Messages

Hi meyergru,

I had a port-forward rule for IPv4 from WAN (123/UDP) to localhost (127.0.0.1/32) in place which worked...
With hindsight this was a mistake. I have created an extra IPv4 virtual LAN address to forward all this traffic to.
No access to localhost from WAN. Solved.

In the standard chrony documentation it is mentioned that chrony only responds to control connections to localhost (127.0.0.1 or ::1).
However, this is exactly the address that i forward NTP requests from WAN to.
Any advice? Am i overly cautious?

[Situation]

Hi all,

Been very happy using Opnsense for the past few months, but i have a question which i cant find the answer to in the forum.

Situation
I am a server owner in the NTP Pool Project and have a few hardware NTP servers running behind Opnsense.
Port 123 is forwarded to these appliances. These all use NTPD and are set-up with decent security settings (e.g. preventing mode 6 / 7) and some rate limitation.

However I also have set-up Opnsense itself as a time source using Chrony (NTPD is not useable for me because of clock drift, does it use a different hardware timer than chrony???).
Now I have forwarded part of this WAN traffic to an existing virtual IP-address on LAN, which the chrony client binds to. This works great.

Question
I am wondering about security concerns for this setup, for example remote control connections (mode 6/7).
Is my current setup vulnerable?
In the chrony documentation is see several possibly interesting config options, which i am not sure are set in the standard chrony config for opensense:
- cmdport 0 (disables remote control connections)
- set "user" to disable root
- bindcmdaddress and cmdallow (limits control connections to a certain IP range)

Upgrade from 25.1.12 worked great on my machine aswell.

i see active connections on igc0 and igc5.
However, igc5 is not to a member of "bridge".

@thomasE

Great that you finally got to the bottom of this.
Did you return the dec4280 to Deciso or did you find a job it can handle?

Kind reminder/bump

Hi, just wanted to share that i am having issues establishing IPSec connections with Globalprotect hosts under 25.1.7_4.
This appears to be very similar to an earlier problem early March with 25.1.1 and 25.1.2, which was fixed in 25.1.2_nd and 25.1.3.
If i can recall correctly the problem was due to opnsense fragmenting packets resulting in the hosts not accepting the connection.

If i use snapshot to revet back to 25.1.6 the issue goes away.
Under 25.1.7_4 i can ping these hosts fine, jst not establish an IPSec connection.

Can someone please look into this?

Hi,

I currently have a few local virtual IPv6 addresses created under 'interfaces', namely: fd07::1/128 and fd08::1/128 that i use to serve NTP time to WAN users.
This is instead of forwarding the WAN NTP requests to my physical LAN NTP servers.

However, even though i have put NAT and FW rules in place to route this traffic to these addresses as well as update chrony config i still need to include ::/0 as client address range in the chrony config to get them to work. What am i missing here?

I can confirm upgrade works flawlessly

Great!
Indeed "Track Interface" is also required.
Only then IPv6 address is assigned to LAN interface.

If you could do a few checks, dont think they atter much:
- Interfaces -> I have created separate interfaces for VLAN and Physical to be able to correctly set the MTU's for both. Physical WAN MTU =1512, VLAN MTU=1508, PPPoE WAN=1508
- Interfaces -> I have have "Send Prefix Hint" as "enabled"

Looking in Interfaces -> overview i also see a few interfaces working (green plug sign): Physical WAN and LAN. I see that the Physical WAN interface does not receive a IPv6 address, this is assigned to the LAN interface...

Hi Rene,

I'm also on KPN FttH and 25.1.5_5 and running well.
I'll take a look at my config and hopefully provide you with some ideas.

Just updated the BIOS on my dec3840 to latest.
Appears to be working sofar.
Thanks!

Thanks!
Will DEC800, DEC3800 & DEC4000 series also get an update soon?
Last update was mid-2024...

Current bios of dec3860 (with EPYC Embedded 3101) only seems to suport C2 as highest C-state as per sysctl.
Would like to have C3 enabled if possible to fursther lower power consumption.
Can this be enabled by an updated bios?