
Topics - MrCCL

1
19.1 Legacy Series / BUG: Unbound DNS crashes when assigning DHCP client to static IP
« on: March 21, 2019, 02:12:28 pm »
OPNsense 19.1.4-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
OpenSSL 1.0.2r 26 Feb 2019

It seems that when you assign a DHCP client to a static IP and save, Unbound DNS crashes and has to be started.
See attachments.

By the way, in general I rather often have to reload Unbound DNS because new DHCP-assigned IPs are not always registered in Unbound from DHCP. I do admit I add/remove clients often and change hostnames etc. (KVM test setup). It might have been better in the last few updates.
I don't have any specific details yet, but just for common info that the sync between DHCP and Unbound doesn't seem to be rock solid.

2
General Discussion / Create cron job "run custom script"
« on: February 25, 2019, 10:37:13 pm »
Been looking at this guide to make a cron job:
https://docs.opnsense.org/development/backend/configd.html

I would like to make a job that runs the script specified in the parameter field in the GUI.
I've tried to create this configd file:

Code:
[start]
command:/bin/csh
parameters:-c '%s'
type:script
description:run custom script
message:run script

Restarted configd:
Code:
service configd restart

Created the job in the GUI:


But it seems not to run :-( ?

3
19.1 Legacy Series / There seems to be a bug in the Client export
« on: February 03, 2019, 07:04:46 pm »
Error from the OpenVPN client log:
"Options error: remote: bad protocol associated with host vpn.wit.dk: 'UDP'"

In 19.1 the Client export writes in the ovpn file: "remote xxx.domain.com 1194 UDP"
This must be specified in lowercase letters: "udp"

4
Web Proxy Filtering and Caching / Proxy user authentication doesn't seem to apply for FTP proxy
« on: November 22, 2018, 01:36:32 pm »
I've set up Web Proxy with user authentication enabled and it works great.
But the FTP proxy seems to be open and doesn't require the user to authenticate to the proxy, which I expect it to do.

Is this by design or a bug?


5
Web Proxy Filtering and Caching / Which group-privileges are needed for Web Proxy access when using auth.?
« on: November 16, 2018, 03:15:01 pm »
Using OPNsense 18.7.7

I've enabled user authentication in Web Proxy (local db) and assigned my test-user to a group with privileges to:
Proxy: Login
Services: Proxy

But that doesn't seem to be enough.

I can only get it to work if I assign all the privileges :-(
Which ones do you need for Web proxy access?

Another question:
-How can I "clear" the authentication timeout (TTL)...the minimum is 1 hour?
Tried to restart the proxy service, but it didn't "clear" it.

-In the Proxy authentication form there is something called "Authentication processes" (The total number of authenticator processes to spawn.).....can someone explain this parameter?



6
18.1 Legacy Series / Unique user-certificate is not unique on my box
« on: June 14, 2018, 01:30:52 am »
My OpenVPN server config is set to "Server Mode = Remote Access (SSL/TLS + User Auth )".
I've created a user certificate for every user and made a Client Export for every user (archive file with 3 files: .key, .p12 & config file).
Each user also has a unique password. I'm not using TOTP.
But I can switch the .p12 file between the users on the clients and they can still establish a VPN connection to the server using another user's .p12 file.
I thought the file was "paired" to the specific user?

7
18.1 Legacy Series / How to start the installer script from the DVD iso image?
« on: June 12, 2018, 08:26:25 pm »
I'm installing OPNsense as virtual on KVM and want to use "OPNsense-18.1.6-OpenSSL-dvd-amd64.iso" as install media, but it boots into live :-(
How can I start the installer script if possible from this ISO?

8
Hardware and Performance / I guess Intel Chipset H110 is still a little too new! Solved in FreeBSD 11
« on: August 25, 2016, 09:16:49 pm »
Just bought an Asus H110T (H110 chipset). Slim-ITX, 2xLAN (1xIntel & 1xRealtek), DC power and support for the newest gen. 6 CPU (socket 1151)....price around 75$.
CPU:Celeron G3900T or Pentium G4400T (both 35W and AES-NI)..42$/64$.
Seems to be a nice kit for OPNsense for a good price.

