Topics - eblot

#1
Hi,

I'm using Let's Encrypt to install a certificate for the HTTPS connection to the OpnSense webui.
From what I understand, the "Restart OPNsense Web UI" (enabled) automation is supposed to restart the web server once the new certificate is successfully installed, so that the HTTPS resumes with the new certificate.

It does not happen on my opnsense firewall. The Web UI keeps using the old, now expired, certificate. Forcing a manual execution of this automation does not help. Is there a way to restart the web UI w/o rebooting the whole system? How can I troubleshoot this issue?

I logged in with an ssh session on the firewall and ran:

$ sudo /usr/local/etc/rc.restart_webgui
Password:
Starting web GUI...done.
Generating RRD graphs...done.


but again, the web UI did not restart, and the expired certificate is still used.

Thanks
#2
20.7 Legacy Series / Huawei modem in NCM mode
November 11, 2020, 02:52:09 PM
Hi,

Is there any guide to set up an LTE fallback gateway using a cheap Huawei USB modem key (12d1:1f01 Huawei Technologies Co., Ltd. E353/E3131)?

I've successfully switched it to NCM mode (12d1:155e) or ECM mode (12d1:14db), but I do not know what to do to move forward:

* in NCM mode, ue0 interface is successfully detected:
   
   ue0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:1e:10:1f:00:00
   nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
   

   however I do not know how to configure such an interface with opnsense;

* in ECM mode, the network interface does not show up in opnsense UI (nor via CLI/SSH).

In this latter mode, Linux automatically assigned a local IP to the interface from the integrated DHCP server on the USB modem key (192.168.8.0/24), but I did not find how to do something akin to Linux with opnsense/freebsd.

Thanks.
#3
General Discussion / Wireguard status
June 08, 2020, 11:01:30 PM
Hi,

What is the wireguard status with the latest OpnSense release?
I'm using OPNsense 20.1.7-amd64

I've been using wireguard for a while (opnsense w/ macOS and iOS endpoints), and for some reason it seems it does not work anymore. I cannot trace back when it actually stopped working, but I do not remember changing anything related to Wireguard or the FW rules.

I'm a bit lost about the packages for Wireguard. There are:

* os-wireguard   1.1
* wireguard   1.0.20200513
* wireguard-go   0.0.20200320

which one(s) is/are required?

I think when I initially set up wireguard and when it used to work, there was a < 1.0 release.
Maybe the config format has changed and I need to reinstall it from scratch?

Another question: where are the logs associated with Wireguard support?

The list configuration and handshake panes are empty. They were reporting some info when the setup used to work.
It seems Wireguard is more or less idle, but I really do not know where to look to get logs or debug info.

Thanks.
#4
19.7 Legacy Series / Default deny rule question
August 29, 2019, 11:07:22 AM
Hi,

I was looking at the firewall logs, and there are some denied packets I fail to understand, e.g.:


    LAN      Aug 29 10:48:09   192.168.83.173:50928   17.252.76.99:5223   tcp   Default deny rule


192.168.83.0/24 is my LAN, the WAN net is 192.168.29.0/24
If I get it right, the deny comes from the floating, automatically generated rules, that apply if no other rule matches.


    IPv4+6 *   *   *   *   *   *   *   Default deny rule  (last match)


However, one of the (default) LAN rules is:


    IPv4 *   LAN net   *   *   *   *   *   Default allow LAN to any rule  (first match)


Devices on LAN seem to be able to access the Internet (through the WAN). I'm posting this very message from this configuration.

What could cause the "Default deny rule" to apply on these packets and how to troubleshoot this issue?
I do not get why these packets seem to be blocked and I'm still able to access the Internet... Do I misinterpret these log entries?

Thanks.
#5
Hi,

After upgrading to 19.1.7, the UPS (NUT) monitoring on my amd64-based OPNsense installation broke.

The UPS can no longer be contacted. I tried the usual stuff: unplug/plug back USB connection to the UPS, then uninstall/reinstall the NUT plugin, w/o luck.

I should say that I understand little-to-none on how NUT works and even less, if possible, about the NUT plugin and its UI in OPNsense. I've installed it quite a long time ago and I kind of forgot what I actually did to make it work by that time. I should have written it down.

Anyway the UPS is not an exotic model (EATON Ellipse).
The log file reports (since I plug-cycled the UPS):

   kernel: ugen0.5: <EATON Ellipse ECO> at usbus0 (disconnected)
   kernel: ugen0.5: <EATON Ellipse ECO> at usbus0
   upsmon[55902]: UPS [ups]: connect failed: Connection failure: Operation timed out
   upsmon[55902]: UPS ups is unavailable
   upsmon[55902]: UPS [ups]: connect failed: Connection failure: Operation timed out
   ...


The dashboard shows 2 NUT related services: nut_upsmon (reported as working, green status) and nut_daemon (reported as failed, red status).

The NUT configuration shows the USBHID driver is enabled, but the UPS Status in the Diagnostic pane is always empty, so it is hard to tell what is actually going wrong.

I have not changed the configuration (as it used to work even with previous 19.1.6) since I've upgraded to the very latest OPNsense release.

Note that uninstalling/re-installing the NUT plugin reported a slight difference:


  May 7 23:03:42   pkg: os-nut-devel-1.4 deinstalled
  May 7 23:04:26   pkg: os-nut-1.4 installed


Any idea of what went wrong, and most importantly where to start to troubleshoot this issue?

Thanks.
#6
Hi,

Is there a way to get an automated notification when (VPN) SSL certificates are about to expire?
I got caught being abroad and unable to connect to my VPN as the server certificate had just expired :-(

Is there such a feature, or an easy way to implement it?

Thanks.
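Added example for the two certificate questions above (the web UI still serving an expired certificate, and wanting a warning before a VPN server certificate expires); it is not code from the forum or from OPNsense. It reads the certificate the endpoint actually presents over TLS, so it reports what clients see rather than what is installed on disk, and still works once the certificate has expired. The hostnames, ports and warning threshold are constructed assumptions.

```python
#!/usr/bin/env python3
"""Warn when the certificate a TLS endpoint presents is close to expiry
(or already expired). Intended to run from cron on a monitoring host."""
import ssl
import subprocess
import sys
import time

# Constructed assumptions: the firewall web UI on 443 and an OpenVPN
# server running over TCP on 1194. Adjust to the real endpoints.
ENDPOINTS = [("firewall.example.lan", 443), ("firewall.example.lan", 1194)]
WARN_DAYS = 14


def days_remaining(enddate_line, now=None):
    """Parse an 'openssl x509 -enddate' line such as
    'notAfter=Jun  8 23:01:30 2020 GMT' and return the whole days left.
    The result is negative once the certificate has expired."""
    value = enddate_line.strip().split("=", 1)[1]
    expiry = ssl.cert_time_to_seconds(value)  # UTC epoch seconds
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def served_enddate(host, port, timeout=10):
    """Return the notAfter line of the leaf certificate the server sends.
    s_client completes the handshake even for expired or self-signed
    certificates, which is exactly the case we want to detect."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                          input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


def check(endpoints, warn_days):
    """Return (host, port, state) for every endpoint that needs attention:
    state is the days left when at or under the threshold, or an error text."""
    alerts = []
    for host, port in endpoints:
        try:
            days = days_remaining(served_enddate(host, port))
        except (subprocess.SubprocessError, OSError, ValueError) as exc:
            alerts.append((host, port, f"check failed: {exc}"))
            continue
        if days <= warn_days:
            alerts.append((host, port, days))
    return alerts


if __name__ == "__main__":
    problems = check(ENDPOINTS, WARN_DAYS)
    for host, port, state in problems:
        print(f"{host}:{port} -> {state}")
    sys.exit(1 if problems else 0)  # non-zero exit lets cron mail the alert
```

A non-zero exit with the offending endpoints printed is enough for cron's MAILTO or any alerting wrapper to notify you before being locked out abroad.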
#7
Hi,

I noticed that the unbound server (using the default setting) was not resolving DNS requests issued from my OpenVPN client.

nslookup run on the VPN client side reports

** server can't find <host.domain>: REFUSED

The log file on OpnSense shows:

debug: refused query from ip4 10.0.83.6 port 56092 (len 16)

The access list shows that the physical IPv4 networks have been automatically added (2 WAN, 1 LAN, 1 local), but the VPN network (10.0.83.0/24 here) has not been added...

Adding this network to the access list solved this issue, but is this what is expected? The "Network Interfaces" was defined to "All", so I would have expected the VPN subnet to be part of these interfaces.

Thanks.
#8
18.7 Legacy Series / usb_modeswitch package
August 12, 2018, 01:50:02 PM
Hi,

I'm trying to setup a Huawei 4G/LTE modem as a fallback WAN interface w/ my OpnSense router.

It seems it requires to use the usb_modeswitch tool to enable the modem interface.

I read from here: https://forum.opnsense.org/index.php?PHPSESSID=or3em205tfimrihiklo1rjora0&topic=6771.msg29415#msg29415 that Franco is the maintainer of this package for FreeBSD, so ... is this tool/package available for OpnSense somehow? - or am I looking in the wrong direction to get this device to work?

Thanks!
#9
Hardware and Performance / Best WiFi USB adapter
September 08, 2017, 09:02:30 AM
Hi,

I'm (desperately) looking for a good USB WiFi n adapter that works **seamlessly** and without system hacks with OPNSense. It's definitely NOT for creating an access point, but as a simple WiFi client to access a remote 4G gateway. 150 Mbps or 300 Mbps would be fine, as long as it runs on a 5GHz channel.

I have tried a couple of adaptors I already owned, but they are either not recognized by the Kernel, or have proved to be very unstable (the interface goes UP and DOWN with one of them, or half the packets are lost with the other).

A perfect match would be a mini PCIe card so I can replace the (crappy) Realtek-based integrated card within my Qotom box, while still relying on the integrated WiFi antennas. A regular external USB-A adapter could fit as a second choice.

Unfortunately Qotom has not routed the PCIe express lane to the mini PCIe card connector, so a WiFi adapter that uses PCIe cannot work :-( Only the USB bus signal is available on the card slot.

I've looked at the various pages that document which versions of which WiFi chips are supported on whatever BSD kernel, but it's quite difficult to figure out if it actually works seamlessly and which WiFi adapter manufacturer/product actually uses the selected chip.

Any advice / feedback would be great!
#10
16.7 Legacy Series / Cannot complete boot from USB key
November 15, 2016, 12:24:27 PM
Hi,

I'm trying to install OPNsense from a USB key on an Atom-based computer (x64).

The initial bootloader works as expected, kernel boot messages are printed on the HDMI console, but the kernel (I guess) finally deadlocks without a clear reason after:

"ppc0: cannot reserve I/O port range".

I've edited the bootloader configuration file to disable the PPC, but it does not really go any further.
Booting in single user, verbose mode, the last traces are:

...
atkbd0: [GIANT-LOCKED]
psm0: unable to allocate IRQ
pcib0: allocate type 4 (0x3f0-0x3f5) for rid 0 of fdc0
pcib0: allocate type 4 (0x3f7-0x3f7) for rid 1 of fdc0
fdc0 failed to probe at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
ppc0: not probed (disabled)
pcib0: allocated type 4 (0x2f8-0x2ff) for rid 0 or uart1

There is no other message, and I do not know how to investigate from this point.

The same USB key boots fine within VmWare Fusion 8.5.1

How can I debug this issue?

Thanks.