Messages

1

24.7 Production Series / Re: PHP Errors

« on: September 15, 2024, 09:51:20 am »

Hi @Franco
this makes absolutely sense, I forget it after test something with home assistant.
It works for a while, now after you explain the situation, I check my home assistant config and there are also errors, which I fixed today.

I use it also for checking on updates, not only for opnsense (there is much more ).
for me it's not necessary more a nice to have.

So thank you for the explaination, it would help me to sort such issues on opnsense.

Cheers and have a nice weekend.

0zzy

2

24.7 Production Series / Re: PHP Errors

« on: September 15, 2024, 08:50:01 am »

Hey @Franco,

where do you see in the log that home assistant is the problem?
Could you explain it  for me that I'm able to comprehend the error?

Cheers,
0zzy

3

24.7 Production Series / PHP Errors

« on: September 14, 2024, 01:46:57 pm »

Is anybody able to help me out with a fix for this problem:
(it occurs every few seconds):

Code: [Select]

[14-Sep-2024 13:43:49 Europe/Berlin] PHP Fatal error:  Uncaught Error: Failed opening required '/usr/local/www/widgets/api/plugins/system.inc' (include_path='/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/opnsense/contrib:/usr/local/share/pear:/usr/local/share') in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code:5
Stack trace:
#0 /usr/local/etc/inc/xmlrpc/hass.inc(12): eval()
#1 /usr/local/opnsense/contrib/IXR/IXR_Library.php(446): exec_php_xmlrpc('\nini_set('displ...')
#2 /usr/local/opnsense/contrib/IXR/IXR_Library.php(384): IXR_Server->call('opnsense.exec_p...', '\nini_set('displ...')
#3 /usr/local/opnsense/contrib/IXR/IXR_Library.php(357): IXR_Server->serve('<?xml version='...')
#4 /usr/local/etc/inc/xmlrpc.inc(67): IXR_Server->__construct(Array)
#5 /usr/local/www/xmlrpc.php(104): XMLRPCServer->start()
#6 {main}
  thrown in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code on line 5
[14-Sep-2024 13:45:10 Europe/Berlin] PHP Fatal error:  Uncaught Error: Failed opening required '/usr/local/www/widgets/api/plugins/system.inc' (include_path='/usr/local/etc/inc:/usr/local/www:/usr/local/opnsense/mvc:/usr/local/opnsense/contrib:/usr/local/share/pear:/usr/local/share') in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code:5
Stack trace:
#0 /usr/local/etc/inc/xmlrpc/hass.inc(12): eval()
#1 /usr/local/opnsense/contrib/IXR/IXR_Library.php(446): exec_php_xmlrpc('\nini_set('displ...')
#2 /usr/local/opnsense/contrib/IXR/IXR_Library.php(384): IXR_Server->call('opnsense.exec_p...', '\nini_set('displ...')
#3 /usr/local/opnsense/contrib/IXR/IXR_Library.php(357): IXR_Server->serve('<?xml version='...')
#4 /usr/local/etc/inc/xmlrpc.inc(67): IXR_Server->__construct(Array)
#5 /usr/local/www/xmlrpc.php(104): XMLRPCServer->start()
#6 {main}
  thrown in /usr/local/etc/inc/xmlrpc/hass.inc(12) : eval()'d code on line 5

4

24.1 Legacy Series / No wazuh-agent update?

« on: June 29, 2024, 02:41:54 pm »

Hey together,

I have running a wazuh Siem Server and use it also to block ips in realtime.
What I see too far is, that there is not a newer package on my Sense than v4.7.4. The newest ist 4.8.
Isn't it possible to get a newer Version from the repos or something?

5

German - Deutsch / Re: OPNsense Neueinsteiger 2024

« on: May 31, 2024, 12:20:54 am »

Meine Meinung ist, nutze einen anderen Hypervisor. Hyper-V ist m.E. eher ein versuch von MS denn eine saubere Virtualisations Lösung.
Du müsstest einen VSwitch halt direkt per Lan an das WAN bringen. -->darüber zieht sich die Sense die Public IP nicht über Lan.
Da du wahrscheinlich nur eine NIC am Notebook hast wird das nicht klappen.

Mindestvoraussetzung sind zwei NICs 1*LAN (Local Area) --> internes Netz und 1* WAN (Wide Area) --> public Netz

Nutze keine Virtuellen Switche die zicken bloss dauernd.

Woher ich das weiss? Ich bin MS Consultant

6

German - Deutsch / Re: mehrere (3) VLANs auf 1 Port möglich?

« on: May 19, 2024, 08:40:12 pm »

Danke für die fixe und verständliche Antwort. Mache mich morgen mal ans Werk.

7

German - Deutsch / mehrere (3) VLANs auf 1 Port möglich?

« on: May 19, 2024, 12:59:34 pm »

Hallo zusammen,

ich suche gerade eine Möglichkeit auf einen Port an der protectli mehrere VLANs zu nutzen.
Hintergrund ist das ich meine Fritzbox endlich durch eine Unifi U6+ abgelöst habe.
Wifi verrichtet bereits seinen Dienst.
Allerdings komme ich nicht ganz dahinter wie ich nun die Netze so in OPNSense konfiguriere das VLANs am AP möglich sind.

Bisher habe ich mich an den Dokumentationen Orientiert, Unifi beschreibt ja wie das eingerichtet werden kann.

Wifi ist aktuell bei mir auf opt1 konfiguriert hängt an einem Netgear Switch, der Port ist hier Tagged.

Ich meine mal gelesen zu haben das Untagged hier besser wäre?

Wie wäre daher das beste vorgehen um folgende Konfiguration durch zu führen:

WIFI --> opt1 --> WIFI für alle geräte die dauerhaft hier rein dürfen,
IOT ---> ---> nur für devices die nachher nicht mehr NACH HAUSE Telefonieren dürfen,
GUEST --> ---> Gäste WIFI extra abgesichert über entsprechende Firewall Regeln.

Wäre für die eine oder andere intuitive Eingebung eurerseits dankbar.

8

24.1 Legacy Series / KEA DHCP v6

« on: April 21, 2024, 10:46:30 am »

Hey together,
is there any date when kea DHCP would be fully integrated?
At the moment there is only v4 but no v6 config.

When would the ISC DHCP be removed from OPNSense?

Thanks in advance
0zzy

9

German - Deutsch / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 09, 2024, 08:59:37 pm »

Hab es nun. Sehr komisch. Ich gebe den peers immer 32er Adressen hatte nie Probleme. Selbst in der aktuellen FreeBSD Version klappt das aber mit WireGuard unter opnsense muss man einen etwas anderen Weg gehen.
Der Fehler war ich habe gedacht das ich für den Peer und den Client die selbe Adresse benötige.
Peer hat ein /32 und Client ein /24 damit funktioniert es.

Ich sage ja es ist weird!

10

24.1 Legacy Series / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 09, 2024, 06:33:34 pm »

OK fuck damn shit I got it.
Doesn't really know why I need cidr /24 net on my device. normally I give on my client /32, why I need a /24 as @xpendable said, I didn't really understand, never done that before and it was working?

@xpendable forget what I talk about

11

24.1 Legacy Series / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 09, 2024, 05:15:51 pm »

ok I tested out everything I could do.
There isn't any way to get a Handshake.
On a newly installed freebsd on my home server I get it working without any issues, it appears to anything wrong in the implementation of wireguard on opnsense.

I check my config against https://www.wireguardconfig.com
changed the IPs on both the Interface and the Peer, also on the Peer Client.

When I do the same thing on freebsd everything is working fine.
Also on Debian and ubuntu aren't any problems.


My Config looks as follows (the keys aren't my own ones I changed them):

IP Address   10.10.10.1/24
Listen Port   51820
Private Key   QIV5wu64Glh3/Syt0U0NdTu7MbVvzUZyJBteh4Q8tmE=
Public Key   rtt+4VUSAWTIrrK7AUnmNd2ZNEXJprEuoKwMK9VLxAk=
[Interface]
Address = 10.10.10.1/24
ListenPort = 51820
PrivateKey = QIV5wu64Glh3/Syt0U0NdTu7MbVvzUZyJBteh4Q8tmE=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = VSGoFG/UE+Ugm8gp2hD7z0tVwGzRiRXBZfZqon7Wlgg=
PresharedKey = Kq6uGyzyRkwky6hBVW3U3V1A527x23Rofg4zcpsY8WE=
AllowedIPs = 10.10.10.2/32

