Topics

1

21.1 Production Series / IPv6 not working

« on: May 18, 2021, 01:50:59 am »

I have no IPv6 connectivity. Had it before the last update, but not sure if that had anything to do with it.
Dashboard shows dhcpv6 and a WAN_DHCP6 gateway running
LAN has iPv6 Configuration Type as track interface with prefix ID 0
WAN has IPv6 Configuration Type set to DHCPv6 and Prefix delegation size=64
There are no VLANs
Unbound has DNS64 Support Disabled
Custom options are

server:
do-not-query-localhost: no

forward-zone:
   name: "."
   forward-addr: 127.0.0.1@5353
   forward-addr: ::1@5353

On the client side, IPv6 is enabled DHCP. ipconfig shows a Link-local IPv6 Address.
Any help appreciated to get IPv6 working again.

2

21.1 Production Series / Redelivey of spam by backup email servers

« on: April 20, 2021, 12:43:15 am »

Here is an issue I just came across and not sure how to handle.
I have a floating rule that blocks certain countries from sending email on port 25.
The issue is, I use a backup email service which accepts email when my primary MX Record is not available, then forwards the email when it is available.

What I think is happening is by blocking the port it is forcing the email to use the next level MX server. Should I be rejecting these connections instead of blocking? Not sure how to handle this? Maybe I should not be blocking port 25 at all and let the email server handle the spam, which does not have very good GeoIP blocking capabilities.

3

General Discussion / IPv6 issue one one LAN interface

« on: April 13, 2021, 12:49:39 am »

Hi,
I have two LAN interfaces, LAN1:192.168.100.1/24 and LAN2:192.168.200.1/24.
I installed DNSCrypt-Proxy using the online tutorial, IPv6 works fine in LAN2, but LAN1 does not have IPv6 connectivity. I changed both LAN's IPv6 to Track Interface to WAN with different Prefix ID's.
An ipconfig shows IPv6 IP's and DNS for both LAN's. IPv4 works fine on both LAN's.
I am using DHCP on both LAN's

What am I missing? What other info can I share to help solve this mystery?

Thanks

4

21.1 Production Series / Need DNS help

« on: April 03, 2021, 11:31:42 pm »

Hi,
I followed the tutorial on DNS Security to the letter and it just opened up a bunch of issues.

All I want is to have IPv4 and IPv6 available using DNSSEC. After I setup using the tutorial I had a bunch of DNS issues. Everything started resolving to IPv6 and then I had access issues. Outlook not working on the LAN. No access to Socks proxies. Seems all my IPv6 custom locations don't work because everything resolves to IPv6. I use static IP's from my ISP and they do not have IPv6 IP's available yet.

I don't know where to start. Is there a way to set overrides so certain domains are forced to resolve to IPv4? Or a way to always use IPv4, then use/fallback to IPv6 if no IPv4 DNS record exists?

As an example, if I tracert my email server domain, it returns an IPv6 address, but there is no IPv6 address on that server so I cannot get to it. Same with external proxies I access.

I did resort to disabling IPv6 on my NIC to access things, but I don't want all my users to have to do that. I do want to have access to IPv6 only sites. And I did set prefer IPv4 over IPv6.

Any help is appreciated.

5

21.1 Production Series / ntopng not working

« on: March 31, 2021, 05:54:15 pm »

Hi all,
I thought I would give ntopng a go and can not get the ntopng or redis server to start.
Also errors during reboot with connection errors.
2021-03-31T08:48:15   ntopng[86560]   [Redis.cpp:150] ERROR: to specify a redis server other than the default   
2021-03-31T08:48:15   ntopng[86560]   [Redis.cpp:149] ERROR: Please start it and try again or use -r   
2021-03-31T08:48:15   ntopng[86560]   [Redis.cpp:148] ERROR: ntopng requires redis server to be up and running   
2021-03-31T08:48:14   ntopng[86560]   [Redis.cpp:99] ERROR: Connection error [Operation timed out]

Searched posts and could not find and answers. Did not set a password and used all the default settings.
Also noticed there is no /var/redis/db file

Do I need a Firewall Rule to make this work?

6

21.1 Production Series / Revisiting NordVPN setup

« on: February 13, 2021, 07:40:26 pm »

Hi all,
I have looked at archived posts on setting up NordVPN from here
https://support.nordvpn.com/Connectivity/Router/1292598142/OPNsense-18-7-setup-with-NordVPN.htm

Two questions:
1. Has anything notably changed in the installation pertaining to usage on 21.1?
2. What changes need to be made to the setup if I am using a NordVPN dedicated IP?

Thanks to all for a great product for years!

7

20.7 Legacy Series / Question after lighttpd patch

« on: January 06, 2021, 09:46:40 pm »

I applied the patch to fix unbound and noticed these messages. How do I know if I should remove these items?
I know I am using unbound, but do not know what lighttpd is.

