OPNsense Forum

Topics - mossi2000

1
German - Deutsch / OPNsense with pi-hole as DNS filter
« on: June 28, 2022, 01:36:47 pm »
Yes, I know, this topic exists in several variants...

Over the weekend my Sense fell apart: something (I suspect ntopng or NetFlow) completely filled up the root partition of the Sense (APU2C4).
Cleaned it up, and after the reboot there were no interfaces anymore (no IP assignment). Restoring the config backup didn't help.

So, because I need internet on the network for home office, I set the Sense up from scratch.
Booted v22.1.2 from the stick and installed it, assigned addresses, OK.

Then I wanted it the way it was before:
Step 1:
IPv4 only
Sense behind an ISP fibre router: 192.168.10.10
Sense does DNS over TLS (Unbound): 192.168.100.3 LAN, 192.168.10.3 WAN
Sense does DHCP in the 100 network
pi-hole does DNS filtering: 192.168.100.13
DHCP hands out the pi-hole as DNS server.

Step 2:

AND I want the pi-hole to be forced (i.e. nothing with a locally configured DNS of 8.8.8.8 or the like).

Read and tried several guides;
Part 1 works. I get on the internet and the pi-hole filters, as long as I get the DNS server via DHCP.

Only when I set a laptop's DNS server to 8.8.8.8, it no longer gets on the internet.
Meaning: e.g. nslookup www.spiegel.de cannot be resolved...

PIHOLE is an alias for 192.168.100.13


My rules:
Firewall NAT (port forward):
Interface  Proto    Src  SrcPort  Dst            DstPort   NAT IP     NAT Port  Description
LAN        TCP/UDP  *    *        ! LAN address  53 (DNS)  PIHOLE     53 (DNS)  Force DNS traffic always to PIHOLE
LAN        TCP/UDP  *    *        *              53 (DNS)  127.0.0.1  53 (DNS)  FALLBACK: redirect and pass DNS

Firewall rules (DNS):
Proto         Src     SrcPort  Dst          DstPort   Gateway  Schedule  Description
IPv4 TCP/UDP  PIHOLE  *        LAN address  53 (DNS)  *        *         Allow PIHOLE DNS traffic
IPv4 TCP/UDP  *       *        PIHOLE       53 (DNS)  *        *         Allow DNS requests to PIHOLE
IPv4 TCP/UDP  *       *        *            53 (DNS)  *        *         Block any DNS traffic not handled yet



So what's still missing?

Addendum: I have now seen that:
- the DNS request to 8.8.8.8 from the laptop goes out and is redirected to the pi-hole, but I don't see any answer...
As if the return direction of the NAT didn't work... Hmm...
Looks like: "Get out Wireshark...."


Regards, Axel
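Where the addendum describes a redirected query that never gets an answer, the quickest check from the laptop is to send a raw DNS query to a foreign resolver and look at what, if anything, comes back. The script below is an added example for this thread, not code from the post, OPNsense or pi-hole: it builds an A query in wire format, parses the reply and classifies it as resolved, sinkholed (pi-hole's default block answer of 0.0.0.0 is an assumption), or timed out. The resolver 8.8.8.8 and the query names are assumptions, and the embedded reply is constructed, not captured.

```python
"""Raw DNS probe: does a query sent to an arbitrary resolver come back, and from
whom?  Added example for this thread; not code from the post, OPNsense or
pi-hole.  Standard library only."""
import random
import socket
import struct

# Assumption: pi-hole answers blocked names with 0.0.0.0 (its default blocking mode).
PIHOLE_SINKHOLE = "0.0.0.0"


def build_query(name, qid=None):
    """Return (id, packet) for a single A/IN question with RD set (RFC 1035)."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return qid, header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg, expected_qid):
    """Return whether the id matches, the RCODE and the A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id_ok": qid == expected_qid, "rcode": flags & 0x0F, "a_records": answers}


def classify(result):
    """mismatched-id | no-answer | sinkholed | resolved"""
    if not result["id_ok"]:
        return "mismatched-id"
    if not result["a_records"]:
        return "no-answer"
    if all(a == PIHOLE_SINKHOLE for a in result["a_records"]):
        return "sinkholed"
    return "resolved"


def probe(resolver, name, timeout=2.0):
    """Send one query to `resolver`:53 and classify the reply; 'timeout' if none arrives."""
    qid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            data, _peer = s.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify(parse_response(data, qid))


# Constructed reply, not a capture: the question for "ads.example" echoed back and
# answered with A 0.0.0.0, which is how a pi-hole block looks on the wire.
SAMPLE_QID, SAMPLE_QUERY = build_query("ads.example", 0x1234)
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    + SAMPLE_QUERY[12:]                                  # question section, verbatim
    + b"\xc0\x0c"                                        # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 2, 4) + socket.inet_aton(PIHOLE_SINKHOLE)
)

if __name__ == "__main__":
    print(classify(parse_response(SAMPLE_RESPONSE, SAMPLE_QID)))   # sinkholed
    # From the laptop in the post:  print(probe("8.8.8.8", "doubleclick.net"))
```

A result of "sinkholed" or "resolved" for a query addressed to 8.8.8.8 proves that both the redirect and the return path work; "timeout" while the query shows up in the pi-hole's query log is exactly the symptom in the addendum. One common cause on a single flat LAN is that the pi-hole answers the laptop directly from 192.168.100.13, and the laptop discards a reply that does not come from 8.8.8.8, the address it asked. A port forward whose target sits on the same subnet as the client therefore also needs the source address rewritten to the firewall's LAN address (an outbound NAT rule, or the port forward's NAT reflection option), so that the reply travels back through the firewall and is un-translated there.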





2
22.1 Legacy Series / ntp: no update anymore
« on: February 06, 2022, 05:44:09 pm »
Hi,

today I stumbled over the fact that my OPNsense no longer provides NTP time.
(Configuring Raspberry Pi OS on a Pi4 fails due to missing synchronized time)

I checked some logs and tried everything I could find for 21.1.7... finally upgraded to 22.1, without change.

The last sync seems to have occurred on July 31 2021 according to the ntpstats log file.
Very strange: I can ping all the NTP servers, but it seems that any request sent out just doesn't get an answer.

My configuration:
Fibre router from ISP (CALIX 854-G2), IPv4 and IPv6 enabled (I cannot disable v6), firewall active, blocking a bunch of incoming traffic. NTP requests to my address are blocked, but outgoing traffic is allowed.
Fixed address on the LAN side: 192.168.10.10


OPNsense 22.1: 2 interfaces, WAN and LAN. WAN address 192.168.10.3, LAN address 192.168.100.3
Unbound DNS, DNS over TLS, IPv6 disabled.

NTP server config: 0/1/2.de.pool.ntp.org, listening on LAN and WAN

Status:

Network Time Protocol Status
Status    Server    Ref ID    Stratum    Type    When    Poll    Reach    Delay    Offset    Jitter
Unreach/Pending    185.242.112.53    .INIT.    16    u    -    512    0    0.000    +0.000    0.000
Unreach/Pending    144.76.81.222    .INIT.    16    u    -    512    0    0.000    +0.000    0.000
Unreach/Pending    193.141.27.1    .INIT.    16    u    -    512    0    0.000    +0.000    0.000





root@OPNsense:~ # ntpdate -d 1.de.pool.ntp.org
 6 Feb 17:38:41 ntpdate[25933]: ntpdate 4.2.8p15@1.3728-o Mon Jan 24 04:11:49 UTC 2022 (1)
arp: 00:08:9b:f1:71:16 attempts to modify permanent entry for 192.168.100.42 on igb0
transmit(136.243.66.91)
receive(136.243.66.91)
receive: server not found
transmit(65.21.190.104)
receive(65.21.190.104)
receive: server not found
transmit(94.16.114.254)
receive(94.16.114.254)
receive: server not found
transmit(176.9.157.155)
receive(176.9.157.155)
receive: server not found
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
transmit(136.243.66.91)
transmit(65.21.190.104)
transmit(94.16.114.254)
transmit(176.9.157.155)
136.243.66.91: Server dropped: no data
65.21.190.104: Server dropped: no data
94.16.114.254: Server dropped: no data
176.9.157.155: Server dropped: no data

 6 Feb 17:38:50 ntpdate[25933]: no server suitable for synchronization found


ntptime
ntp_gettime() returns code 5 (ERROR)
  time e5aa7875.88488000  Sun, Feb  6 2022 17:40:21.532, (.258532356),
  maximum error 16871500 us, estimated error 16000000 us, TAI offset 0
ntp_adjtime() returns code 5 (ERROR)
  modes 0x0 (),
  offset 0.000 us, frequency 41.412 ppm, interval 4 s,
  maximum error 16871500 us, estimated error 16000000 us,
  status 0x41 (PLL,UNSYNC),
  time constant 3, precision 0.000 us, tolerance 496 ppm,
  pps frequency 41.412 ppm, stability 0.000 ppm, jitter 0.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.



Firewall rule (floating):
IPv4 TCP/UDP    This Firewall    *    *    123 (NTP)    *    *    NTP traffic for local NTP server
Allowed

PING 0.de.pool.ntp.org (173.249.33.207): 56 data bytes
64 bytes from 173.249.33.207: icmp_seq=0 ttl=54 time=27.121 ms
64 bytes from 173.249.33.207: icmp_seq=1 ttl=54 time=20.731 ms
64 bytes from 173.249.33.207: icmp_seq=2 ttl=54 time=20.546 ms
64 bytes from 173.249.33.207: icmp_seq=3 ttl=54 time=20.928 ms


I'm running out of ideas now; does anyone know something this silly?
And much more important: a SOLUTION. :-)
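The ping output only shows that ICMP reaches the pool servers; it says nothing about UDP/123, which is the protocol ntpdate got no data on. The following added example (not from the post, OPNsense or the ntp.org pool) sends a single SNTP request and decodes the reply, so the two cases can be told apart from any host: a decoded server timestamp means the path is open, a timeout means the request left but nothing came back, which is what the ntpdate trace above shows. The sample reply is constructed; it carries the transmit timestamp e5aa7875.88488000 that ntptime printed in the post, and an arbitrary reference ID.

```python
"""Minimal SNTP (RFC 4330) client to check whether UDP/123 replies come back at
all, independently of ntpd.  Added example for this thread; not from the post,
OPNsense or ntp.org.  Standard library only."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800                            # 1900-01-01 to 1970-01-01 in seconds
NTP_PACKET = struct.Struct("!B B b b I I I Q Q Q Q")  # 48-byte header, no extensions


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to a Unix timestamp."""
    return seconds - NTP_UNIX_DELTA + fraction / 2 ** 32


def build_request():
    """LI=0, VN=4, Mode=3 (client); every other field zero, as an SNTP client may send."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return NTP_PACKET.pack(li_vn_mode, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)


def parse_response(data):
    """Decode the fields a client needs to judge a reply."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, ref_id,
     _ref_ts, _orig_ts, _recv_ts, tx_ts) = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    tx_secs, tx_frac = tx_ts >> 32, tx_ts & 0xFFFFFFFF
    leap = li_vn_mode >> 6
    return {
        "leap": leap,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "ref_id": ref_id,
        # stratum 0 (kiss-of-death) or LI=3 (clock unsynchronised) must not be used
        "usable": 1 <= stratum <= 15 and leap != 3,
        "transmit_unix": ntp_to_unix(tx_secs, tx_frac),
    }


def query(server, timeout=3.0):
    """Send one request; a timeout means UDP/123 went out but nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        try:
            data, peer = s.recvfrom(512)
        except socket.timeout:
            return {"server": server, "error": "timeout"}
    result = parse_response(data)
    result["server"] = peer[0]
    result["offset_s"] = result["transmit_unix"] - time.time()
    return result


# Constructed reply (not captured from the poster's network): LI=0, VN=4, mode 4
# (server), stratum 2, poll 6, precision -20, reference ID chosen arbitrarily, and the
# transmit timestamp e5aa7875.88488000 taken from the ntptime output in the post.
SAMPLE_RESPONSE = NTP_PACKET.pack(
    (0 << 6) | (4 << 3) | 4, 2, 6, -20, 0, 0, 0x7F000001,
    0, 0, 0, (0xE5AA7875 << 32) | 0x88488000)

if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(r["transmit_unix"])))
    # On the firewall:  for s in ("0.de.pool.ntp.org", "1.de.pool.ntp.org"): print(query(s))
```

Run from the OPNsense shell against 0.de.pool.ntp.org, `query()` tests the outbound path through the ISP router; run from a LAN client against 192.168.100.3, it tests the firewall's own ntpd listener. A peer shown as stratum 16 with `.INIT.` and reach 0, as in the status table above, is one from which ntpd has never received a single reply, which is the same condition a timeout here reports.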


 




3
German - Deutsch / Comprehension question about firewall rules
« on: May 24, 2020, 11:51:48 am »
Hi,

since yesterday I have had a freshly set up OPNsense 20.1.7 installation with the configuration imported from 17.7.x (the update function had been dead for a while).

I have had DNS-over-TLS configured in Unbound since 2018(??) and this morning moved it from General Options to Miscellaneous. Apparently that works, too.

I have only WAN (192.168.10.x) and LAN (192.168.100.x) configured. OPNsense is the .3 on each.

I have a Raspberry Pi running pi-hole: 192.168.100.13. Its DNS points to 192.168.100.3 (OPNsense).
The DHCP server in OPNsense also hands out this .13 as DNS server.
That works, too. Clients with this DNS via DHCP are protected/blocked through the pi-hole.

So now I want to enforce that DNS can ONLY be resolved via the pi-hole.
I.e. in LAN_100 allow DNS 53 from pi-hole to OPNsense and block it from everyone else.
2 rules, 1 pass, 1 block.
So much for the theory.

If I set the DNS on my workstation manually to 8.8.8.8, requests to pages that are supposed to be blocked get through anyway.... :-(

Where is my mistake in thinking, or what am I doing wrong?

In the rules PIHOLE is a host alias
Axel
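Both DNS-forcing threads above (the pi-hole-as-DNS-filter post and this one) rely on a pass rule and a block rule on LAN, and OPNsense evaluates interface rules top-down with first match winning. The following added example (not OPNsense code; it reads no OPNsense configuration) evaluates a DNS packet against two orderings of the same three rules: the set as it might stand if the stock "allow LAN to any" rule is still above the two DNS rules (an assumption about the poster's setup, not something the post states) and the same rules reordered. The alias names LAN_NET and LAN_ADDR, the workstation address 192.168.100.42 and the simplified protocol and port matching are this example's own.

```python
"""First-match evaluation of a small LAN rule set, to see which rule a DNS packet
hits.  Added example for the two DNS-forcing threads; not OPNsense code and not
a parser for OPNsense's config.  Standard library only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# PIHOLE is the host alias from the posts; LAN_NET and LAN_ADDR are this example's
# names for the interface network and the firewall's own LAN address.
ALIASES = {
    "PIHOLE": ["192.168.100.13/32"],
    "LAN_NET": ["192.168.100.0/24"],
    "LAN_ADDR": ["192.168.100.3/32"],
    "any": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    src: str               # alias name or CIDR
    dst: str               # alias name or CIDR
    dport: Optional[int]   # None = any destination port
    descr: str


def _match_addr(spec: str, addr: str) -> bool:
    return any(ip_address(addr) in ip_network(n) for n in ALIASES.get(spec, [spec]))


def _match_proto(spec: str, proto: str) -> bool:
    return spec == "any" or proto in spec.split("/")


def first_match(rules: List[Rule], proto: str, src: str, dst: str,
                dport: int) -> Optional[Tuple[int, Rule]]:
    """(index, rule) of the first rule matching the packet, as with pf 'quick' on
    every rule, which is how OPNsense interface rules behave; None = no rule matched."""
    for idx, r in enumerate(rules):
        if (_match_proto(r.proto, proto) and _match_addr(r.src, src)
                and _match_addr(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return idx, r
    return None


def verdict(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """'pass' or 'block'; an unmatched packet falls to the implicit default deny."""
    hit = first_match(rules, proto, src, dst, dport)
    return hit[1].action if hit else "block"


# Ordering 1 (assumed): the stock "allow LAN to any" rule still sits above the two
# DNS rules described in the post.
AS_POSTED = [
    Rule("pass", "any", "LAN_NET", "any", None, "Default allow LAN to any rule"),
    Rule("pass", "tcp/udp", "PIHOLE", "LAN_ADDR", 53, "Allow pi-hole DNS to OPNsense"),
    Rule("block", "tcp/udp", "any", "any", 53, "Block any other DNS"),
]

# Ordering 2: the same three rules with the DNS pair moved above the catch-all.
REORDERED = [AS_POSTED[1], AS_POSTED[2], AS_POSTED[0]]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, "workstation -> 8.8.8.8:53      :",
              verdict(rules, "udp", "192.168.100.42", "8.8.8.8", 53))
        print(name, "pi-hole -> OPNsense:53          :",
              verdict(rules, "udp", "192.168.100.13", "192.168.100.3", 53))
        print(name, "workstation -> example.org:443 :",
              verdict(rules, "tcp", "192.168.100.42", "93.184.216.34", 443))
```

The evaluator only models packets the firewall actually sees. A workstation on 192.168.100.0/24 talking to the pi-hole on 192.168.100.13 is switched within the same segment and never crosses OPNsense, so the block rule cannot affect it and needs no exception for it; the query to 8.8.8.8 does cross, and with the catch-all pass rule above the block it is passed, which is the behaviour described in the post.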


4
18.7 Legacy Series / OPNsense System|Firmware|Update fails: Timeout connecting to selected mirror
« on: January 01, 2019, 06:14:41 pm »
Hi,
yesterday I tried to update OPNsense 18.7.5 via Check for Updates. Timeout....
I searched around, checked various things, DNS... and so on, and tried pkg update -f:

Updating OPNsense repository catalogue...
pkg: Repository OPNsense load error: access repo file(/var/db/pkg/repo-OPNsense.sqlite) failed: No such file or directory
pkg: http://mirror.dataroute.de/opnsense/FreeBSD:11:amd64/18.7/latest/meta.txz: No address record

Internet access works fine; I have Unbound DNS with DNS over TLS activated.

Today I had the idea to check whether I can get the file / the mirror site directly:
Pasted the http:// URL from the error message into the browser: and, yep, I get the index page for amd64/18.7/latest.

So what's wrong there? Why can't I get possible updates when access basically is working?

Axel

5
18.1 Legacy Series / SOLVED: Error during install of self-signed certificate / CA - NO ACCESS any more
« on: May 20, 2018, 11:56:37 am »
Hi,

I wanted to get rid of the no-HTTPS problem preventing me from using Firefox to access the OPNsense GUI and looked for a solution. I found a description of how to generate and install a self-signed CA and certificate.
The part on OPNsense worked fine. But on the client side (Windows, Firefox, Chrome) something went wrong (most probably I made an error myself) and now I can't access the GUI any more. :-(

Chrome gives me a NET::ERR_CERT_INVALID, and when I click on the error I get:
a PEM-encoded chain, followed by two different certificates.

Can these help me to solve the problem? If yes, how?
I'm really not familiar with signing/certificates....

Axel

6
17.7 Legacy Series / Experiences with OPNsense - on the way to FTTH
« on: February 06, 2018, 12:16:00 am »
Hi,

I just want to share my experience with OPNsense as my future FW/router for when my internet connection becomes FTTH (200 MBit/s down, 80 MBit/s?? up).

Coming from a 1.5 MBit/s DSL line this will be cool..

I planned to use VLANs and a LAGG link for the connection to the network (meanwhile all switches are smart/manageable) and to use the Ubiquiti APs' capability of having multiple SSIDs on different VLANs (Guest, Family 2.4G, Power 5G, Geo-VPN). Captive Portal for guests.

After the initial problems with the setup on the APU2C4 I started configuring... and every time I activated some VLAN-related setting in OPNsense or on a switch I ended up locked out....
The switches are easy, just reboot: since the changes were only applied but not SAVED to the configuration, a reboot helps.
With OPNsense, applying a setting adds it directly to the config.... and the last / lockout setting would come back after a reboot.

I then understood that switching the network to VLANs cannot be done partially... it's all or nothing.
8-port PoE switch --- 24-port main switch and 8-port switch in the office, 5-port switch near the TV..
I will have to plan it thoroughly...

OK, to be ready, I decided to start with a simple solution first.
LAN, WAN and WLAN_AP networks on the APU2C4 interfaces.
OPNsense 17.7.12 on APU2C4 with serial console via Ethernet.

LAN, WAN is set up; the AVM Fritzbox (former router and phone/VoIP master) moved to the network between DSL router and OPNsense. Avoids VoIP port forwarding.... but I want it back in the LAN with the VoIP data passing the FW.

When the fast internet pipe is up, I will exchange the DSL router for the fibre router, adjust IP addresses and it should work again. (Fibre should already be working, but someone has left a cable with fibres unconnected in an underground cable distribution box somewhere in the village. Shall be fixed this week. I'm the first one in the village to have FTTH in the house.)

Currently the firewall rules allow all traffic.

I have configured DHCP on OPNsense and some static entries, forward DNS to a pi-hole (which is the default DNS for the clients) and use the OpenDNS servers.
I can see that the DNS requests are being filtered, but I can't see the host names being resolved on the pi-hole.


I was looking at the traffic graphs. Nice. Insight nice.
But I'm still asking how I could get some nice statistical graphs for a day.... for top clients.
What I stumbled upon:
Currently my DSL line goes up to 1.9 MBit/s.
My PC was doing a GB+ Win10 update yesterday and today, and the line was saturated for more than an hour.
And the graphs for 24 hours just show a max. peak of 230 KBit/s and total in/out bytes of 160 MB...

After the last update of Firefox I'm unable to log in to the OPNsense dashboard.
Before, I always had to add an exception for the self-signed certificate.
Now FF 58.0.1 tries to perform a TLS handshake and waits... and waits....
Switched over to Chrome: no problem. Tells me https:// NOT SECURE, but works.
OK, started to read about Let's Encrypt. Hard stuff.
Did not find a good how-to for getting a certificate for a local web page.
What I found was some guy saying to get the certificate for a subdomain of a real domain.
Using a real domain would simplify everything.


Enough for today, to be continued.
Axel




7
17.7 Legacy Series / [SOLVED] Image backup failing due to strange partitioning
« on: November 29, 2017, 09:07:07 pm »
Hi,

I'm still inquiring why a default installation from USB stick fails on the APU2.
Some say it's due to a USB 3.0 port / stick problem; I think it's only due to an AHCI problem.
I have the APU2 running with 2 additional entries in /boot/device.hints (which disappeared while upgrading to 17.7.8 and, oh wonder, the AHCI problem practically immediately returned).

So I had the idea to make an image backup of the mSATA SSD before trying any other installation experiment.

I got myself a second SSD (same type, SanDisk), an Inateck USB3-to-mSATA adapter and an adapter cable for the internal USB 2.0 ports.

First I tried a dd clone on the APU2 itself, booted from a TinyCore USB stick, to the second SSD attached to the Inateck. Worked in principle, but the second SSD was NOT booting completely and was missing some startup.sh.
No 1:1 copy. Why? No idea.

Then I tried to create an image of the already installed SSD on my Windows system. No chance using any Windows tool.
I then prepared a Clonezilla Live stick and booted it. I tried to create the image on a second USB stick, but Clonezilla failed immediately, telling me something about "recursive partition" or so.

When I started investigating the partitioning I got puzzled: all I see is a 24 MB partition and unallocated free space for the rest of the SSD.

Booting the SSD and letting OPNsense (FreeBSD) tell me how the disk is partitioned only leads to:

root@OPNsense:~ # fdisk /dev/ada0
******* Working on device /dev/ada0 *******
parameters extracted from in-core disklabel are:
cylinders=31029 heads=16 sectors/track=63 (1008 blks/cyl)

Figures below won't work with BIOS for partitions not in cyl 1
parameters to be used for BIOS calculations are:
cylinders=31029 heads=16 sectors/track=63 (1008 blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
<UNUSED>
The data for partition 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED>
The data for partition 4 is:
sysid 165 (0xa5),(FreeBSD/NetBSD/386BSD)
    start 0, size 50000 (24 Meg), flag 80 (active)
        beg: cyl 0/ head 0/ sector 1;
        end: cyl 1023/ head 254/ sector 63
root@OPNsense:~ #


Can somebody explain that nonsense to me??
Why does the existing UFS partition NOT show up??

The standard way on FreeBSD is similar to Linux...

With that it's clear that Clonezilla can't do anything useful...

Axel
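What fdisk printed is the classic four-entry partition table at the end of the disk's first sector. The script below is an added example, not from the post or from FreeBSD, that decodes that table from the raw sector (type byte, active flag, CHS and LBA fields), reports the slice size in MiB and flags two layouts that imaging tools stumble on: a 0xEE protective entry (the disk is really GPT and fdisk is the wrong tool) and a single slice that starts at LBA 0 and therefore overlaps the MBR itself, as in the output above. The embedded sector is constructed to reproduce the printed values, not dumped from the poster's SSD, and the partition-type names are a small assumed subset.

```python
"""Decode the MBR partition table in a disk's first sector, the structure that
fdisk(8) printed in the post.  Added example; not from the post or FreeBSD.
Standard library only."""
import struct
from typing import List

SECTOR = 512
MBR_MAGIC = b"\x55\xaa"
# Assumed subset of partition type IDs, enough for the cases discussed here.
PART_TYPES = {0x00: "unused", 0xA5: "FreeBSD/NetBSD/386BSD", 0xEE: "GPT protective",
              0x83: "Linux", 0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA"}


def _chs(raw: bytes):
    """Unpack the 3-byte CHS field: head, sector (6 bits) + cylinder high bits, cylinder low."""
    head, sect, cyl = raw
    return (cyl | ((sect & 0xC0) << 2), head, sect & 0x3F)


def parse_mbr(sector: bytes) -> List[dict]:
    """Return the four 16-byte entries at offset 446 as dicts; raises if no 0x55AA signature."""
    if len(sector) < SECTOR or sector[510:512] != MBR_MAGIC:
        raise ValueError("no 0x55AA boot signature: not an MBR/PMBR")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, start_chs, ptype, end_chs, lba_start, lba_size = struct.unpack("<B3sB3sII", entry)
        parts.append({
            "index": i + 1,
            "active": bool(flag & 0x80),
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "0x%02x" % ptype),
            "start_chs": _chs(start_chs),
            "end_chs": _chs(end_chs),
            "lba_start": lba_start,
            "lba_size": lba_size,
            "size_mib": lba_size * SECTOR / 2 ** 20,
        })
    return parts


def describe(sector: bytes) -> str:
    """One-line judgement of the layout for someone about to image the disk."""
    used = [p for p in parse_mbr(sector) if p["type"] != 0]
    if any(p["type"] == 0xEE for p in used):
        return "protective MBR: the disk is GPT; use gpart show (or gdisk), not fdisk"
    if len(used) == 1 and used[0]["lba_start"] == 0:
        return ("single slice starting at LBA 0: it overlaps the MBR sector itself, which "
                "conventional imaging tools reject; the real partitions are in the BSD "
                "disklabel inside it, see gpart show")
    return "%d conventional MBR slice(s)" % len(used)


def sample_sector() -> bytes:
    """Constructed sector reproducing the fdisk output in the post: only slice 4 set,
    type 0xa5, active, start 0, 50000 sectors, CHS 0/0/1 to 1023/254/63.  Not a dump
    of the poster's SSD."""
    sector = bytearray(SECTOR)
    end_chs = bytes([254, (63 & 0x3F) | ((1023 >> 2) & 0xC0), 1023 & 0xFF])
    entry4 = struct.pack("<B3sB3sII", 0x80, bytes([0, 1, 0]), 0xA5, end_chs, 0, 50000)
    sector[446 + 48: 446 + 64] = entry4
    sector[510:512] = MBR_MAGIC
    return bytes(sector)


if __name__ == "__main__":
    import sys
    # python3 mbr.py /dev/ada0   (or a dd image); without an argument use the sample
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else sample_sector()
    for p in parse_mbr(data):
        if p["type"]:
            print(p)
    print(describe(data))
```

Run against `/dev/ada0` or a dd image, it prints the non-empty entries of the real disk; 50000 sectors of 512 bytes is 24.4 MiB, which fdisk rounds to the "24 Meg" in the post. On FreeBSD, `gpart show ada0` reads the same table and also the nested BSD disklabel or GPT behind it, which is where the UFS partition that fdisk does not list lives.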

8
17.7 Legacy Series / [SOLVED] OPNsense v17.7.5 installation on APU2
« on: November 12, 2017, 05:44:24 pm »
Hi,

I just want to share my experience installing OPNsense on an APU2C4.
A while ago I bought the APU2 and installed pfSense 2.3.4 (memstick-serial-amd64).
Then I had no time to finalize the setup for production.
Since I will receive a Fibre-to-the-Home connection before Christmas, I wanted to finish it and give OPNsense a try, since the GUI and what I've read about it pleased me.

HW: APU2 with 4 GB RAM, 16 GB M.2 SSD. Latest BIOS 4.6. Serial connection via a USR TCP232-302 serial-to-Ethernet converter and a virtual COM port on Windows.

Yesterday evening I tried to install the serial-amd64 version via USB stick. I tried different USB sticks, but when logged in as installer, copying of the system always hung at some cpdup command at 45-64%. Then I read about the problem with USB3 ports and AHCI.
Using Rufus and/or Win32DiskImager is quite straightforward, and TinyCore for flashing or memstick preparation is easy.
If I had had a smaller USB 3 stick free (the ones I have are all 64 GB), I would have tried a USB3 memory stick, but I don't think it would have helped much except for preparation speed..

OK, retried this morning, also with pfSense: same thing.
I searched for a cable to connect the internal USB2 ports to Type A connectors, but couldn't find one... Shit.
In the afternoon I tried to install the nano version via a TinyCore stick. Yep!! That worked.
I could open the GUI and do some settings.

But later on I see AHCI errors occurring on the serial console:

(Just one example)

(aprobe0:ahcich0:0:0:0): ATA_IDENTIFY. ACB: ec 00 00 00 00 40 00 00 00 00 00 00
(aprobe0:ahcich0:0:0:0): CAM status: Command timeout
(aprobe0:ahcich0:0:0:0): Error 5, Retries exhausted
ahcich0: Timeout on slot 30 port 0
ahcich0: is 00000002 cs 00000000 ss 00000000 rs 40000000 tfd 50 serr 00000000 cmd 00407e17

and I can no longer log in on the serial console or open the GUI.

How can I get rid of these??

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved