Topics

1

General Discussion / WiFi: multiple SSIDs with different networks?

« on: February 18, 2019, 09:21:22 pm »

Hi,

did not find the docs on wireless lan nor could I look it up in my current configuration due to lack of wireless adapter:

Is it possible with OPNsense to span 3 wireless networks with different SSIDs and connect them to 3 different firewall zones (LAN, Guest, IoT) on the same one and only wireless network card?

Kind regards,
Boris

2

General Discussion / NFS server and/or syncthing under OPNsense

« on: February 18, 2019, 07:35:48 pm »

Hi,

has somebody already setup a NFS server and/or syncthing under OPNsense?

I know this is not actually the job of a firewall so here is why I'm asking: I would like to use OPNsense on APU 4C4 board in a second home mainly for caching and filtering out ads (and because it is fun). The APU 4C4 equipped with a 500 GB SSD could readily also be used as file storage for home directory and for synchronization with the NAS in the primary location.

In my opinion, the straightforward way would be a jail with NFS server and syncthing installed manually. But maybe there are other suggestions out or warnings to better drop that idea. Happy to know.

Best regards,
Boris

3

19.7 Production Series / Move to FreeBSD 12?

« on: February 17, 2019, 03:30:53 pm »

Hi,

what plans there are for moving OPNsense to FreeBSD 12?

I am asking because I consider buying a box with WLE900VX WLAN module which requires 802.11ac support.

Kind regards
Boris

4

18.7 Legacy Series / External IPv6 DNS Servers are sometimes passed to client but should not

« on: September 08, 2018, 11:23:15 pm »

Hi,

this is the relevant configuration of opnsense box:

OPNsense 18.7.1_3-amd64
DHCPv6 is off
DNSmasq DNS is off
Unbound DNS is on, in Forwarding Mode, local zone type= transparent
Settings | General | DNS servers: set to Google IPv4 and IPv6 webservers

My Ubuntu 18.04 workstation is set to static IPv4. IPv6 is autoconfigured (opnsense box internal network "home" tracks WAN).

During the last months I have seen the following behavior on my workstation:
- In normal operation, the IPv4 and IPv6 addresses of the opnsense box are passed as DNS servers to the workstation.
- From time to time, the IPv6 addresses of the Google DNS servers are passed to the workstation as well, thus bypassing the resolution of the hostnames in the internal network configured in Unbound DNS Server overrides. This happens spontaneously, i.e. the workstation boots up in the desired state and spontaneously transitions into the undesired state.

When the issue is present, systemd-resolve --status on the workstation gives (shortened):

Code: [Select]

Global
          DNS Domain: home.mydomain.de
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      ...
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (enp0s25)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.31.1         <---- opnsense box
                      2001:4860:4860::8888   <----  Google DNS server
                      2001:4860:4860::8844  <----  Google DNS server
                      2a02:...:fe5d:4ca1     <---- opnsense box
          DNS Domain: home.mydomain.de

I suspect that this behavior occurs when the external IP address of the opnsense box changes (DSLight Unitymedia cable connection).

How can I trace the issue to its root cause and remedy it? Your help would be greatly appreciated, thanks in advance.
Boris

5

18.1 Legacy Series / [SOLVED] 18.1.5: IPv6 interface tracking does not work for me any more

« on: March 22, 2018, 08:32:13 pm »

Hi,

upgraded from 18.1.3 to 18.1.5 recently. Now my LAN interfaces do not get IPv6 addresses any more as they did previously in the 18.1 series. The LAN interfaces are set to IPv6 Configuration Type: Track Interface (WAN). WAN has IPv6 address.

Rebooted several times, even with suricata turned off, without success. What logs should I have a look into on the search for the cause?

Kind regards
Boris

6

Web Proxy Filtering and Caching / Transparent SSL Proxy and Letsencrypt Certificate

« on: February 17, 2018, 09:58:00 pm »

Hi,

as more and more sites on the internet use HTTPS for delivering content, I would like to make Squid cache encrypted connections as well. I had this setup once but dropped it soon because I did not want to install the self-signed certificate on any PC, smartphone, ... in my local net.

I am now considering using this feature in combination with the os-acme-client and the os-haproxy plugins to facilitate the automatic retrieval of Letsencrypt certificates for the man-in-the-middle OPNSense box. This will be some work, particularly because my OPNSense box sits behinds the FritzBox which connects the LAN to the internet.

