Topics - hilfubsi

1
Virtual private networks / How to route only specific networks/addresses over VPN?
« on: September 21, 2021, 02:03:42 pm »
I was happily using a US based VPN to get around the geolock for pandora.com (I don't live in the US).

I think an update might have broken that setup, so I'm trying to re-create it.

I have the US VPN connected as a VPN client and showing as connected in the status page.

Then I go to interfaces, and create a USVPN interface using ovpnc1 as the interface. Once I do that, I can't set up that interface to be DHCP for IPv4 (I'm getting an error message: "Cannot assign an IP configuration type to a tunnel interface.")

If I create the interface anyway and leave it at None for IPv4 config, and then add a rule on my LAN network in the firewall to pass packets to pandora.com over the USVPN gateway, the packets are caught by the rule but go over the regular WAN gateway instead; and pandora.com sees my non-US IP.

How do I selectively route packets to pandora.com over the US VPN, and all the rest over the regular WAN interface?

2
21.1 Legacy Series / Is there a limit to the number of subnets I can put in a Shaper rule?
« on: April 23, 2021, 09:17:10 am »
I have tried making a shaper rule with over 100 subnets in it, and the rule just gets ignored. If I edit that rule to only have 10 subnets, then it shows in the live status page and it is actually enforced.

So is there a limit to the number of subnets we can put in any given shaper rule? What is that limit?

3
20.7 Legacy Series / I tried to block all but approved DNS servers. It didn't do anything.
« on: November 13, 2020, 11:17:52 am »
I'm trying to block all DNS queries, and only allow queries to the opnsense firewall's DNS or nextdns.io's DNS.

Attached is my config.

I try to enable or disable logging for these two rules and run `dig @1.1.1.1 example.com` but it never ever shows anything in the log (either in the web UI, or using option 10 on the serial/ssh console to opnsense) and it gets a response for any domain name I try. I would expect dig to timeout instead, and the firewall logs to show the packets were caught by the rule.

What's going on? How do I block ALL DNS queries and only allow devices inside my network to query OPNsense's internal DNS or nextdns'?

4
German - Deutsch / Cannot connect to Swisscom fibre (FTTH)
« on: September 30, 2019, 08:32:35 pm »
Is anyone using OPNsense with Swisscom FTTH? I can't get it to work.....

This is my configuration:
Code:
# /usr/local/etc/dhclient_wan.conf
interface "igb0_vlan10" {
        #DHCP Protocol Timing Values
        timeout 60;
        retry 15;
        select-timeout 0;
        initial-interval 1;

        #DHCP Protocol Options
        send dhcp-class-identifier "100008,0001,,OPNsense dhclient";
        script "/sbin/dhclient-script";
}

When I get an IP that starts with 100.x.x.x, I can go to swisscom.com/registration, but it asks for a 6-digit code that I don't have and that customer service knows nothing about. When they ask which modem I'm using and I say it isn't the Swisscom modem, they say: "Good luck, you're on your own."

When I get an IP starting with 85.x.x.x, I can't even reach the Swisscom registration page.

How did you get your FTTH connection working with OPNsense?

5
18.1 Legacy Series / How to enable IPv6 dynamic DNS?
« on: July 10, 2018, 06:24:40 pm »
I have found the settings for IPv4 which is the default. But how do I update my he.net AAAA record on a dynamic IPv6?

6
Documentation and Translation / Step 1 for "Configure IPv6 Tunnel Broker" fails
« on: May 21, 2018, 02:07:26 am »
Here: https://wiki.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html

In the screenshot, it shows that GIF tunnel local address should have /64 after the address.

If you try to save with that setting, the UI complains that this isn't a valid address. The only way to save the settings is to remove the /64.

I don't know if this is a bug in the form validation or if it is an error in the wiki. Either way, it's confusing and blocks the process.

Thoughts?

7
Web Proxy Filtering and Caching / How can I exclude domains from the caching proxy?
« on: May 19, 2018, 11:49:05 pm »
For example, I don't want Spotify (which I pay for) to get a free ride and fill up my cache with music. I'd rather cache useful stuff like apt packages etc.

How do I tell squid to not cache certain domains and their subdomains? I don't want a particular host to bypass the proxy and cache, and I want to use domain names rather than IPs.

Is there a way? Or can I edit the squid.conf file manually and add it there? The header in the file says not to.

8
18.1 Legacy Series / Squid eating up all my free space despite max cache size limit set
« on: May 19, 2018, 10:46:37 pm »
I have set up a squid transparent proxy, my SSD is 16GB and I have set the limit for Squid's cache (under General proxy settings > show advanced > Cache size in MB) to 8500.

And yet I was bitten again: squid used up all the free space, the disk was full, and OPNsense freaked out. I was lucky this time, I was able to make some space and reboot (it got corrupt last time and I had to reinstall).

df -h shows I have 13G on /, out of which 1.8G are used by OPNsense (that's what I have after deleting squid's cache). So why does a hard limit of 8.5G on the cache size still let it use up all the free space?

Code:
root@router:~ # df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs     13G    1.8G     11G    14%    /
devfs              1.0K    1.0K      0B   100%    /dev
tmpfs              2.8G    308K    2.8G     0%    /tmp
devfs              1.0K    1.0K      0B   100%    /var/dhcpd/dev

What am I missing? How much space does OPNsense need to live happily?

