Messages

1

24.7 Production Series / HA and 2FA

« on: October 10, 2024, 10:19:22 am »

Hi,
I would like to enable 2FA to login to the WebUI. But if I see this correctly, HA uses just a normal WebUI-password to synchronize which is not compatible with 2FA.
So is there a way to enable 2FA for everything but HA?
Creating a separate user for HA with a decent password and without 2FA would be reasonable. But I don't see how you could do that.
Any recommendations/ideas on how to get this working?

Thanksalot,
qj

2

24.7 Production Series / KEA DHCP delete all reservations

« on: August 27, 2024, 01:50:24 pm »

Hi,
How can I remove all the reservations from the KEA-DHCP(4) table? In the GUI I can delete individual entries but this is a lot of effort if you want to overhaul your whole subnet.
Deleting the reservation entries in

Code: [Select]

/usr/local/etc/kea/kea-dhcp4.conf is being overwritten with the next restart of KEA.

Thanks for your help!

3

24.1 Legacy Series / Re: Kea DHCP - High Availability/HA Setup/Migration

« on: August 07, 2024, 10:28:43 am »

Thank you for the instructions, very helpful.

Despite that I was struggling to get this to work because I did not correctly follow step 7):

"Trigger a full sync" is an obscure little button in the form of a cloud. I somehow presumed that by pressing "Perform Synchronization" in System/High Availability/Settings the Sync would be triggered. But no, you need to click this little cloud.

After that the sync worked and everything else suddenly made sense. Hope that helps other people

4

24.1 Legacy Series / Re: No WAN connection unless activating Far Gateway option

« on: July 17, 2024, 11:10:53 am »

Nothing there. No bridges or other interfaces. Anything fancy should also show up in the routing table, though.

After the n-th reboot it now works even without the "Far Gateway" option enabled. I did not change anything aside from that option. Will see how it develops.

Anyway, would you have a hint on how to debug a failing route when the routing table seems correct?

I'll update this if anything new pops up.

5

24.1 Legacy Series / Re: No WAN connection unless activating Far Gateway option

« on: July 17, 2024, 10:09:34 am »

This only ever happens when the attached subnet / netmask disagrees about it for a valid (but sometimes obscure) reason.

Fully agree that it appears that way. But I don't see anywhere that this is the case. And it is rather strange considering I did not change much of the defaults here. Any idea where I can dig deeper?

6

24.1 Legacy Series / Re: No WAN connection unless activating Far Gateway option

« on: July 17, 2024, 09:47:44 am »

Sorry I just wanted to obscure the subnet. That is 192.168.178.0/24. But shouldn't matter. So everything here was from that subnet. Fixed in the original post.

7

24.1 Legacy Series / No WAN connection unless activating Far Gateway option

« on: July 17, 2024, 09:34:12 am »

Hi,

I set up a pretty standard OPNsense config behind a router from my ISP.
WAN interface (igb3) points to the router and gets IP via DHCP. IP is optained as 192.168.1.3, Router is set as Gateway at 192.168.1.1
LAN interface (igb2) has my laptop and assigns IPs via Kea DHCP (10.0.1.0/24) subnet.

From my laptop I can access the OPNsense host nicely, everything on the LAN side seems to work.

However, from the OPNsense host I have no access towards the router (I still believe that it was working nicely until recently, so maybe the upgrade to 24.1.10 changed something).

So I could not ping my ISP router (192.168.1.1), getting

Code: [Select]

PING 192.168.1.1 (192.168.1.1): 56 data bytes                                                                                                                                                                                             
ping: sendto: Invalid argument

Anything outside my local net (LAN) cannot be pinged. Unbound also didnt work (unsurprisingly). The only somewhat unhelpful message I found in the logs was:

Code: [Select]

arpresolve: can't allocate llinfo for 192.168.1.1 on igb3

With the above error I came to set the gateway to "Far Gateway" which is supposed to be for This will allow the gateway to exist outside of the interface subnet.
But my Gateway at 192.168.1.1 is in the WAN subnet of 192.168.1.3/24 ?

From the setup of routes and gateway everything looks fine as far as I can tell.
ifconfig

Code: [Select]

igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN (lan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 00:0d:b9:61:ad:f6
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
igb3: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN (wan)
        options=4802028<VLAN_MTU,JUMBO_MTU,WOL_MAGIC,NOMAP>
        ether 00:0d:b9:61:ad:f7
        inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

netstat -rn

Code: [Select]

Destination        Gateway            Flags     Netif Expire
default            192.168.1.1      UGS        igb3
10.0.1.0/24        link#3             U          igb2
10.0.1.1           link#3             UHS         lo0
127.0.0.1          link#6             UH          lo0
192.168.1.3      link#4             UHS         lo0

Setting the "Far Gateway" option for the configured gateway adds one entry to the above routes:

Code: [Select]

192.168.1.1      link#4             UHS        igb3

I am at a loss why this is happening and why I have to set the "Far Gateway" option when my Gateway appears to be in the same subnet as the WAN interface.

Related:
https://forum.opnsense.org/index.php?topic=11991.0
But for me manually saving the WAN interface configuration did not change anything.

Possibly related:
https://forum.opnsense.org/index.php?topic=34340.0