Messages - bamf

#1
May be working fine, seems the "Last updated" field is only refreshed when there is an actual change to the retrieved list.
#2
Hi,

how do I make the firewall reload an Alias more often than every hour? I tried 0.25 for 15 minutes, but it does not seem to work.

I only want to reload a single Alias, not all ones.
#3
Hi,

where are the Unbound statistics saved? I want to have everything in /var/log which is a tmpfs.

What about RRD and Netflow data?
#4
Seems squid is not listening on port 3129.

root@OPNsense:~ # sockstat -l | grep 312
squid    squid       6485 27  tcp4   192.168.100.1:3128    *:*
squid    squid       6485 28  tcp6   2003:a:XXXX:XXXX::XXXX:3128 *:*
squid    squid       6485 29  tcp6   fda6::1:3128          *:*

But SSL port 3129 is configured in the WebUI. What am I doing wrong?
#5
Yes, I have configured my whole 192.168.100.0/24 as well as the complete ULA range fd00::/7 and my ULA range fda6::/64.

No matter if I use the IPv4 address of the router or the ULA address, my browser says:

The proxy server is refusing connections
#6
Still struggling here. The documentation says:

Quote: Authenticators

User authentication can be done using OPNsense standard and built-in authenticators. Currently these include:

    LDAP (incl. Microsoft Active Directory)
    Radius
    Local user manager
    No authentication

These options can be found in the Web Proxy -> Administration -> Forward Proxy -> Authentication Settings section.

Here it's called Squid Web Proxy and the only option is "Local database". What am I doing wrong?
#7
Hi,

I enabled the Squid web proxy, but it is refusing connections.

Under "Authentication method" the only options are "Local Database" or "Nothing selected". How can I disable the authentication?
#8
Found it:

root@OPNsense:~ # pfctl -s memory
states        hard limit  6545000
src-nodes     hard limit  6545000
frags         hard limit     5000
table-entries hard limit  1000000

It's 5000. That should be mentioned in the GUI help text.
#9
Hi,

what's the default value for Firewall Maximum Fragments?
#10
Hi,

I recently set up an OPNsense installation on x86/64 hardware (with an Intel Atom C3808), which handles the PPPoE dial-in for my VDSL connection and will later manage the Telekom fiber connection.

It is connected to my switch via a 10G DAC. One of the 2.5G ports is configured as a failover, meaning it has no active link during normal operation.

Since the processor was struggling with packet processing, I started experimenting with an MTU of 9000 (Jumbo Frames).

So far, this works well. Outbound (into the LAN), the device now achieves >8 Gbit/s, whereas previously, it was limited to ~3 Gbit/s.

I have manually configured the MTU on most devices. The remaining ones (printer, TV, IP Phone, etc.) seem to handle Path MTU Discovery just fine.

Additionally, I am advertising MTU 9000 via DHCP (v4|v6) (Option 26) and in the Router Advertisements using AdvLinkMTU.

However, I'm unsure if this works correctly for IPv6. When I send packets with an MTU >1500 to the OPNsense, they appear to be fragmented there:

19:21:00.689884 IP6 (flowlabel 0x64674, hlim 64, next-header ICMPv6 (58) payload length: 3008) fda6::3221:21ff:fe00:99e > OPNSense.home.arpa: [icmp6 sum ok] ICMP6, echo request, id 62758, seq 1
19:21:00.690083 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:0|1440) ICMP6, echo reply, id 62758, seq 1
19:21:00.690091 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:1440|1440)
19:21:00.690126 IP6 (hlim 64, next-header Fragment (44) payload length: 136) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:2880|128)
19:21:01.723259 IP6 (flowlabel 0x64674, hlim 64, next-header ICMPv6 (58) payload length: 3008) fda6::3221:21ff:fe00:99e > OPNSense.home.arpa: [icmp6 sum ok] ICMP6, echo request, id 62758, seq 2
19:21:01.723484 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x12234b6d:0|1440) ICMP6, echo reply, id 62758, seq 2
19:21:01.723518 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x12234b6d:1440|1440)
19:21:01.723525 IP6 (hlim 64, next-header Fragment (44) payload length: 136) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x12234b6d:2880|128)

I have already disabled all hardware offloading functions (CRC, TSO, LRO) for testing, but this made no difference.

Is this behavior expected, or do I need to configure anything else for IPv6 specifically?
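A way to read the capture quoted above, as an added example that is not part of the post or of OPNsense: it groups the reply fragments by fragment ID, checks that they tile the original payload without gaps, and computes the largest fragment's on-wire size. For the lines above that comes out at 1488 bytes, i.e. the echo reply was sized to fit a 1500-byte MTU, not the 9000 being advertised. The sample capture is the post's own tcpdump output, embedded as a string; the dict keys are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines from the post above (one echo request and
# the three fragments of its reply), copied verbatim into a string.
CAPTURE = """\
19:21:00.689884 IP6 (flowlabel 0x64674, hlim 64, next-header ICMPv6 (58) payload length: 3008) fda6::3221:21ff:fe00:99e > OPNSense.home.arpa: [icmp6 sum ok] ICMP6, echo request, id 62758, seq 1
19:21:00.690083 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:0|1440) ICMP6, echo reply, id 62758, seq 1
19:21:00.690091 IP6 (hlim 64, next-header Fragment (44) payload length: 1448) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:1440|1440)
19:21:00.690126 IP6 (hlim 64, next-header Fragment (44) payload length: 136) OPNSense.home.arpa > fda6::3221:21ff:fe00:99e: frag (0x6ad09c21:2880|128)
"""

IPV6_HDR = 40  # fixed IPv6 header, not included in tcpdump's "payload length"

# payload length, src, dst and (for fragments) "frag (id:offset|len)"
LINE_RE = re.compile(
    r"payload length: (?P<plen>\d+)\) (?P<src>\S+) > (?P<dst>\S+):"
    r"(?: frag \((?P<fid>0x[0-9a-f]+):(?P<off>\d+)\|(?P<flen>\d+)\))?"
)


def analyse(capture):
    """Return one dict per fragmented datagram: fragment count, whether the
    fragments are contiguous, reassembled upper-layer size, and the largest
    fragment's size on the wire (payload length + 40-byte IPv6 header)."""
    frags = defaultdict(list)
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("fid") is None:
            continue  # unfragmented packet (e.g. the echo request)
        frags[(m.group("src"), m.group("fid"))].append(
            (int(m.group("off")), int(m.group("flen")), int(m.group("plen"))))
    results = []
    for (src, fid), parts in frags.items():
        parts.sort()
        # each fragment must start exactly where the previous one ended
        contiguous = all(parts[i][0] + parts[i][1] == parts[i + 1][0]
                         for i in range(len(parts) - 1))
        reassembled = parts[-1][0] + parts[-1][1]
        largest_wire = max(p[2] for p in parts) + IPV6_HDR
        results.append({
            "src": src, "id": fid, "fragments": len(parts),
            "contiguous": contiguous, "reassembled_bytes": reassembled,
            "largest_fragment_bytes": largest_wire,
            # 1440 data bytes is the largest multiple of 8 fitting 1500 - 40 - 8
            "fits_1500_mtu": largest_wire <= 1500,
        })
    return results
```

The reassembled size (3008) equals the request's payload length, so nothing is lost; the telling number is the 1488-byte fragments, which is what a host does when it believes the path MTU is 1500.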
#11
I just removed the tmp and var/log datasets.

zfs set canmount=noauto zroot/tmp
zfs set canmount=noauto zroot/var/log
reboot
zfs set mountpoint=none zroot/tmp
zfs set mountpoint=none zroot/var/log
zfs destroy zroot/tmp
zfs destroy zroot/var/log
#12
Ah. Sure. These are blocking rules, missed that, sorry :)

Indeed, there are lockout rules on the "lan" interface which disappear when I check "Disable anti-lockout". No such rules on my opt1 interface.

So I can just keep everything like it is? No need to bother about the missing wan interface identifier?
#13
No, I have a LAN interface. But this interface also has a global IPv6 address assigned.
#14
There are auto-generated rules on my WAN (opt1) interface:

IPv4+6 TCP    <sshlockout>    *    (self)    22 (SSH)     *    *    *    sshlockout
IPv4+6 TCP    <sshlockout>    *    (self)    80 (HTTP)    *    *    *    sshlockout

Shouldn't these only apply to the LAN interface?

I activated "Disable anti-lockout" but the rules are still present. How to remove them?
#15
So there are no security implications?

Right now opt1 is assigned to my pppoe0 device.

Is there no difference in automatically generated rules for LAN and WAN interfaces?