OPNsense
Messages - AdSchellevis

1
Virtual private networks / Re: LDAP user import not working with multiple LDAP servers
« on: April 28, 2022, 05:33:35 pm »
You don't need to import users nowadays, just make sure to properly configure "Automatic user creation" and "Synchronize groups" to pull in users and group assignments, then check "User OTP seed" in System->Settings->Administration for self-service (in which case you will need to configure your LDAP service twice, one without TOTP for self-service, one with TOTP for VPN).

When using the business edition, non existing users will also be removed periodically (https://docs.opnsense.org/manual/how-tos/user-ldap.html#step-4-import-users)

Best regards,

Ad

2
22.1 Production Series / Re: Creating VLAN
« on: March 29, 2022, 02:45:00 pm »
https://github.com/opnsense/core/commit/64fb551caa35f83f2c8d47d43d5544cb7590ace6

3
22.1 Production Series / Re: Creating VLAN
« on: March 29, 2022, 01:19:44 pm »
Quote
Why not just use/pick the tagged ID that the user enters as the deviceId? I do understand the silly naming convention but coming from the networking and coding side you never want to use something and call it something else.

Because VLAN tags aren't unique, multiple interfaces can share the same one, which is where unique sequences come into play. Furthermore, it's easier to cope with changes when "anchors" are fixed.

When it comes to naming and preventing inconsistencies in "data" it might help to take a look at how databases are being designed (https://en.wikipedia.org/wiki/Third_normal_form) as these cope with the same type of problem where changing a name shouldn't lead to changes in related records for example.

4
22.1 Production Series / Re: I've beat my head against the wall: How do I do NO-NAT but HAVE FW rules?
« on: March 28, 2022, 07:55:46 pm »
First try to disable reply-to: Firewall: Settings: Advanced --> Disable reply-to

If that doesn't work, try not to comment in capitals (shouting is unlikely to bring you closer to a solution :) ) and do as @pmhausen suggested, collect relevant details using live log. Traffic capture is usually also a good tool to see where traffic is heading (download the pcap in Wireshark for more details).

Best regards,

Ad

5
22.1 Production Series / Re: os-ddclient
« on: March 12, 2022, 10:33:29 am »
@jpieren thank you for your valuable contribution. You can easily inspect the written configuration in /usr/local/etc/ddclient.conf, which in case of freedns doesn't write a login field (https://github.com/opnsense/plugins/pull/2837)

6
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 08, 2022, 08:38:23 am »
@gfeiner We plan to keep the updates and documentation on the OPNsense docs (https://docs.opnsense.org/hardware/bios.html), previously we published them on our Deciso website, but the website is under construction. Other notification types aren't planned, without (shell) access to the firewall most CVE's likely won't apply anyway, but I haven't read all the details to be very honest.

7
General Discussion / Re: PHP Memory exhaustion errors
« on: March 07, 2022, 08:48:42 am »
Not yet, usually we keep these on the development branch for at least one release, maybe since this is a relatively small fix we can release it earlier, but if that's not the case you can still use patch after an update in the meantime.

Thanks for letting us know this fixes your issue, certainly helps in the release cycle.

Best regards,

Ad

8
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 06, 2022, 02:18:19 pm »
I don't think Insyde's tool offers additional validations, we also don't know if that would have prevented your issue, I'm sure my colleagues will check your device when it comes in and improve the procedure if needed.

Best regards,

Ad

9
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 06, 2022, 01:17:39 pm »
Quote from: gfeiner on March 05, 2022, 08:53:34 pm
Ouch. Has anyone at Deciso successfully updated the BIOS on the DEC850 using the Linux image provided? Since I have a DEC850, I'm wondering if this is a problem with the provided BIOS updater. I don't want to take the chance updating my DEC850 until confirmation there is no issue with the update.

Yes, I did yesterday, but I'm quite sure my colleagues tested the image as well before handing over the Windows installer and dd image.

I'm personally always a bit cautious with bios updates after similar trauma in the 90's wrecking a mainboard after an unsuccessful flash. There's always some risk involved unfortunately (power failure during the operation being one of the most famous issues), without firmware there's nothing to recover too and to program the flash chip externally, you need specialised equipment.


10
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 06, 2022, 11:23:54 am »
@meyergru
Code:
Another question: I think that the DEC700 series uses Insyde as well - however the BIOS page does not say that the BIOS update is applicable.

So will there be an update for those devices as well?

I think there's an update underway for the 700 series as well, I'm not sure if the same CVE's apply to be honest.

11
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 06, 2022, 11:19:25 am »
Might be caused by a broken usb stick or a malfunction of the flash chip. To be very sure it's not an issue with the instructions or the binaries I went to the office yesterday and tested both procedures myself on the same device type, which didn't cause any issues.

Whatever the cause of the issue is, the devices do come with warranty, so just contact our office and let my colleagues handle it as suggested.

Best regards,

Ad

12
General Discussion / Re: PHP Memory exhaustion errors
« on: March 05, 2022, 03:57:55 pm »
Sounds like a large log file, this https://github.com/opnsense/core/commit/71a8da452cca02412aab8906c2df0140cc434b28 might help, although the prefixes action will likely still take quite some time due to the size it needs to parse.


To apply the patch, the following command should do the trick:
Code:
opnsense-patch 71a8da4

Best regards,

Ad

13
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 05, 2022, 03:30:48 pm »
Just drop us an email (sales@opnsense.com) with the serial number of the device included, my colleague should answer you Monday with a repair form so you can return it for repair under warranty.


14
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 05, 2022, 02:36:54 pm »
Doesn't it boot at all anymore? Or are you still receiving some serial output? If it's the latter I can ask Monday at the office if there's anything else worth trying before returning the unit, without any output, best contact support for an RMA form and return the unit for repair.

Best regards,

Ad

15
General Discussion / Re: Opnsense / Deciso DEC firmware updates for CVEs?
« on: March 04, 2022, 05:46:22 pm »
We just received a firmware update from Insyde, check our docs for details https://docs.opnsense.org/hardware/bios.html
