Topics - scream

1
23.7 Legacy Series / WAN connectivity loss after modem was powered off
« on: August 31, 2023, 01:50:47 pm »
Hi

The Setup:

OPNSense (VM) -> ESX Host -> Switch (Cisco) -> XGS-PON Bridge (Nokia) -> WAN FTTH

Everything here is powered by UPS.

Problem:

As part of some re-wiring work I disconnected my XGS-PON Bridge's power & fiber. I replaced it and then reconnected it again.
After the re-wiring was finished I had no WAN connectivity at all. So I logged in to my OPNsense FW to check what had happened.
I saw that the WAN interface was stuck without an IPv4 address, with just the IPv6 address assigned.
But no connectivity at all. So I opened "Interfaces -> Overview -> WAN" and clicked "Release/Renew". After that everything was working again.

I assume that the problem is that the WAN link never really went down from the point of view of OPNsense. As it runs as a VM, the NIC was never disconnected. So maybe it never really noticed that the link was down and that a new DHCP request was needed.

Any idea how this could be solved properly?

2
Virtual private networks / wireguard-kmod not working in 22.7
« on: July 31, 2022, 12:32:26 pm »
Hi

Just updated to 22.7 and noticed that wireguard-kmod is not working anymore.
As I found on Google, it needs a rebuild/recompile on 13.1 as the kernel module is not compatible anymore.

Has anyone already done that? Any how-to on how to do this?

BR

3
21.7 Legacy Series / DynDNS client - how to get the right WAN IP
« on: December 23, 2021, 04:01:59 pm »
Hi

I've been running OPNsense for a long time and use dynamic DNS with Cloudflare to update my DNS record to the current public IP.

Unfortunately my FW cannot directly connect to the provider's network, so I have to use the ISP-supplied router in front of my OPNsense.

Since the internet speed is not so good, the ISP gave me an LTE extension for the ISP router.
All TCP traffic that reaches the router is balanced between both links. (Multipath TCP)

The problem I'm now facing is that DynDNS with Cloudflare uses the public source IP to define the DynDNS record.
As the TCP HTTPS requests are also balanced, I randomly get the public IP of the cellular network in the DynDNS record. This doesn't work as it uses carrier-grade NAT.

So I was looking for another solution. I found out that with a simple curl command in bash I can ask the router for the current public IP on the DSL.

My question now is: Is it possible to use some curl command to get the public IP first and then use this IP to update the dynamic DNS record?

4
21.1 Legacy Series / Strange behavior with unbound
« on: July 12, 2021, 09:44:32 am »
Hi

I noticed a strange behavior with unbound when I checked my upstream DNS logs.

Unbound tries to resolve names like:

Code:
host1.localdomain.tld.localdomain.tld

or

Code:
google.com.localdoman.tld

So... I don't get why this happens. :(
I already tcpdumped on some of my servers to check if the server does such requests, but they all look fine.
So for me it looks like unbound adds the "localdomain.tld" to a FQDN.

Any hint is likely welcome!


Edit:
I guess it depends on the following lines I added to the unbound custom config to use a DoT service:

Code:
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: x.y.z.a@853#dnsserver.domain.tld

For me it is still unclear why this happens.
Why does unbound forward "host1.localdomain.tld.localdomain.tld" to the upstream DNS even though there is a local entry for "host1.localdomain.tld"?
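One way to get a handle on where such names come from is to look at the queries the resolver actually forwards and group the doubled-suffix names by the client that sent them. The script below is an added example, not code from the post or from OPNsense/unbound; it assumes a hypothetical, constructed log format of "client qname qtype" per line (adapt the `split()` to whatever your upstream or unbound query log really emits) and the local domain name `localdomain.tld` from the post.

```python
from collections import Counter

# Constructed sample of forwarded-query log lines: "<client> <qname> <qtype>".
# The two odd names are the ones quoted in the post; the rest are normal traffic.
SAMPLE_LOG = """\
192.168.1.10 host1.localdomain.tld.localdomain.tld A
192.168.1.10 google.com.localdomain.tld A
192.168.1.11 host2.localdomain.tld A
192.168.1.12 www.google.com A
192.168.1.12 google.com.localdomain.tld AAAA
"""

LOCAL_DOMAIN = "localdomain.tld"


def has_appended_suffix(qname: str, local_domain: str = LOCAL_DOMAIN) -> bool:
    """Return True when qname looks like an already-qualified name that had the
    local search domain appended to it, e.g. 'google.com.localdomain.tld' or
    'host1.localdomain.tld.localdomain.tld'.

    A single-label local host such as 'host2.localdomain.tld' is not flagged.
    Caveat: legitimate multi-level local names ('a.b.localdomain.tld') would also
    be flagged; add an allowlist for those if you use them.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + local_domain.lower()
    if not name.endswith(suffix):
        return False
    left = name[: -len(suffix)]
    return "." in left


def find_suffix_appended_queries(log_text: str, local_domain: str = LOCAL_DOMAIN):
    """Return a list of (client, qname) tuples for every suspicious query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed or empty lines
        client, qname = parts[0], parts[1]
        if has_appended_suffix(qname, local_domain):
            hits.append((client, qname))
    return hits


def summarize_by_client(log_text: str, local_domain: str = LOCAL_DOMAIN) -> dict:
    """Count suspicious queries per source client so the origin can be inspected."""
    return dict(Counter(client for client, _ in find_suffix_appended_queries(log_text, local_domain)))


if __name__ == "__main__":
    for client, qname in find_suffix_appended_queries(SAMPLE_LOG):
        print(f"{client}\t{qname}")
    print(summarize_by_client(SAMPLE_LOG))
```

If the per-client counts point at a handful of hosts, a packet capture on those hosts filtered on port 53 will show whether the doubled name leaves the client already qualified or is produced by the resolver.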

5
General Discussion / Traffic Shaper with IPTV
« on: December 17, 2020, 01:00:21 pm »
Hi all

I'm running opnsense for a long time now and I'm really happy with it.

I began using the traffic shaper as I use IPTV (multicast) and sometimes a big download is running in parallel, so I want to make sure that other stuff is working properly.

- IPTV (multicast udp stream)
- VOIP
- Office VPN
- DNS etc.

So I've created two Pipes. One for Up and another one for down. (UP = 37M / DOWN = 105M)
I created four queues:

DefaultUp: weight 5
DefaultDown: weight 5
PrioUp: weight 90
PrioDown: weight 90

So in theory all traffic which matches a rule with PrioUp/PrioDown queue will get much more slots in the queue than DefaultUp/DefaultDown.

The problem I now have is that after every channel switch on the IPTV, for the first 5-10 seconds I will see a lot of fragments in the TV stream. This only occurs when a heavy download is running at the same time and only for the first 5-10 seconds after the channel was changed. After that the stream is working without any issues.

So basically I think the problem is the time it takes until the new multicast traffic gets sorted into the queue. So I have to wait until the shaper detects the prio traffic and has done its job, or something like this.

When I create a new Pipe which reserves the bandwidth for the IPTV stream this doesn't help, so I think it is an issue with the buffers which are already "filled up" and I have to wait until the buffer is cleared.

Anyway... reserving isn't really what I want to achieve as this bandwidth is lost when nobody is watching TV.

I read the documentation but I didn't find an answer to my issue :(

Any advice how to solve this?

6
20.7 Legacy Series / Update failed 20.1 -> 20.7 with Sensei
« on: July 31, 2020, 06:30:27 pm »
I run opnsense as a VM on my ESXi Server.

So I just take a snapshot first and then started the update. Tried twice.

After update process has finished I also updated the Sensei packages. (Triggering Update again over WebGUI).
As soon as I start Sensei the console output of my VM explodes and the OS doesn't respond to anything.
The VM then reboots by itself, and as soon as the Sensei packet engine gets started it gets stuck with log console output and boots again.
So I end up in a boot loop as soon as the Sensei Packet Engine gets started.

So I've to revert to 20.1 for the moment.

Any ideas?

7
19.7 Legacy Series / DynDNS with Cloudflare not updating anymore
« on: January 21, 2020, 07:39:58 am »
Hi

I run into an error with latest OPNsense 19.7.9_1-amd64 build.

Today my dynamic IP address changed. But my DynDNS doesn't update the record on Cloudflare.
This was working before for more than a year with the exact same config.

Now I just got these two errors:

Code:
opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (example.domain.tld): PAYLOAD: { "result": null, "success": false, "errors": [ { "code": 9021, "message": "Invalid TTL. Must be between 120 and 2,147,483,647 seconds, or 1 for automatic" } ], "messages": [] }

opnsense: /usr/local/etc/rc.dyndns: Dynamic DNS (example.domain.tld): UNKNOWN ERROR - Invalid TTL. Must be between 120 and 2,147,483,647 seconds, or 1 for automatic

I checked my settings but there is no TTL I can set in the OPNsense GUI. It also doesn't help if I set the TTL on Cloudflare directly to "2 min", for example.

Any ideas how I can solve this issues?

Edit: I just checked my monitoring. Last IP WAN-IP change was at 10. December 2019. At this time it was working normally.

8
19.7 Legacy Series / Use Let's encrypt for FreeRadius
« on: August 25, 2019, 08:31:01 pm »
I want to use a Let's Encrypt certificate for 802.1X auth. Is this possible if I use the DNS challenge?
Can't find any information about that.

9
19.7 Legacy Series / ICAP protocol error. after reboot of opnsense
« on: August 06, 2019, 04:13:24 pm »
Hi together

I run web proxy (squid) with blacklist and ICAP is activated.
Then there is C-ICAP and ClamAV installed and configured.

Everything works fine, and viruses are also filtered (if I try it with EICAR).

After every reboot I can't open any webpage. There is always an error `ICAP protocol error.`

The error can be solved by just restarting "squid" in the OPNsense GUI. But it's annoying.

Any hints why this happens? Is this a known bug?

OPNsense 19.7.2-amd64
FreeBSD 11.2-RELEASE-p12-HBSD
OpenSSL 1.0.2s 28 May 2019
os-c-icap 1.7
os-clamav 1.7
squid 4.8_1

10
17.1 Legacy Series / Problem opening some websites over webproxy
« on: June 11, 2017, 08:14:15 pm »
Hi together

I currently have some strange issue and atm I don't have a clue why that happens.

I installed OPNsense (17.1.18) on two VMs on an ESX host. They are a cluster with CARP.
Everything looks to work fine so far. I can disable CARP on the master and the backup switches to master, and the internet with proxy is working fine so far.

The only thing that I figured out today is that I can't open some sites. As an example: http://wikipedia.org

It always gets stuck on loading and times out. In /var/log/squid/access.log no entry appears like the other ones when I hit enter in my browser. (Tried on Windows 10 with Chrome, Firefox and Edge and on my iPhone with Chrome & Safari).
I tried with a Proxy.pac config as well as with a static proxy config directly in the settings.

After it times out... this line appears in the log:
Code:
1497203664.529  59957 192.168.1.196 TAG_NONE/503 0 CONNECT www.wikipedia.org:443 - HIER_NONE/- -

Yes, there is a blacklist on (adv, tracker, spyware, porn...) but not sites like Wikipedia.

The issue exists even if the backup firewall is master, so it looks like both installs have the same issue.
If I reactivate the proxy on my old pfSense installation all works fine again. Also Wikipedia. Same ESX, same network devices, browsers, OS etc... also same blacklist & config.

Does anyone have an idea how to solve this issue?

If you need some more information to track the issue please contact me so I can try to provide more logs or something like this.

Regards
scream
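A quick way to separate "the request never reached squid" from "squid accepted it and failed upstream" is to parse access.log and pull out the entries whose result is `TAG_NONE` with a 5xx status and no hierarchy (`HIER_NONE`), which is the shape of the line quoted above. The parser below is an added example, not part of the post or of OPNsense/squid; it reads squid's native access.log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, user, hierarchy/peer, content type), using the post's own line plus two constructed normal entries as sample input.

```python
import re
from collections import namedtuple

SquidEntry = namedtuple(
    "SquidEntry",
    "ts elapsed_ms client result status size method url user hier peer ctype",
)

# Squid native log format: ts elapsed client result/status bytes method url user hier/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: the first line is the one quoted in the post, the other two
# are made-up healthy entries (203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
1497203664.529  59957 192.168.1.196 TAG_NONE/503 0 CONNECT www.wikipedia.org:443 - HIER_NONE/- -
1497203600.120    312 192.168.1.196 TCP_TUNNEL/200 5231 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1497203601.001     45 192.168.1.50 TCP_MISS/200 1480 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""


def parse_line(line: str):
    """Parse one access.log line into a SquidEntry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return SquidEntry(
        ts=float(m["ts"]), elapsed_ms=int(m["elapsed"]), client=m["client"],
        result=m["result"], status=int(m["status"]), size=int(m["size"]),
        method=m["method"], url=m["url"], user=m["user"],
        hier=m["hier"], peer=m["peer"], ctype=m["ctype"],
    )


def find_failed_connects(log_text: str):
    """Entries where squid produced a 5xx itself (TAG_NONE) without ever choosing
    an upstream (HIER_NONE): the request was accepted but could not be forwarded."""
    failed = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.result == "TAG_NONE" and e.status >= 500 and e.hier == "HIER_NONE":
            failed.append(e)
    return failed


def failed_hosts(log_text: str) -> dict:
    """Map each failing destination to the longest observed wait in milliseconds."""
    out = {}
    for e in find_failed_connects(log_text):
        out[e.url] = max(out.get(e.url, 0), e.elapsed_ms)
    return out


if __name__ == "__main__":
    for e in find_failed_connects(SAMPLE_LOG):
        print(f"{e.client} {e.method} {e.url} waited {e.elapsed_ms} ms -> {e.result}/{e.status}")
    print(failed_hosts(SAMPLE_LOG))
```

A `HIER_NONE` 503 after a ~60 s wait means squid took the CONNECT but never picked a route to the origin, so the next things to compare between the OPNsense and pfSense proxies are ACL/blacklist evaluation for that exact host and the proxy's own DNS resolution of it, not the browser side.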

11
17.1 Legacy Series / Web Proxy with CARP (Virtual IP)
« on: June 08, 2017, 10:09:15 pm »
Hi together

I try to get my Web Proxy to work with CARP Failover.

I can't configure WebProxy to listen on Virtual IP. So I tried the solution I found somewhere in the Internet. Created a NAT Rule for VirtualIP:3128->localhost:3128.

If I now try to connect with firefox it doesn't work. If I try with telnet it works...

If anyone maybe has a hint for me on how I can get that setup to work, it would be really great!

Regards
scream
