Messages - vpx23

#1
Prompt: Does the AMD PSP have access to the NIC?

GGAI: The AMD Platform Security Processor (PSP) is an integrated security coprocessor in AMD CPUs. It does not have direct access to the network interface card (NIC) or the ability to control network traffic in the way that some other management engines do. Instead, the PSP primarily handles tasks like DRAM initialization, HDCP handling, boot process supervision, and firmware updates.
While the PSP's firmware runs before the main CPU and has unrestricted access to memory, it is not designed to interact with the network. Its access is primarily focused on the CPU itself and the hardware it manages. This means that a malicious actor with access to the PSP would be limited to manipulating the CPU and its related hardware, rather than being able to directly interfere with network traffic.

Prompt: Does a CPU have access to a NIC?

GGAI: Yes, a CPU (Central Processing Unit) has access to a NIC (Network Interface Card) through a PCIe (Peripheral Component Interconnect Express) link. The CPU uses this link to communicate with the NIC, allowing data to be sent and received across the network.

Prompt: Answer these 2 questions separately: "Does the AMD PSP have access to the NIC?" and "Does a CPU have access to a NIC?" and analyze if its outputs are contradictory.

GGAI: The answers to the two questions are generally not contradictory, but they can be nuanced depending on the specific context.

Question 1: Does the AMD PSP have access to the NIC?
The AMD Platform Security Processor (PSP) is primarily responsible for hardware-level security and trust. It does not typically have direct access to the Network Interface Card (NIC) for general network operations. The PSP primarily focuses on functions like security, encryption, and authentication, and its role is more about securing the system as a whole rather than interacting with network devices directly.

Question 2: Does a CPU have access to a NIC?
Yes, a CPU (Central Processing Unit) absolutely does have access to the NIC. The NIC, as a peripheral device, is connected to the CPU through various buses or interfaces. The CPU uses these connections to send and receive data to and from the NIC, allowing it to manage network traffic, control the connection, and interact with the network.

Analysis: Are the answers contradictory?
No, the answers are not contradictory. They describe different aspects of the hardware and their roles. The PSP has access to the system and its components for security purposes, but its access to the NIC is not a primary function. The CPU, on the other hand, is the main controller and has direct access to the NIC to manage network operations.

In essence:

PSP: Focused on security and trust, with a secondary role in managing specific hardware access.
CPU: The primary processing unit that has direct control and access to all peripherals, including the NIC.
#2
I just realized that the user I had seen in the connection status wasn't actually in the group at all; I added myself as a test, and indeed you only see the internal pool IP.
#3
I mean the OpenVPN interface in the firewall; in practice it does work with manually maintained hosts (public IPs), just not user-based via the OpenVPN users.
#4
Yes, first of all I block, e.g. for OpenVPN, all countries except Germany via GeoIP. Now I additionally want to allow all OpenVPN users in the group "external" via their public IP. But that doesn't work, so users abroad have to tell me their IP and I enter it manually.

That could happen automatically and per user, since OPNsense knows the external IP of the OpenVPN user, as you can see in the dashboard.
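As an added example (not code from OPNsense or from the post), this is the kind of per-user extraction the post is asking for: read the OpenVPN status output, take the "Real Address" of each connected client, keep only the users that belong to a given group, and emit the public IPs that an allow-list alias would contain. It assumes the OpenVPN status file in its version-1 layout ("OpenVPN CLIENT LIST" ... "END"); the status text and the group membership (`GROUP_MEMBERS`) are constructed for the example, and in OPNsense the membership would come from the user manager's group "external" instead.

```python
import ipaddress

# Constructed sample of an OpenVPN status file in its version-1 layout.
# "Real Address" is the client's public IP:port as seen by the server;
# the addresses used here are documentation ranges.
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Jan 14 22:40:00 2025
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51820,12345,67890,Tue Jan 14 22:10:03 2025
bob,198.51.100.23:40001,222,333,Tue Jan 14 22:15:44 2025
carol,192.0.2.77:60000,10,20,Tue Jan 14 22:30:00 2025
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.0.8.2,alice,203.0.113.5:51820,Tue Jan 14 22:39:59 2025
10.0.8.3,bob,198.51.100.23:40001,Tue Jan 14 22:39:58 2025
10.0.8.4,carol,192.0.2.77:60000,Tue Jan 14 22:39:50 2025
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed (hypothetical) group membership; in OPNsense this would be
# the user manager's group "external".
GROUP_MEMBERS = {"external": {"alice", "carol"}}


def parse_client_list(status_text):
    """Return {common_name: public_ip} from the CLIENT LIST section.

    Only the CLIENT LIST block is read. The ROUTING TABLE repeats the same
    real addresses keyed by pool IP, which is not what an allow-list needs.
    """
    clients = {}
    in_clients = False
    for line in status_text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            in_clients = True
            continue
        if line == "ROUTING TABLE":
            break
        if not in_clients or line.startswith(("Updated,", "Common Name,")):
            continue
        fields = line.split(",")
        if len(fields) < 2:
            continue
        name, real_addr = fields[0], fields[1]
        host = real_addr.rsplit(":", 1)[0]        # strip the source port
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]                     # unwrap a bracketed IPv6 literal
        try:
            clients[name] = str(ipaddress.ip_address(host))
        except ValueError:
            continue   # malformed address: skip rather than allow-list garbage
    return clients


def alias_for_group(status_text, group, members=GROUP_MEMBERS):
    """Public IPs of currently connected users who belong to `group`.

    Returns a sorted list suitable for an IP alias. Connected users outside
    the group (bob in the sample) are ignored.
    """
    connected = parse_client_list(status_text)
    allowed = members.get(group, set())
    wanted = [ip for user, ip in connected.items() if user in allowed]
    return sorted(wanted, key=lambda ip: (ipaddress.ip_address(ip).version,
                                          ipaddress.ip_address(ip)))


if __name__ == "__main__":
    print(alias_for_group(SAMPLE_STATUS, "external"))
```

Two caveats for anyone turning this into a rule: the real address is only known once the user has already authenticated, so the generated alias can only keep the GeoIP block from hitting that user on later connections, and because the match is by common name, several users behind one NAT address will all be admitted by the single IP the alias ends up holding.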
#5
When I look at the tutorial again I see why I made the mistake with the bind address.

https://docs.opnsense.org/manual/how-tos/sslvpn_instance_roadwarrior.html

The bind address is 10.10.8.1 (WAN), which is very similar to the VPN pool network address 10.1.8.0, so I misread that as 10.1.8.1.

By the way there is a mistake in the schema, the road warrior IP shows 10.2.8.2 when it should read 10.0.8.2.

I think I also understand now why there is no migration assistant: the encryption algorithm (--cipher) has been deprecated since server version 2.4.0. It's probably hidden to discourage its use.

If you want to do a 1:1 migration to save distributing the configs to the clients again you have to activate the "advanced mode" in the new instance and change "Auth" and "Data Ciphers" to match the legacy configuration.

Also, according to the OpenVPN reference manual the default auth digest algorithm is SHA1, which differs from the old legacy tutorial where it is SHA512. Doesn't that contradict the recommendations from the previous tutorial? Or is "OpenVPN default" in OPNsense its own definition?
#6
Yeah, I got that now. But isn't it a step backwards? Before, you could provide multiple system aliases like LAN1, WAN2, etc.

Now you can only provide a single IP which is not dynamically updated like the previous system aliases.

Edit: Sorry, I just checked again and the old "Interface" field was just a single-select field, not a multi-select field.
#7
So every night I shut down my PC, then I shut down OPNsense with a single press of the power button, then I turn off the switched power strips of the PC and my hi-fi system, and at last I turn off the PSU switches of my cable router and the OPNsense box.

But once in a blue moon OPNsense doesn't shut down but reboots.

Here are the general logs of two shutdowns, the second one (Jan. 14th) had that behavior, the other one (Jan. 13th) didn't have it.

2025-01-14T16:47:21 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-01-14T16:47:21 Notice kernel ---<<BOOT>>---
2025-01-14T16:47:21 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-13T22:46:46 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'rrd'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'netflow'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'duid'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'dhcpleases'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking backup script 'captiveportal'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking stop script 'backup'
2025-01-13T22:46:45 Notice kernel <118>Waiting for PIDS: 9752.
2025-01-13T22:46:45 Notice kernel <118>Stopping dnscrypt_proxy.
2025-01-13T22:46:44 Notice kernel <118>>>> Invoking stop script 'freebsd'
2025-01-13T22:46:43 Notice kernel <118>>>> Invoking stop script 'beep'


2025-01-15T17:16:45 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-01-15T17:16:45 Notice kernel ---<<BOOT>>---
2025-01-15T17:16:45 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-14T22:52:39 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'rrd'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'netflow'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'duid'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking backup script 'dhcpleases'
2025-01-14T22:52:38 Notice kernel <118>>>> Invoking backup script 'captiveportal'
2025-01-14T22:52:38 Notice kernel <118>>>> Invoking stop script 'backup'
2025-01-14T22:52:37 Notice kernel <118>Waiting for PIDS: 37745.
2025-01-14T22:52:37 Notice kernel <118>Stopping dnscrypt_proxy.
2025-01-14T22:52:36 Notice kernel <118>>>> Invoking stop script 'freebsd'
2025-01-14T22:52:35 Notice kernel <118>>>> Invoking stop script 'beep'

But the strange thing is there is nothing in the general log between 22:52:39 and 17:16:45 when I heard the boot sound of OPNsense.

A normal shutdown is no longer possible then. I then have to do a hard shutdown of the OPNsense box (holding down the power button for some seconds).

So how can I find the issue here? And by the way why is the boot log only starting from the last boot?
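One way to start answering "how can I find the issue" from the general log alone, as an added example that is not part of the post and not OPNsense code: parse the lines in the format shown above (ISO timestamp, level, process, message), sort them chronologically (the GUI lists newest first), and pair each `---<<BOOT>>---` marker with the latest `syslog-ng shutting down` before it. A boot whose previous recorded event is itself a boot means the box went down without logging a shutdown. The sample log is constructed: it takes the two shutdown/boot pairs from the post and adds one constructed boot on Jan. 16th with no shutdown record.

```python
from datetime import datetime

# Constructed sample modelled on the post's log excerpts (newest first, as
# the OPNsense GUI shows them), plus one constructed boot with no shutdown.
SAMPLE_LOG = """\
2025-01-16T09:00:02 Notice kernel ---<<BOOT>>---
2025-01-16T09:00:02 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-15T17:16:45 Notice kernel Copyright (c) 1992-2023 The FreeBSD Project.
2025-01-15T17:16:45 Notice kernel ---<<BOOT>>---
2025-01-15T17:16:45 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-14T22:52:39 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
2025-01-14T22:52:39 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-14T16:47:21 Notice kernel ---<<BOOT>>---
2025-01-14T16:47:21 Notice syslog-ng syslog-ng starting up; version='4.8.1'
2025-01-13T22:46:46 Notice kernel <118>>>> Invoking stop script 'config'
2025-01-13T22:46:46 Notice syslog-ng syslog-ng shutting down; version='4.8.1'
"""

BOOT_MARK = "---<<BOOT>>---"
SHUTDOWN_MARK = "syslog-ng shutting down"


def parse_events(log_text):
    """Return [(timestamp, 'boot' | 'shutdown')] in chronological order."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)          # timestamp, level, process, message
        if len(parts) < 4:
            continue
        stamp, _level, _proc, msg = parts
        if BOOT_MARK in msg:
            kind = "boot"
        elif SHUTDOWN_MARK in msg:
            kind = "shutdown"
        else:
            continue
        events.append((datetime.fromisoformat(stamp), kind))
    events.sort()                            # oldest first for the walk below
    return events


def audit_boots(log_text):
    """For every boot, report (boot_time_iso, clean, seconds_since_prev_event).

    `clean` is True when the previous recorded event is a shutdown. It is
    False when the previous event is another boot (or there is none), i.e.
    the box went down without a logged shutdown: power loss, crash, or a
    reboot that wrote nothing to this log.
    """
    results = []
    prev = None
    for stamp, kind in parse_events(log_text):
        if kind == "boot":
            clean = prev is not None and prev[1] == "shutdown"
            gap = None if prev is None else (stamp - prev[0]).total_seconds()
            results.append((stamp.isoformat(), clean, gap))
        prev = (stamp, kind)
    return results


def unclean_boots(log_text):
    """Boot times (ISO strings) that were not preceded by a logged shutdown."""
    return [boot for boot, clean, _gap in audit_boots(log_text) if not clean]


if __name__ == "__main__":
    for boot, clean, gap in audit_boots(SAMPLE_LOG):
        print(boot, "clean" if clean else "NO SHUTDOWN RECORD", gap)
```

The limit of this check is exactly the situation in the post: a reboot that leaves no trace in the general log is invisible here, because the next logged boot still pairs with the earlier clean shutdown. It catches the missing-shutdown case, not the silent-reboot case; for the latter the boot time the kernel reports after the event has to be compared against the last shutdown recorded in the log.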
#8
Thanks, after updating my OPNsense I noticed this bug too. My clock was running 22 seconds in advance. Was fixed after updating the time.

Anybody else noticed weird behaviour of Windows 11 23H2 after the KB5048685 update?

After the login screen I get a black screen for some seconds and the loading of the taskbar is very delayed.

Also high CPU from "Service host DCOM server process launcher" and wsappx. I locked my Windows 11 to 23H2 because of all the AI crap in 24H2 like Copilot and Recall but maybe I have to switch to FreeBSD sooner than I planned. :)
#9
Quote from: mxm_marcin on July 08, 2024, 12:34:29 PM
The installed transceiver supports 1 Gbps, while the motherboard supports 10 Gbps. Could this be a problem?

Yes, that could be the problem, see here: https://www.reddit.com/r/PFSENSE/comments/t317nv/no_link_on_sfps_with_supermicro_server_ubiquiti/
#10
Ah, thank you, that makes sense, maybe I should RTFM, I thought 'm' was for mega, i.e. millions.  ;D

That would have been in the realm of a 100 GBit/s NIC.
#11
24.7, 24.10 Series / Re: os-smart detects wrong device
September 26, 2024, 06:24:11 PM
The plugin also has to be updated for the new dashboard, it can't be selected in the widgets list.
#12
How old are your used Fujitsu FUTROs? The data sheets I can find are from 2017. Was the RAM you tried new or also used? Is the latest firmware installed (V4.6.5.4 - R1.16.0 (13.08.2018))?
#13
Did you try the tunable

hw.ix.unsupported_sfp=1

as mentioned in this thread?

https://forums.freebsd.org/threads/intel-sfp-card-not-compatible.85348/#post-569703

You can also add it via GUI.
#14
You would have to download the package and transfer it to your OPNsense via a USB stick or similar, because you also won't have internet access to download the package locally.

https://forum.opnsense.org/index.php?topic=35915.msg174791#msg174791

https://pkg.opnsense.org/FreeBSD:13:amd64/24.1/latest/Latest/
#15
What happens if you enable Secure Boot and reboot?