Messages

Hello,
Until now i use a certificate for each service which has a cname record.
I registered mydomain.tld and myservices have a cname record: service1.mydomain.tld CNAME mydomain.tld.

So i have as many certificates as i have services. Some are publicly accessibles some are not. I use caddy and private services are restricted in caddy to lan ips.

I want to simplify that with a wildcard certificate.
But i certainly need to modify parts of my setup as :
- i use mydomain.tld as my domain in opnsense (dns and dhcp are configured as per the recommandations : unbound on port 53 and dnsmasq on 53053). I have query forwarding for mydomain.tld to dnsmasq
- i have to other services which i setup recently which are hosted elsewhere: external_service1 A another_public_ip1
For those 2 services i have a query forwarding  from unbound to 1.1.1.1
- i have host override for externally accessible services: caddy.mydomain.tld -> lan_ip_of_opnsense and an alias for each service

So i need advice on:
- what domain should i use on opnsense ? lan.mydomain.tld or keep mydomain.tld
- should i use one domain per vlan ? lan.mydomain.tld, iot.mydomain.tld, ...
- should i change domain of external services (also used as endpoints for wireguard or openvpn tunnels) ?
- what domain should i use for publicly facing services ?

 

What is your LAN address? 10.10.1.0/24.
If so you can't assign @ip outside of your lan. 10.10.0.x is outside of your lan.
 Do you have any vlan defined?

yes. I run query log until i finish my setup. I'm moving some apps to dmz and need that logs until all is running fine including acccess from wan, lan with a single hostname for apps using authentik provider or having their own auth.
It's not straight forward as i have apps accessed only from lan others from both wan and lan. Some are using authentik others don't.
And i'm still wondering which apps to put in dmz. 

For those following this topic.
On the 8th i was at the airport  going to holidays and was checking if didn't forgot to enable security cams.
I had no connection.
Once again and exactly 1 week after the first connection loss the isp changed my password.
Arrived at my destination and after the week end i could contact them and they could put back the password i had in my config.
But it was almost useless as my router had its disk full. during the loss of connection resolver logged 2Gb a day against around 300M on a normal day.
Once again they didn't believe me when i told them the password has been changed. I had to say it very loud to be heard.
They have open an investigation but no news until now.

i've rebooted in single user mode and could delete resolver log which were around 40Gig large.
after a reboot to normal mode all went back to normal

I'll do that when I come back.

Code Select Expand

su - doesn't work either.

Hello,

My opnsense instance is sick.
My disk space (zfs) is full and webui doesn't work anymore (php errors).
I'm away from home. I can ssh into opnsense with regular credentials.
I can't use sudo (php error thrown) so can't do much.
From what i can see /var/log could be full but as i can't sudo, i can't delete anything nor reboot.
Can i do something or should i reinstall it when i come home ?

And thak you very much for your help. it's very appreciated.
I'll ask for closing the issue on github.

I have still unifi plugin to restore and after finally go for 25.7 upgrade.... or leave it to after holidays.

To put an end to this trouble.

A tehcnician finally came to my house.
And guess what the isp changed my credentials without telling me and worse they confirmed me the old one.

As soon as i put the correct one the link came up.

i had a good will technician on the phone (my 10th phone call) and could confirm that i have the right credentials.
The only thing that didn't match is the serial number registered in their crm which afaik isn't used in pppoe/chap.
For the serial they entered my router mac address with a mistake on the last character. It has been changed to match the real address but didn't change anything.
So they were not bullshitting me.
The last possibility i see is a change made by post which is the isp which owns the line and provides the ont.

i'm still waiting for my credentials. They told me they have a failure on their cms and can't send messages or mail to clients.
I deeply regret to have a contract with this provider.
In the end i'll probably go with a fritzbox (i hope they have one with 2,5Gbs lan port)

But i'm still a very angry at this provider. The technician who came to setup the line gave some wrong info (fqdn of voip proxy which doesn't exist).
And today after 9 calls, 1 chat and 2 tickets in their system i still couldn't have my credentials.
I had shitty providers in the past but nothing like that.
The only good thing a very stable 2Gbs/750Mbs connexion but only ipv4. They don't know ipv6.

Small step.
I installed a live openwrt on my router.
I have the same result: chap authentication failure.
I called support once again and i am waiting for my pppoe credentials, password and router mac address registered.
25 min to have them send a message and it's not even here.
I don't know if openwrt and opnsense use the same libraries for pppoe connexion.
But i'm quite certain the isp is bullshitting me. They only want fritzbox on their network.

the result of audit on current 25.1 system:

