Messages - jjrushford

1
24.7 Production Series / Re: WireGuard VPN - Can access OPNsense but no resources on LAN
« on: October 03, 2024, 06:08:09 pm »
You should be able to access other resources as long as allowed IPs are set to 192.168.2.0/24 and 192.168.1.0/24.  Now you also might want to consider altering your subnets on your home network.  Most coffee shops and hotels use 192.168.1.0/24 as their wifi network.  This has caused me issues in the past with routing to my home network when using OpenVPN, so I switched my networks to use a /24 in the middle of the 10.0.0.0 range.  For example, 10.130.1.0/24 and 10.130.2.0/24, and I no longer have the routing issues while out and about.  With that said though, I've since switched from using OpenVPN to WireGuard.  Since WireGuard uses tunneling and routes the allowed IPs via the tunnel, the subnet routing may not really be an issue.  Just thought I'd mention it though.

2
24.7 Production Series / Re: After the update to 24.7 maxmind GeoIP no longer works.
« on: August 19, 2024, 03:42:38 pm »
I'm on 24.7.1 and have two GeoIP aliases that are working fine.  I created the aliases while on 24.1 though and upgraded to 24.7.  Are you trying to create a new alias now that you're on 24.7 and that's failing?

3
24.7 Production Series / Re: Multiple hostname in native-ddclient
« on: August 18, 2024, 05:11:14 pm »
Eisai, my hostnames are all DNS A records and no CNAMEs.  Also, I had to manually create the A records beforehand as ddclient will not create them.

4
24.7 Production Series / Re: Multiple hostname in native-ddclient
« on: August 18, 2024, 02:37:00 pm »
I'm on OPNsense 24.7.1 and I have os-ddclient 1.23 installed.  I only have two hostnames that I'm checking with ddclient.

5
24.7 Production Series / Re: Multiple hostname in native-ddclient
« on: August 18, 2024, 06:41:16 am »
Never mind the JSON strings, mine looks the same with multiple hostnames.  Yeah, I'm using ddclient also with cloudflare and mine are working fine.  I have multiple hostnames as well and it looks like yours.

6
24.7 Production Series / Re: Multiple hostname in native-ddclient
« on: August 18, 2024, 06:32:37 am »
That hostnames value looks like a JSON string.  Shouldn't it be an array of strings?

7
24.7 Production Series / Re: Traffic when NAT "Reflection for port forwards" is enabled locks up opnsense
« on: August 16, 2024, 05:27:45 am »
I'm running 24.7 with port forwarding to my internal Apache WebDAV server.  My macOS laptop users use the WebDAV server to mount a NAS share and they need to do that from wherever they are, on the local LAN or when they're out and about.  The port forwarding from the public IP works fine and I have the NAT reflection with hairpin NAT working as well; it never causes my OPNsense server to lock up, it works fine.

Now with all that said, I've found that I really don't need the NAT reflection if I use split horizon DNS.  I'm with Cloudflare and I'm using DDNS to register my public IP with the Cloudflare DNS servers using www.mydomain.com.  Internally, I run Unbound on my OPNsense box and I register www.mydomain.com there using the internal private IP.  The OPNsense DHCP server tells everyone on the LAN to use the Unbound DNS.  So, when the laptop users are on the LAN, www.mydomain.com points directly to the internal WebDAV server's IP.  When they are out and about, www.mydomain.com points to the public IP which gets port forwarded to the internal WebDAV server.  This works fine and I really don't need the NAT reflection.

8
24.7 Production Series / Re: DDNS - Cloudflare Not working
« on: August 13, 2024, 06:17:37 am »
My mistake, I checked the OPNsense documentation and the hostname setting is supposed to be the fully qualified hostname, I missed that.  Anyway, I have it working now, that's the main thing :)

9
24.7 Production Series / Re: DDNS - Cloudflare Not working
« on: August 13, 2024, 05:20:15 am »
Ok, I got it debugged and now have it working.  I saw in the ddclient latest.log that it queried using query parameters to specify the particular A and AAAA record.  So I ran the query manually using curl:

curl --request GET \
  --url "https://api.cloudflare.com/client/v4/zones/REDACTED_ZONE_ID/dns_records?type=A&name=www" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer REDACTED API TOKEN"

Note the query parameters, ?type=A&name=www (the URL has to be quoted, otherwise the shell treats the & as a background operator).  When I ran the query no A record was returned in the JSON.  When I left out the query parameters, I saw that my A record name was the FQDN, i.e. hostname.domainname.  I updated the ddclient settings in the OPNsense UI and changed my 'www' hostname to the FQDN, and now it's working.

This doesn't seem right to me or it's my misunderstanding.  Why would an A or AAAA record name need to be specified using the entire FQDN?  Am I making a mistake in my A/AAAA record creation by using only the hostname?
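The lookup described in this post, as an added example that is not code from the original thread or from ddclient: it builds the dns_records query URL with properly encoded parameters and filters a constructed sample response the way a client matching on type and name would, showing that the bare label 'www' matches nothing while the FQDN does. The zone name example.com, the zone id and the addresses are made-up values.

```python
import json
from urllib.parse import urlencode

# Constructed sample of a Cloudflare /zones/{zone_id}/dns_records response
# (shape only; the names and addresses are made up for this example).
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "errors": [],
    "result": [
        {"type": "A", "name": "www.example.com", "content": "203.0.113.10"},
        {"type": "AAAA", "name": "www.example.com", "content": "2001:db8::10"},
        {"type": "A", "name": "example.com", "content": "203.0.113.10"},
    ],
})

API_BASE = "https://api.cloudflare.com/client/v4"


def records_url(zone_id, rtype, name):
    """Build the filtered dns_records URL; urlencode keeps '&' and '=' safe."""
    query = urlencode({"type": rtype, "name": name})
    return f"{API_BASE}/zones/{zone_id}/dns_records?{query}"


def qualify_hostname(host, zone):
    """Return the FQDN as stored in the zone: a bare label gets the zone appended."""
    if host == zone or host.endswith("." + zone):
        return host
    return f"{host}.{zone}"


def find_record(response_text, rtype, name):
    """Return the first record matching type and exact FQDN, or None.

    Mirrors a client filtering on the record name: a short label such as
    'www' never equals the stored name 'www.example.com', so nothing matches.
    """
    data = json.loads(response_text)
    if not data.get("success"):
        raise RuntimeError(f"API call failed: {data.get('errors')}")
    for rec in data.get("result", []):
        if rec.get("type") == rtype and rec.get("name") == name:
            return rec
    return None
```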

10
24.7 Production Series / Re: DDNS - Cloudflare Not working
« on: August 13, 2024, 04:42:20 am »
I'm using the ddclient backend with the API token.  I believe there is a bug in the ddclient perl script.

I haven't tracked it down yet but here is the API call to Cloudflare using a curl script that I verified is returning my A and AAAA records in the JSON response.

#!/usr/local/bin/bash

set -x
curl --request GET \
  --url "https://api.cloudflare.com/client/v4/zones/REDACTED_ZONE_ID/dns_records" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer REDACTED API TOKEN"

I've looked at the /var/log/ddclient/latest.log and I see the query being made, the URL looks correct and I see the Authorization header in the log is set correctly using my API token but when the script examines the decoded JSON, it fails to get the A and AAAA records from the response.  To be clear, ddclient is sending the exact same query as the curl above but when examining the response, it does not resolve the records from the JSON response.

I'm currently trying to debug the script.

11
24.7 Production Series / Re: DDNS - Cloudflare Not working ** RESOLVED **
« on: August 12, 2024, 08:56:56 pm »
Quote from: jbhorner on August 10, 2024, 11:41:29 pm

I do not recall anything in the release notes stating that there were changes to this functionality. The complete configuration was identical to earlier versions (meaning I didn't modify anything), and it worked without issue. In fact, I brought up the prior version and verified that it worked correctly. So, something changed somewhere in the latest version of OPNsense. If Cloudflare is selected as the service, it seems to me that it should completely ignore the username field if it is indeed superfluous. (Or better still, do not display the field if it's not appropriate to the service selected.)

Thank you all for your suggestions.

I tried your suggestion and left the username blank and just populated the password with my API key.  I have my zone and hostname populated and am using the WAN interfaces as the IP lookup method.  I now get errors that say it's unable to update my IP addresses as the A and AAAA records do not exist in Cloudflare.  I created the A and AAAA records for my host at my Cloudflare DNS before I even configured os-ddclient and they still exist, so I do not understand why I'm getting these errors.  Any ideas?

12
24.7 Production Series / os-ddclient issue with Cloudflare
« on: August 12, 2024, 08:05:55 pm »
I have OPNsense 24.7_9 installed and am trying to get DDNS working using os-ddclient.  My provider is Cloudflare.
I've created the required API key in Cloudflare and am using that key as my password in the os-ddclient settings on OPNsense.  os-ddclient is reporting the following errors when it runs:

Account 22dfa802-939a-436c-b7a1-6bdbe6e03ac4 [cloudflare - Cloudflare ddns] error receiving ZoneID [[{"code": 6003, "message": "Invalid request headers", "error_chain": [{"code": 6103, "message": "Invalid format for X-Auth-Key header"}]}]]

Not sure what is wrong and hoping to get some help fixing this.

thanks
John

13
24.7 Production Series / Re: port forwarding with NAT reflection
« on: August 06, 2024, 02:34:51 am »
Thanks for your help!  I got it working by adding the outbound NAT rule on the LAN.

14
24.7 Production Series / Re: port forwarding with NAT reflection
« on: August 04, 2024, 05:23:59 pm »
Thanks for the link to the documentation.  I have a simple setup.  I just have a LAN and WAN interface with no DMZ.  On my LAN, I have a WebDAV server and port forwarding works fine when I'm away from my home network. However, I cannot get the port reflection to work.  I've tried the port reflection Method 1 configuration as described in the documentation precisely except I did not add a DMZ rule as I do not have a DMZ.  Method 1 is not working.  I'm new to OPNsense and firewall rules and am not sure how to troubleshoot/fix this.  Any ideas are greatly appreciated.

15
24.7 Production Series / port forwarding with NAT reflection
« on: July 29, 2024, 10:27:48 pm »
I recently replaced my Netgear router with OPNsense and am running the latest version.  I re-established my WebDAV port forward and it's working fine with the exception of NAT reflection.  It is my understanding that with NAT reflection enabled I should be able to use the port forward from the local LAN by using the WAN IP address/URL.  I've found that I can only access the WebDAV port forward using the WAN URL when I'm remote, and I have to use the local URL when on the LAN.  I'm wondering if there are any additional requirements to get the NAT reflection to work?  Does it require some special firewall rule?  I have a rule in for just the port forward from the WAN.
