Messages

1

18.1 Legacy Series / Re: Unbound crashed

« on: April 23, 2018, 01:20:02 pm »

Hmm.. ok, so it's not an isolated incident.
Well, I don't know what's next. Maybe opening a bug on Github. I'll do this later today.

Thanks!

2

18.1 Legacy Series / Re: Unbound crashed

« on: April 20, 2018, 02:16:56 pm »

So am I the only one with this problem?
I disabled IDPS, curious if it will crash again...

3

18.1 Legacy Series / Re: Unbound crashed

« on: April 17, 2018, 06:22:01 pm »

So... crashed again... also while RDP-ing

This time, I found this in the logs:

Code: [Select]

Apr 17 19:11:18 gateway unbound: [90027:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 17 19:11:18 gateway unbound: [90027:1] info: error sending query to auth server 9.9.9.9 port 853
Apr 17 19:11:18 gateway unbound: [90027:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 17 19:11:18 gateway unbound: [90027:1] info: error sending query to auth server 9.9.9.9 port 853
Apr 17 19:11:18 gateway unbound: [90027:1] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version
Apr 17 19:11:18 gateway unbound: [90027:1] info: error sending query to auth server 9.9.9.9 port 853

And the same error as before in system:
Apr 17 19:11:18 gateway kernel: pid 90027 (unbound), uid 59: exited on signal 11

4

18.1 Legacy Series / Re: Use floating rule to allow dns query on OPNsense

« on: April 11, 2018, 07:38:01 pm »

It can contain whatever IP addresses you want to use and also FQDNs which will get resolved periodically (every 1 min if I'm not mistaken). You can type in any of these two and as many as you need

5

Hardware and Performance / Re: OpenVPN performance differential (openWRT, pfSense & OPNsense)

« on: April 10, 2018, 07:05:46 am »

PS: Never would have occurred to me to look in the intrusion section for performance improvements 

dcol wrote those with IDPS performance enhancement in mind, but from my tests, had a significant impact on OpenVPN as well. I since deleted any custom OpenVPN settings, because:
1. They didn't help much (if at all)
2. I don't need them, since dcol's settings, OpenVPN works brilliantly, with or without IDPS enabled (better if IDPS is disabled, of course, which is absolutely normal)

6

Hardware and Performance / Re: OpenVPN performance differential (openWRT, pfSense & OPNsense)

« on: April 09, 2018, 10:07:14 pm »

I'm often maxing out my upload (~500MB) over OpenVPN if i connect from another 1GB link.

This might help: https://forum.opnsense.org/index.php?topic=6590.0

7

18.1 Legacy Series / Re: Unbound crashed

« on: April 09, 2018, 07:34:44 pm »

Unlikely, unless something is leaking, crashed and freed up the mem, but you never know.. i did check the Unbound logs, found nothing, but i was in a hurry, so maybe i missed something.

I'll get back to this if it happens again with more details.

Thanks!

8

18.1 Legacy Series / Re: Use floating rule to allow dns query on OPNsense

« on: April 09, 2018, 05:08:56 pm »

You can use one host(s) alias and add all these IPs. Then use the alias for your fw rules.

9

18.1 Legacy Series / Re: /usr/local/etc/bogonsv6 too big

« on: April 09, 2018, 09:11:19 am »

There you go, this is what i call support
Thank you Franco!

10

18.1 Legacy Series / Unbound crashed

« on: April 08, 2018, 10:02:58 pm »

I wasn't doing anything spectacular, i was working via a rdp connection when everything went dark, suddenly no more internet (apparently). When logging into the WebGUI, i noticed Unbound wasn't running anymore.

I found these in the logs:

Code: [Select]

Apr  8 21:35:04 gateway configd.py: [23ab9b35-a78b-4362-9cc8-d36317cc3d9d] Reloading filter
Apr  8 21:35:05 gateway configd.py: [d871e2ee-e679-4c7e-8d69-c522201e12b3] generate template OPNsense/Filter
Apr  8 21:35:05 gateway configd.py: generate template container OPNsense/Filter
Apr  8 21:35:05 gateway configd.py: [c640a92f-1db9-4516-b542-a8806bd48fc3] refresh url table aliases
Apr  8 21:35:16 gateway kernel: pid 19657 (unbound), uid 59: exited on signal 11
Apr  8 21:39:29 gateway configd.py: [eb29b026-4b4a-436b-b35a-81b9f13bd71e] updating dyndns WAN2_DHCP

What just happened? Did anybody notice anything similar?
First time i ever noticed this. Restarting Unbound got things working again.

11

18.1 Legacy Series / Re: /usr/local/etc/bogonsv6 too big

« on: April 08, 2018, 12:17:47 am »

It's not a bug, it's a feature It's just missing, so the actual bug would be that it is missing this feature

12

Hardware and Performance / Re: Intel Wifi 8265 / 8275

« on: April 07, 2018, 01:38:44 pm »

Yes, FreeBSD is best for the wired stuff
My old WRT54GL is still running at one of my clients, powered by dd-wrt

13

Hardware and Performance / Re: Intel Wifi 8265 / 8275

« on: April 07, 2018, 10:05:17 am »

So sorry to hear this.
Better use an AP with another ethernet interface. That works, you could even create fw rules for that, and because an AP can handle more WIFI clients you will get much better performance as well.

14

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 07, 2018, 09:57:27 am »

Very nice summary, thank you!
Indeed, you're right. There's much to be done generally in order to get true security.
The only true security based on encryption is where you (to encrypt) and the decrypting party know the key. There is no other method. If you are not allowed to use your own key/password in any form and the decrypting party is not allowed to add that exact key to decrypt the communication, that's not true security.

For regular people, this is not an issue of course, most of the times.

Welcome to OPNsense!

15

18.1 Legacy Series / Re: ***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

« on: April 06, 2018, 01:12:45 pm »

For fallback cases, yes. If you delete these custom options (tls forwards) and re-enable forwarding mode, the DNS servers configured under "General" will be used.