Topics - Nnyan

#1
Hello all,

So I'm following this guide here: https://forum.opnsense.org/index.php?topic=8783.0 and I've tried a few others that just had some settings differences from the guide above.

So any of the external scans just show the port as being blocked or filtered, and my internal app never gets the port forward requests. To isolate the issue I dusted off my Unifi USG and Palo Alto PA-220, and after a bit of updating and configuration, plugging them in allows the port forward to work (scans show it to be open and my application gets the requests).

The firewall logs are a bit hard to understand, but I don't clearly see what/where it's being blocked. If I filter them to show port 32400 I see traffic being allowed (second screenshot), but it's not on the WAN side. Any help figuring this out will be greatly appreciated. Thank you!


#2
So I've been back on OPNsense for a while, but since the move I have changed ISPs from Comcast to AT&T. The main reason is that the Comcast gigabit service is only 1G/40mb while the AT&T service is 1G/1G. When everyone was home that 40mb (at best) was starting to be a PITA bottleneck. AT&T does do some things I'm not crazy about (no true bridge mode), but the IP passthrough works well enough and I did not detect a double NAT.

My problem is that since I made the move to AT&T my PLEX server is unable to maintain its external connection. You basically have to port forward or use UPnP to port 32400. Back on Comcast this would work with UPnP or any port to 32400. This could drop occasionally, but it would come back up. Now I can't get this to work for typically more than a few minutes, although occasionally it will work for a few hours or more.

I was working on this being an AT&T issue, except just about everyone on the AT&T forums was getting PLEX remote access to work. Someone suggested getting static IPs to see if that helped. It did not. But that gave me an idea, and since I still have my Unifi switch and USG I plugged them into the BGW-320 and assigned them a static IP (public), and now I have two "paths" out to the internet.

When I connect my PLEX server to go out through the USG, PLEX can maintain its external connections. I've tested this with some friends and it's been up solid for just over a week. When I move it to the Cisco SG350 switch (which is where the OPNsense LAN port connects to), it will drop within a few minutes or less. Just to make sure I eliminate everything, I broke out my Juniper EX3300 and took turns connecting each router to this switch and then the PLEX box, and I got the same results.

Just as an extra test for my sanity I dusted off the PA220, and after some updates and settings tweaks I connected this to the EX3300 and the PLEX server to this, and it has so far maintained remote access for almost 3 days. I've attached the PF rule that I'm using.

If I run online port checkers, whatever port I set for PLEX is open on my USG IP but not the OPNsense IP.

I've tried looking through the logs, but I really can't see anything that would pinpoint what my issue is with this. Thank you ahead of time.
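For the port-forward problem in the two posts above (scans show 32400 filtered, the log filter shows "allowed" entries but not on the WAN side), the useful first question is what the WAN interface itself logged for the forwarded port: nothing, blocks, or passes. Here is an added example (my code, not from the posts or from OPNsense) that tallies OPNsense filterlog lines per interface/direction/action for one destination port and gives a verdict. The CSV field order is assumed from the filterlog format (rulenr, subrulenr, anchor, label, interface, reason, action, direction, ipversion, then the IP header fields, then src, dst, srcport, dstport); the interface names igb0/igb1 and the log lines themselves are constructed for the example.

```python
"""Triage an OPNsense port forward from filterlog lines (added example).

Assumed filterlog CSV layout after the syslog prefix:
  0 rulenr, 1 subrulenr, 2 anchorname, 3 label, 4 interface, 5 reason,
  6 action, 7 direction, 8 ipversion,
  IPv4: 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags, 15 protoid,
        16 protoname, 17 length, 18 src, 19 dst, 20 srcport, 21 dstport ...
  IPv6: 9 class, 10 flowlabel, 11 hlim, 12 protoname, 13 protoid,
        14 length, 15 src, 16 dst, 17 srcport, 18 dstport ...
Port fields are only present for tcp/udp.
"""
import csv
from collections import Counter

IPV4 = {"proto": 16, "src": 18, "dst": 19, "sport": 20, "dport": 21}
IPV6 = {"proto": 12, "src": 15, "dst": 16, "sport": 17, "dport": 18}

# Constructed sample, not real logs: two forwarded SYNs passed inbound on the
# WAN (igb0), one LAN client (igb1) reaching Plex directly, one unrelated
# block on 443. Destination is shown as logged (after any redirect).
SAMPLE_LOG = """\
Apr 12 10:00:01 fw filterlog[12345]: 84,,,a7f6c2e1-1111-4a2b-8c3d-000000000001,igb0,match,pass,in,4,0x0,,55,4711,0,DF,6,tcp,60,203.0.113.5,10.0.0.20,51515,32400,0,S,1,,65535,,mss;sackOK
Apr 12 10:00:03 fw filterlog[12345]: 84,,,a7f6c2e1-1111-4a2b-8c3d-000000000001,igb0,match,pass,in,4,0x0,,52,4712,0,DF,6,tcp,60,198.51.100.7,10.0.0.20,40022,32400,0,S,1,,64240,,mss;sackOK
Apr 12 10:00:05 fw filterlog[12345]: 91,,,b2c3d4e5-2222-4a2b-8c3d-000000000002,igb1,match,pass,in,4,0x0,,64,9,0,DF,6,tcp,60,10.0.0.55,10.0.0.20,53100,32400,0,S,1,,65535,,mss;sackOK
Apr 12 10:00:06 fw filterlog[12345]: 8,,,0,igb0,match,block,in,4,0x0,,48,7,0,none,6,tcp,40,192.0.2.9,50.0.0.150,60000,443,0,S,1,,1024,,
"""


def parse_line(line):
    """Return a dict for one filterlog line, or None if the line is not one."""
    parts = line.split()
    if not parts:
        return None
    payload = parts[-1]                      # the CSV payload contains no spaces
    if payload.count(",") < 8:
        return None
    f = next(csv.reader([payload]))
    layout = {"4": IPV4, "6": IPV6}.get(f[8])
    if layout is None or len(f) <= layout["dst"]:
        return None
    rec = {"rule": f[0], "label": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "ipver": f[8], "proto": f[layout["proto"]],
           "src": f[layout["src"]], "dst": f[layout["dst"]]}
    if rec["proto"] in ("tcp", "udp") and len(f) > layout["dport"]:
        sport, dport = f[layout["sport"]], f[layout["dport"]]
        if sport.isdigit() and dport.isdigit():
            rec["sport"], rec["dport"] = int(sport), int(dport)
    return rec


def tally(lines, dport):
    """Count hits for `dport` keyed by (interface, direction, action)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("dport") == dport:
            counts[(rec["iface"], rec["dir"], rec["action"])] += 1
    return counts


def triage(counts, wan_iface):
    """Classify what the WAN interface logged for the forwarded port."""
    passed = counts.get((wan_iface, "in", "pass"), 0)
    blocked = counts.get((wan_iface, "in", "block"), 0)
    if not passed and not blocked:
        return ("no_wan_hits", f"nothing logged inbound on {wan_iface}: packets are not "
                f"arriving (check the ISP gateway/passthrough) or the pass rule does not "
                f"log; confirm on the box with: tcpdump -ni {wan_iface} port <dport>")
    if not passed:
        return ("wan_blocked", f"every inbound hit on {wan_iface} is blocked: the filter "
                f"rule tied to the NAT rule is missing or sits below a block rule")
    if blocked:
        return ("mixed", f"some hits on {wan_iface} pass and some are blocked: compare "
                f"the rule numbers/labels of the blocked entries; blocks after the SYN "
                f"passed point at a state or reply-path problem")
    return ("wan_passed", f"inbound hits are passed on {wan_iface}, so the forward works "
            f"at the firewall; look at the target host's own firewall or an asymmetric "
            f"reply path (e.g. a second gateway on the same switch)")


def report(log_text, dport, wan_iface):
    """Tally one port over a log dump and return (counts, (code, explanation))."""
    counts = tally(log_text.splitlines(), dport)
    return counts, triage(counts, wan_iface)


if __name__ == "__main__":
    counts, (code, why) = report(SAMPLE_LOG, 32400, "igb0")
    for key, n in sorted(counts.items()):
        print(key, n)
    print(code, "-", why)
```

Feed it the real export (System > Log Files > Firewall, or /var/log/filter on the box) and the actual WAN interface name; the LAN-side "pass" entries it reports are local clients reaching Plex directly, which is why filtering on the port alone looks healthy while the WAN side shows nothing.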
#3
For a number of reasons I now have 5 usable public IPs from AT&T giga service. My current config is this: LAN devices on the 10.0.0.0/22 network and public IPs 50.x.x.x.

internet >> AT&T ONT >> ip-passthrough mode >> OPNsense WAN (50.x.x.150) >> OPNsense LAN (10.0.0.1) >> Cisco managed switch

All my LAN devices connect to the Cisco switch. I may be off base here, but I think if I have a server that is connected to the Cisco switch with an IP of 50.x.x.145, do I need to put in a static route in OPNsense so that it knows where to send this traffic (out the WAN port)? If I have this correctly, how would I do that, or am I just completely off base here?
#4
General Discussion / Slow initial DNS lookup
April 09, 2021, 07:29:47 PM
Hello all,

I've noticed a problem whenever anyone goes to a website for the first time. It's fairly slow opening a webpage for the first time (browsers sit on "resolving host" for 10-20 secs or so). I am currently using Unbound with TLS going to Cloudflare. Any guidance on this issue would be appreciated!

Thank you
#5
General Discussion / Dynamic DNS and TLS
April 06, 2021, 08:36:46 AM
Hello,

I have my DNS TLS working as per: https://sahlitech.com/opnsense-setup-unbound-dns/

Those instructions (and other places) tell you NOT to put in DNS in the System > Settings > General area. BUT when I attempt to set up my DDNS I see this:

You must configure a DNS server in System: General setup or allow the DNS server list to be overridden by DHCP/PPP on WAN for dynamic DNS updates to work.

Looks like my option is to enable "allow DNS server list to be overridden...", but I'm not exactly sure what this does/how it works/how it will impact the DoT setup. Do I need to exclude an interface?
#6
General Discussion / How to bypass ISP hijacking DNS
April 04, 2021, 07:40:44 AM
Hello,

I'm not exactly sure if this is the best forum, but I just recently moved from Comcast to AT&T gigabit service (1000/1000 vs 1000/50), and while I can put the AT&T gateway into a close approximation of bridge mode (it took a while to get rid of the double NAT issue), I can't seem to figure out how to stop AT&T from using the gateway DNS. I've been checking by doing an nslookup for a fake domain. AT&T answers back with a non-authoritative fake IP.

I've tried Unbound, dnsmasq and dnscrypt-proxy to no avail (unless I'm just missing a specific setup). Not sure if this is even possible, but I thought I would ask here.

Thank you!
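Both the "slow initial DNS lookup" post and the "ISP hijacking DNS" post above come down to asking the resolver one question and looking closely at the answer: how long it took, what RCODE came back, and whether a name that cannot exist was answered with an address anyway. The following is an added example (my code, not from the posts or from any OPNsense component) that does exactly that with a stdlib-only DNS client: it builds a raw A query, parses the response, classifies NXDOMAIN versus a fabricated answer, and reports the round-trip time. The resolver addresses in the `__main__` block (10.0.0.1 as the OPNsense LAN address and 1.1.1.1 as Cloudflare) are assumptions; the hand-built responses used to check the parser are constructed.

```python
"""Probe a resolver for NXDOMAIN hijacking with a minimal stdlib DNS client.

Added example. A clean resolver answers a query for a name that cannot exist
with RCODE 3 (NXDOMAIN); a hijacking one answers NOERROR with an A record
pointing at its search/ad page. The same probe reports round-trip time, so it
also shows whether a first lookup through the firewall is the slow step.
"""
import secrets
import socket
import struct
import time

TYPE_A, CLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def build_query(name, qid):
    """Encode a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def _skip_name(msg, off):
    """Advance past a possibly compressed domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (id, rcode, [A record addresses]) from a raw DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                     # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return qid, rcode, addrs


def classify(rcode, addrs):
    """Verdict for a query on a name that must not exist."""
    if rcode == RCODE_NXDOMAIN:
        return "clean"
    if rcode == RCODE_NOERROR and addrs:
        return "hijacked"
    return "inconclusive"


def probe(resolver, name=None, port=53, timeout=5.0):
    """Send one UDP query and return rcode, answers, elapsed ms and verdict."""
    # Random label under the reserved .example TLD (RFC 2606): a clean
    # resolver can only answer NXDOMAIN. Pass your own random label under a
    # real zone if you want to test the ISP's handling of delegated names.
    name = name or f"nx-{secrets.token_hex(6)}.example"
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_query(name, qid), (resolver, port))
        data, _ = s.recvfrom(4096)
        elapsed_ms = (time.monotonic() - start) * 1000
    rid, rcode, addrs = parse_response(data)
    if rid != qid:
        raise ValueError("response ID does not match the query")
    return {"name": name, "rcode": rcode, "addrs": addrs,
            "ms": round(elapsed_ms, 1), "verdict": classify(rcode, addrs)}


if __name__ == "__main__":
    import sys
    # Assumed addresses: the firewall's Unbound on the LAN side vs Cloudflare direct.
    for target in sys.argv[1:] or ["10.0.0.1", "1.1.1.1"]:
        try:
            print(target, probe(target))
        except (OSError, ValueError) as exc:
            print(target, "error:", exc)
```

Run it from a LAN host against the firewall and then against the upstream it forwards to; a "hijacked" verdict from the firewall's own address means the forwarder it is actually using is the gateway's, not the one configured, and a large gap in `ms` between the two targets on a fresh name isolates the slow hop.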
#7
17.7 Legacy Series / Transparent Firewall setup?
November 28, 2017, 11:46:58 PM
I have a new deployment where I need to install an inline firewall/URL blocker with no NAT, traffic shaping or routing of any type (transparent firewall/bridge/???). I would like to use OPNSense and after doing some research I believe I need to follow this guide:

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

I don't want to make any changes to the clients if I can avoid it; I need to use the current device as the gateway/router/DHCP/etc. and only want to add an additional layer of protection. Thank you all in advance, and any help will be greatly appreciated.
#8
17.1 Legacy Series / firewall alerts
July 25, 2017, 10:10:15 PM
Hello all, a little while back I had to reinstall OPNSense after a power strike where my backed-up settings would restore. I had pretty good notes on the changes I made, so I think I'm back to where I was before the power strike except for one thing. I'm getting constant connection attempts to my PLEX box and a few other things, 2-3K a week. I notice these b/c I have Cujo and Rattrap security appliances as a "sanity check" and an additional layer of protection (typically I just run Rattrap inline from the OPNSense LAN port that goes to my HP switch).

Prior to reinstalling I was getting zero notifications of these types b/c they were being blocked by OPNSense. I have gone over everything ten times and I can't figure out what I'm missing (didn't enable or set up) to have OPNSense automatically block these connection attempts. I have IPS/IDS turned on, UPnP turned off, etc.

Anyway, if anyone has some suggestions I would greatly appreciate it.  Thank you in advance!
#9
Hello, I just had a long power outage while I was out of the house, and of course the UPS decided to die in the middle of it, bringing down my OPNSense box. When I rebooted it was booting up in Live CD mode, and even after I restored the last backup it would just boot in Live CD mode. I know I can just run the installer, but I would prefer not to lose all my settings. Any help will be greatly appreciated.
#10
I'm not exactly sure when this started, but sometime recently I have been unable to access HTTPS websites if I browse using Wi-Fi on my home network. They work fine if I'm on a wired PC, and I know for sure that about a month ago this was working fine. Other than updating the FW I haven't made any changes (and I typically log those changes in my log book so I can revert them if needed).

Just thought I would post here to see if anyone had any advice.  Thank you
#11
Hello all,

Does anyone have a good updated guide on how to configure a VPN service (in my case AirVPN) with OPNsense? I tried something like this when I was on pfSense/PIA, but I made a hash of it since the UI had been updated but the guide had not been.

Thank you in advance
#12
17.1 Legacy Series / ERR_CONNECTION_TIMED_OUT
March 16, 2017, 01:28:35 AM
I'm hoping someone can help with this. Every now and then I will get on one of my PCs and a certain number of websites will fail to load. I get the ERR_CONNECTION_TIMED_OUT message. It seems random, and it's not just PC or browser based b/c it will occur across multiple browsers and PCs. I'm thinking it has something to do with the network/firewall. I saw this behavior in pfSense also. It almost seems like if I wait and reload long enough, most if not all of the websites will start loading. Much more rarely a page will partially load.

I've looked at the logs, but since I don't know what I'm supposed to be looking for I didn't see anything that stood out as a possible culprit.

EDIT: I do get DNS resolution to the websites and most do reply back to pings. Flushing the DNS on the PCs doesn't do anything, and for whatever reason rebooting OPNsense doesn't seem to help at all. BUT if I shut it down, leave it off for a few minutes and turn it back on, the websites will either connect by themselves or after a few seconds on a refresh.
#13
Does anyone here have an Nvidia Shield that they have PLEX working on? I have the PLEX server working on my PC (after entering a NAT port forward), but when I put it up on the Nvidia Shield it can't be found by anything on the network or the outside world. I even enabled UPnP to no avail.
#14
17.1 Legacy Series / [SOLVED] Dynamic DNS UI?
March 08, 2017, 02:40:15 AM
Hello,

I need to set up my Dynu DDNS so I can update my IP. I searched around and did not see anything mentioned. Is there a UI way to manage your dynamic DNS in the GUI?

Thank you
#15
17.1 Legacy Series / [SOLVED] LiveCD mode
February 27, 2017, 12:14:27 AM
Hello,

I'm not sure WTF happened, but I thought I had installed OPNsense and it turns out I'm running in LiveCD mode. I have everything set up and working, and I just want to confirm that there is no way to get this installed using the current settings. I took a backup and I figured worst case I'll have to reinstall, get it running on the SSD and then restore the settings, unless there is a better way.

Thank you
#16
Hello everyone,

I had this big post about how I had upgraded from 16.7 to 17.1 but OPNSense still showed 16.7 installed, on a Jessie minimal install on an ESXi 6.0u2 VM. But before I posted I had a cup of coffee and ran through the process again, and this time properly read the instructions (type "17.1", not just "yes", at the install prompt).

Well, it's amazing the results you get when you follow the instructions properly. 16.7.3 upgraded to 17.1 with no issues so far.

Whitebox ESXi 6.0U2 Server
Supermicro MBD-X8DT6-F-ISO18 Motherboard
Dual L5640 CPU
96GB of ECC RAM
4 Cores
4GB RAM (will reprovision with 8GB)
16GB of 40GB SSD space Thin Provisioned
2 E1000 NICs (figuring out how to change this, but it upgraded just fine)