Messages - JasMan

1
24.7 Production Series / Re: New Dashboard cards issue
« on: August 27, 2024, 12:28:11 pm »
I was able to solve it.

Nginx was configured to buffer the responses from the upstream server. Therefore, the interfaces and CPU load values for the widgets were sent only when the buffer size had been reached.
This caused the 3-second-delay for the interface values, and a 30-second-delay for the CPU load values which was too long for the graph to show anything.

I've disabled "Response Buffering" in the location settings in Nginx.  :)


2
24.7 Production Series / Re: New Dashboard cards issue
« on: August 26, 2024, 10:02:56 pm »
I've found out that the issue is caused by Nginx.

Nginx provides the OPNsense GUI for external and internal access. When I open the GUI directly all graphs/cards are fine.

Not sure if it is a configuration or plugin issue.

Does anybody use Nginx in combination with OPNsense? 

3
24.7 Production Series / Re: New Dashboard cards issue
« on: August 24, 2024, 12:04:39 pm »
@geekguy: Try to delete the browser cache for the site. I can remember that it helped in the past.

4
24.7 Production Series / Re: New Dashboard cards issue
« on: August 22, 2024, 06:04:17 pm »
Thank you for sharing.
I noticed the same when the tab with the gui goes to the background.

But my issues happen right after I've logged in and the tab has the focus. :(

5
24.7 Production Series / [SOLVED] New Dashboard cards issue
« on: August 22, 2024, 02:35:39 pm »
I've issues with the new dashboard cards in 24.7.

The traffic graph is not continuous. It shows empty parts for 2-3 seconds at the end.
The CPU graph is completely empty.

I tried different browsers and users. Same issues.

I run a test version of OPNsense in Hyper-V, and the graphs are fine there.

Any ideas?

6
24.1 Legacy Series / [SOLVED] After reboot can't login anymore
« on: July 19, 2024, 08:01:59 am »
Quote from: newsense on July 18, 2024, 10:45:12 am
Try this

https://docs.opnsense.org/troubleshooting/password_reset.html

Worked! Thank you.

Quote from: meyergru on July 18, 2024, 09:30:41 am
If you enabled TOTP, you cannot login without it and you are obviously relying on the correct time setting, so that is a risk.

If the internet access is gone, NTP may be running, but how do you know if the time is right? See?

You should either have an SSH login ready with an SSH key (this does not need TOTP) or have the console accessible without a login in order to be able to fix things in case the time goes wrong.

You were right. It seems that the BIOS battery has no power anymore, and the system lost the time after I disconnected the power supply.
And I was wrong with my root user. The user was configured for MFA, too. I've changed it immediately.  :)

Internet didn't work because I'm using DNS-over-TLS and due to the wrong time, the certificates didn't match = no DNS.
But I'm still wondering why the NTP query was successful.

Nice issue. I'm glad for your help and that I was able to understand the reasons for it.

7
24.1 Legacy Series / Re: After reboot can't login anymore
« on: July 18, 2024, 10:56:41 am »
That sounds good!
I will try and report the result.

8
24.1 Legacy Series / Re: After reboot can't login anymore
« on: July 18, 2024, 10:23:57 am »
Thank you for your reply. That was also my first thought.

Therefore, I checked the NTP time by requesting an update via "w32tm /stripchart /computer:OPNSENSE".
The returned time was fine.
And I also tried to login as root, which has no TOTP configured. Same error.

9
24.1 Legacy Series / [SOLVED] After reboot can't login anymore
« on: July 18, 2024, 09:24:16 am »
Hey,

I rebooted my OPNsense 24.1.10_3 after I've moved it to another location.
Now I can't login anymore via SSH and WebGUI (Wrong username or password). I tried it with three different users with and without TOTP and also with different clients. The times on the clients and on OPNsense are correct.

Next strange thing: the internal network and services are working fine (NTP, DHCP, DNS). But I've no Internet access. Traceroute dies after the default gateway (OPNsense). All DNS queries for external names run into a SERVER_FAIL.
The WAN interface is up and reachable via ICMP.

Any ideas? I guess I need to reinstall OPNsense because I can't login. Or is there another way to import the latest backup?

10
24.1 Legacy Series / Re: [Unbound DNS] Service failed to start after OPNsense upgrade
« on: May 18, 2024, 02:34:27 pm »
Maybe the listening interface is not up when Unbound tries to start?

Have you checked the system logs?

11
General Discussion / Re: Have Web GUI listen interface in dns
« on: May 18, 2024, 02:10:37 pm »
Check if Unbound resolves to the correct IP address: nslookup [OPNsense FQDN] [OPNsense MGMT Interface IP]
If yes, then the PiHole seems to have a (static) record which resolves to the wrong IP address.

I've enabled the "Do not register system A/AAAA records" under Services: Unbound DNS: General, and created a static record in Unbound for my OPNsense.

If "Do not register system A/AAAA records" is disabled, Unbound registers the configured name under "System: Settings: General" for all listening interfaces.


12
General Discussion / Re: How to handle Automation Rules that should allow WAN Access
« on: May 18, 2024, 01:38:29 pm »
Remove the "Quick" setting in the automation rule. Then the rule will match last.

Or create an Internet alias for all non-private addresses and add it as destination in the rule:

IPv4
!192.0.2.0/24
!198.51.100.0/24
!203.0.113.0/24
!169.254.0.0/16
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
!0.0.0.0/8
!100.64.0.0/10
!127.0.0.0/8
!192.0.0.0/24
!192.88.99.0/24
!198.18.0.0/15
!233.252.0.0/24
!224.0.0.0/4
!240.0.0.0/4
0.0.0.0/0
IPv6
!2001:db8::/32
!::/0
!::/128
!::1/128
!::ffff:0:0/96
!::ffff:0:0:0/96
!64:ff9b::/96
!64:ff9b:1::/48
!100::/64
!2001:0000::/32
!2001:20::/28
!2002::/16
!fc00::/7
!fe80::/64
2000::/3
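
How the alias above evaluates, as an added example (not from the post or OPNsense's code): it assumes the entries are matched like a pf table, where the most specific entry containing the address decides and a `!` entry means no match. The sample addresses are constructed.

```python
import ipaddress

# Alias entries copied from the post above (IPv4 and IPv6 lists combined).
ALIAS = """
!192.0.2.0/24 !198.51.100.0/24 !203.0.113.0/24 !169.254.0.0/16 !10.0.0.0/8
!172.16.0.0/12 !192.168.0.0/16 !0.0.0.0/8 !100.64.0.0/10 !127.0.0.0/8
!192.0.0.0/24 !192.88.99.0/24 !198.18.0.0/15 !233.252.0.0/24 !224.0.0.0/4
!240.0.0.0/4 0.0.0.0/0
!2001:db8::/32 !::/0 !::/128 !::1/128 !::ffff:0:0/96 !::ffff:0:0:0/96
!64:ff9b::/96 !64:ff9b:1::/48 !100::/64 !2001:0000::/32 !2001:20::/28
!2002::/16 !fc00::/7 !fe80::/64 2000::/3
""".split()

def alias_matches(entries, address):
    """Assumed pf-table semantics: the longest matching prefix wins,
    and a negated (!) winner means the address is not in the alias."""
    addr = ipaddress.ip_address(address)
    best = None  # (prefix length, negated) of the most specific match so far
    for entry in entries:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, negated)
    return best is not None and not best[1]

def classify(entries, addresses):
    """Map each address to True (rule applies) or False (excluded)."""
    return {a: alias_matches(entries, a) for a in addresses}

# Constructed sample destinations (assumptions for illustration).
SAMPLES = [
    "8.8.8.8",               # public IPv4: only 0.0.0.0/0 matches
    "192.168.1.10",          # RFC 1918: !192.168.0.0/16 is more specific
    "100.64.0.1",            # CGNAT range
    "2606:4700:4700::1111",  # global unicast inside 2000::/3
    "2001:db8::1",           # documentation prefix inside 2000::/3
    "fd00::1",               # unique local address
    "4000::1",               # outside 2000::/3: only !::/0 matches
]

if __name__ == "__main__":
    for address, hit in classify(ALIAS, SAMPLES).items():
        print(f"{address:22} in alias: {hit}")
```

Under this assumption the `!::/0` entry only affects addresses outside `2000::/3`, because every other entry is more specific.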

13
23.7 Legacy Series / Re: Unbound Whitelist not working
« on: May 04, 2024, 05:47:38 pm »
Same issue.

It seems that whitelisting of a wildcard domain from the OISD list doesn't work.

I added different domains from the OISD list (https://big.oisd.nl/domainswild) to the whitelist as example. When I try to resolve them I'm still getting 0.0.0.0 for A records, and an empty response for CNAMEs from the server.

The Unbound Report shows the A query as blocked, but the button at the end of the line says "Block Domain" instead of "Whitelist Domain".
Whitelisted CNAME queries are not shown in the report.

Bug? Expected behaviour?



14
General Discussion / Re: What is the syntax for log filter queries
« on: October 01, 2023, 03:34:23 pm »
No one?  :-\

15
Zenarmor (Sensei) / Re: Wireguard interface active, but Zenarmor not filtering/reporting data.
« on: September 02, 2023, 11:57:49 am »
YAY! It's working again!  :)

WG traffic is inspected and blocked as before the OPNsense update. Thanks a lot for your support!
