Messages - FreeMinded

#1
For my understanding: Is this issue something that has to be solved on the crowdsec side or on the OPNsense side?
Is there an open issue on either side? I could not find any yet.
#2
I can confirm the issue. It happened to me again while updating from 24.7.5 to 24.7.8.
The first part of the update ran fine and the firewall rebooted; it got stuck while updating the plugins.
Trying to stop or disable crowdsec from the GUI doesn't do it. Had to use kill -9.
#3
I downgraded to 23.7.7. Web GUI works again over WireGuard VPN.
#4
I downgraded from OPNsense 23.10_2 (business) to 23.7.7_3 (community). Now the WireGuard tunnels come up automatically again on reboot.

If I can help with finding the underlying issue, let me know how.
#5
Yesterday, probably since the update to OPNsense 23.10_2 b9c704d69 (Business Edition), I started getting PR_CONNECT_RESET_ERROR in the browser when accessing the Web GUI through VPN.

The Web GUI works properly when accessed locally.

The Web GUI log is full of
2023-11-07T12:13:30 Error lighttpd (/usr/obj/usr/ports/www/lighttpd/work/lighttpd-1.4.71/src/mod_openssl.c.3310) SSL: -1 5 40: Message too long


I use WireGuard tunnels to manage OPNsense firewalls.

Not sure it's connected to the update, but I don't see that behavior on systems with OPNsense 23.10.

Any ideas?
#6
Quote from: franco on November 06, 2023, 03:17:01 PM
For FQDN based endpoints there will be another fix for 23.7.8. WireGuard is plug and play like that :D

Nice! What about the business edition? I have the feeling that I didn't have this issue before switching to the business edition but currently don't have a quick way to verify.
#7
Quote from: vpx on July 17, 2023, 03:14:38 PM
In the Lobby->Dashboard under Interfaces does it show the correct IP for WAN_PORT?

Yes, it does.
#8
Quote from: malac on September 09, 2023, 01:46:07 PM
I monitor WireGuard now via monit, works fine for me.

Would you mind posting your Monit settings? I'm struggling setting it up correctly. Thanks in advance.
#9
I still think the WAN_PORT_address should point to the address on that interface, no matter what the subnet is. This does not seem to be the case.
#10
It's the DHCP from the ISP. Init7 to be precise.
#11
The Firewall rule was created (automatically by the NAT Port Forwarding rule).

But looking at the WAN Interface again, I might have found the reason. I get IPv4 address x.y.z.237/24 assigned. So it's not a /32 but a whole /24 subnet range. Still the IP address on the interface is clear and WAN_FIBER_Port address should point to it.
#12
I'm a recent immigrant from the pfSense world and the following situation drove me crazy. I suspect a possible bug (or at least an unexpected behavior) and would be happy to be enlightened by an OPNsense guru if it's not.

I set up a Port Forwarding from my main WAN Interface (WAN_FIBER_Port) to a local network IP. As destination address I had WAN_FIBER_Port address set. All the traffic hitting the Firewall was being rejected by the default deny / state violation rule. The logs showed the Firewall's public IP as destination. After a while I realized that the rule does not apply.

It started to work when I set the destination to any. Later I tried manually setting the public IP or WAN_FIBER_Port net and both worked as well.

I was - coming from pfSense - expecting that WAN_FIBER_Port address would be the public IP which the interface gets by DHCP in this case. Somehow this does not seem to be the case. Interestingly WAN_FIBER_Port net works.

Is this intended behavior?
#13
I finally found the error. I had a DHCP Option 43 configured from an earlier attempt which I had totally forgotten about. :-[
#14
Thanks for your reply! It works in my pfSense but not with OPNsense. I just can't find where the difference is. So I'm looking for what I might have missed in the config.
#15
Hi, I'm an immigrant from the pfSense country and fairly new here. I got around with OPNsense very well so far, but I just can't get my head around why the host overrides are not working as expected. I tried everything, googling, searching this forum, chatgpt... to no avail.

I use Unifi network devices with a central Unifi Controller which is somewhere else and accessible through a WireGuard VPN. In order to register Unifi devices with the controller, they look up the hostname "unifi" in the local network, which should resolve to the IP of the controller. I use the unbound default configuration (as far as I understand). They are in their own network and there in a dedicated DHCP pool.

I set the domain and search domain in the DHCP settings of the corresponding network. I created a host override for unifi.mydomain.tld.
I can resolve it as long as I use the FQDN, but not with the hostname only; I get errors. Depending on how I query: NXDOMAIN, SERVFAIL or No answer.
It seems like it is not using or respecting the search domain.

Has anyone an idea what I am missing to make this work? I can certainly post more details if required.