OPNsense Forum
Topics - comet

1
General Discussion / OPNsense should get a Mastodon presence and make announcements there
« on: January 20, 2023, 10:43:47 am »
Twitter seems to be in a death spiral, see https://blog.iconfactory.com/2023/01/twitterrific-end-of-an-era/ for how they are treating app developers.  I was using a different app to access Twitter and it also stopped working and I am so fed up with Twitter anyway that I haven't been on their site since except to stop following everyone I had been following there.  For a number of reasons you may want to consider leaving Twitter and moving to Mastodon while you have the choice and can announce it to your followers, because there's a good chance that if and when (and I think it's a matter of when, not if) it disappears it will do so quite suddenly, and then you won't have the opportunity to tell your Twitter followers how to find you on Mastodon.  Obviously you don't need to leave Twitter in order to have a presence on Mastodon, you could post to both for a while, but increasingly you may find that Twitter is turning into the kind of place you won't want to be.

Just a suggestion.

2
General Discussion / How do you set OPNsense to use a different DNS than your ISP's?
« on: May 29, 2021, 05:28:59 pm »
Sometimes what should be the simplest questions are the hardest ones to find an answer to.  I just want to set it so that when OPNsense goes out to get updates, etc. it uses Google's DNS rather than my ISP's, because my ISP's DNS is horribly slow.  I am hoping that you do not have to make changes in Unbound, because it seems that when people do that they then have all kinds of DNS issues.

I found these settings, if I just enter the DNS I want to use in those fields will that be sufficient, or is that for some other purpose entirely?


3
20.7 Legacy Series / What is the easiest way to power down an OPNsense router from another system?
« on: January 11, 2021, 02:24:29 am »
What I am looking for is a way to run a bash script from a different machine on the LAN side of the network that will gracefully power off the router prior to powering itself down.  This would be for a very rare use case but I do need it to work reliably if it is run.  Is there any relatively easy way to do this?
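One way to build the script asked for above, added here as an example rather than anything from the forum or from OPNsense: the LAN-side host runs ssh with a dedicated key, and on the router that key is installed with a forced command so it cannot be used for anything except the power-off. Assumptions: SSH is enabled on the router's LAN interface, the public key is installed for the router account used (root here, or another account allowed to run shutdown), and the router runs FreeBSD's shutdown(8), so `shutdown -p now` halts and powers off. All addresses and paths are constructed.

```python
"""Graceful remote power-off of the router from a LAN host.

Added example, not code from the forum or from OPNsense.  Assumes SSH on the
router's LAN side, a dedicated key pair on the LAN host, and FreeBSD shutdown(8)
on the router.  The authorized_keys entry is the least-privilege part: with a
forced command the key is useless for anything except the power-off."""
import subprocess

POWEROFF_CMD = "/sbin/shutdown -p now"


def forced_command_entry(pubkey_line, source_host=None):
    """authorized_keys line restricting pubkey_line to POWEROFF_CMD.
    source_host, if given, also pins the key to one LAN address via from=."""
    options = [f'command="{POWEROFF_CMD}"', "no-port-forwarding",
               "no-X11-forwarding", "no-agent-forwarding", "no-pty"]
    if source_host:
        options.insert(0, f'from="{source_host}"')
    return ",".join(options) + " " + pubkey_line.strip()


def poweroff_argv(router, identity_file, user="root"):
    """ssh argv for the LAN-side script: non-interactive, short timeout,
    host-key checking kept strict."""
    return ["ssh", "-i", identity_file,
            "-o", "BatchMode=yes",            # never prompt for a password or passphrase
            "-o", "ConnectTimeout=5",
            "-o", "StrictHostKeyChecking=yes",
            f"{user}@{router}",
            POWEROFF_CMD]                     # ignored by the forced command, kept for clarity


def power_off_router(router, identity_file, user="root", run=subprocess.run):
    """Run the command and return ssh's exit status.  Because the router drops
    the session while shutting down, 255 (connection closed) can still mean
    the shutdown was started."""
    result = run(poweroff_argv(router, identity_file, user), check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed values: LAN host 192.168.1.10, router 192.168.1.1
    print(forced_command_entry("ssh-ed25519 AAAAexamplekey poweroff@lanhost",
                               source_host="192.168.1.10"))
    print(" ".join(poweroff_argv("192.168.1.1", "~/.ssh/router_poweroff")))
```

The forced command means the router decides what the key may do, not the script; even if the LAN host is compromised, the key only buys the attacker the ability to power the router off, which is worth weighing against the convenience before installing it for root.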

4
20.7 Legacy Series / Any known problems installing 20.7 on system with Intel Atom D2550 1.86GHz CPU?
« on: December 30, 2020, 12:02:22 am »
Since we are having no luck getting OPNsense to install on a system with an older AMD CPU, I would like to know if there are any known issues with installing OPNsense on an older system with an Intel Atom D2550 1.86GHz and 8GB of DDR3 RAM.  In other words, I am just trying to determine in advance whether OPNsense has problems installing on all older computers, or just ones with AMD CPUs.


5
20.7 Legacy Series / Reboots during installation on system with AMD Athlon II X2 260 Processor
« on: December 28, 2020, 11:56:05 pm »
Trying to install OPNsense on a system with the following specs:

AMD Athlon II X2 260 Processor
3.20 GHz
Cache RAM (L2): 2MB
Installed Memory 3072 MB /PC3-10600

This system has a BIOS.  We tried the VGA version and the serial version, both of which rebooted during install, and the DVD version wouldn't boot at all (but we had it on a USB stick so probably no surprise there).

Just before it fails these are the last things it prints on the screen:

Code:
Trying to mount root from ufs:/dev/ufs/OPNsense_install [ro,noatime]...
da0 at umass-sim0 bus 0 scbus 4 target 0 lun 0
da0: <Multi Flash Reader 1.00> Removable Direct Access SCSI device
da0: Serial Number (a hexadecimal number)
da0: 40.0000MB/s transfers
da0: Attempt to query device size failed: NOT READY, Medium not present
da0: quirks=0x2 <NO_6_BYTE>
GEOM: da1: the secondary GPT header is not in the last LBA.
GEOM: diskid/DISK-(some hexadecimal digits): the secondary GPT header is not in the last LBA.

Right after printing that last line, the screen goes black for a short bit and then the BIOS boot screen appears.  The installation to the hard drive apparently never even gets started, because after it reboots it goes into Ubuntu which is what was previously on the drive.

We also tried the fix at https://forum.opnsense.org/index.php?topic=13564.msg62529#msg62529 but that accomplished nothing, after entering those lines at the OK prompt the system still rebooted at that same spot in the install.

Anything else we can try to make OPNsense install?

6
18.1 Legacy Series / DNS question: How to use DNS other than the one the ISP specifies in its DHCP?
« on: April 24, 2018, 08:28:06 pm »
The problem is simple, the ISP's DNS sucks.  Quite often it will simply stop resolving certain addresses for a few hours, for no specific reason.

As a workaround, for now I'd like to use Google's DNS servers.  I see that under System: Settings: General, under "DNS servers" there is a place where you can specify up to five DNS servers, but I'm not quite clear on how that's used.  There is a dropdown next to each DNS server field under "Use gateway" and the choices are "NONE" or "WAN_DHCP - wan - (wan IP address)" - which should I use?

Then at the bottom there are two options, "Allow DNS server list to be overridden by DHCP/PPP on WAN" which is currently checked, and "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" which is currently not checked - would I need to change either of those?

And also, by default when I set this up, under Services: Unbound DNS: General, "Enable DNS Resolver" is checked, and the only other thing checked on that page is "Enable DNSSEC Support" (I honestly don't remember if that was checked by default, or if I checked it for some reason).  Other than that all the Unbound DNS settings are the defaults, except that under Services: Unbound DNS: Access Lists it shows the local network and says "From General settings" but I have no idea where that is coming from.  If you click the pencil in that section it takes you back to Services: Unbound DNS: General but still I see nothing there about Access Lists.  But putting all that aside for a moment, is there anything at all that would need to be changed in the Unbound DNS settings so that I could use Google's DNS rather than my ISP's?

I'm not trying to do anything fancy here at the moment, just substitute Google's DNS service for the one my ISP (actually my cable modem) hands out via DHCP.  Seems like it should be simple, but I have searched and searched and I can't find a page that explains how to do this simple task correctly.

7
General Discussion / Is there any (easy) way to set OPNsense to never remap certain outbound ports?
« on: April 22, 2018, 12:42:26 am »
I ran into an issue today where a Linksys VoIP adapter connected to OPNsense, but registering to an Asterisk server at another location on the Internet (not on the same local network), was re-registering every few minutes but every time it did, it would use a different SIP port.  This behavior would cause the Asterisk server to think the VoIP adapter had disappeared near the end of each registration cycle.  The solution in this case was to create a new rule under Firewall: NAT: Outbound, specifying the VoIP adapter's address as the Source address (actually I created an alias and used that), and then checking the "Static-port" checkbox.  Then the VoIP adapter registered using the correct ports, and Asterisk is happy.

However, sometimes I use a softphone client on one of my desktop machines and I wonder if that could be similarly affected.  It occurs to me that there should be some way to set a list of outgoing ports that would not be remapped.  For example 5060 UDP, or perhaps a range such as 5060-5063 UDP (which are commonly used by SIP devices with multiple phone ports or "lines").  Basically, if a device is trying to make an outgoing connection using one of the "protected" ports, it should not be remapped.

I'm not sure if that is a workable solution (please feel free to explain if it isn't) but I just wondered if OPNsense has the ability to protect certain specific user-specified ports from being remapped, and if so, how do you do that?

8
Hardware and Performance / Does this WiFi Module work with OPNsense?
« on: April 16, 2018, 01:33:25 am »
Amazon sells an "AR9462 AR5B22 Combo WiFi 2.4G/5G & Bluetooth 4.0 module, 802.11 ABGN Dual Band, 2T/2R Mini PCI-Express Half-Size Module, Atheros AR9462 chipset" that would fit in the hardware we are using, but I can't determine if OPNsense supports it.  Does anyone know for sure, or does anyone know of a similar module that is known for sure to work with OPNsense?

9
18.1 Legacy Series / New install, having problems with WiFi and OpenVPN
« on: April 15, 2018, 02:11:30 am »
Hello.  Today I installed OPNsense on a QOTOM Q330G4 (like one of these on Amazon's site) but I am having two issues.

First, I cannot get the WiFi to work, it does not seem to be recognized by OPNsense.  I opened it up and the chip inside is a Broadcom model BCM943228HM4L (FCC ID: QDS-BRCM1054).  Do I need to load a driver of some kind, and if so, how?  This FreeBSD man page seems to indicate that a Broadcom driver is available but I see no way to get it into OPNsense, even if that would fix the problem.  If there is no way possible to make this work, is there any replacement that is known to work with OPNsense?  Physically it looks like this:

EDIT (the next day): Tried temporarily replacing that module with a similar Atheros module pulled from an old Acer Aspire Revo R3610.  It works and OPNsense recognizes it, but I had to follow the instructions in this pfSense video (starting at around the 18:30 mark) to get it to work. Naturally what you see there is not exactly what you see in OPNsense; in particular, when you do the part of the setup from the terminal window there is an initial question about DHCP that is not shown in the video, and you have to answer "no" to that.  Also found I got the best speed selecting 802.11g as the standard (802.11ng was considerably slower).  Note that if you have already created a wireless interface and you cannot go out to the Internet then you have to delete everything you added regarding wireless and completely start over, following the instructions in the video.  For me, at least, trying to set it up using just the Web GUI did not work - devices could connect but could not reach the Internet (I even tried the trick of bridging the Wireless and LAN interfaces and that did not work). YMMV, I am just saying what worked for me.  This probably isn't a long term solution, due to the age of the module and the apparent fact that it doesn't seem to support 802.11n. (End of edit)

Is there any page that lists what WiFi cards will work with OPNsense?  There are pages that list cards that are supported by FreeBSD but it appears that in at least some cases you have to specify which drivers are included when FreeBSD is built, so therefore my assumption is that I need to know what cards are actually supported by OPNsense (since I'm not building FreeBSD from scratch).

The other issue is that I tried to set up an OpenVPN server using the wizard, and everything seemed to be going smoothly until I tried to generate the client.ovpn file that will be used at the remote location.  I went to VPN: OpenVPN: Client Export and under Client Install Packages it shows my User Name and Certificate Name but when I click the Export dropdown and select "File Only" it returns this error:

"The following input errors were detected:

    Could not locate the CA reference for the server certificate.
    Failed to export config files!"

If I go to System: Trust: Certificates it shows two certificates, a "Web GUI SSL certificate" which is shown as in use by Web GUI and OpenVPN Server, and a cert with a name that matches the user name I created and is shown as in use by "User Cert".  So I am confused - is there supposed to be yet a third certificate, and if so, what might I have done wrong in the wizard?  Are there any more up-to-date instructions that show how to use the OpenVPN wizard properly to get this to work?

Under OpenVPN servers my settings are these:

General information:
Disabled    (unchecked)
Description    VPN
Server Mode    Remote Access (SSL/TLS + User Auth)
Backend for authentication    Local Database
Enforce local group    (none)
Protocol    UDP
Device Mode    tun
Interface    WAN
Local port    1194

Cryptographic Settings:
TLS Authentication    
Enable authentication of TLS packets. (checked)
(A 2048 bit OpenVPN static key is shown in the text box)
Peer Certificate Authority    VPN Certificate
Peer Certificate Revocation List    VPN Certificate (VPN Certificate)
Server Certificate    Web GUI SSL certificate *In Use
DH Parameters Length    4096 bits
Encryption algorithm    AES-192-CBC (192 bit key, 128 bit block)
Auth Digest Algorithm    SHA256 (256-bit)
Hardware Crypto    No Hardware Crypto Acceleration
Certificate Depth    One (Client+Server)
Strict User/CN Matching    (unchecked)

I believe the tunnel and client settings were left at the defaults.

If you see anything in those settings that might cause this issue please let me know.

What I am trying to do is not exactly covered by either of your tutorials, "Setup SSL VPN Road Warrior" or "Setup SSL VPN site to site tunnel".  Besides the fact that both seem to have been written for older versions of OPNsense that do not include the "wizard", neither covers my situation exactly.  The first seems to require the use of two-factor authentication, and the second seems to want to set up a peer-to-peer setup where users on either network can interact with the other.  What I want to do is more like a site-to-site tunnel except that I only want it to work in one direction, in other words I want to be able to come in remotely from one fixed location (always the same machine at the same IP address) and connect to the VPN server on the router, but I do NOT want users on the local network on the OPNsense router to be able to access the remote network.  But also, I need it set up so the remote end can log in automatically with just the .ovpn file and a username and password. 2-factor authentication is not required nor desired in this case.

10
18.1 Legacy Series / How difficult is it to get an OpenVPN server working, really?
« on: April 01, 2018, 01:19:22 am »
I've been using OPNsense for several weeks now and it's working quite well, but I really only use it as a basic router for the most part.  I don't know enough about networking to use its advanced features, and I don't understand a lot of the technical stuff that's discussed in this forum, but I like OPNsense because it gets frequent security updates.

So to get to the question, one of my relatives is currently running a router with a specific version of DD-WRT on it that does not seem to get updated frequently.  I was considering replacing it with a small computer running OPNsense but there is one thing that puts me off.  I need it to be able to run OpenVPN (as a server) so I can access their network remotely, and I need it to be EASY to set up.  The workings of VPNs are a bit of a mystery to me, but in DD-WRT they make setting up a VPN quite easy - they have a page where you set up the OpenVPN server, and then it generates a client.ovpn file you can take to your client machine (I may be oversimplifying that a little bit, but not much).  I have not attempted to set up OpenVPN under OPNsense, so how easy is it to do (compared with setting it up in DD-WRT, if you've ever done it there)?

But also, I want to know if OpenVPN works pretty well, or if you have to fiddle with it a lot to get it working reliably.  I see a thread like the one at https://forum.opnsense.org/index.php?topic=7761.0 and it makes me wonder if setting up OpenVPN or getting it to work reliably would be a real struggle.  Given the problems I had just getting port forwarding to work, my fear is that setting up OpenVPN under OPNsense would be beyond my ability level.  Am I worried for nothing, or is setting up an OpenVPN server a complicated process in OPNsense?  And, are there any good recommended videos or pages on how to do it?

11
18.1 Legacy Series / Plugin suggestion: Persistent SOCKS5 proxy
« on: March 26, 2018, 10:31:58 pm »
Don't know if this is the correct forum for this but anyway if anyone is looking for the chance to author a plugin, here's my suggestion: A persistent SOCKS5 proxy that could be used by any device on the local network.  This assumes you can SSH into some other system to create the proxy.  My guess would be that beneath the GUI you'd use something like autossh to set up the proxy, since if the connection drops autossh will keep trying to reconnect.

The plugin would need to ask for the following information (at a minimum) to make the ssh connection:

SSH IP address
SSH Port (default: 22)
SSH Username
SSH Password  (could also allow the use of Public Key authorization, I'm not sure what would be required to enable that)
SOCKS5 Proxy Port

I believe this would translate to something like this:

autossh -f -N -C -p SSHport Username@IPaddress -D SOCKS5ProxyPort

-f runs it in the background
-N tells ssh to not run any commands
-C disables compression
-p SSHport is not needed for default SSH port 22 (some people run SSH on an alternate port for security reasons)

Once this is set up, the idea is that any machine or software on the local network (Firefox, for example) could use the SOCKS5 proxy simply by specifying the router's address and the SOCKS5 Proxy Port number.  You would not have to run multiple SOCKS5 proxies from each local machine on the network that needs to use the proxy.

Just a suggestion and just so you know, I am not a programmer and would not have even the beginnings of a clue how to do this myself.  If you like the idea you are welcome to it; if you don't then feel free to ignore it.
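One way the backend of such a plugin could assemble the autossh invocation from the fields listed above, added here as an example rather than code from OPNsense or from any existing plugin. Two details the post does not cover are assumptions made here: `ssh -D` listens on loopback unless a bind address is given, so serving other LAN devices means binding the router's LAN address; and ssh will not take a password from the command line, so a service started unattended needs key authentication (the post's alternative). The `-M 0`, `ServerAlive*`, `ExitOnForwardFailure` and `BatchMode` options are standard autossh/ssh options chosen for a service that must reconnect on its own; the host, user, ports and paths are constructed.

```python
"""Build the autossh argv for a persistent SOCKS5 proxy from the plugin fields.

Added example, not code from OPNsense or any plugin.  Inputs are validated
before use and returned as a list so that nothing is ever shell-parsed."""
import ipaddress
import re

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # conservative POSIX-style names


def build_socks_proxy_cmd(ssh_host, ssh_user, socks_port, ssh_port=22,
                          bind_address="127.0.0.1", identity_file=None,
                          compress=False):
    """Return argv for autossh, or raise ValueError on a bad field."""
    if not 1 <= ssh_port <= 65535:
        raise ValueError("SSH port out of range")
    if not 1024 <= socks_port <= 65535:
        raise ValueError("SOCKS5 port must be an unprivileged port")
    if not USERNAME_RE.match(ssh_user):
        raise ValueError("unexpected characters in SSH username")
    ipaddress.ip_address(ssh_host)       # the post asks for an IP address; raises on junk
    bind_ip = ipaddress.ip_address(bind_address)
    bind = f"[{bind_ip}]" if bind_ip.version == 6 else str(bind_ip)  # ssh wants brackets for IPv6

    argv = ["autossh",
            "-M", "0",                   # no monitor port; rely on ServerAlive below
            "-f",                        # background once the connection is up
            "-N"]                        # no remote command, forwarding only
    if compress:
        argv.append("-C")                # -C requests compression (useful on slow links)
    argv += ["-o", "ServerAliveInterval=30",
             "-o", "ServerAliveCountMax=3",     # dead link noticed in about 90 s, autossh reconnects
             "-o", "ExitOnForwardFailure=yes",  # a refused -D makes ssh exit so autossh retries
             "-o", "BatchMode=yes"]             # never hang on a prompt when run as a service
    if identity_file:
        argv += ["-i", identity_file]
    if ssh_port != 22:
        argv += ["-p", str(ssh_port)]
    argv += ["-D", f"{bind}:{socks_port}", f"{ssh_user}@{ssh_host}"]
    return argv


if __name__ == "__main__":
    # Constructed values: jump host 198.51.100.7 on port 2222, proxy bound to the router's LAN address
    print(" ".join(build_socks_proxy_cmd("198.51.100.7", "proxyuser", 1080,
                                         ssh_port=2222, bind_address="192.168.1.1",
                                         identity_file="/usr/local/etc/socks-proxy/id_ed25519")))
```

Binding the proxy to the LAN address is what makes the post's idea work for every device, but it also makes the proxy reachable by every LAN host, so a firewall rule limiting which sources may connect to that port belongs to the same feature rather than being left to the user.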

12
18.1 Legacy Series / Has anyone had a problem-free upgrade from OPNsense 17.7.12 to 18.1?
« on: January 31, 2018, 07:35:56 am »
I have seen so many posts and threads about people having issues upgrading from 17.7.12 to 18.1 that I am wondering if anyone has had a problem-free upgrade, and if so, did you need to do anything special?  I am still pretty new at this stuff and don't really know how to dig myself out of a hole if the upgrade fails, so if there is a path to success I'd like to know what it is.  I do use aliases and I do use port forwarding, but I do not use IPv6, if that makes any difference.

It seems to me that there are three possible options:
  • Try to do an upgrade in the normal manner via the web interface, as was done with upgrades of point versions of 17.7.  Has anyone had success with this?
  • Save the configuration, do a complete install of 18.1 from scratch, then try to import the saved configuration.  Since the configuration is saved as a .xml file I wouldn't think this should cause any problems, but still I am wary after seeing so many reports of failure.  Has anyone gone this route, and if so, has it worked for you or did you still have problems due to using the imported settings?
  • Do a complete install of 18.1 from scratch, then re-enter all the settings manually.  The obvious disadvantage here is that I might miss a few important settings, or that if the labels on any settings have been changed, I might not know where to put certain settings from the previous version.  Yet it appears this is the only thing that has worked for some users.
I probably won't be doing this until the weekend so I'd just like to know, which of these ways is likely to be successful and which is likely to result in failure, based on the experience of those that have already completed the upgrade?  This will be the first major version upgrade I have done since starting with OPNsense, and I don't really know what to expect.

13
17.7 Legacy Series / Upgraded to 17.7.12 and it says unbound-1.6.7_1 is vulnerable
« on: January 20, 2018, 06:23:14 am »
After doing the upgrade an audit shows this:

***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
unbound-1.6.7_1 is vulnerable:
unbound -- vulnerability in the processing of wildcard synthesized NSEC records
CVE: CVE-2017-15105
WWW: https://vuxml.FreeBSD.org/freebsd/8d3bae09-fd28-11e7-95f2-005056925db4.html

1 problem(s) in the installed packages found.
***DONE***

Near the bottom of the page at https://unbound.net/downloads/CVE-2017-15105.txt it says that the solution is to download a patched version of Unbound, or apply the patch manually.  But I don't know how to do that, or if it's even possible to do that in OPNsense, without causing serious breakage.  What would be the best way to fix this without breaking anything, or should I just wait for an upgrade fix?

14
17.7 Legacy Series / libxml2-2.9.4 is vulnerable
« on: December 17, 2017, 07:26:22 am »
Got this on a router audit:

***GOT REQUEST TO AUDIT***
Fetching vuln.xml.bz2: .......... done
libxml2-2.9.4 is vulnerable:
libxml2 -- Multiple Issues
CVE: CVE-2017-9050
CVE: CVE-2017-9049
CVE: CVE-2017-9048
CVE: CVE-2017-9047
CVE: CVE-2017-8872
WWW: https://vuxml.FreeBSD.org/freebsd/76e59f55-4f7a-4887-bcb0-11604004163a.html

1 problem(s) in the installed packages found.
***DONE***
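The two audit reports above (this one and the unbound one in the previous topic) share one layout, which makes them easy to turn into records for tracking rather than re-reading forum posts. The parser below is an added example, not part of the posts or of OPNsense; the two sample outputs are copied from the posts, and the parsing rules (a `<pkg> is vulnerable:` header, one title line, then `CVE:` and `WWW:` lines, a blank line closing each record, and a `N problem(s)` summary) are an assumption based on how that output looks.

```python
"""Parse `pkg audit` output into structured findings and cross-check the count.

Added example, not from the forum or OPNsense.  The two samples below are the
outputs pasted in the posts; the format rules are inferred from them."""
import re
from dataclasses import dataclass, field

SAMPLE_UNBOUND = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
unbound-1.6.7_1 is vulnerable:
unbound -- vulnerability in the processing of wildcard synthesized NSEC records
CVE: CVE-2017-15105
WWW: https://vuxml.FreeBSD.org/freebsd/8d3bae09-fd28-11e7-95f2-005056925db4.html

1 problem(s) in the installed packages found.
***DONE***
"""

SAMPLE_LIBXML2 = """\
***GOT REQUEST TO AUDIT***
Fetching vuln.xml.bz2: .......... done
libxml2-2.9.4 is vulnerable:
libxml2 -- Multiple Issues
CVE: CVE-2017-9050
CVE: CVE-2017-9049
CVE: CVE-2017-9048
CVE: CVE-2017-9047
CVE: CVE-2017-8872
WWW: https://vuxml.FreeBSD.org/freebsd/76e59f55-4f7a-4887-bcb0-11604004163a.html

1 problem(s) in the installed packages found.
***DONE***
"""

HEADER_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
CVE_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$")
WWW_RE = re.compile(r"^WWW:\s*(\S+)\s*$")
COUNT_RE = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")


@dataclass
class Finding:
    package: str
    version: str
    title: str = ""
    cves: list = field(default_factory=list)
    url: str = ""


def split_pkg(name):
    """'unbound-1.6.7_1' -> ('unbound', '1.6.7_1'); the version follows the last '-'."""
    base, sep, version = name.rpartition("-")
    return (base, version) if sep else (name, "")


def parse_pkg_audit(text):
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            base, version = split_pkg(m.group("pkg"))
            current = Finding(package=base, version=version)
            findings.append(current)
            continue
        if current is None:          # banner and fetch lines before the first record
            continue
        if not line:                 # blank line closes the record
            current = None
            continue
        m = CVE_RE.match(line)
        if m:
            current.cves.append(m.group(1))
            continue
        m = WWW_RE.match(line)
        if m:
            current.url = m.group(1)
            continue
        if not current.title:        # first free-text line after the header is the title
            current.title = line
    return findings


def reported_problem_count(text):
    """The count pkg itself printed, or None if the summary line is missing."""
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def audit_is_consistent(text):
    """True when the parsed records match pkg's own summary count; a mismatch
    means the output was truncated or the format changed, so do not trust it."""
    return reported_problem_count(text) == len(parse_pkg_audit(text))


if __name__ == "__main__":
    for sample in (SAMPLE_UNBOUND, SAMPLE_LIBXML2):
        for f in parse_pkg_audit(sample):
            print(f.package, f.version, f.cves, f.url)
        print("consistent:", audit_is_consistent(sample))
```

The consistency check is the part worth keeping in any automation: a report that parses to zero findings but says "1 problem(s)" is a parser failure, not a clean system.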

15
General Discussion / Possible to force all devices to use the time server in OPNsense?
« on: November 27, 2017, 08:03:55 pm »
I saw a discussion in another forum (completely unrelated to networking) about how someone forced all the devices on his network to use the time server on his router, even if they were trying to go to some other address, using something called DNAT.  He posted this image as an example.  This is obviously not from OPNsense:



I am probably going to be sorry I asked, given the complexity of the responses I have received in previous threads, but I just wonder if there is any EASY way to do this in pfSense.  As best I can tell, they are intercepting any outgoing traffic to the NTP services (probably to UDP port 123) from any system on the LAN and redirecting it to the router's internal NTP server.  I just don't understand this DNAT thing.

This is not a high priority item for me, it just falls into the category of "would probably be a good thing to do if not too difficult", so if it involves a lot of effort or can't be explained simply, then never mind and thanks for reading.

EDIT:  If I were taking a complete wild guess at what to do, this is how I would do it, but I have a feeling this isn't right:



The reason I think it may not be right is that under Interface I am choosing LAN, but the hint says "in most cases, you'll want to use WAN here."  But WAN doesn't seem right either.

And also under Source port range I specified NTP as both the from and to port range, but the hint says "When using the TCP or UDP protocols, specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any')."  But in this case, "any" didn't seem like the right choice either, since I am only wanting to intercept NTP traffic.

And beyond that, just the fact that I feel like I really don't know what I am doing!
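The two NAT questions on this page, the SIP adapter whose source port kept changing (the outbound NAT "Static-port" topic) and this NTP redirect, are the same mechanism seen from two sides, and a small model of the rules shows why the hints in the GUI say what they say. The code below is an added example, not anything from OPNsense or from the posts; the rule fields mirror the GUI fields the posts name, all addresses (192.168.1.0/24 LAN, 192.168.1.1 router, 192.168.1.50 VoIP adapter, 203.0.113.5 WAN, outside servers in 198.51.100.0/24) are constructed, and the model assumes first-match evaluation and that a redirect for LAN clients is evaluated on the interface their packets enter.

```python
"""Model of outbound NAT (with and without static-port) and an inbound redirect.

Added example, not OPNsense code; addresses are constructed."""
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the rule is evaluated on: where a LAN client's packet
    proto: str      # enters (redirect) or the WAN it leaves through (outbound NAT)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in_range(port, ports):
    return ports is None or ports[0] <= port <= ports[1]


@dataclass(frozen=True)
class RedirectRule:
    """Firewall: NAT: Port Forward.  src_ports=None means 'any', the usual setting:
    the client chooses its own source port, only the destination port is known."""
    iface: str
    proto: str
    dst_port: int
    target: Tuple[str, int]
    src_ports: Optional[Tuple[int, int]] = None

    def matches(self, p):
        return ((p.iface, p.proto, p.dst_port) == (self.iface, self.proto, self.dst_port)
                and _in_range(p.src_port, self.src_ports))


@dataclass(frozen=True)
class OutboundNatRule:
    """Firewall: NAT: Outbound.  static_port=True keeps the client's source port
    instead of picking a fresh high port for every new connection."""
    iface: str
    source: ipaddress.IPv4Network
    nat_address: str
    proto: Optional[str] = None
    src_ports: Optional[Tuple[int, int]] = None
    static_port: bool = False

    def matches(self, p):
        return (p.iface == self.iface
                and ipaddress.ip_address(p.src_ip) in self.source
                and (self.proto is None or p.proto == self.proto)
                and _in_range(p.src_port, self.src_ports))


def apply_redirect(rules, p):
    """First matching redirect rewrites the destination; no match leaves p untouched."""
    for r in rules:
        if r.matches(p):
            ip, port = r.target
            return replace(p, dst_ip=ip, dst_port=port)
    return p


def translate_outbound(rules, p, rng):
    """First matching outbound rule rewrites the source address; the source port
    survives only when that rule has static_port set."""
    for r in rules:
        if r.matches(p):
            port = p.src_port if r.static_port else rng.randint(49152, 65535)
            return replace(p, src_ip=r.nat_address, src_port=port)
    return p


LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN, WAN_IP = "192.168.1.1", "203.0.113.5"


def ntp_demo():
    """A LAN client using an ephemeral source port (as many NTP clients do) queries an
    outside server.  A rule keyed on source port 123 never sees it; source 'any' does."""
    query = Packet("lan", "udp", "192.168.1.20", 54321, "198.51.100.10", 123)
    src_123 = RedirectRule("lan", "udp", 123, (ROUTER_LAN, 123), src_ports=(123, 123))
    src_any = RedirectRule("lan", "udp", 123, (ROUTER_LAN, 123))
    return apply_redirect([src_123], query), apply_redirect([src_any], query)


def sip_demo(seed=1):
    """The VoIP adapter registers from UDP 5060.  With only the catch-all rule the port
    is rewritten, so the port it advertised in its registration no longer matches; a
    static-port rule for 5060-5063 placed before it keeps the port (first match wins)."""
    register = Packet("wan", "udp", "192.168.1.50", 5060, "198.51.100.20", 5060)
    catch_all = OutboundNatRule("wan", LAN, WAN_IP)
    sip_static = OutboundNatRule("wan", LAN, WAN_IP, proto="udp",
                                 src_ports=(5060, 5063), static_port=True)
    rng = random.Random(seed)
    return (translate_outbound([catch_all], register, rng),
            translate_outbound([sip_static, catch_all], register, rng))


if __name__ == "__main__":
    print(ntp_demo())
    print(sip_demo())
```

Two things the model makes concrete: the source-port field of a port forward is a filter on what the client sent, so "NTP" there silently exempts every client that does not happen to send from port 123; and a static-port rule is a targeted exception, scoped to a source network, protocol and port range, rather than a global switch, which keeps port randomisation in place for everything else.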
