Messages - Diggy

#1
26.1 Series / Re: Override DHCP Valid Lifetime
March 26, 2026, 04:09:36 PM
Quote from: hharry on March 26, 2026, 07:30:55 AM
It's been requested before here -> https://github.com/opnsense/core/issues/7592

Unfortunately that issue is "Closed as not planned".  Since I don't have a GitHub login, I am officially making my request here for that feature.  LOL
#2
26.1 Series / Override DHCP Valid Lifetime
March 25, 2026, 07:50:23 PM
We're using Kea DHCP server.  The Valid Lifetime set on the Settings tab is sufficient for most of our subnets.  However, there are a couple subnets that require a shorter lease time.

Which Option code, if any, overrides the value set on the Settings tab?  There isn't a code that says "valid lifetime".  The closest I found is "renewal time [58]", but because this is a production router, I cannot do trial and error.  Is "renewal time [58]" the correct code to override default valid lifetime?

UPDATE:
The code I mentioned above is for IPv4.  I also need the correct code for IPv6.  Please and thanks.

#3
Quote from: meyergru on March 19, 2026, 04:38:59 PM
3: Use "dmesg | fgrep microcode" on the CLI to see if an update was applied.


Apparently no microcode updates applied.  Output from that command:
[1] CPU microcode: no matching update found
#4

I have some questions about the "Intel CPU microcode updates" plugin.

First, I'd like to say that it would have been nice if the pre-install description stated that the package is no longer being maintained.  It was only mentioned post-installation.

Second, I would consider this package to be very important with respect to security, so why is it not being maintained?  Further, why isn't it included as part of the core installation?

Third, I am using an HP server with the "Intel Xeon CPU E5-2620 v4" CPU.  How can I determine if my system will benefit from the microcode?
#5
26.1 Series / Re: Port Forwarding automatic rules
March 17, 2026, 10:41:06 PM
Anyways, I disabled the auto-generated rules.  Then created the correct "Pass" rules and placed them after the GeoIP block.  In theory, the GeoIP block should take place when applicable before allowing the Port Forwarding.
#6
26.1 Series / Re: Port Forwarding automatic rules
March 17, 2026, 10:37:59 PM
Quote from: OPNenthu on March 17, 2026, 11:43:29 AM
In any case the order of the rules you show here should be working.  Are you sure you are testing from the outside?

Yeah, of course I was testing from the internet.

Quote from: OPNenthu on March 17, 2026, 11:48:05 AM
Do you have any other NAT rules set to "Pass" maybe?  Those would override and would not show here.

I do not see any rules elsewhere that would affect the desired behavior.
#7
26.1 Series / Re: Port Forwarding automatic rules
March 17, 2026, 10:33:29 PM
Quote from: OPNenthu on March 17, 2026, 11:43:29 AM
What is the meaning of "!" by itself in the Source field of your NAT rules?

I have no idea the meaning of the "!" by itself and am also wondering its meaning.  It is part of auto-generated rules.
#8
26.1 Series / Re: Port Forwarding automatic rules
March 16, 2026, 10:50:04 PM
Screenshot of the rules for the WAN interface:
#9
26.1 Series / Port Forwarding automatic rules
March 16, 2026, 10:40:59 PM

I have port forwarding working.  Internet can hit the WAN interface and both HTTP and HTTPS forward to the internal web server.

However, I am concerned that the port forwarding might take precedence over my manual rules including GeoIP blocking.  So I created a manual rule temporarily to see if it would block port forwarding.  It does not.  The docs say that the automatic port forward rules are to be applied last.  That does not appear to be the case.

Ideas?
#10
Quote from: Patrick M. Hausen on March 13, 2026, 05:21:48 PM
Maybe they are using RA to distribute ULA ...

Static IPv6 ULA addresses for servers, DHCP ULA via RA for workstations.
#11
26.1 Series / Minimizing storage writes
March 13, 2026, 06:40:43 PM
Although I am using an SSD for storage as opposed to a flash drive, I would still like to minimize writes to storage to extend its life.

Any suggestions on what settings I could/should change to accomplish this?

Is RRD written to storage?

Feedback on this matter is appreciated.

#12
I believe I have it working with IPinfo and I can see it got an initial database update from IPinfo.

Do I have to manually schedule database updates via cron or something similar?  If not, at what interval do updates automatically occur?
#13
Quote from: Patrick M. Hausen on March 12, 2026, 07:03:33 PM
You do not need IDS/IPS for that, nor a special plugin. GeoIP aliases are supported in standard firewall rules.

Set up a free account with MaxMind or IPinfo, navigate to Firewall: Aliases: GeoIP settings, follow the documentation:

https://docs.opnsense.org/manual/aliases.html#geoip

Thank you for the fast and thorough response.  I will definitely check it out.
#14
We are using private IPv6 addresses along with IPv4 addresses on our local network.  I noticed that the IPv6 range "fc00::0/7" is not included in the default Home Networks list.  Why?  Does "Home Networks" not apply to IPv6?  Are there any special considerations when adding "fc00::0/7" to the Home Networks list?

In advance, thanks for guidance on this matter.
#15
Running OPNsense 26.1.2.  Does the built-in IDS/IPS system allow blocking traffic to/from the internet by geographical region?  For example, blocking traffic from IP blocks allocated to Russia, China or Iran?  Or inversely, allow only traffic with IP blocks allocated to just North America?  If yes, what rulesets (if that is the correct term; I'm new to this) or configuration would I need?

If not, is there a plugin that can add the traffic blocking by geographical region functionality?

Help and guidance is much appreciated.  Thank you.