Thus, three questions, please, to check if I am on the right way:
1. Is this feasible at all? I have my own DynDNS service running and can assign an offical domain name to my internet facing IPv6 address assigned by my provider.
2. What needs to be said about the hostname of the OPNSense box in relation to the domain name for which the Letsencrypt certificate is issued?
3. Won't the browser still complain since the domain in the OPNSense box's certificate does not match the remote website's domain?

Kind regards
Boris

7

17.7 Legacy Series / OpenVPN connection dropped every 30 minutes

« on: December 29, 2017, 08:55:41 am »

Hi,

I recently noticed that the OpenVPN connection from OPNsense (client) to server drops exactly every 30 minutes.

Since the OpenVPN server process complains about a reconnect of the same client when the OPNsense re-initiates the connection, I assume that the disconnect is triggered on the client end of the connection, but not necessarily caused by OPNsense or the running OpenVPN client process.

keepalive option is set. No 1800 (seconds) or 30 (minutes) in any config.

client log only shows the reconnect even at verbosity 5.

Could this be related to Issues https://github.com/opnsense/core/issues/2010 and https://github.com/opnsense/core/issues/1931 and an internal 30 minute timer at OPNsense trying to restart the client?

Regards,
Boris




client configuration (OPNsense):

Code: [Select]

root@opnsense:/var/etc # less openvpn/client1.conf
dev ovpnc1
verb 3
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.178.2
engine rdrand
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote s1.4nv.de 1194
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
comp-lzo adaptive
passtos
resolv-retry infinite
reneg-sec 0
#fragment 1428                                                                                                                                                 
mssfix 1428                                                                                                                                     

server configuration:

Code: [Select]

verb 3
#verb 6

proto udp
port 1194

dev vpn-s1
dev-type tun
# fragment 1428 # does not work with android
# mssfix
mssfix 1428
keepalive 10 60
passtos
fast-io
#compress lz4
comp-lzo adaptive

# test
reneg-sec 7200

tls-server
key /etc/openvpn/........
cert /etc/openvpn/........
ca /etc/openvpn/........
dh /etc/openvpn/........
remote-cert-eku "TLS Web Client Authentication"
cipher AES-256-CBC
tls-auth /etc/openvpn/........ 0

float  # Allow remote peer to change its IP address and/or port number, such as due to DHCP

topology subnet
server 192.168.38.0 255.255.255.0
client-config-dir /etc/openvpn/......../clients
route 192.168.30.0 255.255.255.0
route 192.168.31.0 255.255.255.0
route 192.168.178.0 255.255.255.0
client-to-client
push "route 192.168.30.0 255.255.255.0"
push "route 192.168.31.0 255.255.255.0"

push "dhcp-option DNS 192.168.31.1"

management localhost 7505

8

17.7 Legacy Series / radvd[...]: sendmsg: Permission denied

« on: December 12, 2017, 08:32:40 pm »

Hi,

I do not know since when this occurs and if it was already there before the update to 17.7.9. My routing.log gets spilled with messages. This is how the log looks like after a reboot:

Code: [Select]

