Topics - siegfried

#1
24.1, 24.4 Legacy Series / update 24.1.10 kills ssh
July 11, 2024, 04:03:42 PM
No ssh connection possible after updating via GUI; disabling and re-enabling ssh via GUI solves the problem. I think starting the update by ssh is this time a bad idea.
At the 2nd box same issue: updating using ssh, logoff and ssh is no longer connecting. Opening a shell before logoff and running "service openssh onerestart" solves this.
#2
Since upgrade to 20.7, if SysDesc.0 is queried, the SNMP agent adds the string "root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP amd64" to output.

Edit: now using the option "Display Version in OID" for checking installed version.
#3
Edit: oh, I'm a bit confused... there are some old entries for aliases and the gateway field is empty for these entries.

Error when I create or want to create a new alias IP or try to change an existing CARP IP:
The following input errors were detected: A valid gateway IP address must be specified. What's wrong?
#4
Hi, since I upgraded to 20.1.1 last week, squid auth against the AD using LDAP no longer works, but the Kerberos authentication works fine. Log messages say that the users are authenticated for the squid service by LDAP:

user ....authenticated successfully for squid  [using OPNSense\Auth\Services\Squid\ + OPNSense\Auth\LDAP]

I tried to test with opnsense-login -s squid -u username and the result is OK. But the browser still asks with a popup for auth data. It seems like similar behaviour to this:

https://forum.opnsense.org/index.php?topic=12813.msg59349#msg59349

Any hints? Thanks in advance!

Edit: I added an additional conf file in ./auth with basic_auth_ldap and the users are authenticated against AD and able to surf. It's my workaround. Also, if I'm trying to authenticate at the console with valid credentials using /usr/local/libexec/squid/basic_pam-auth -o, it also returns "OK" as result.
#5
Hi all,

Blocking browsers or user-agents using a regex is possible using the GUI, but I also want to allow individual user-agents to access the internet without authentication in the same way. The reason is that some applications are unable to authenticate at the proxy and a URL exception is not an option for this case.

Thanks in advance,
Siegfried
#6
19.7 Legacy Series / Solved: Sensei blocks SNMP
August 07, 2019, 03:26:48 PM
It seems that the Sensei plugin blocks some SNMP queries via the LAN interface. At the monitoring host, SNMP checks (i.e. bandwidth usage checks for network interfaces) don't get answers from the firewall box. If I press "Enter Bypass mode" at the status page for the Sensei plugin in OPNsense, the checks work fine. But the strange thing is, another SNMP check (query for OID sysDescr.0) works all the time...
Running system is 19.7.2.
Any ideas/hints?

Update: I figured out that the checks work fine if SNMP v1 is used. SNMP packet size for the check was the problem. After reducing the max packet size in the service check configuration, the checks are working again with SNMPv2.
#7
Good evening everyone,
I want to set up a site-to-site with VTI. If I bring up the tunnel manually or set the config to "start immediately", everything is fine (so I probably haven't made any fundamental mistakes), but only until the tunnel gets torn down at some point. The tunnel is not brought up automatically again; attached are the messages about it (chronological order from top to bottom):

charon: 15[KNL] received an SADB_ACQUIRE with policy id 2 but no matching policy found
charon: 15[KNL] creating acquire job for policy a.b.c.d/32 === w.x.y.z/32 with reqid {0}
charon: 16[CFG] trap not found, unable to acquire reqid 0

Both boxes are running 19.1.8, both show the same behaviour. On one it is the only tunnel, on the other there are also other, so far policy-based tunnels running.

Does anyone know this problem or have an idea where the error lies?
Thanks in advance,
Siegfried
#8
Hello all,

I'm using certificates issued by our internal PKI; all the certs for the boxes are generated with extendedKeyUsage for serverAuth. In the past I was able to make changes in OpenVPN servers. But the GUI is showing me (since update to 19.1.4?) that the cert is not usable for server use. So I cannot make any changes in the OpenVPN configuration; the GUI is telling me that the "certificate is not intended for server use".
Also a certificate issued by the internal CA is unusable for the OpenVPN server (same message)... what's wrong?

Thanks in advance for your help!
#9
Hi everybody, every time I change something at the OpenVPN servers (or also activate/deactivate the server) there is no longer traffic through the IPsec tunnels at the same box. I have to kill the tunnels and then it's fine again (until the next change at the OpenVPN). I've never seen this behavior before, so I think it's possibly new since 18.7.