Topics - GurliGebis

#1
Hey,

I'm looking into migrating my IKEv2 ipsec tunnels from the legacy setup to the new setup.
However, it seems like several fields from the "classic" setup are missing, like the phase1 certificate and identifier.

Is there a guide somewhere that tells what from the old setup maps to what in the new setup?
Also, I would expect it to be on feature parity before being deprecated, but that doesn't seem to be the case right now (Unless I'm missing something)
#2
I'm trying to limit my IOT network, to only talk to what it needs to.

I have a hostname that one of my devices needs to talk to, and if I use an online DNS resolver, I can see it resolves to 3 A records (with different IPs).

The problem is, it seems that only one of these gets added to the pf table for the alias.
So it seems like it only uses the first response it gets, instead of looking up the entire record for the host.

Is there a way to fix this, or am I back to having to allow HTTPS traffic for this device to all IP's?
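The behaviour described in this post, beside the fix a practitioner would want, as an added example that is not part of the post or of OPNsense's own alias code. The hostname, the resolver replies and their TTLs are constructed; the pf table name and the `grace` period are assumptions. The point it shows is that no single DNS reply is a reliable picture of a round-robin record set, so the table has to be the TTL-aware union of every address seen, replaced as a whole rather than fed one address at a time:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One resource record as a resolver hands it back (constructed shape)."""
    name: str
    rtype: str     # "A" or "AAAA"
    address: str
    ttl: int       # seconds the answer may be cached


# Constructed sample: three lookups of the same name. A round-robin
# authoritative server rotates the order, and an intermediate cache may
# answer with only what it still holds, so no single reply is a reliable
# picture of the whole record set.
CONSTRUCTED_LOOKUPS = [
    [Record("iot-cloud.example", "A", "192.0.2.10", 300),
     Record("iot-cloud.example", "A", "192.0.2.11", 300),
     Record("iot-cloud.example", "A", "192.0.2.12", 300)],
    [Record("iot-cloud.example", "A", "192.0.2.11", 290),
     Record("iot-cloud.example", "A", "192.0.2.12", 290),
     Record("iot-cloud.example", "A", "192.0.2.10", 290)],
    [Record("iot-cloud.example", "A", "192.0.2.12", 120),
     Record("iot-cloud.example", "AAAA", "2001:db8::12", 120)],
]


def first_answer_only(records):
    """The behaviour described in the post: keep the first address, drop the rest.

    A rule built from this set lets the device reach one of the three
    backends; traffic to the other two is silently blocked.
    """
    for r in records:
        if r.rtype in ("A", "AAAA"):
            return {r.address}
    return set()


def all_answers(records):
    """Every address in one reply, validated as an IP literal so a
    malformed answer cannot turn into a bogus table entry."""
    return {str(ipaddress.ip_address(r.address))
            for r in records if r.rtype in ("A", "AAAA")}


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


class AliasTable:
    """TTL-aware union of everything an alias has resolved to.

    Each address is kept until its longest observed TTL (plus a grace
    period) has passed, so a short cached reply cannot evict an address
    that an earlier full reply said is valid for longer.
    """

    def __init__(self, grace=60):
        self.grace = grace     # assumed: seconds to keep an entry past its TTL
        self.expiry = {}       # address -> time after which it may be dropped

    def refresh(self, records, now):
        """Fold one reply into the table and return the live entries."""
        for r in records:
            if r.rtype not in ("A", "AAAA"):
                continue
            addr = str(ipaddress.ip_address(r.address))
            until = now + r.ttl + self.grace
            self.expiry[addr] = max(self.expiry.get(addr, 0), until)
        return self.current(now)

    def current(self, now):
        """Live entries with expired ones purged, in a stable order."""
        self.expiry = {a: t for a, t in self.expiry.items() if t > now}
        return sorted(self.expiry, key=_sort_key)


def pfctl_replace_args(table, addresses):
    """argv for replacing the whole pf table in one call, instead of
    adding the first address and leaving stale entries behind."""
    return ["pfctl", "-t", table, "-T", "replace", *addresses]


if __name__ == "__main__":
    table = AliasTable(grace=0)
    for reply in CONSTRUCTED_LOOKUPS:
        table.refresh(reply, now=1000)
    print("first answer only:", first_answer_only(CONSTRUCTED_LOOKUPS[0]))
    print("union of replies:", table.current(now=1000))
    print(" ".join(pfctl_replace_args("iot_cloud", table.current(now=1000))))
```

Run against the constructed replies, `first_answer_only` yields a single address while the union holds all three A records plus the AAAA; re-running `current` later drops the AAAA once its shorter TTL has passed but keeps the three IPv4 entries the longer reply vouched for. On a real box the `pfctl` argv is what an alias refresh would execute; here it is only built, so the example runs offline.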
#3
I'm trying to configure IPSec for both Windows 10 and Android clients.

The problem is that the proposals needed for Windows 10 are incompatible with the strongSwan app for Android, and vice versa.

Would it be possible to add a text field for people to override the "ike" and "esp" lines that get put into ipsec.conf?
#4
I've been playing with the Sonicwall firewalls we have, and one thing I like about it is the concept of Address Objects.

Think of them like aliases for subnets, specific addresses etc.

Would it be an idea to add the same feature to OPNsense, so people can create objects for their subnets, servers etc., and then just select them from a list (like currently where you have LAN Subnet, LAN IP), instead of typing them manually?
This could also be extended to the rest of the system, like DHCP Relay, where the target DHCP servers could be selected from a list of objects (or written manually still).

If it makes sense, I would suggest 4 different types of Address Objects (IPv4 address, IPv4 subnet, IPv6 address, IPv6 subnet).

What do you guys think?
#5
Just tried installing 17.1 on a new Hyper-V virtual machine, but it does not see the IDE disk.

Installing 16.7 works fine - I'll be testing if it works after upgrading in a few minutes.
#6
I've been reading about the plugin system, and have gotten to this page: https://docs.opnsense.org/development/examples/helloworld.html#create-an-installable-plugin

Might just be me, but I cannot find the info on how the binaries for the service the plugin is about should be built and added to the package?

And can the plugin be installed using the normal pkg tool, or does it have to be integrated into the backend and installed from there somehow?
#7
I have two OPNsense VMs configured, but for some reason, on none of them does miniupnpd start automatically.

In the config file, the only mention of it is this section:

  <installedpackages>
    <miniupnpd>
      <config>
        <enable>1</enable>
        <enable_upnp>1</enable_upnp>
        <enable_natpmp>1</enable_natpmp>
        <ext_iface>wan</ext_iface>
        <download/>
        <upload/>
        <overridewanip/>
        <permuser1/>
        <permuser2/>
        <permuser3/>
        <permuser4/>
        <iface_array>lan</iface_array>
      </config>
    </miniupnpd>
  </installedpackages>


Am I missing something, or how do I get it to autostart?
#8
Hey,

I have been playing around with a test setup of opnsense, but noticed that it is not currently possible to use EAP-RADIUS.

So, I went ahead and implemented it.
It is split across two pull requests:

https://github.com/opnsense/tools/pull/43
https://github.com/opnsense/core/pull/1342

I have tested it on my own setup, and it seems to be working just fine (Windows 10 clients connecting in).
Please note that it has been several years since I have touched anything PHP related (moved to C#, since that is my day job).

The following text strings have been added, but I'm not sure how to add them to the gettext dictionary for translation - if someone can tell me how to do that, I'll do it and add another commit/pull request for that.

Is it possible to get it into 17.1, or are we too close to release for that?

Thanks :)

Note to self, the text strings to translate are:

"You must enter both RADIUS server and secret to use EAP-RADIUS."
"RADIUS Server"
"Input your RADIUS server IP."
"RADIUS Secret"
"Input your RADIUS secret."
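What the two IPsec posts above ask for, written out in strongSwan's own configuration syntax: the comma-separated proposal lists from the Windows 10 / Android post, and the EAP-RADIUS road-warrior authentication from this post. This is an added example, not the OPNsense generated configuration and not the code in the pull requests. It assumes a strongSwan built with the eap-radius plugin; the file paths, hostname, certificate name, client pool, RADIUS server address and secret are placeholders, and the proposal `aes256-sha1-modp1024` is assumed here to be the one the Windows 10 built-in client offers by default.

```conf
# /usr/local/etc/ipsec.conf  (assumed path)
config setup
    uniqueids = never

conn rw-eap-radius
    keyexchange=ikev2
    # Comma-separated proposal lists: the responder picks the first entry
    # the client also offers, so a stronger proposal can go first for the
    # strongSwan Android app and a weaker one second for Windows 10.
    # The trailing "!" forbids negotiating anything that is not listed.
    ike=aes256-sha256-modp2048,aes256-sha1-modp1024!
    esp=aes256-sha256,aes256-sha1!
    left=%any
    leftid=@vpn.example.org
    leftcert=vpnCert.pem
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftsendcert=always
    right=%any
    rightsourceip=10.10.0.0/24
    # Client authenticates with EAP; strongSwan forwards the EAP exchange
    # to the RADIUS server configured in strongswan.conf below.
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%identity
    auto=add

# /usr/local/etc/strongswan.conf  (assumed path)
charon {
    plugins {
        eap-radius {
            servers {
                primary {
                    # placeholder RADIUS server; the secret must never be empty,
                    # which is what the validation string in the post guards against
                    address = 192.0.2.10
                    secret = CHANGE_ME
                    auth_port = 1812
                }
            }
        }
    }
}
```

Without the `!` the responder would still accept any proposal either client happens to send that strongSwan supports, so the strict marker is what makes the explicit list a policy rather than a preference. `rightsendcert=never` keeps the gateway from asking EAP clients for a certificate they do not have.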
#9
17.1 Legacy Series / EAP-RADIUS support implemented
January 22, 2017, 08:53:01 PM
Moved to https://forum.opnsense.org/index.php?topic=4323.0 , since I placed it in the wrong forum.