Topics - dcol

1
General Discussion / SSH root password not working
« on: June 23, 2022, 01:43:36 am »
I can log into OPNsense via the console or GUI just fine, but I cannot use that same password in WinSCP. It says 'incorrect password'.
What do I need to do to get SFTP access?

2
22.1 Legacy Series / Multiple Gateway issues
« on: June 17, 2022, 11:35:29 pm »
Didn't receive any help on my Outbound NAT questions so I am taking a different approach to not do a group gateway.
I have a working OPNsense firewall with web and email servers. My goal is to add another WAN for use only by the LAN interface on the firewall.
So what I did was change the LAN gateway to the new WAN service and add the corresponding Outbound NAT. I have connectivity to the new WAN on the LAN now, but now there is no access to the servers on the firewall. Not sure what rules to add to gain access to the servers from the LAN now that both are running on different gateways. The servers run on different interfaces on the same firewall.

I am not trying to do Multi-WAN. Just want the LAN to use its own gateway.

Can anyone help with this?

3
22.1 Legacy Series / Outbound NAT with dual wan
« on: June 16, 2022, 08:34:36 pm »
I am trying to set up load balancing with two WANs for my LAN network. I followed the guide, but have issues with connectivity and I think it may be because of the outbound NAT settings. I have Outbound NAT set to manual and have a rule that sets the LAN network to one WAN interface and NATs to a virtual IP on one of the primary WAN interfaces.

One WAN (primary) has static virtual IPs, the other WAN is DHCP.

Do I need to add another Outbound NAT rule for the DHCP WAN?

The other option is to not use multi-WAN group gateways and put the DHCP WAN as the LAN gateway, but how would the Outbound NAT be configured?

To complicate matters, two computers on the LAN must have some ports accessible on the primary WAN.

4
22.1 Legacy Series / Can't access local websites
« on: May 14, 2022, 12:22:08 am »
I can't access local websites anymore. I know I used to be able to do it, but there have been many updates since then.
Websites are all accessible externally, just not within my local LAN network.
I have NAT 1:1, reflection enabled, and Port Forwards enabled.
Local subnet is 192.168.100.1/24. For example, one webserver is at 192.168.20.34 and the other at 192.168.1.101.
Can't use one rule because there are different webservers on different IPs. Can't get to any of them from the local network. All the webservers are on different external IPs via IP aliases.
All webservers do have a second NIC going to the 192.168.100 subnet so I can access the files. But IIS is not tied to those IPs.
Any assistance is helpful. Thanks.

5
22.1 Legacy Series / Default deny / state violation rule
« on: April 16, 2022, 11:33:42 pm »
I am setting up a new OPNsense box using 22.1.6. My old box is at 21.7.8. I have all the settings and rules in place and it appears to be working OK so far.

I noticed that when looking at the Firewall Live View it now shows 'Default deny / state violation rule'.

Is this 'state violation rule' message something new for version 22, or do I have a setting to fix?

Thanks to all for a great firewall. Been using for 5 years now.

6
Hardware and Performance / Chelsio T520 unsupported in 22.1
« on: April 15, 2022, 12:30:08 am »
Chelsio T520 driver shows as unsupported in tunables. I can manually load driver with 'kldload if_cxgbe' in the shell, but 'if_cxgbe_load' shows unsupported in the tunables. I cannot use the T520 unless I manually load the driver after I boot. Was there a change?

7
22.1 Legacy Series / Update to v 22 kills internet after 45 seconds
« on: April 13, 2022, 08:59:52 pm »
I tried to update to v22, but had to revert back to 21.7.8. I have two LAN interfaces on different subnets. One was fine but the other kept crashing after about 45 seconds. Tried to update to 22.1.6 with the same issue.

Is there something I need to do before I update? What info is needed to help the community? I have a simple install with one WAN and two LANs. The only plugins I use are Suricata and Monit.

Please help

8
Virtual private networks / 2FA for specific ports
« on: October 15, 2021, 01:23:36 am »
I am running remote desktop software for which I am now required to use 2FA. Is there a way to tunnel specific ports using 2FA via OpenVPN or another method? This is a new area for me, so be gentle. These ports are currently NATed to specific IPs. I am told they now need 2FA. Is this even possible?
Thanks all.

