Topics - PotatoCarl

#1
I am pretty sure that OPNsense did not have an auto-update feature so far. *However* it seems to do this now. I was away and just checked back on OPNsense after two weeks and to my surprise it claims to be on 25.1.5_5. A hotfix that just came out this Monday, after an update that came out last week.

Being *very* sure that I did not install either update, I still clicked "check for updates". And then all that came was "System is rebooting Rebooting".

After a while, it goes back to the dashboard. As it did not boot I tried to reboot from the energy menu - no effect.

Also, my *av services do not start and "intrusion detection" regularly breaks down.

I am very confused. Is there a new autoupdate feature? Does it update itself now?

And why can't I reboot? What is the problem? I tried many things short of pulling the plug.
#2
Hi
I have a confusing problem which I cannot figure out:
- I have a number of Samsung A9+ tablets configured in the LAN
- The tablets can access the internet and internal zones and download the *Play Services* Updates without problem
- They cannot download the Samsung Update (Software/Firmware Update)
- If I plug them into our Guest Network, all works fine
- When I do a live inspection of the Firewall protocol with the source of the corresponding IP I only get "pass to router, "Anti Lockout Rule"" no other message.

I really do not understand where it stalls. Any idea?

I am using unbound as DNS with some standard ad-blockers, but as I can access the internet fine, this is not an issue, is it?

Any help for understanding how to trace the problem would be appreciated.
#3
Hi
Quite a while ago I installed a Rocket.chat server (snap) behind my OPNsense firewall and used a tutorial for getting this done (it is done via automations, took a bit but works well).
Now I try the same with a postfix/cyrus setup I have behind my firewall. Opening port 80 to this host is out of the question.

The reason I want to do this is that currently a few anti-spam engines (may they rot in hell) decline our emails due to "non verifiable certificate chain". We are forwarding all our email to a relay of our uplink and download everything via fetchmail (all on a server behind the firewall).

With a Let's Encrypt SSL certificate for our postfix host I hope to be able to solve the problem.

Anybody knowing where to find or having maybe written such a tutorial will be sure of my never ending thanks for pointing me to it.

I honestly did not look into the postfix service of OPNsense so I do not know if that would solve my issues easier. Any suggestions welcome.

And: Happy New Year!

#4
Hi
I try to get Wireguard running with a few clients (currently I run mostly on OpenVPN and IPSec, both are working fine, smoothly and easy to set up). I followed

https://docs.opnsense.org/manual/how-tos/wireguard-client.html

In multiple attempts, religiously so far. With variations that are due to my setup. However, I always get the message "handshake timed out" at the client after 5 sec when trying to connect.

On server side I do not get any messages, assuming that the client is somehow not reaching the right endpoint.

To make things a bit more spicy, I have to run, for technical reasons (thank you DEUTSCHE TELEKOM), two Fritz!Boxes as endpoints in my network for two DSL lines. Both make the connection but forward everything to the OPNsense firewall on two different ports (input ports).

So, basically:

- The firewall is in two different non-routing networks (192.168.178.0/24 and 192.168.179.0/24), while the Fritz!Boxes have fixed external IP addresses

I have set up, according to the example, an instance on port 51820 and a tunnel address of 192.168.22.0/24.
Then I have setup a peer with the same public key as the instance and a preshared key. Allowed IP is one single (192.168.22.100/32). Endpoint is the public IP of one of the Fritz!Boxes, port 51820. The Instance to use the (only) instance I have generated.

I then went to the peer generator and generated a configuration that I imported in a client (S7FE Tablet, wireguard software).

I am now unable to connect from there, and also have no idea what the problem might be.

I also included in the Firewall settings on each of the WANS a route for the UDP port:

    IPv4 UDP    *    *    WAN1DSL Adresse    51820    *    *       Wiregard Inbound WAN1DSL

I am utterly confused and run into walls here. What am I doing wrong?

Amazing, as everybody says "Wireguard is the easiest to set up" and I spent more time trying to get it to work than a number of IPSEC and OPENVPN setups together.

For some reasons I want to be able to use Wireguard in addition to the OpenVPN Roadwarrior configurations for some clients, but I am totally failing at it. Please help!

Merry Christmas!
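As an added illustration (not from the original post or the OPNsense documentation): a matching server/client WireGuard configuration pair for the tunnel network described above, shown as two files in one block. Key values, the server's tunnel address 192.168.22.1 and the Fritz!Box endpoint are placeholders or assumptions.

```ini
# ===== File 1: server side (what the OPNsense "instance" plus one "peer" entry express) =====
# Placeholder keys; generate real ones with: wg genkey | tee priv.key | wg pubkey > pub.key
[Interface]
PrivateKey = <SERVER_PRIVATE_KEY>          # never leaves the firewall
ListenPort = 51820                         # must match the UDP pass rule on both WANs
Address = 192.168.22.1/24                  # assumed tunnel address of the instance

[Peer]
# The peer entry carries the CLIENT's public key; the server's own key is never listed here.
PublicKey = <CLIENT_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>                # identical on both sides
AllowedIPs = 192.168.22.100/32             # exactly the one tunnel address this client may use

# ===== File 2: client side (what the tablet imports) =====
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 192.168.22.100/32                # the same /32 the server allows for this peer

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>            # the instance's public key
PresharedKey = <SHARED_PSK>
Endpoint = <FRITZBOX_PUBLIC_IP>:51820      # the Fritz!Box must forward UDP/51820 to OPNsense
AllowedIPs = 192.168.22.0/24               # add the internal networks the client should reach
PersistentKeepalive = 25                   # keeps the NAT mapping on the Fritz!Box alive
```

A handshake only completes when each side's [Peer] PublicKey is the other side's key and the PresharedKey matches; "handshake timed out" on the client with silence on the server is consistent with either a key mismatch or UDP/51820 never reaching the firewall through the Fritz!Box.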
#5
Hi
I am using OpenVPN with OPNsense for many years. For some reasons we have multiple OpenVPN Servers running ("legacy mode"). The config is

WAN1: 1194 UDP
WAN2: 1195 UDP
WAN1: 443 TCP
WAN2: 443 TCP

The latter two servers are for the (from time to time occurring) case that UDP connections are blocked by a firewall, e.g. in a hotel.

Now, the fun part is: Depending on which server we connect to, sometimes we cannot access certain webservers in the company, and other times we can. Sometimes it happens on the UDP ports and sometimes on the 443. To be honest, I do not understand what the problem is - the firewall actually does not block it.

Maybe someone has an idea to debug this? Is it mandatory to move to the new "instances" or can I continue to use the "old" setup?
Thanks
#6
24.7, 24.10 Legacy Series / Wireguard not working
September 01, 2024, 10:34:27 AM
Hi
I am trying to set up wireguard as alternate VPN to the existing and running vpn. However, even if I religiously follow the instruction in the documentation, I get an immediate connect (well, both linux and android claim to have connected), but nothing is accessible. I do not see anything from the inside network, nor the outside network.

Protocol is set to "debugging" but does not even show entries (no new entries when somebody tries to connect, I mean):

2024-09-01T10:21:54   Notice   wireguard   wireguard instance RoadWarrior (wg0) started   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,WireGuard))   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WireGuard)   
2024-09-01T10:21:54   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'   
2024-09-01T10:21:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt4'

I have no idea where to set the "gateway address" as I have set it under "Peers" with the correct IP of the outside address. However, the address is tested either to be the external IP to the internet (which is the IP of a router forwarding everything to the firewall) OR the IP of the firewall. Both do not make any difference.

I really do not understand what the problem is or how to debug it. There is literally no traffic via the wireguard interface.

Thank you for your help.
#7
Hi
Since the latest update, I cannot access from my VPN services that are available at ports 8000, 8080, 8100 etc.
On hosts providing those services, I cannot even get a ping (either direction) through or login.

This worked right before the last update (24.1.9_hf4).

I did not change anything at the firewall rules. I tried to loosen the rules, but no effect.

Specifically one virtual machine running in the main net 192.168.1.33 is not accessible. On any port.
My VPN runs (openVPN) at 192.168.21.x
I cannot ping in either direction or connect.

The Firewall seems to accept the connection ("pass") from the VPN - after that it is silence.

Within the main net, the host in question (192.168.1.33) is reachable on any port, ping, ssh etc.

It seems as if the packets sent are just eaten up by the firewall.

I am running out of ideas how to find the problem. The host in question is a VM, but on that machine a number of identically configured VMs are present and all work.

Any idea where that comes from and how to solve?
Thanks.
#8
Hi
I recently have discovered blacklisting with unbound (yes, yes, I am slow sometimes), and now want to WHITELIST some pages, e.g. web.whatsapp.com
However, the whitelisting does not work at all

- *.whatsapp.com (despite the help below that field) is not accepted, according to protocol "invalid"
- (.*)?(\.)?whatsapp.com is accepted

However, none of them allow access to web.whatsapp.com

It seems as if the Whitelisting is broken? I am on the current 24.1 version with today's updates (OPNsense 24.1.1-amd64).
#9
23.1 Legacy Series / Memory leak with 23.1.1_2?
March 01, 2023, 03:45:36 PM
Hi
Right after the last update I see that the memory consumption is very high on my system (>>90%).
Most of it is made up by "inactive processes". They form like a stepwise ladder during the day and are killed somewhere late in the evening.
The strange thing is that if I look at a long-term overview, this only.
It started around Jan 20 this year right after an update.
Since then it seems to get worse.
#10
Hi
I tried to install the webproxy with TLS inspection and ICAP. However, this does not work on all pages.

While https://www.spiegel.de loads fine, https://faz.net is not loading at all (access denied by proxy). Many other pages, e.g. this forum work.

I cannot find the reason for that actually. Even if I specifically insert an exception in the SSL inspection, or in the access lists, it still does not load faz.net.

Is there any way to find out what is actually blocking the page?

BTW: Funny enough, the EICAR test file is loaded both with https and with http....
#11
Hi
I found that it seems a number of external ACL blacklists do not work anymore. So I searched for new ones and I wonder if I can test if they are good and active. Some pages (e.g. www.spiegel.de or www.faz.net) manage to dump a lot of advertisement on the page - that is funny enough not displayed on a reload of the page.

So I wonder if the ACL is working correctly.

Any way to test this?
#12
22.7 Legacy Series / Proxy Errormessage
September 16, 2022, 02:28:53 PM
Hi
my proxy on 22.7.4 regularly pops up

FATAL: Bungled (null) line 3: sslproxy_cert_sign signTrusted all

as error message. I do not know where it comes from and it does not seem to have any effect. But I would like to be sure it is not a problem and preferably get rid of this error message.
Any idea?
#13
22.7 Legacy Series / 22.7.3/4 Update ACME fails
September 16, 2022, 02:27:37 PM
Hi
I am using ACME to update some Let's Encrypt certificates. However, despite claiming to have the new signed certificate, the certificate in the certificate store is 2 months old and invalid now.

When I try to use the test signing facility of Let's Encrypt it is no problem to get the new one. But with the "real" one it just sends "all right" but neither stores the correct one in the certificate store nor (obviously) copies it to the server in question.
Any idea?
#14
22.1 Legacy Series / ACME not Working
May 30, 2022, 09:59:06 AM
Hi
Since version 22, the ACME plugin is not working anymore. No certificate can be verified or issued due to timeout finding the token (HTTP/TLS challenge). It seems to be a firewall problem.
Can anybody help?
#15
Hi
Some time ago I configured the ACME client for an internal rocket.chat server. Which worked well, but it seems to have broken at some time in the last 60 days (update to 22?). That means that the certificate is not renewed anymore.
The message is "timeout while retrieving token".
My configuration is that I have 2 DSL lines with 2 routers, and the exposed host ends up on the OPNSense. The routers have both external IP4 addresses.
I use HTTP challenge.
It worked well for quite some time (like 2 years) and now suddenly stopped (which I only noticed when the certificate was outdated).
Is there any change in the configuration? Is there anything broken with the update to 22?
I am using 22.1.6 as version.
Please, any hints?
Thank you.
#16
Hi
the update today from 22.1.4 -> 22.1.5 removes all Host-aliases in Unbound!
How can I reinstall them?
How can I decrypt the cloud saved version?
Thank you.
#17
22.1 Legacy Series / Syslog-ng / Journald
February 15, 2022, 12:23:28 PM
Hi,
I asked this question quite a while ago and would like to reopen it (https://forum.opnsense.org/index.php?topic=16819.msg76586#msg76586).
My current Servers are all running on systemd. So I do not have a syslog facility anymore, meaning I cannot accept the remote logs from my firewall anymore.

I have installed rsyslog, which is able to open a connection at port 514. However, there it stops. It is unclear where the "snippet" given in the post above should go. If I create a "frule" file with that contents, rsyslog just throws an error message.

Can anybody help me how to configure rsyslog to receive the messages from the firewall correctly?
Thank you.
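An rsyslog receiver configuration for the situation described above, added here as an example and not taken from the original post or the linked thread; the file path, the firewall address (192.168.1.1) and the log directory are assumptions.

```conf
# /etc/rsyslog.d/10-opnsense.conf  (assumed path; every file in rsyslog.d is read at start)
# Load the UDP and TCP listeners; OPNsense can send to either on port 514.
module(load="imudp")
module(load="imtcp")

# One file per sending host and program, e.g. /var/log/remote/opnsense/filterlog.log
template(name="OPNsensePerProgram" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

# A dedicated ruleset keeps remote messages out of the local journal feed.
ruleset(name="opnsense") {
    # Only accept the firewall's own address (assumed 192.168.1.1); everything else is dropped.
    if ($fromhost-ip == "192.168.1.1") then {
        action(type="omfile" dynaFile="OPNsensePerProgram"
               dirCreateMode="0750" fileCreateMode="0640")
    }
    stop
}

# Bind both listeners to that ruleset instead of the default one.
input(type="imudp" port="514" ruleset="opnsense")
input(type="imtcp" port="514" ruleset="opnsense")
```

Check the syntax with `rsyslogd -N1` before restarting the service, and make sure the server's own host firewall permits inbound 514/udp and 514/tcp from the firewall address.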
#18
21.7 Legacy Series / How to remove unbound plus plugin?
January 01, 2022, 08:32:06 AM
Hi
I had the unbound plus plugin installed some time ago. Now it is unavailable and listed in the packages "red". But I cannot remove it...
How can I remove this annoying red message?
Thank you.
#19
21.7 Legacy Series / ACME Client Problems
January 01, 2022, 08:30:41 AM
Hi,
I was trying to change an option with the ACME client and found that under "certificates" the "save" does not have any function anymore.

Additionally, when I try to remove a (misconfigured) certificate in the "certificate" list with the trashcan button I get this error message:

/usr/local/opnsense/mvc/app/models/OPNsense/Base/BaseModel.php:572: [OPNsense\AcmeClient\AcmeClient:validations.validation.3e06161a-7380-40a9-b49b-cfdc8f24e65d.tlsalpn_acme_interface] option not in list

Needless to say, that it is not removed.

What happened here and how can I fix it?
#20
Hi
I have installed the unbound plus extension quite a while ago but it seems to have vanished. I get a "missing" message in the extension overview, but I am unable to remove it.
Is there any method to remove this irritating message?
Thank you.