But current stable FreeBSD 10.3 is VEEEEERY slow booting from install USB. I tried the 11 and that boots just fine.
Current version of pfsense and OPNsense, same problem, very slow (as expected, as the problem seems to be related to FreeBSD 10.3).

Maybe I should play around with VMware ESXi until 11 is implemented in OPNsense?

*UPDATE*
Problem solved....on my board the bootloader is failing unless using UEFI. And to make UEFI work I had to disable the Win10-secure-bios-boot-whatever-stuff.
Now I can boot FreeBSD 10.3 :-)
No work-around needed anyway :-P

9
General Discussion / [HOW-TO] Using TOTP? Forced renegotiation every hour (disconnect)
« on: August 19, 2016, 12:21:45 pm »
I had some problems with all my VPN clients disconnecting every one hour.
It seems the default is to force a renegotiation every 3600 seconds.
This option controls this: reneg-sec N
I assume this is especially a problem when using Timebased-One-Time-Password (e.g. Google Authenticator) as this renegotiation cannot be done automatically as a new TOTP pin-code needs to be applied.

It seems this option has to be set on both server and client, and it cannot be pushed by the server!

VPN Server:
Add this in the advanced option box:
Code:
reneg-sec 36000;

VPN client:
Add this option to the config file:
Code:
reneg-sec 36000

This will force a renegotiation every 10 hours

10
16.7 Legacy Series / OpenVPN daemon crashes easily setting a wrong option
« on: August 19, 2016, 09:37:39 am »
In OpenVPN Server configuration, if you add an option in the Advanced box and you make a typo, OpenVPN doesn't give you an error, it just crashes :-(

That's especially sad when you do this remotely connected by VPN - no way to reconnect :-(


11
General Discussion / [SOLVED] DNS
« on: August 09, 2016, 09:03:42 am »
I have some general questions about DNS setup that I was not able to find in the documentation or in the help-tips in the web-gui:

1: When using DNS Resolver I get a "Server: Unknown" in my reply, why is that? Using the DNS Forwarder I get the name of the router:
Code:
c:\>nslookup opnsense.org
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    opnsense.org
Address:  37.48.77.141

2: In DNS Resolver/General there is an option called DNS Query Forwarding (unfortunately no help-tip)...what does this option actually do?
If it is disabled it seems some DNS queries are still being forwarded to the external DNS servers from WAN DHCP?



12
16.7 Legacy Series / OpenVPN: VPN clients no access to LAN network
« on: July 29, 2016, 10:03:12 pm »
I've followed the guide "Setup SSL VPN Road Warrior" but my VPN client doesn't have access to the LAN network.
Well, it does have access to the router's LAN interface, which is on the LAN network of course.

I did have the exact same problem using OpenVPN on OpenWRT...to make it work I had to create a so called "Source NAT" rule.
Do I need something similar in OPNsense?

Can someone confirm that using the above guide will work in regards to access to the LAN network or do I need some additional configuration? I'm surprised to see the guide does not enable "topology subnet"...I thought that was necessary to get LAN network access.

The VPN client does get a route to the LAN network from the VPN server.

Route table from VPN client (Win 7):
Code:
Network Destination        Netmask          Gateway       Interface  Metric
         10.0.0.0    255.255.255.0      192.168.2.1      192.168.2.2     20
         10.0.1.0    255.255.255.0         On-link          10.0.1.2    266
         10.0.1.2  255.255.255.255         On-link          10.0.1.2    266
       10.0.1.255  255.255.255.255         On-link          10.0.1.2    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link       192.168.2.2    276
      192.168.2.2  255.255.255.255         On-link       192.168.2.2    276
    192.168.2.255  255.255.255.255         On-link       192.168.2.2    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.0.1.2    266
        224.0.0.0        240.0.0.0         On-link       192.168.2.2    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.0.1.2    266
  255.255.255.255  255.255.255.255         On-link       192.168.2.2    276

