Topics - z0rk

1
General Discussion / NUT respawns old settings
« on: August 24, 2024, 08:29:31 pm »
I previously had NUT set up as service mode netclient. It connected to my NUT master server simply fine and the diagnostics page on OPNsense pulled the correct configuration settings.
Now I want to change my service mode to standalone. I had uninstalled NUT from my master server. I changed my NUT settings on the OPNsense end. This should be straightforward based on examples I've googled, such as this:

https://schnerring.net/blog/configure-nut-for-opnsense-and-truenas-with-the-cyberpower-pr750ert2u-ups/

Unfortunately, no matter how hard I've tried, I can't get it to work. My setup is as follows (see attached).

Yet, OPNsense is not able to establish a connection to the UPS and it pulls some old configuration that points to my defunct NUT master server. Also, the diagnostics page on OPNsense is blank, which makes sense since it's not working correctly. This is what I get on the terminal.

Broadcast Message from root@opnsense
        (no tty) at 10:25 PDT...

UPS cyberpower@192.x.x.x:3493 is unavailable

I have uninstalled the plug-in, rebooted, disconnected the UPS, and deleted the NUT folder at /usr/local/etc/nut several times.
After the latest plug-in reinstall (again) the settings still point to my defunct NUT master server.

/usr/local/etc/nut $ less upsmon.conf
# Please don't modify this file as your changes might be overwritten with
# the next update.
#
MONITOR cyberpower 1 monuser PWD master
SHUTDOWNCMD "/usr/local/etc/rc.halt"
POWERDOWNFLAG /etc/killpower
MONITOR cyberpower@192.x.x.x:3493 1 nutslave slave slave
SHUTDOWNCMD "/usr/local/etc/rc.halt"
POWERDOWNFLAG /etc/killpower

Where are these settings coming from? Why are they not being overwritten after I made my configuration changes?

Thank you

2
23.7 Legacy Series / vnstat data usage reporting inaccurate
« on: February 07, 2024, 09:42:10 pm »
OPNsense 23.7.12_5-amd64

I have several interfaces but only WLAN WAN is selected in vnstat for usage reporting. It's consistently off by hundreds of GBs. My ISP enforces a data cap of ~1200GB, last month vnstat reported ~1790GB usage. I did not exceed my ISP's data cap.
Any suggestions? Thank you

3
23.7 Legacy Series / ntopng | unable to export configuration | error: couldn't download network issue
« on: December 17, 2023, 08:10:35 pm »
I am attempting to export my ntopng configuration settings.

Web Gui
Settings > Configurations > Manage Configurations > Configurations
> select: Entire ntopng configuration (includes users, preferences, and all configurations below)
> select 'Export'

Browser download manager error (independent of browser type/version):
couldn't download - network issue

I've also noticed that no backups of configuration settings are being generated under
Settings > Configurations > Manage Configurations > Nightly Backups

Thank you

4
23.7 Legacy Series / [SOLVED] CAM Command timeout & DSM TRIM
« on: October 27, 2023, 09:34:05 pm »
OPNsense 23.7.7_1-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023

I've just recently deployed a new instance of OPNsense. SYSTEM: LOG FILES: GENERAL log shows the following errors:

Code:
2023-10-27T11:15:55-07:00 Notice kernel (ada0:ahcich0:0:0:0): DSM TRIM. ACB: 06 01 00 00 00 40 00 00 00 00 01 00
2023-10-27T11:10:17-07:00 Notice kernel (ada0:ahcich0:0:0:0): DSM TRIM. ACB: 06 01 00 00 00 40 00 00 00 00 01 00
2023-10-27T10:06:04-07:00 Notice kernel (ada0:ahcich0:0:0:0): DSM TRIM. ACB: 06 01 00 00 00 40 00 00 00 00 01 00

2023-10-27T11:15:55-07:00 Notice kernel (ada0:ahcich0:0:0:0): CAM status: Command timeout
2023-10-27T11:10:17-07:00 Notice kernel (ada0:ahcich0:0:0:0): CAM status: Command timeout
2023-10-27T10:06:04-07:00 Notice kernel (ada0:ahcich0:0:0:0): CAM status: Command timeout
2023-10-27T09:37:45-07:00 Notice kernel (ada0:ahcich0:0:0:0): CAM status: Command timeout

There are more entries, but for brevity I've just included a sample.
Some searches indicate that this could relate to a hardware problem (SSD drive, SATA cable, or like) or a FreeBSD bug.
My SSD is brand new and SMART reports no errors. BIOS is set to AHCI vs. SATA.
Does anyone have some initial impressions before I explore any other potential hardware issues?

Thank you

5
23.1 Legacy Series / Security Audit: py39-setuptools-63.1.0 and openssl-1.1.1t_2,1
« on: June 06, 2023, 04:29:54 am »
I ran a security audit and got the following.

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.9 at Mon Jun  5 19:21:32 PDT 2023
vulnxml file up-to-date
openssl-1.1.1t_2,1 is vulnerable:
  OpenSSL -- Possible DoS translating ASN.1 identifiers
  CVE: CVE-2023-2650
  WWW: https://vuxml.FreeBSD.org/freebsd/eb9a3c57-ff9e-11ed-a0d1-84a93843eb75.html

py39-setuptools-63.1.0 is vulnerable:
  py39-setuptools -- denial of service vulnerability
  CVE: CVE-2022-40897
  WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html

2 problem(s) in 2 installed package(s) found.
***DONE***

I've seen posts dating back to 2021/2022 that talk about similar or possibly the same issue. Is there any concern?