You may need to manually remove /usr/local/etc/unbound/unbound.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/lighttpd.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/modules.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/access_log.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/auth.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/cgi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/cml.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/debug.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/dirlisting.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/evhost.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/expire.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/fastcgi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/magnet.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/mime.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/mysql_vhost.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/proxy.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/rrdtool.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/scgi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/secdownload.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/simple_vhost.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/ssi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/status.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/trigger_b4_dl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/userdir.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/webdav.conf if it is no longer needed.

8

General Discussion / AP IP access from WAN

« on: October 14, 2020, 06:42:00 pm »

I have two subnets LAN (192.168.1.1/24) and Wifi (192.168.2.1/24)
The Access Point IP is 192.168.2.254 and the GUI port is 1080
I can get to the AP from the 192.168.2.x subnet but not from the WAN.

I setup a NAT rule (attached) to access the AP from the internet. I can access the OPNsense GUI but not the AP.

The other thing I would like to do is get to the AP from the LAN.
The second attachment is the firewall log.

9

20.7 Legacy Series / non existing rule seen in log

« on: October 06, 2020, 09:05:04 pm »

Here's one I cannot figure out. I have an IPv6 rule in the Live View (see pic) That does not exist in any of my rules.
The label 'Block All IPv6' does not exist in any of my rules.
If this is because I have the Advanced firewall setting set to IPv6 disable, then how can I stop the log entries.

10

20.7 Legacy Series / Bridging different MTU networks

« on: October 06, 2020, 05:13:24 pm »

It it ok to bridge different local subnets from different switches that have different MTU's?
I assume OPNsense would handle the fragmentation internally, but maybe not.

Please advise.

11

20.7 Legacy Series / Block subnets

« on: September 29, 2020, 08:14:29 pm »

I have a basic default setup with two LAN interfaces and one WAN gateway. Everything works fine, except LAN1 can ping and get to shares on LAN2 and vice versa. I do not want the LAN's to have any connection between them.

I have NAT outbound set from each subnet going to the same NAT address, which is the WAN IP address. I assume this is where the connection is since no LAN block rule works.

How do I block the subnets?

12

20.7 Legacy Series / Advice with bridge setup using two switches

« on: September 29, 2020, 02:07:28 am »

I would like to setup two networks from 2 switches and bridge them. One managed with SPF+ ports using 9000 MTU devices. The other unmanaged with 1GB Ethernet ports connected to devices using 1500 MTU.

Is the best option to just bridge the two switches in OPNsense using two interfaces? I need the systems on the SPF switch to handle large media files, which is why I need Jumbo Frames. But I know it is not wise to mix MTU, so I am looking for the best options here.

13

General Discussion / One computer - different subnet

« on: March 07, 2020, 07:14:44 pm »

I have one computer that has an address of 192.168.100.105 that I want to access from the 192.168.1.x subnet as 192.168.1.105. I cannot change any computer IP because of licensing issues. So I am forced to try and access this one computer as 192.168.1.105 while leaving its IP @ 192.168.100.105. Any changes to the network on this computer will kill the license, which cost thousands of dollars. I also need to use this computer as a file server to the 192.168.1.x subnet.

I do have an unused interface on the OPNsense box that I can set to 192.168.100.x. I can bridge them but the issue is I need to use 192.168.1.105 on the existing subnet to get to the 192.168.100.105 computer. Maybe NAT them?

What is the best way to do this? If even possible.

14

19.7 Legacy Series / VPN Help

« on: January 25, 2020, 12:19:48 am »

I need help configuring rules to allow my Windows 2016 VPN server to be able to be accessed on my LAN. Outside users can access via PPTP or L2TP just fine, The VPN server is on OPT1 interface and the local subnet is on LAN.

All the required ports are open for VPN PPTP and L2TP access. I just cannot get any local computers to connect.
The VPN server IP is 192.168.1.101 and I would like to connect to LAN 192.168.100.0/24
The OPT1 interface is 192.168.1.0/24.

I see no hits in the live logs to help me figure it out and I tried floating rules, OPT1 rules, and LAN rules to open the path between these IP's with no luck and I have NAT Reflection enabled. Maybe a NAT Reflection problem?
I am probably just missing something. It's been a while since I needed to change rules.
Attached is an example of an OPT1 rule I tried with no success.


Any help would be appreciated?

15

General Discussion / Blocking custom list of websites

« on: January 02, 2020, 09:04:52 pm »

At wits end. Read every post I could find and still cannot block a list (alias) of websites.
Tried a LAN and a floating rule, didn't work.
Tried Web proxy, didn't work.
Problem with the proxy approach is I could not get a custom blacklist to be recognized. The official ones work fine.
I even tried coping an official blacklists.tar.gz to my web server and no categories showed up. Didn't work.

So what is the best way to block just 10-15 websites with all the subdomains included?
By the way, some of these websites are HTTPS