My networks:
Code:
Local LAN network:    10.0.0.0/24       (router's LAN 10.0.0.15)
VPN network:          192.168.2.0/24    (router's TUN 192.168.2.1 / VPN client 192.168.2.2)
WAN network:          10.0.1.0/24       (router's WAN 10.0.1.1 / VPN client 10.0.1.2)

13
Hardware and Performance / Basic network performance test
« on: July 27, 2016, 03:34:59 pm »
OPNsense device:
OPNsense ver:  16.7.r2
CPU:       Atom D510 (1.6Ghz), DDR2 667Mhz
Chipset:  Intel ICH9R Chipset
NICs:      2 x Intel 82574L 1GBs
Disk:       OPNsense installed on USB flash key. But I created a 600MB ramdisk

I've made some simple file transfers using plain FTP to test FreeBSD on the above board.
I'm using the native ftpd server. Files are read/written to/from the ramdisk.

On the LAN side I get these numbers:
Download: 75MB/s (CPU usage 50%)
Upload:      32MB/s (CPU usage 20%)

On the WAN side:
Download: 63MB/s (CPU usage 50%)
Upload:      15MB/s (CPU usage 20%)

I'm not happy about the CPU usage....this is unencrypted plain FTP!
Neither happy about the upload speed.

Upload has a big impact on the system even though the CPU usage is only "20%". The web-gui locks up. Even the SSH console freezes sometimes.

Maybe a driver problem? But the LAN download performance is rather ok, although again the CPU usage is too high.

Did anyone else make a plain data-transfer test like mine?

New test 2:
Installed a clean original FreeBSD 10.3
Download: 103MB/s
Update: 41MB/s
But still 20-50% cpu usage.

Using iperf3, now I get more than 100MB/s both ways...I guess it was a ftp-client-server issue then :-)


14
General Discussion / [HOWTO] Using WinSCP SSH (SCP)
« on: July 27, 2016, 11:31:31 am »
I had some trouble using WinSCP to connect to my OPNsense box (Ver. 16.7.r2).
I got the error from WinSCP: "Error detecting variable containing return code of last command"

Solution: Set shell manually to "/bin/sh" (see screen-dump)

15
General Discussion / Immortal ghosts from the past
« on: July 23, 2016, 05:10:42 pm »
Today, in the year 2016, I was going to update the BIOS of my SuperMicro motherboard and went to the download section of SM's homepage.
The guide and the attached README file explained how I should do this with a floppy disk...WTF



By some extra searching in their knowledge-base I found some words about doing this using a DOS bootable USB key....and a link to an external site with guides and tools. It was obvious SuperMicro didn't believe the vast majority of their customers would go down that path  :o



Installing OPNsense.....now I run into words like "CD-ROM" and "serial"?...what is that?...Wikileaks was my savior  ;D

Is valuable developer time wasted which could be used for better things?

On top of that, having this serial option around, might give someone excuses for not enabling LAN access initially (telnet/ssh)?

Looking at the installation guide, one could almost get the impression that the USB-Key install path is the least likely method to be used, although I believe it is the opposite.

I believe the vast majority would prefer to just plug-in two things: LAN cable and USB-Key and then be happy  ;D

No fooling around with a keyboard, monitor, video-cable and/or serial cable...which probably includes USB-COM converter, drivers, and now - how was it with those evil serials, should it be Null Modem and Straight Through ??...I threw out my last one in 1997 and have had a more enjoyable life since...and I cannot remember when one of my laptops had a COM interface. And then not to mention tipping your cola while trying to connect your VGA cable to the back of your monitor....the sufferings just go on and on  ;D

Maybe the installation and initial configuration could be optimized for the vast majority in the year of our Lord 2016 :)

Extra note: I started with PFsense....but recently moved to OPNsense, and I just love OPNsense and the community more and more, I'm a huge fan and very grateful for the work of the developers!
It just includes some pleasure to sit on your ass and grumble about other people's work, when you don't have developer skills yourself, so it's my only way to contribute ;D