9
18.1 Legacy Series / Router defaulting to the wrong route for OPT1
« on: February 18, 2018, 04:31:32 pm »
My configuration is as follows:

igb0 is WAN
igb1 is LAN (192.168.1.0/24)
igb2 is OPT1 (192.168.0.0/30)

I have added rules to OPT1's firewall to let traffic through. I don't think I need to add anything to LAN's rules?

But I can't ping 192.168.0.2 from the LAN or the router. I can ping 192.168.0.1.

When I take a look at the routes, it knows that 192.168.0.0/30 should go on Link#3, but 192.168.0.2 goes out the WAN gateway.

Why is that? How does it make any sense if 192.168.0.0/30 is on Link#3? Why would it send 192.168.0.2 out WAN?

10
18.1 Legacy Series / [SOLVED] Can't access device on OPT1 from LAN
« on: February 17, 2018, 09:54:43 pm »
I have set up my LAN port to the 192.168.1.0/24 subnet, and the OPT1 interface to be the 192.168.0.0/30 subnet (only two IPs, the interface itself at 192.168.0.1, and a DNS server at 192.168.0.2).

From a device on the LAN side, I can ping OPT1 at 192.168.0.1. I can also ping it from the router. But I can only ping 192.168.0.2 from the router.

I thought it was a missing route, but I see that it knows about the 192.168.0.0/30 route in the router's admin GUI, and it says not to add any route related to one of the interfaces.

So what gives? How do I access 192.168.0.2 from my 192.168.1.0/24 subnet?

11
18.1 Legacy Series / Can I use the Letsencrypt cert with the OpenVPN server?
« on: February 17, 2018, 07:46:02 pm »
I would like to set up an OpenVPN server on my OPNsense so I can encrypt my connection when using public WiFis.

I also have Letsencrypt set up with the os-acme-client plugin.

Can I use Letsencrypt for my OpenVPN server certificate? It seems the only option is to self-sign the OpenVPN certificate in the wizard.

12
18.1 Legacy Series / [SOLVED] Setup letsencrypt ok, but OPNsense keeps using self-signed cert
« on: February 17, 2018, 05:19:28 pm »
I have set up the ACME/LE plugin, and I'm able to get a valid certificate issued.

The problem is that the GUI keeps serving the self-signed certificate instead of the LE certificate. I don't know how to force it to use the LE cert instead of the self-signed one.

Attached are the Trust and LE screens. `openssl s_client -connect <my fqdn>` shows the self-signed cert being sent.

Any ideas?

13
18.1 Legacy Series / [SOLVED] Can't boot every once in a while on apu2
« on: February 16, 2018, 10:43:02 pm »
Once in a while, I am getting this error on apu2 via the serial console when cold starting:

Code:
usbus1: EHCI version 1.0
usbus1 on ehci0
usbus1: 480Mbps High Speed USB v2.0
isab0: <PCI-ISA bridge> at device 20.3 on pci0
isa0: <ISA bus> on isab0
sdhci_pci0: <Generic SD HCI> mem 0xf7f27000-0xf7f270ff at device 20.7 on pci0
sdhci_pci0: 1 slot(s) allocated
orm0: <ISA Option ROM> at iomem 0xef000-0xeffff on isa0
ppc0: cannot reserve I/O port range
uart0: <16550 or compatible> at port 0x3f8 irq 4 flags 0x10 on isa0
uart0: console (115200,n,8,1)
uart1: <16550 or compatible> at port 0x2f8 irq 3 on isa0
hwpstate0: <Cool`n'Quiet 2.0> on cpu0
Timecounters tick every 1.000 msec
nvme cam probe device init
ugen1.1: <AMD EHCI root HUB> at usbus1
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <SATA SSD SBFM01.1> ACS-4 ATA SATA 3.x device
uhub0: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
ada0: Serial Number 8EFA077A1AE701738346
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
ada0: Command Queueing enabled
ada0: 15272MB (31277232 512 byte sectors)
ugen0.1: <0x1022 XHCI root HUB> at usbus0
[ thread pid 15 tid 100066 ]
Stopped at      vga_bitblt_one_text_pixels_block+0x135: movl    (%rax,%r13,4),%ebx
db>

Not sure what to make of it, the only way is to unplug and replug the power. Then it will boot like nothing happened. Any ideas?

14
18.1 Legacy Series / [SOLVED] Can't switch WAN from PPPoE to DHCP
« on: February 16, 2018, 10:40:07 pm »
My WAN is currently set to PPPoE. I have switched to a cable provider, so I need to have it as DHCP now.

But nope, it won't let me.

The error is "you have to reassign the interface to be able to configure as dhcp"

What does that even mean? I tried removing PPPoE from the Point to Point devices, but no difference.

15
18.1 Legacy Series / How to implement something similar to pfBlockerNg?
« on: February 08, 2018, 05:02:20 pm »
I would like to block ads network wide, similar to what pfBlockerNg/PiHole does. I would also like the firewall to block the ad domains, not only for the DNS to resolve them to a dummy IP. This is for the Android YouTube app for example that does its own DNS and for which DNS ad blocking isn't effective.

How would I go about it in OPNsense? There doesn't seem to be a pfBlockerNg plugin available.
