Messages - open2bsafe

#1
Good news! When I flush the cache on the client with Netskope VPN, I am able to get to the server with or without "www" in front. This is with the overrides disabled.

When the overrides are enabled (I just made sure to have two overrides, with and without "www", versus using *), flushing the DNS and pinging would time out.
#2
[update]

When I add the override, a local machine cannot get to the server (ping says could not find the host ..., please check the name and try again).

With Netskope VPN, it does not work either. However, when I disabled/deleted the override, I was able to get to the server without "www" in front with Netskope VPN. It still does not work with www.<myserver...>.com

When I ping with the client that has Netskope VPN, it shows the external IP for the host name without "www", and it shows the "local" IP for the host name with the "www".

Did I set up something wrong somewhere?

Let me try to flush the client DNS cache and see how it goes.
#3
Thank you. I had something like that before. I am doing it again, but with the flush DNS cache. I am not sure of the correct way, but I checked the box for "Flush DNS Cache during reload" in General settings, clicked Apply, and restarted the server. That didn't work though.

Locally, I still have this message:

"A potential DNS Rebind attack has been detected.
Try to access the router by IP address instead of by hostname. You can disable this check if needed under System: Settings: Administration"

And the SSL certificate is still the generated one from OPNsense.

Accessing via Netskope still does not work (site can't be reached). It still points to the local address, not the external address.

Accessing via Phone's mobile network still works fine.

#4
I have an issue getting a local host's port forward to be accessible both inside and outside.

If I use my mobile phone's mobile network, I can access the server without issue, with the correct SSL certificate.
This server has a certificate and uses DDNS for domain name lookup.

However, things don't work from here.

1. From Interfaces->Diagnostics->Trace Route, the server host name returns the local address (192.168.x.x), versus the external address.
2. From a local client machine, I ping the server, and I get "domain name not found".
3. When I edit the local client's network settings to use Google's DNS 8.8.8.8, I see the machine, but I get the "rebinding DNS attack" message, and the certificate is OPNsense-generated, not my host's certificate.
4. I played with port forwarding reflection->enabled, or override, etc., without much success, either getting to see the OPNsense web GUI config vs. my server, or the re-binding attack notice, or not working (I enable the OPNsense GUI only for LAN in the System settings).
5. Restarts do not help.
6. When using Netskope VPN on one client machine, I tried to access the DMZ server, without success. When I ping it, it shows the "local" 192.168.x.x address instead. However, I was able to use the IP (numeric) address and see the site with a security warning due to the SSL certificate issue.

If I change "hosts" file to use local address, everything would work.  But this is not a good option (just for testing), because I don't have access to this file, such as android devices, etc.

The configuration is somewhat similar to pfSense. With pfSense, I managed to get "outside" to work properly, but internally I have to use the raw IP, which is fine.

Somehow with OPNsense, the external network appears to work with the mobile phone network, but not Netskope. pfSense works externally.

Thanks.
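The three outcomes described in this post (name not found, the firewall's own GUI with the rebind warning, or the server directly) depend on which address a client's resolver hands back. This added diagnostic (example code, not from the thread) classifies a resolver's answer against the server's LAN address and the WAN address; the LAN and WAN values are placeholders you supply, and check_resolver assumes host(1) is available.

```shell
#!/bin/sh
# Added example: classify how a LAN client will reach a port-forwarded server
# depending on what its resolver returns. Addresses passed in are assumptions
# (the server's 192.168.x.x address and the WAN address the DDNS name carries).

# Return "private" for RFC 1918 addresses, "public" for anything else.
ip_scope() {
    case "$1" in
        10.*|192.168.*) echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# Map a resolver answer to the outcome seen in the thread.
# $1 = answer ("" for NXDOMAIN), $2 = server LAN address, $3 = WAN address
outcome() {
    answer=$1; lan_ip=$2; wan_ip=$3
    if [ -z "$answer" ]; then
        echo "nxdomain: this resolver has no record, so the host override is not being used"
    elif [ "$answer" = "$lan_ip" ]; then
        echo "direct: split DNS is working, the client talks to the server on the LAN"
    elif [ "$answer" = "$wan_ip" ]; then
        echo "hairpin: client got the WAN address; from the LAN this is the path that shows the firewall GUI and its rebind warning instead of the server"
    elif [ "$(ip_scope "$answer")" = private ]; then
        echo "other-private: a private address that is not the server; check the override entry"
    else
        echo "other-public: a public address that is not this WAN; the DDNS record may be stale"
    fi
}

# Query one resolver for the name and classify the answer (needs network).
# $1 = server name, $2 = resolver to ask, $3 = server LAN address, $4 = WAN address
check_resolver() {
    name=$1; resolver=$2; lan_ip=$3; wan_ip=$4
    answer=$(host -t A "$name" "$resolver" 2>/dev/null | awk '/has address/ {print $NF; exit}')
    printf '%s via %s -> %s: %s\n' "$name" "$resolver" "${answer:-NXDOMAIN}" \
        "$(outcome "$answer" "$lan_ip" "$wan_ip")"
}
```

Run check_resolver once against the OPNsense LAN address and once against 8.8.8.8 from the same client to see which path each resolver produces.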
#5
I can confirm that once I log in and get into Shell, appending the /boot/loader.conf file as mentioned above works when restarted.  This is mentioned here.

https://forums.freebsd.org/threads/booting-from-usb-error-19.57429/#post-327585

So, I stumbled on the first boot after installation; using the "?" command to find the various partitions and then manually entering ufs:/dev/<partition name> helps move forward.
#6

After successful installation, I got the following error when rebooted:

Mounting from ufs:/dev/da1p2 failed with error 19.

Loader variables:
  vfs.root.mountfrom=ufs:/dev/da1p2

Manual root filesystem specification:
  <fstype>:<device> [options]
      Mount <device> using filesystem <fstype>
      and with the specified (optional) option list.

    eg. ufs:/dev/da0s1a
        zfs:zroot/ROOT/default
        cd9660:/dev/cd0 ro
          (which is equivalent to: mount -t cd9660 -o ro /dev/cd0 /)

  ?               List valid disk boot devices
  .               Yield 1 second (for background tasks)
  <empty line>    Abort manual input

I typed in ? and pressed Enter, and the following (among many others) were shown:

ada0p2
ada0p1
ada0

da0p2
da0p1
da0

I typed in ufs:/dev/da0p2 and pressed Enter, and it started up.

It would be nice if this is fixed so I don't have to do this.  I am not sure if adding to /boot/loader.conf would work, but I can give it a try.

vfs.root.mountfrom="ufs:/dev/da0p2"

This does not happen with pfSense, but I would like to move my devices to OPNsense.
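To make the manually typed root device stick across reboots, the setting above needs to be written exactly once. This added helper (not from the thread) writes or replaces the vfs.root.mountfrom line idempotently; the thread appended to /boot/loader.conf, and using /boot/loader.conf.local instead rests on the assumption that OPNsense regenerates loader.conf and reads loader.conf.local for local overrides.

```shell
#!/bin/sh
# Added example: persist vfs.root.mountfrom so the mountroot> prompt is not
# needed on the next boot. Target file and device value are assumptions;
# the value shown in the thread was ufs:/dev/da0p2.

# Write or replace the vfs.root.mountfrom assignment in $1 with value $2.
# Safe to run repeatedly: only one assignment remains afterwards.
set_mountfrom() {
    file=$1; value=$2
    tmp="$file.tmp.$$"
    if [ -f "$file" ]; then
        # Keep every other line; grep returns 1 when nothing is left, which is fine.
        grep -v '^vfs\.root\.mountfrom=' "$file" >"$tmp" || :
    else
        : >"$tmp"
    fi
    printf 'vfs.root.mountfrom="%s"\n' "$value" >>"$tmp"
    mv "$tmp" "$file"
}

# Read back the persisted value (quotes stripped) so it can be verified.
get_mountfrom() {
    sed -n 's/^vfs\.root\.mountfrom="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Usage on the box after the manual boot from the thread:
#   set_mountfrom /boot/loader.conf.local ufs:/dev/da0p2
#   get_mountfrom /boot/loader.conf.local
```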