9
21.7 Legacy Series / Listen queue overflow
« on: October 06, 2021, 11:32:45 pm »
System General log:
sonewconn: pcb 0xfffff800c816a000: Listen queue overflow: 193 already in queue awaiting acceptance

This error is recent since my updates to 21.7.3, maybe a coincidence.
Saw many references but no reasons or solutions to this error in the system logs. Did not make any recent changes to hardware. Most references mentioned a NIC overflow. If this is true, how can I tell which NIC? I have 6 in this system.
Tried adding kern.ipc.soacceptqueue with value=1024 as some suggested. Made no difference.

Any suggestions on how to track this down?
And why is it always 193 in the queue? That seems strange to me. Is there a way to dump the queue?

10
21.7 Legacy Series / [Feature Request]
« on: August 17, 2021, 12:46:05 am »
Didn't see anywhere in the forums for feature requests, which could be another feature request.

I would like to be able to add a custom Cron job in the WebGUI. Just a simple run this command on this schedule. Maybe it's already there. I couldn't find it.

11
21.7 Legacy Series / Firewall requires reboot
« on: August 15, 2021, 08:31:37 pm »
I have an OPNsense appliance with Intel NICs connected to a Westell G60 DSL modem using PPPoE on the WAN port. The modem is set to bridge mode.

Here is the issue. Every time the modem loses power or Internet connectivity, the firewall needs to be rebooted before the WAN works again. Is there something that I can do in the firewall to automatically reboot if the WAN or gateway is down?

I did see in another post the option for "Periodic reset". Where is this found?

12
21.7 Legacy Series / GeoIP2 questions
« on: August 05, 2021, 08:54:23 pm »
I now have a subscription to GeoIP2. I ran GeoLite2 previously and used the following URL:
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<MY KEY>&suffix=zip

I assume I now use:
https://download.maxmind.com/app/geoip_download?edition_id=GeoIP2-Country-CSV&license_key=<MY KEY>&suffix=zip

I cannot tell if it is working since I do not know how to force an update, or know how to apply a twice weekly update. I also assume that the alias cron job does the GeoIP2 update.

Are my assumptions correct?

13
21.7 Legacy Series / Viewing CPU usage per service
« on: August 01, 2021, 11:16:29 pm »
Is there a way to view CPU usage per service? Maybe a shell command?

I am using 21.1.9 and I noticed the CPU was at 60-70%, driving my CPU temps high. I did a restart and now the usage is where it should be at 0-10%.

How can I tell what is causing this high CPU usage? I did try resetting the netflow data and that made no difference. Only a reboot brought the usage down. I also noticed that when the CPU usage was high, the memory usage was also much higher than normal, using 12-14GB when normally it is at 3-4GB.

Specs: Intel i7-6700, 32GB

Thanks

14
21.1 Legacy Series / IPv6 not working
« on: May 18, 2021, 01:50:59 am »
I have no IPv6 connectivity. Had it before the last update, but not sure if that had anything to do with it.
Dashboard shows dhcpv6 and a WAN_DHCP6 gateway running.
LAN has IPv6 Configuration Type set to track interface with prefix ID 0.
WAN has IPv6 Configuration Type set to DHCPv6 and Prefix delegation size=64.
There are no VLANs.
Unbound has DNS64 Support disabled.
Custom options are:

server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

On the client side, IPv6 is enabled via DHCP. ipconfig shows a Link-local IPv6 Address.
Any help appreciated to get IPv6 working again.

15
21.1 Legacy Series / Redelivery of spam by backup email servers
« on: April 20, 2021, 12:43:15 am »
Here is an issue I just came across and am not sure how to handle.
I have a floating rule that blocks certain countries from sending email on port 25.
The issue is, I use a backup email service which accepts email when my primary MX Record is not available, then forwards the email when it is available.

What I think is happening is that by blocking the port it is forcing the email to use the next-level MX server. Should I be rejecting these connections instead of blocking? Not sure how to handle this. Maybe I should not be blocking port 25 at all and let the email server handle the spam, but it does not have very good GeoIP blocking capabilities.

OPNsense is an OSS project © Deciso B.V. 2015 - 2022 All rights reserved