5

24.1 Legacy Series / Re: Possible to choose multiple networks in the Source Address field?

« on: March 17, 2024, 05:58:06 am »

Yup, this should do the job.
Was wondering if there is any hidden toggle to enable multiple-selection.
Anyway, thanks for the quick reply

6

24.1 Legacy Series / Possible to choose multiple networks in the Source Address field?

« on: March 17, 2024, 05:16:32 am »

Firewall has multiple public IP addresses, and running VPN.
Trying to do manual or hybrid outbound NAT to specify a dedicated WAN for a group of clients.

Then realized the Source Address field doesn't allow choosing multiple items (something like pressing Shift key)..
Any way to select multiple networks like the auto-generated rule does, or perhaps 1 network per rule with multiple outbound rules?

Currently using policy rounding to kind of specifies the outbound WAN, kinda works for now.

7

Virtual private networks / Do I really need to add OpenVPN as an interface for OpenVPN to work?

« on: March 17, 2024, 03:01:33 am »

Looks like if I don't add OpenVPN as an interface, and enable it, clients won't be able to surf the internet.
After adding and enabling it as an interface, it appears under the firewall rules; now there are two items for OpenVPN, one is the usual interface rules and the other is the OpenVPN.

The interface is just enabled with the rest untouched (no address, no dhcp etc as openvpn has it by default).

Various documents recommend adding openvpn as an interface for the ease of applying rules, but isn't there already the OpenVPN section where rules can be applied?

Any thought?
Thanks

8

General Discussion / no data for Zone 0 (hw.acpi.thermal.tz0.temerature) temperature sensor

« on: March 11, 2023, 12:47:19 pm »

The CPU is intel C3758 so I enabled the intel core sensor under the Miscellaneous setting.
It shows the CPU's core temperature, but there is also an extra line Zone 0, not sure what is this for.

In the BIOS, there are 2 other temperature sensors.

I don't really need that temperature since I can get an idea of how hot the board is from the CPU temperature,
just curious if this is an known symptom or the like, and if any hotfix.

Thanks

9

General Discussion / Re: Host range in alias doesn't seem to work

« on: March 08, 2023, 03:01:15 am »

So it's working as expected even though a somewhat awkward representation for human eyes.
Under the Diagnostic page for Aliases,
let's say an alias containing 192.168.1.200-192.168.1.209
The Diagnostic page will show two lines

192.168.1.200/29
192.168.1.208/31

3 digits (000 to 111) to represent the 200 to 207
similarly on the 2nd line for the last bit change.

I somehow were expecting something like 10 individual lines; coupled with the rare implementation of the "-" which tempted my brain to think something weird was happening.
*it accepts both 192.168.1.200-209 and 192.168.1.200-192.168.1.209 for adding an alias, but rules will only work with the later.
*if I enter the 192.168.1.200/29 as Type host the firewall will return with error    Type network likely works then.

It makes sense now, just somewhat awkward for the brain.
The "Find reference" also works perfectly, pretty much mystery solved now 

Thanks for all the quick tips

10

General Discussion / Re: Host range in alias doesn't seem to work

« on: March 07, 2023, 06:53:13 pm »

Definitely fewer entries than the total number of individual addresses,
though from memory they all have 1 or more lines with a network mask attached; didn't pay extra attention previously, perhaps multiple individual addresses were "shorten" into 1 entry.
Will have another look, and update later today.

11

General Discussion / Re: How to setup OPNsense for preconfigure - as another machine on the network?

« on: March 07, 2023, 01:46:56 pm »

Not sure if OPNsense automatically adjusts the default LAN address if it detects conflicting network on the WAN side, otherwise you have 192.168.1.x on both WAN and LAN; I assume the default LAN has default 192.168.1.1?

Besides that, are you on your current 192.168.1.x (the WAN side of your new box) or on the LAN side of the new box? I assume by no internet you meant you're on a computer or whatever in the same network, or you mean on the Web GUI of the new box?
If on the WAN side of the new box (i.e. the LAN side of your current network), then no internet means something wrong in your current network's router, nothing to do with the new box I guess. Check IP address etc?

If on the LAN of the new box, same check IP address, make sure not conflicting with existing..
And then think about the LAN address...if you make it the same as your current one , it won't work; if not the same, then you might not be able to pre-configure unless you will be using different numbers 

If no internet on the new box itself, guessing some sort of address conflict, will need more info to determine.

If the new box's WAN interface is connected to your current network's LAN, then getting a local address from the current LAN is as expected. Should have internet access, if not, something else not known. Would be much easier to determine the issue if you can draw or explain the topology a little more.

12

General Discussion / Host range in alias doesn't seem to work

« on: March 07, 2023, 02:34:15 am »

So I'm trying to use an alias that includes 192.168.1.180-190.
The setup page accepted it without error,
but if I create a rule with that alias the rule will have no effect (the firewall just skips that rule and goes to the next as if that alias didn't hit 192.168.1.181 for example).

Looks like there had been an old report about this issue:
https://github.com/opnsense/core/issues/1738
Any update on this?

If I just enter 10 individual addresses for that alias, the rule will work.
From the above old and closed report, perhaps I should just go with the type Network instead of host?

Thanks

=====
edited:
never mind, from that commit turns out 192.168.1.180-192.168.1.190 will work but not 192.168.1.180-190
Could perhaps be a future polishing job if any dev bothers to spend time on this.
=====
edited 2:
the 192.168.1.180-192.168.1.190 format seem to work just fine for rules, but the alias's content doesn't show up correctly under the Diagnostic page. Missing some addresses, having random network mask numbers, etc.. It's just very strange even though rules are working as expected.

13

23.1 Legacy Series / Re: Fresh install of the latest 23.1, auto dhcp6 gateway but no auto dhcpv4

« on: March 05, 2023, 03:37:40 am »

Just a follow up to answer my own question...
IPv4 gateway automatically shows up once I plug in a cable for the interface.
Before that, the firewall just won't auto generate IPv4 gateway (perhaps it will if the interface has a pre-defined static address instead of DHCP).

Unsure if this is assumed; kind of inconvenient while trying to populate all the settings beforehand (thinking to duplicate the existing network's setting, then I can just switch over all cables).

14

23.1 Legacy Series / Fresh install of the latest 23.1, auto dhcp6 gateway but no auto dhcpv4

« on: March 04, 2023, 12:03:52 pm »

Hi there,
I'm setting up a C3758 box with the latest 23.1 OPNsense planning to replace an older pfsense box.
the OPNsense box has no WAN cable hooked up at the moment, just a LAN cable to computer for initial settings (thinking to complete the setup as much as possible before I hook it up.)
After interface assignments, some port-forwarding, and firewall rules, I suddenly realized that the firewall automatically generated two DHCPv6 gateways (I assigned 2 WANs and 2 LANs), but very strangely no auto DHCPv4 gateway.
WAN1 interface has DHCP for both v4 and v6  (again the ports are empty atm, no cable hooked up yet);
WAN2 interface has HDCPv4, and NONE for IPv6.

I'm not sure why the firewall generated two DHVPv6 gateways for the two WANs, even if I choose NONE for IPv6 (I didn't disable IPv6 function though)

Besides, looks like quite a few other posts reporting gateway dropped / disappeared or the like, I'm not sure if the firewall didn't create the DHCPv4 at the beginning, or it created the gateways but later vanished.

Not a huge deal if I need to manually add the two IPv4 gateways but just very strange; not sure if I'm missing something.
Any idea what can be the cause?
Perhaps just factory reset, and check if any IPv4 gateway created right after initialization?

Thanks