Dec 12 20:05:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:45 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:05:54 opnsense radvd[12509]: version 1.15 started
Dec 12 20:07:57 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:06 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:13 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:22 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:26 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:31 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:37 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:46 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:08:55 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:01 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:09 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:16 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:19 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:24 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:30 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: Exiting, sigterm or sigint received.
Dec 12 20:09:32 opnsense radvd[12772]: sending stop adverts
Dec 12 20:09:32 opnsense radvd[12772]: sendmsg: Permission denied
Dec 12 20:09:32 opnsense radvd[12772]: removing /var/run/radvd.pid
Dec 12 20:09:36 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:40 opnsense radvd[64346]: version 1.15 started
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Permission denied
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: Exiting, sigterm or sigint received.
Dec 12 20:09:40 opnsense radvd[64868]: sending stop adverts
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: sendmsg: Can't assign requested address
Dec 12 20:09:40 opnsense radvd[64868]: removing /var/run/radvd.pid
Dec 12 20:09:41 opnsense radvd[78492]: version 1.15 started
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense radvd[78845]: sendmsg: Can't assign requested address
Dec 12 20:09:41 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:45 opnsense radvd[78845]: Exiting, sigterm or sigint received.
Dec 12 20:09:45 opnsense radvd[78845]: sending stop adverts
Dec 12 20:09:45 opnsense radvd[78845]: sendmsg: Permission denied
Dec 12 20:09:45 opnsense radvd[78845]: removing /var/run/radvd.pid
Dec 12 20:09:45 opnsense radvd[96804]: version 1.15 started
Dec 12 20:09:45 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[98771]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[98771]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[98771]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[25046]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Permission denied
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[25054]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[25054]: removing /var/run/radvd.pid
Dec 12 20:09:46 opnsense radvd[36299]: version 1.15 started
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: Exiting, sigterm or sigint received.
Dec 12 20:09:46 opnsense radvd[36965]: sending stop adverts
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: sendmsg: Can't assign requested address
Dec 12 20:09:46 opnsense radvd[36965]: removing /var/run/radvd.pid
Dec 12 20:09:47 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:48 opnsense radvd[69684]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Permission denied
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: Exiting, sigterm or sigint received.
Dec 12 20:09:48 opnsense radvd[69906]: sending stop adverts
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[69906]: removing /var/run/radvd.pid
Dec 12 20:09:48 opnsense radvd[77485]: version 1.15 started
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense radvd[78132]: sendmsg: Can't assign requested address
Dec 12 20:09:48 opnsense rtsold: Starting dhcp6 client for interface wan(igb0)
Dec 12 20:09:53 opnsense radvd[78132]: Exiting, sigterm or sigint received.
Dec 12 20:09:53 opnsense radvd[78132]: sending stop adverts
Dec 12 20:09:53 opnsense radvd[78132]: sendmsg: Permission denied
Dec 12 20:09:53 opnsense radvd[78132]: removing /var/run/radvd.pid
Dec 12 20:09:54 opnsense radvd[63529]: version 1.15 started
Dec 12 20:09:54 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:04 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:08 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:21 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:27 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:31 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:40 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:48 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:10:56 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:01 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:10 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:16 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:20 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:29 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:36 opnsense radvd[64432]: sendmsg: Permission denied
Dec 12 20:11:45 opnsense radvd[64432]: sendmsg: Permission denied
And from there on the message repeats all over every 4 to 6 seconds. I did not touch anything in the first 10 minutes after the reboot to let the system settle. IPv6 works well.

Anything I can do to track the cause?

Best regards,
Boris

9

17.7 Legacy Series / LAN tracks WAN IPv6 propagates DNS servers from general setup

« on: August 27, 2017, 12:13:16 pm »

Hi,

hosts in my LAN get IPv6 addresses from OPNsense LAN interface (track WAN). Besides they have
- either static IPv4 addresses and fixed IPv4 DNS servers configured
- or use the DHCP server on OPNsense to get a IPv4 lease and the IPv4 address of the DNS server.

DHCP correctly hands over the IPv4 address of OPNsense (configured to use resolver) as the DNS server. I have verified this with a tool (dhtest).

Unfortunately, the IPv6 addresses of both OPNsense and of the DNS servers entered in System: General setup are also present in the DNS configuration of the hosts that have no static DNS configured. This is undesirable because now e.g. my mobile devices use Google's name servers instead of my resolver on OPNsense as they give precedence to the IPv6 DNS server addresses.

IMHO, only the IPv6 address of OPNsense as DNS server should be propagated to the LAN and not all configured DNS servers. How can I turn this off?

Kind regards
Boris

10

17.1 Legacy Series / OpenVPN: interrupted system call

« on: April 02, 2017, 08:36:27 am »

Hi,

a previously working installation of OpenVPN on 17.1.3 stopped working after upgrade to 17.1.4. After successful initiation of the VPN tunnel, I get an interrupted system call error in the log:

Code: [Select]

...
Apr  2 01:24:40 opnsense openvpn[21132]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr  2 01:24:40 opnsense openvpn[21132]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr  2 01:24:40 opnsense openvpn[21132]: [<server FQDN>] Peer Connection Initiated with [AF_INET]<server IP address>:1194
Apr  2 01:24:41 opnsense openvpn[21132]: event_wait : Interrupted system call (code=4)
Apr  2 01:24:41 opnsense openvpn[21132]: TCP/UDP: Closing socket
Apr  2 01:24:41 opnsense openvpn[21132]: SIGTERM[hard,] received, process exiting
...
Reverting openvpn to 17.1.2 seems to have solved the problem.

