Topics - xofer

#1
After the upgrade 25.1.5_5 -> 25.1.6_4 we noticed that Dnsmasq now tries to load /usr/local/etc/dnsmasq.conf.d/* while previously it loaded only *.conf.

If there are files it cannot parse in this folder, Dnsmasq service fails to start.

I am not sure if it is an intentional change, as /usr/local/etc/dnsmasq.conf.d/README still talks about .conf files:
# Dnsmasq plugin directory:
# Add your *.conf files here, read in alphabetical order
#2
22.1 Legacy Series / Idea: Reporting: Traffic
July 21, 2022, 02:13:58 PM
Hi,

Currently, in Reporting > Traffic my OPNsense seems to show traffic from the interface's point of view. I.e. if you select LAN and WAN, LAN IN and WAN IN are shown on the same graph, as well as LAN OUT and WAN OUT:


At least for me, it would make much more sense to compare the used bandwidth from the OPNsense's point of view, i.e. put LAN IN on the same graph as WAN OUT and vice versa.
#3
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in Linux iptables.

Let's consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com. I do not know the IP addresses, I do not even know the host name, only a wildcard match. The IP address <> host name mapping may change over time.

In Linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in OPNsense pf?
#4
I would like to define a firewall rule from a wildcard DNS entry. This can be achieved in Linux iptables.

Let's consider the scenario where I would like to block all outgoing traffic from a host, but allow only *.update.microsoft.com.

In Linux this can be achieved in the following way:
1) client asks for somerandomstring.update.microsoft.com from dnsmasq
2) dnsmasq looks up the name, returns it to the client and adds it to an ipset list according to its whitelist
3) firewall iptables rule is configured to allow traffic according to the ipset list

ipset lists can be updated "behind the scenes" without any firewall reload.

Can something similar be achieved in OPNsense pf?
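The three-step Linux flow described in this post and in the previous one, modelled as an added example (not code from the posts, from dnsmasq or from OPNsense) so the matching and expiry behaviour can be checked before an allowlist is built on it. `set_for_name`, `IpSet`, the other function names and the sample addresses are hypothetical. Two points a defender should weigh: an address stays allowed until its set entry expires, and the set trusts whatever the resolver answered, so the resolver path itself needs protecting.

```python
import ipaddress

# dnsmasq config line modelled here:  ipset=/update.microsoft.com/ms_update
# It matches the name itself and every label below it (the "wildcard").
IPSET_RULES = {"update.microsoft.com": "ms_update"}   # suffix -> set name


def set_for_name(qname):
    """Return the set dnsmasq would populate for qname, or None.
    Matching is per label: 'notupdate.microsoft.com' must NOT match."""
    name = qname.rstrip(".").lower()
    best = None
    for suffix, setname in IPSET_RULES.items():
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, setname)      # longest suffix wins
    return best[1] if best else None


class IpSet:
    """Stand-in for a kernel ipset created with the 'timeout' option.
    dnsmasq only ever adds addresses; without a set timeout an address
    stays allowed forever, even after DNS stops returning it. Here the
    DNS TTL is used as the entry lifetime (constructed simplification)."""

    def __init__(self):
        self.entries = {}                     # ip -> expiry (seconds)

    def add(self, ip, ttl, now):
        self.entries[ipaddress.ip_address(ip)] = now + ttl

    def contains(self, ip, now):
        expiry = self.entries.get(ipaddress.ip_address(ip))
        return expiry is not None and expiry > now


def resolve_and_populate(sets, qname, answers, now):
    """Step 2 of the post: the answer goes back to the client unchanged and,
    as a side effect, each answered address lands in the matching set.
    'answers' is a constructed list of (ip, ttl) pairs."""
    setname = set_for_name(qname)
    if setname is not None:
        for ip, ttl in answers:
            sets.setdefault(setname, IpSet()).add(ip, ttl, now)
    return answers


def firewall_allows(sets, dst_ip, now):
    """Step 3: the equivalent of
    iptables -A OUTPUT -m set --match-set ms_update dst -j ACCEPT
    with a default DROP: only addresses currently in a set pass."""
    return any(s.contains(dst_ip, now) for s in sets.values())
```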
#5
22.1 Legacy Series / zabbix agent not working
March 03, 2022, 04:45:46 PM
I feel stupid, but I cannot get the Zabbix agent to function on a particular OPNsense machine. It works fine on several of them, but not at all on one.

OPNsense 22.1.2_1
os-zabbix-agent 1.11

I have also tried installing another Zabbix version (os-zabbix54-agent), same behaviour.
The Zabbix agent conf is pretty basic:


The Zabbix agent starts up with no errors and seems to listen on port 10050:
# sockstat | grep 10050
zabbix   zabbix_age 39652 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39642 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39623 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39546 4  tcp4   127.0.0.1:10050       *:*
zabbix   zabbix_age 39464 4  tcp4   127.0.0.1:10050       *:*


However, when I run the following (it should immediately return the Zabbix agent version), it just lags until a timeout:
root@mono:~ # zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
zabbix_get [93235]: Timeout while executing operation


It just hangs. tcpdump on lo0 shows only packets going to port 10050, nothing returns:
17:08:08.858071 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000361919 ecr 0], length 0
17:08:09.868097 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000362929 ecr 0], length 0
17:08:12.095885 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 1000365157 ecr 0], length 0


The Zabbix agent log with extended debugging seems normal; it seems to loop on its own stuff, and nothing "extra" gets added when I run zabbix_get:
99440:20220303:172553.024 In update_cpustats()
99440:20220303:172553.024 End of update_cpustats()
99440:20220303:172553.024 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172554.074 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172554.074 In update_cpustats()
99440:20220303:172554.074 End of update_cpustats()
99440:20220303:172554.074 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172555.085 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172555.085 In update_cpustats()
99440:20220303:172555.085 End of update_cpustats()
99440:20220303:172555.085 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172556.149 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172556.149 In update_cpustats()
99440:20220303:172556.149 End of update_cpustats()
99440:20220303:172556.150 zbx_setproctitle() title:'collector [idle 1 sec]'
99440:20220303:172557.159 zbx_setproctitle() title:'collector [processing data]'
99440:20220303:172557.159 In update_cpustats()
99440:20220303:172557.159 End of update_cpustats()
99440:20220303:172557.159 zbx_setproctitle() title:'collector [idle 1 sec]'


I am totally at a loss as to what to try next.

On another host, same settings, same software versions, all works well:
# zabbix_get -s 127.0.0.1 -p 10050 -k agent.version
5.0.19
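A small triage helper for the capture shown in this post, added here as an example (not code from the post or from Zabbix): it reads tcpdump text output and reports TCP connection attempts that never received a SYN-ACK. When sockstat shows a listener but the SYN is retransmitted unanswered, the packet is being dropped between the stack and the daemon (typically filtering), not by the daemon itself. The first three sample lines are taken from the post with trailing fields shortened, the last two are constructed; function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample tcpdump output: three unanswered SYNs from the post (shortened),
# plus a constructed, normally answered handshake to port 22 for contrast.
SAMPLE = """\
17:08:08.858071 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, length 0
17:08:09.868097 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, length 0
17:08:12.095885 IP 127.0.0.1.27937 > 127.0.0.1.10050: Flags [S], seq 2348730218, win 65228, length 0
17:08:20.000000 IP 127.0.0.1.30001 > 127.0.0.1.22: Flags [S], seq 1, win 65228, length 0
17:08:20.000100 IP 127.0.0.1.22 > 127.0.0.1.30001: Flags [S.], seq 2, ack 2, win 65228, length 0
"""

# tcpdump prints IPv4 endpoints as a.b.c.d.port; the flags sit in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_lines(text):
    """Yield (ts, src, sport, dst, dport, flags) for each TCP line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])


def unanswered_syns(text):
    """Map (client, cport, server, sport) -> number of SYNs seen, for
    attempts where the server never replied with a SYN-ACK ('S.')."""
    syns = defaultdict(int)
    answered = set()
    for _ts, src, sport, dst, dport, flags in parse_lines(text):
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":
            # Reply direction: the server is the source of this packet.
            answered.add((dst, dport, src, sport))
    return {k: n for k, n in syns.items() if k not in answered}


def report(text):
    """One line per filtered/absent listener, sorted for stable output."""
    return [f"{c}:{cp} -> {s}:{sp}: {n} SYN(s), no SYN-ACK"
            for (c, cp, s, sp), n in sorted(unanswered_syns(text).items())]
```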

#6
I have stumbled upon the fact that the dash character (-) is not accepted in a cron job description field. Is this intentional? I have not tried on 22.1 yet, but on 21.7:

Works fine without a dash.
#7
Hi,

For reasons I would rather not go into at the moment, I would like to bind dnsmasq to specific interfaces. However, no matter what I do, according to netstat it additionally binds to:
udp6       0      0 ::1.53
udp4       0      0 127.0.0.1.53

I have selected two interfaces on my system and enabled Strict Interface Binding, which says: "If this option is set, Dnsmasq will only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses. This option does not work with IPv6. If set, Dnsmasq will not bind to IPv6 addresses."
#8
20.7 Legacy Series / [Solved] Ipsec does not log anything
September 21, 2020, 03:46:58 PM
Hi,

I feel completely stupid, but I cannot get IPsec to log anything on a certain OPNsense machine. I have turned everything to Raw under VPN->IpSec->Advanced Settings->IPsec Debug and still nothing - /var/log/ipsec.log remains empty.
#9
20.1 Legacy Series / Private network traffic on WAN
April 21, 2020, 04:49:42 PM
I have disabled private networks on my WAN and yet I still get traffic from the 192.168.1.x subnet.

I guess it is from my ISP router - they serve a NATted network as well as a public IP on the same port. But why does OPNsense let this traffic in?

"Block private networks" on WAN (re1) is switched on, and yet:
# ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254): 56 data bytes
64 bytes from 192.168.1.254: icmp_seq=0 ttl=64 time=0.580 ms
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=0.366 ms
The packets definitely seem to go out and back on the re1 interface:
# tcpdump -nn -i re1 host 192.168.1.254
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:36:51.814864 IP 195.50.196.206 > 192.168.1.254: ICMP echo request, id 19307, seq 0, length 64
14:36:51.815392 IP 192.168.1.254 > 195.50.196.206: ICMP echo reply, id 19307, seq 0, length 64
14:36:52.818861 IP 195.50.196.206 > 192.168.1.254: ICMP echo request, id 19307, seq 1, length 64
14:36:52.819747 IP 192.168.1.254 > 195.50.196.206: ICMP echo reply, id 19307, seq 1, length 64


I checked that the address is not among the configured addresses (ifconfig | grep 192.168), not routed (netstat -nr | grep 192.168) and not directly connected to the switch (arp -an | grep 192.168).

So I guess it is accessible through the WAN upstream gateway...

But shouldn't the "block private networks" switch make OPNsense drop these packets?
#10
Hi,

It seems I have botched this up somehow. New OPNsense install, config imported from the old one.

When I click Check updates, it keeps checking forever; system.log shows:
Apr 21 10:10:39 mono api[86132]: uri /api/core/firmware/status authentication failed for api key kk
Apr 21 10:10:39 mono api[86132]: uri /api/core/firmware/info authentication failed for api key kk
Apr 21 10:10:39 mono api[86132]: uri /api/core/firmware/upgradestatus authentication failed for api key kk


Also, I cannot install plugins/packages.
#11
Hi,

I have several problems with ZeroTier now.

1) After upgrading from 20.1.3 -> 20.1.4 I discovered that ZeroTier was offline. Investigating the issue, I found out that the ZeroTier address (sort of a unique ID that identifies a host) of the OPNsense machine had changed. Is that the designed behaviour?

2) No biggie; I went to ZeroTier Central and added the new address. I went to look at/configure ZeroTier in the OPNsense web GUI and suddenly lost all LAN connectivity to OPNsense. Totally baffled, I power cycled and tried again. Same result. It seems that when ZeroTier is enabled I now lose LAN connectivity to OPNsense.

Any ideas?
#12
20.1 Legacy Series / Cron weekdays ambiguousness
March 01, 2020, 11:19:28 AM
How are the weekdays numbered in the cron jobs?

0-6 or 1-7 (is Sunday the first or the last day of the week)?
Or 0-7 (where 0 and 7 are both understood as Sunday), like in the system?

It would put my mind at ease if there were an explanation in the GUI help. Currently it says "Enter the days of the week for the job to act, can also be a comma-separated list, * (each) or a range (ex. 1,2,3 or 1-3)".
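A parser for the day-of-week field in the forms the GUI help text lists (`*`, comma lists, ranges), added here as an example and not taken from the post or from OPNsense. It follows the Vixie cron convention of the FreeBSD system cron the post refers to, where values run 0-7 and both 0 and 7 mean Sunday; whether the web GUI itself accepts 7 is not settled by the post. Function names are hypothetical.

```python
def _normalize(n):
    """Map a numeric day to 0-6; 7 is an alias for Sunday (0) in Vixie cron."""
    if not 0 <= n <= 7:
        raise ValueError(f"day-of-week {n} out of range 0-7")
    return 0 if n == 7 else n


def expand_weekdays(field):
    """Return the set of weekdays (0=Sunday .. 6=Saturday) a field covers.
    Accepts '*', comma-separated lists and 'a-b' ranges, as the help says."""
    field = field.strip()
    if field == "*":
        return set(range(7))
    days = set()
    for part in field.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range {part!r}")
            # A range ending in 7 wraps onto Sunday, e.g. 5-7 -> {5, 6, 0}.
            days.update(_normalize(d) for d in range(lo, hi + 1))
        else:
            days.add(_normalize(int(part)))
    return days


def canonical(field):
    """Rewrite a field in the unambiguous 0-6 spelling, so a job written
    with 7 or with a wrapping range reads the same under either convention.
    Example: '5-7' -> '0,5,6'."""
    return ",".join(str(d) for d in sorted(expand_weekdays(field)))
```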
#13
19.1 Legacy Series / CRL management for OpenVPN
June 04, 2019, 05:24:32 PM
We are signing our VPN user certificates outside the OPNsense box.

Where does OPNsense save the CRL that is imported through the web GUI?

Can I upload the CRL to the OPNsense box without importing it through the web GUI? For instance with scp. Or have OPNsense pull the CRL from another server at an interval? Or upload it through a URL call?
#14
17.1 Legacy Series / 17.1.1 ipsec reneg delays
February 22, 2017, 01:44:53 PM
I have configured site-to-site IPsec from one OPNsense to another and clients have intermittent connection issues through the connection. At some point the tunnel drops and renegotiation is not successful for several minutes.

Going through the log, I stumbled upon this:
peer A:
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----


peer B:
Feb 22 14:30:02 peerB charon: 12[IKE] received 2 cert requests for an unknown ca



IPsec negotiation succeeds 2 minutes(!) later.

The strange thing is that IPsec is configured to use Mutual PSK, not certificates. The certificates in question are used for OpenVPN clients on peer A.


Why does IPsec use these certificates at all?
Am I right to suspect that this is the cause of the delay, that one peer tries to authenticate using these CAs?
#15
16.7 Legacy Series / OpenVPN certificate CRL automation
January 05, 2017, 05:19:58 PM
We are signing our VPN user certificates outside the OPNsense box.

Where does OPNsense save the CRL that is imported through the web GUI?

Can I upload the CRL to the OPNsense box without importing it through the web GUI? For instance with scp. Or have OPNsense pull the CRL from another server at an interval?
#16
Hi,

I'm testing OPNsense for the first time. I noticed the LAN goes down (no ping, etc.) even on the most minute changes.
For instance, creating a new DNS Forwarder host override and applying the settings results in the router being offline for ~20 seconds. Same when adding a static DHCP mapping.

Is this normal for OPNsense? Does it always take the interface down in addition to restarting dnsmasq on those changes?