[Peer]
PublicKey = Ebfe34PwJoCCr+JzuUmG9vy2e92ztLwxeQqQLzQe8w4=
PresharedKey = elKugATBxLtju/iRZmcvE8uw/OA9/w4c5PrJNE7Mjec=
AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = JYrJilAF+rIwCzXyBNtoSBEsMwk9/s2/gYG1jrrp0CM=
PresharedKey = yl+uZskags/LhP84HJdGEbPyBrQufSw1EzbQeAUWH+Q=
AllowedIPs = 10.10.10.4/32
Client 1
IP Address   10.10.10.2/24
Listen Port   51820
Private Key   oHAYuOvZoRhZm0OiF9ppi+MR7bW7BRCjvKQe0PsgcU8=
Public Key   VSGoFG/UE+Ugm8gp2hD7z0tVwGzRiRXBZfZqon7Wlgg=
[Interface]
Address = 10.10.10.2/24
ListenPort = 51820
PrivateKey = oHAYuOvZoRhZm0OiF9ppi+MR7bW7BRCjvKQe0PsgcU8=
DNS = 10.10.10.1

[Peer]
PublicKey = rtt+4VUSAWTIrrK7AUnmNd2ZNEXJprEuoKwMK9VLxAk=
PresharedKey = Kq6uGyzyRkwky6hBVW3U3V1A527x23Rofg4zcpsY8WE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myserver.dyndns.org:51820

There's nothing wrong with it.


Also I tried different configurations in OPNSense it self, with an wgX Interface Assignment, and without.
With Hybrid NAT Outgoing Rules for the wgX Interface and also the Wireguard (Group) net Interface.
Also only one of them.
I added the necessary Firewall Rules for the Interfaces and also DNS.
I added ipv4 and ipv6 Normalisation Rules also only one of them and / or both equally.
I added the Unbound ACL Rules also for ipv4 and ipv6 and only one of them (tested without ipv6 and with).

Before I forget it, I tried also installing 24.1.3_1 from scratch, without suricate, crowdsec and any other security enhancements like Floatings Rules etc.
Also on a clean install there isn't a handshake.
 
I think there is something wrong with the Update, I also tried an older version 24.1 and there's no problem to get it running.
 

12

24.1 Legacy Series / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 09, 2024, 01:14:29 pm »

Perhaps this is the issue?

If address is supposed to be your "Tunnel Address", you need to use the CIDR of the network such as /24 for example.

Interesting, normally I configure this on *nix systems, also I have this on a dedicated linux wireguard server.
From my Documentation I wrote myself, this is a config use für create a client-server situation.

## create wg0.conf

nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = <site-1 private-key>
Address = 10.0.0.1/24
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = <site-2 public-key>
AllowedIPs = 10.0.0.0/24, 192.168.178.0/24
PersistentKeepalive = 25

--> site 2 (client)

## create wg0.conf

[Interface]
PrivateKey = <site-2 private-key>
Address = 10.0.0.3/32
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = <site-1 public-key>
Endpoint = <FQDN>:51820
AllowedIPs = 10.0.0.0/24
PersistentKeepalive = 25


As you can see, normally you use the address for the peer in this.

Never had any issues with that, also on my client-server situation I can reach everything (as far as configured) in my own network.

So no this couldn't be the issue.

CIDR Notation in /24 means at least you can use 254 Hosts in that Subnet,
/32 means that this is only one Host but it should work with that because this is the IP Adress for only the one peer host, not for the complete Subnet, the Subnet is Configured on the Interface.

13

German - Deutsch / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 08, 2024, 06:37:20 pm »

Wenn du magst. Aber morgen. Bin mittlerweile durch. Arbeite ja auch nebenbei 😉
Wenn das für dich okay ist. Ich wäre ab morgen späten Nachmittag wieder am Rechner.

14

German - Deutsch / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 08, 2024, 06:22:41 pm »

sonst machen wir das morgen, eilt nicht bei mir. wäre halt nur geil damit meinen dedicated ab zu lösen da hetzner die preise mal wieder angezogen hat im Bananenstaat.

15

German - Deutsch / Re: OPNsense 24.1.3_1 weird struggling with Wireguard and WEBUI

« on: March 08, 2024, 06:20:19 pm »

Sagen wir mal so die Sense ist weitestgehend durchkonfiguriert, floating rules, dnscrypt-proxy, tor ,ids/ips, CrowdSec und und und.

Insofern es sich auf das WG Setup konzentriert auch gern hier, falls du damit schmerzen hast zu telen o.ä.

Allerdings finde ich in den FW blocks keinen Eintrag der auf Wireguard hindeutet.