Anything I can do to help track down the cause of the issue?

Kind regards,
Boris

11

17.1 Legacy Series / LAN set to Track IPv6 Interface WAN but no global IPv6 address on LAN

« on: March 18, 2017, 11:15:18 am »

Hi,

I had this working once but I am unsure if I screwed up the configuration or the update from 17.1.1 to 17.1.2 was the cause. I am now on 17.1.3.

Details:

Configuration in web interface is
WAN interface: Basic, Directly send SOLICIT, DHCPv6 Prefix Delegation size 64, Send IPv6 prefix hint
LAN interface: Track IPv6 Interface WAN, IPv6 Prefix ID 0

WAN interface gets 64bit prefix from upstream stateless DHCPv6 server:

Code: [Select]

inet6 2a02:908:x:x:x:x:x:f83 prefixlen 64 autoconf
LAN interface only has link-local address

Code: [Select]

inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1
LAN interface does not get an IPv6 address from the delegated prefix.

The following reports may or may not be related:
https://forum.opnsense.org/index.php?topic=4774.msg18598#msg18598
https://forum.opnsense.org/index.php?topic=4404.msg16570#msg16570

Any ideas other than filing an issue?

Best regards
Boris

12

17.1 Legacy Series / [SOLVED] Traffic does not pass from LAN to OPT1 in spite of firewall pass rules

« on: March 04, 2017, 11:08:09 am »

Hello,

searched the Internet before and found similar issues but the solutions did not apply. So please bear with me for asking here. In spite of having easy and manual firewall rules to make (all) traffic pass between LAN and OPT1, I can only reach port 80 on a host at OPT1 network from my workstation at LAN network. Please see below for details.

What do I need to do to enable full TCP connectivity from LAN network to OPT1 network? Any help would be appreciated.

Kind regards
Boris



OPNsense 17.1.2-amd64

LAN 192.168.31.0/24
     opnsense at 192.168.31.1
     my workstation at 192.168.31.8

OPT1 192.168.30.0/24
     opnsense at 192.168.30.254
     a host at 192.168.30.1

my workstation ---------------- opnsense ----------------------- host
192.168.31.8            192.168.31.1      192.168.30.254         192.168.30.1

From opnsense I can ping host at 192.168.30.1 and reach all open TCP ports.
From my workstation at 192.168.31.8 I can connect to port 80 of host 192.168.30.1.
From my workstation at 192.168.31.8 I cannot ping host 192.168.30.1 and not reach any other TCP port than 80.

Firewall: Log Files: Normal View shows that ICMP from 192.168.31.8 to 192.168.30.1 is blocked.
I add easy rule from the view to enable ICMP from 192.168.31.8 to 192.168.30.1.
Still cannot ping.
I add firewall rule for OPT1 to enable all traffic/all protocols between LAN and OPT1 networks.
Still cannot ping. Even not after a reboot.

"Block private/bogon networks" is unchecked for both LAN and OPT1.

The dashboard shows increasing packet count in at OPT1 for the pings but no packet count out.

13

17.1 Legacy Series / Issue with AX88179 USB ethernet adapter

« on: February 26, 2017, 06:02:39 pm »

Hi,

after successful testing in a virtual machine, I replaced IPFire by OPNSense today on the real hardware. The box has a retail mainboard with only one ethernet NIC put in a 1U chassis in my rack which precludes adding more PCIe NICs. I therefore use USB Ethernet adapters for additional LAN connectivity.

My Delock 62417 adapter has the ASIX AX88179 chip and is listed as a supported device unter FreeBSD. It is detected, axge driver is loaded, an IP address can be assigned but it cannot reach anything on the LAN nor can it be reached. I successfully tested the adapter under Linux to ensure that the adapter and cabling is all right.

There is another report about malfunction in this forum but probably went unnoticed because it is in Spanish.

Is this an issue with OPNSense and if so, is there a chance that it will be fixed soon?

If not, could someone please recommend a USB 3.0 Gigabit ethernet adapter that is proven to work? TPLink UE300 is not detected, Logilink UA0144 works but is only Fast Ethernet on USB 2.0.

Thank you,
Boris