Topics - JdeFalconr

#1
From what I understand FreeBSD 13.1 currently has issues with Alder Lake platforms and data corruption issues (https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261169). From what I understand it's supposed to be fixed in FreeBSD 13.2. By chance does anyone have confirmation those fixes made it into the 23.7 RC for OPNSense?
#2
21.7 Legacy Series / Dumb Question re: DNS Config
September 16, 2021, 07:48:12 PM
I know this is a dumb question but I need a hand here. What I need some help with is understanding how my current config is handling DNS requests at all and where it's sending them. I presently have Unbound DNS enabled with Forwarding Mode not enabled. However in System/General the only DNS server I have configured is the LAN IP of the firewall itself and I have un-checked the option to allow my DNS list to be overridden by WAN DHCP (no I do not want to use Comcast DNS servers). In DHCP the only DNS server configured is also the LAN IP of the firewall itself. Besides dynamic DNS none of the other DNS services on the firewall are enabled.

So with that in mind everything seems to be pointing at the firewall but I don't see anywhere the firewall or its services are configured to point elsewhere. DNS queries are unquestionably being fulfilled but I'm not sure where in my configuration it's being defined. I looked at live firewall logs for destination port 53 on the WAN interface and I see a number of different IPs, some owned by Microsoft, others to random other destinations.

I totally get that what I should do here is just add some DNS servers in the System/General area. I just want to try and understand how things are working presently before I go and change it.

Thanks in advance for your help!
#3
Per https://homenetworkguy.com/how-to/configure-intrusion-detection-opnsense/#:~:text=To%20configure%20intrusion%20detection%20in,click%20the%20%E2%80%9CApply%E2%80%9D%20button. I'm adding my public IP to the Home Networks settings area. My concern, though, is that I don't want to have to manually update that address if it changes. Is there some kind of alias or variable I can put into that field that will update when my public IP updates?
#4
Preface: this situation is very likely less bug and more my own fault. I am not laying blame on anyone but myself. I wanted to bring this up, though, as it does seem like odd behavior.

I am making my first foray into virtualization (ESXi 6.7) and I'm working to virtualize my Opnsense install. I did a fresh install, imported my configuration just fine from my former physical install, and was up and running. I had an extraneous interface that I wanted to remove and so I powered off the VM and removed the extra virtual NIC, then powered back on.

Lo and behold, when it booted I was greeted with a message that no interfaces were assigned. I could not log in as root and my normal admin credentials got me in but the familiar console/SSH menu did not come up and I couldn't figure out how to bring it up. My prompt was just a dollar sign and I couldn't sudo either. I was completely locked out and had no means to reassign my interfaces and get up and running again. Even the password reset tool on the install image threw errors and failed to run.

So I get that maybe I missed steps and didn't cleanly remove the interface in Opnsense. But I find it exceedingly odd that the aforementioned actions would affect ALL interfaces and cause them to become unassigned, their configurations wiped from existence. Like I said this is all very likely my fault but it still seems quite bizarre.

EDIT: WOW. This happened again except this time I'm fairly sure I did things right. I went into Interfaces / Assignments and deleted the interface there. I did not remove it from the VM. On the next reboot BAM, no interfaces assigned. In fact it flat-out doesn't even list my interfaces, like the VM thinks the hardware isn't there at all. Restoring from one of Opnsense's backups (menu option 13) doesn't help (this time I gave myself SSH/Console access). Time to revert to a snapshot. Thank God for virtual machines.
#5
19.7 Legacy Series / System Reboots Itself!
September 20, 2019, 03:27:49 PM
Thanks in advance for your help. Newly-built system that looks to be rebooting itself randomly. I'm really not sure how to troubleshoot this. I don't see much in logs but one of the problem/crash reports comes up every time after this happens. Below is what at first looks to me like the possible cause. Help!!!

EDIT: From what I see there are some known issues with Apollo-lake-based chipsets. Do I need to do anything to get Opnsense working reliably with those or does the current software release (19.7) already incorporate those fixes?

(KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
FreeBSD 11.2-RELEASE-p14-HBSD  07680caafe9(stable/19.7) amd64
OPNsense 19.7.4_1 2da6de42b
Plugins os-dyndns-1.17 os-upnp-1.3
Time Fri, 20 Sep 2019 06:22:57 -0700
OpenSSL 1.0.2s  28 May 2019
PHP 7.2.22
dmesg.boot:
arp: 172.20.0.150 moved from 38:8b:59:24:9e:13 to 3c:28:6d:31:e1:7b on igb1


Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 06
fault virtual address = 0x100000000
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff8300b260
stack pointer         = 0x28:0xfffffe01da5537c0
frame pointer         = 0x28:0xfffffe01da553810
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock (0))


My hardware:
ASRock J3455B-ITX (Intel J3455-based)
2x4GB DDR3-1600
120GB SATA SSD
PicoPSU 90W
Intel 82576-based 2x1GB NIC

EDIT: A bit more info from a more recent crash. I just wiped my SSD, reinstalled and then restored my prior config. It crashed again but got a bit more in the logs:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x7f00000000
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff83006260
stack pointer         = 0x28:0xfffffe01da5537c0
frame pointer         = 0x28:0xfffffe01da553810
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 12 (swi4: clock (0))
#6
I hope this post helps someone else out there having trouble achieving open NAT; I know it can be a bear for some people and it's a potentially frustrating technical issue for many users.

This is with both an XB1 console as well as the Xbox Console Companion app on my PC running. If you don't care about the Xbox Console Companion then you can omit those portions of the setup (personal computer alias, forwarding and firewall rules for TCP/UDP 60200). I didn't want to use upnp due to the security risks it poses (letting any LAN client open inbound ports automatically). I get that I'm effectively doing the same thing here but the difference is this approach limits the scope to just the Xbox and to specific ports. I did a bit of Google searching so some of the below suggestions (like the NAT reflection and the outbound NAT rule) were from what I found there. The rest was just following guides on port forwarding and the necessary ports to open. My selection of ports is based on https://www.bungie.net/en/Help/Troubleshoot?oid=13610#PortForwarding. Really when thinking about this what I mostly did was manually set up what upnp does automatically. I did note that when adding/changing just about any of the above rules I had to reset firewall states for the change to fully take effect (Firewall/Diagnostics/States Reset/check both boxes). I've attached screenshots of some of the relevant rules on my box for your own reference.

Here's what I did:

1. Aliases
XboxOneXPortForwardTCP: port 3074
XboxOneXPortForwardUDP: ports 88,500,3074,3544,4500,1200
XBoxOneX_Ports_TCP: ports 53,80,3074,7500:7509,30000:30009,443
XBoxOneX_Ports_UDP: ports 53,88,500,1001,3074,3544,4500,1200:1299
XboxOneX_IP: <private IP for my XB1X>
Manetheren: <private IP for my computer running Xbox Console Companion; sub it for yours>
TeredoPortForwardingGroup: port 60200

2. Port Forwarding Rules
I created a few port forwarding rules (see attached image) for the necessary TCP and UDP ports. Not mentioned on the Bungie Support page I linked above were those Teredo ports (TCP and UDP 60200) used by the Xbox Console Companion app. Important here was to ensure that NAT Reflection was enabled for those forwarding rules; that's an option in the NAT rule settings. I also chose the option to automatically create associated firewall rules for the forwarding rules.

3. Firewall Rules
I created rules (see attached image) to open all XB1X TCP and UDP ports for the XB1X IP address only. The rest of the necessary rules were auto-created.

4. Outbound NAT Rule
An outbound NAT rule (see attached image) was required for the XB1X. The key setting there is to check the "Static Port" box.


What you have to do to get this working for you:
--You must assign a static IP address to your Xbox One and if you want to use Xbox Console Companion a static IP to your PC. I chose to do that with DHCP reservations.
--Substitute the alias IP addresses "Manetheren" and "XboxOneX_IP" above for the respective IPs of your devices.
--Set up the above things. As a reminder you will not need to create WAN firewall rules for any of the port forwarding rules that are set to auto-create associated firewall rules.
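Added example (not from the post above or from OPNsense itself): a small Python checker that parses the alias port syntax used in step 1 (comma-separated ports and a:b ranges), validates each item, and compares the ports a forwarding alias exposes inbound against the broader per-host alias used for the firewall rule, so you can see exactly which ports reach the console and how much wider the host rule is than the forwards. The alias names and values are copied from the post; how the rules are modelled here is an assumption, not OPNsense's config format.

```python
import re
from typing import Dict, Set

# Port aliases exactly as listed in step 1 above (OPNsense alias syntax:
# comma-separated ports, "lo:hi" for a range).
ALIASES: Dict[str, str] = {
    "XboxOneXPortForwardTCP": "3074",
    "XboxOneXPortForwardUDP": "88,500,3074,3544,4500,1200",
    "XBoxOneX_Ports_TCP": "53,80,3074,7500:7509,30000:30009,443",
    "XBoxOneX_Ports_UDP": "53,88,500,1001,3074,3544,4500,1200:1299",
    "TeredoPortForwardingGroup": "60200",
}

_PORT_ITEM = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def expand_ports(spec: str) -> Set[int]:
    """Expand '53,7500:7509' into the set of ports it covers.

    Rejects malformed items, reversed ranges and out-of-bounds ports so a
    typo in an alias cannot silently open nothing (or everything)."""
    ports: Set[int] = set()
    for item in spec.split(","):
        m = _PORT_ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad port item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"range out of order or out of bounds: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def forward_coverage(forward_alias: str, host_alias: str) -> Dict[str, Set[int]]:
    """Compare the inbound-forwarded ports with the per-host rule's ports.

    'uncovered' = forwarded ports the host alias does not include;
    'surplus'   = ports the host alias opens that are never forwarded
                  (extra exposure worth reviewing)."""
    fwd = expand_ports(ALIASES[forward_alias])
    host = expand_ports(ALIASES[host_alias])
    return {"uncovered": fwd - host, "surplus": host - fwd}


if __name__ == "__main__":
    for proto, fwd, host in (("TCP", "XboxOneXPortForwardTCP", "XBoxOneX_Ports_TCP"),
                             ("UDP", "XboxOneXPortForwardUDP", "XBoxOneX_Ports_UDP")):
        r = forward_coverage(fwd, host)
        print(f"{proto}: forwarded inbound {sorted(expand_ports(ALIASES[fwd]))}, "
              f"uncovered {sorted(r['uncovered'])}, surplus {len(r['surplus'])} ports")
```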
#7
Thanks in advance for your help.

Not quite sure what to make of this; when I went through the setup process and the live installer (19.7 VGA image) it had no problem detecting a PCIE NIC I have (based on the Intel 82576 chipset; yes it's on the HCL). However once I installed OPNSense it lost track of the NIC and no longer detects it at all. Based on https://www.freebsd.org/cgi/man.cgi?query=igb&sektion=4&manpath=freebsd-release-ports I'm not sure if this driver is auto-loaded or if I have to load it myself somehow. If the latter I have no idea whatsoever how and I don't see anything about it in documentation. I can see some lines about the devices in logfiles so I know they're being detected, I just don't understand why they don't show up. If I get into shell as root and do an ifconfig this NIC isn't listed (unsurprisingly).

I'll freely admit now that I know next to nothing about Linux, in case you couldn't tell already. Also in case it helps I have an Intel J3455 board (ASRock J3455B-ITX).

After some Google searching I tried editing my /boot/loader.conf/local file to add the line "if_igb_load="YES"" per the above website but that didn't help. I've since removed that file (as it didn't exist before I created it).

A few lines of logfile I find when I search for the interface name ("igb"):

Sep 13 05:02:16   kernel: Module pci/igb failed to register: 17
Sep 13 05:02:16   kernel: module_register: cannot register pci/igb from kernel; already loaded from if_igb.ko
Sep 13 04:59:38   kernel: Module pci/igb failed to register: 17
Sep 13 04:59:38   kernel: module_register: cannot register pci/igb from kernel; already loaded from if_igb.ko
Sep 13 10:23:19   opnsense: /usr/local/etc/rc.bootup: Warning! dhcpd_radvd_configure(auto) found no suitable IPv6 address on igb1
Sep 13 10:23:13   opnsense: /usr/local/etc/rc.bootup: Accept router advertisements on interface igb0
Sep 13 10:23:13   opnsense: /usr/local/etc/rc.bootup: The command '/sbin/dhclient -c '/var/etc/dhclient_wan.conf' -p '/var/run/dhclient.igb0.pid' 'igb0'' returned exit code '1', the output was 'igb0: no link .............. giving up'
Sep 13 10:23:00   kernel: igb1: netmap queues/slots: TX 4/1024, RX 4/1024
Sep 13 10:23:00   kernel: igb1: Bound queue 3 to cpu 3
Sep 13 10:23:00   kernel: igb1: Bound queue 2 to cpu 2
Sep 13 10:23:00   kernel: igb1: Bound queue 1 to cpu 1
Sep 13 10:23:00   kernel: igb1: Bound queue 0 to cpu 0
Sep 13 10:23:00   kernel: igb1: Ethernet address: <MAC ADDR>
Sep 13 10:23:00   kernel: igb1: Using MSIX interrupts with 5 vectors
Sep 13 10:23:00   kernel: igb1: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xe000-0xe01f mem 0x92000000-0x9201ffff,0x91400000-0x917fffff,0x92040000-0x92043fff at device 0.1 on pci1
Sep 13 10:23:00   kernel: igb0: netmap queues/slots: TX 4/1024, RX 4/1024
Sep 13 10:23:00   kernel: igb0: Bound queue 3 to cpu 3
Sep 13 10:23:00   kernel: igb0: Bound queue 2 to cpu 2
Sep 13 10:23:00   kernel: igb0: Bound queue 1 to cpu 1
Sep 13 10:23:00   kernel: igb0: Bound queue 0 to cpu 0
Sep 13 10:23:00   kernel: igb0: Ethernet address: <MAC ADDR>
Sep 13 10:23:00   kernel: igb0: Using MSIX interrupts with 5 vectors
Sep 13 10:23:00   kernel: igb0: <Intel(R) PRO/1000 Network Connection, Version - 2.5.3-k> port 0xe020-0xe03f mem 0x92020000-0x9203ffff,0x91c00000-0x91ffffff,0x92044000-0x92047fff at device 0.0 on pci1
#8
First and foremost apologies for what I'm sure is an often-asked question. I don't see any consolidated source of hardware info around here like a sticky post.

I'm looking to build a new OPNSense box for home use in the spectrum between the Reasonable and Recommended spec (https://docs.opnsense.org/manual/hardware.html), probably tending towards Recommended. Low energy use is preferred, otherwise I'd be using an old PC. Like everyone I want to eat my cake and have it too and want costs at a minimum.

Something like this appliance (https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Barebone/dp/B01KLECNDG/ref=sr_1_9?keywords=micro+firewall+appliance&qid=1567974011&s=gateway&sr=8-9) looks perfect. However despite reviews on that one I'm wary of no-name devices unless the community can vouch for them. Does anyone have a similar recommendation? The Zotac CI325 looks decent but it has extra bells and whistles and a higher electrical footprint as a result.

Thanks for your help.

#9
Hardware and Performance / T5740 Performance?
August 04, 2016, 01:16:45 AM
I'm looking to move to OPNSense from M0n0wall and need to purchase some updated hardware. I've heard great things about the ability of the HP t5740 to run pfSense. However I don't see much about it running OPNSense. Do any of you use the t5740 for your hardware and, if so, how does it treat you?

My reason for caution is that the CPU meets the requirements in terms of frequency (1.6GHz) but it's single-core. This device would be used in a home environment with just a few users on a ~50Mbps connection so it's not a super-demanding situation. Otherwise this device fits my needs perfectly for an electricity-saving, relatively small and quiet appliance. Obviously I would have to buy the expansion module and add a dual-port Intel NIC. All together I hope to only spend around $100 on the whole setup.

Thanks for the help.