Code Select Expand

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 25.1 (amd64) at Mon Aug  4 14:30:57 CEST 2025
>>> Root file system: zroot/ROOT/default
>>> Check installed kernel version
Version 25.1 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 25.1 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check installed repositories
OPNsense (Priority: 11)
>>> Check installed plugins
No plugins found.
>>> Check locked packages
No locks found.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" at 25.1 has 69 dependencies to check.
Checking packages: .
beep-1.0_2 has no upstream equivalent
Checking packages: .
ca_root_nss-3.104 has no upstream equivalent
Checking packages: .
choparp-20150613_1 has no upstream equivalent
Checking packages: .
cpustats-0.1 has no upstream equivalent
Checking packages: .
dhcp6c-20241008 has no upstream equivalent
Checking packages: .
dhcrelay-1.0 has no upstream equivalent
Checking packages: .
dnsmasq-2.90_4,1 has no upstream equivalent
Checking packages: .
dpinger-3.3 has no upstream equivalent
Checking packages: .
expiretable-0.6_3 has no upstream equivalent
Checking packages: .
filterlog-0.7_1 has no upstream equivalent
Checking packages: .
flock-2.37.2_1 has no upstream equivalent
Checking packages: .
flowd-0.9.1_5 has no upstream equivalent
Checking packages: .
hostapd-2.11_1 has no upstream equivalent
Checking packages: .
ifinfo-13.0_1 has no upstream equivalent
Checking packages: .
iftop-1.0.p4_1 has no upstream equivalent
Checking packages: .
isc-dhcp44-server-4.4.3P1_2 has no upstream equivalent
Checking packages: .
kea-2.6.1_2 has no upstream equivalent
Checking packages: .
lighttpd-1.4.77 has no upstream equivalent
Checking packages: .
monit-5.34.3 has no upstream equivalent
Checking packages: .
mpd5-5.9_18 has no upstream equivalent
Checking packages: .
ntp-4.2.8p18_1 has no upstream equivalent
Checking packages: .
openssh-portable-9.9.p1_1,1 has no upstream equivalent
Checking packages: .
openvpn-2.6.13 has no upstream equivalent
Checking packages: .
opnsense-25.1 has no upstream equivalent
Checking packages: .
opnsense-installer-25.1 has no upstream equivalent
Checking packages: .
opnsense-lang-25.1 has no upstream equivalent
Checking packages: .
opnsense-update-25.1 has no upstream equivalent
Checking packages: .
pam_opnsense-24.1 has no upstream equivalent
Checking packages: .
pftop-0.10_1 has no upstream equivalent
Checking packages: .
php83-ctype-8.3.15 has no upstream equivalent
Checking packages: .
php83-curl-8.3.15 has no upstream equivalent
Checking packages: .
php83-dom-8.3.15 has no upstream equivalent
Checking packages: .
php83-filter-8.3.15 has no upstream equivalent
Checking packages: .
php83-gettext-8.3.15 has no upstream equivalent
Checking packages: .
php83-google-api-php-client-2.4.0 has no upstream equivalent
Checking packages: .
php83-ldap-8.3.15 has no upstream equivalent
Checking packages: .
php83-pcntl-8.3.15 has no upstream equivalent
Checking packages: .
php83-pdo-8.3.15 has no upstream equivalent
Checking packages: .
php83-pear-Crypt_CHAP-1.5.0_1 has no upstream equivalent
Checking packages: .
php83-pecl-radius-1.4.0b1_2 has no upstream equivalent
Checking packages: .
php83-phalcon-5.8.0 has no upstream equivalent
Checking packages: .
php83-phpseclib-3.0.42 has no upstream equivalent
Checking packages: .
php83-session-8.3.15 has no upstream equivalent
Checking packages: .
php83-simplexml-8.3.15 has no upstream equivalent
Checking packages: .
php83-sockets-8.3.15 has no upstream equivalent
Checking packages: .
php83-sqlite3-8.3.15 has no upstream equivalent
Checking packages: .
php83-xml-8.3.15 has no upstream equivalent
Checking packages: .
php83-zlib-8.3.15 has no upstream equivalent
Checking packages: .
pkg-1.19.2_5 has no upstream equivalent
Checking packages: .
py311-Jinja2-3.1.4 has no upstream equivalent
Checking packages: .
py311-dnspython-2.7.0,1 has no upstream equivalent
Checking packages: .
py311-duckdb-1.1.3 has no upstream equivalent
Checking packages: .
py311-ldap3-2.9.1 has no upstream equivalent
Checking packages: .
py311-netaddr-1.3.0 has no upstream equivalent
Checking packages: .
py311-numpy-1.26.4_2,1 has no upstream equivalent
Checking packages: .
py311-pandas-2.1.4,1 has no upstream equivalent
Checking packages: .
py311-requests-2.32.3 has no upstream equivalent
Checking packages: .
py311-sqlite3-3.11.11_7 has no upstream equivalent
Checking packages: .
py311-ujson-5.10.0 has no upstream equivalent
Checking packages: .
py311-vici-5.9.11 has no upstream equivalent
Checking packages: .
radvd-2.20 has no upstream equivalent
Checking packages: .
rrdtool-1.9.0 has no upstream equivalent
Checking packages: .
samplicator-1.3.8.r1_1 has no upstream equivalent
Checking packages: .
strongswan-5.9.14 has no upstream equivalent
Checking packages: .
sudo-1.9.16p2_1 has no upstream equivalent
Checking packages: .
suricata-7.0.8 has no upstream equivalent
Checking packages: .
syslog-ng-4.8.1_3 has no upstream equivalent
Checking packages: .
unbound-1.22.0_1 has no upstream equivalent
Checking packages: .
wpa_supplicant-2.11_2 has no upstream equivalent
Checking packages: .
zip-3.0_4 has no upstream equivalent
***DONE***

based on the log:

Code Select Expand

FreeBSD 14.3-RELEASE-p1 stable/25.7-n271606-9af17f0102ca SMP amd64
My system isn't the same anymore. I reinstalled it with 25.1 image and still have the authentication problem.
Before upgrading to 25.7 i had 25.1.12 version.
I can post the full log of the upgrade process if necessary.
The previous pcap i posted were from fresh 25.1 with a restored config.
This morning i also tested a live 25.7 with same result.