Thank you

6
22.7 Legacy Series / Laptop & Managed Switch (TL-SG10) & VLANs
« on: January 16, 2023, 01:03:30 am »
Hello,

I am running OPNsense 22.7.10_2-amd64 on a desktop with three NIC cards: WAN, LAN (192), and LAN02 (172). I have to abandon this setup and switch to a laptop.

I understand that instead of using USB Ethernet adapters it's better to set up VLANs with a managed switch (https://forum.opnsense.org/index.php?topic=9363.msg42382#msg42382) like the TP-Link TL-SG10 series.

Setting up VLANs on OPNsense itself seems straightforward enough. I've looked at screenshots of the TL-SG10 configuration interface and read up a bit on the topic of VLANs (https://www.theregister.com/2017/06/30/vlans_at_20/).

Traffic flow should be something like this I believe:
Internet > Modem > Switch port 1 (WAN) > Switch port 2 (LAN) & port 3 (LAN02)

This seems straightforward enough, but for some reason I still struggle with how to get this to work. I was hoping that someone in particular who is familiar with TL-SG10s can help to get this fast tracked.

Thank you very much

7
22.7 Legacy Series / Spectre/Meltdown and WireGuard Performance
« on: December 06, 2022, 08:11:03 pm »
It is my understanding that WG performance can be increased by using the WG kernel module and/or by disabling the spectre/meltdown mitigation under Tunables.

The subject of Spectre/Meltdown is highly technical and very complex, and apparently still evolving.
I am trying to understand if it's safe to disable the mitigations. It only seems to pose a potential risk when OPNsense is used in a multi-hosted VM environment. Is that correct? Otherwise, I would very much appreciate it if somebody could provide me with some guidance that would help me in assessing the potential risks. I just don't know where to start.

I am using a dedicated desktop as an OPNsense firewall. It's not a dual boot system and I don't run any VMs.

Thank you very much


8
20.1 Legacy Series / IGMP Proxy and DLNA
« on: June 07, 2020, 05:38:56 am »
OPNsense 20.1.6-amd64

Firewall setup: LAN02 (172.x.x.x) is blocked from accessing services on LAN (192.x.x.x)
Objective: Access DLNA services on LAN from LAN02
DLNA ports: 8200,1900

I've created an Alias for the DLNA ports; created a rule to allow traffic through for those ports; and set up IGMP Proxy. I am unable to access the DLNA service from LAN02.

Any thoughts?

9
General Discussion / Connection timeouts of services on LAN over WDS bridge
« on: October 18, 2019, 06:06:43 am »
This is more of a general question to rule out OPNsense as the fault domain.
I've recently set up a new bridge. When I try to reach services (SSH, SMB, etc.) across the bridge the connection times out, or if the connection is successful (in the case of SMB, for example) folders with fewer than ten items take forever to load or the file manager freezes up. In the case of SSH I also get the initial connection timeout, and once I connect, the terminal after some time (a few minutes) of usage stops accepting input; then it may work again or the terminal session just freezes up completely. Also, some of these hosts cannot be reached at all and pings fail. The affected hosts switch around, so sometimes A works, sometimes B.
OPNsense is configured to use static DHCP and permanent ARP. IP addresses get assigned and ARP correctly maps IP to MAC. There are no rules in play. There are no issues trying to connect between LAN services/devices on either end of the bridge (not across the bridge).
All devices are on the same subnet. The bridge is correctly configured with IP, gateway, DNS, etc. There are no connection issues with external services, internet, Netflix, etc. Throughput is excellent.
I've put in a ticket with the vendor (EnGenius), but my experience with their customer support hasn't been stellar.
I hope that some network wizard may have feedback for me.

Thanks

10
19.1 Legacy Series / Apple ID, browser: 502 Bad Gateway, iPhone: authentication server [RESOLVED]
« on: February 10, 2019, 11:56:03 pm »
I've recently purchased an iPhone and I am unable to authenticate with my Apple ID credentials on the device itself:
authentication server can't be reached

Or with any browser from any other device (laptop, etc.) https://appleid.apple.com/
502 Bad Gateway

So I know it's not a browser issue with any one of my devices. I don't know if this is an issue introduced with the upgrade to 19.x, because I had already upgraded prior to purchasing the iPhone.

Regardless I found this forum topic that I thought might be related and followed the instructions, but it did not resolve the issue. https://forum.opnsense.org/index.php?topic=11401.msg51701#msg51701

Any thoughts?

Thanks

11
General Discussion / Need help with firewall rules
« on: December 02, 2018, 10:52:12 pm »
I've two private subnets: LAN 192.168.1.x and LAN02 172.16.1.x. I've used the guest network how-to https://wiki.opnsense.org/manual/how-tos/guestnet.html as a template to segregate LAN02 from LAN. With the block rules in place clients on LAN02 can't access any clients on LAN, but clients on LAN can access any client on LAN02.

What I would like to accomplish now is to allow certain clients on LAN02 to access certain clients on LAN. I've implemented three rules that I thought would accomplish that, but they don't work as expected. I've attached a screenshot.

In the screenshot these three rules are currently disabled, because if any one of them is enabled, all traffic from any client on LAN02 can access any client on LAN. I am stumped.

Could somebody lend a helping hand?

Thanks


12
General Discussion / DHCP static IP addresses for multi MAC devices
« on: November 19, 2018, 06:47:31 pm »
Most devices have multiple MACs, i.e. wired and wifi. How do I create static mappings for the _same_ hostname but a different MAC address? It appears that's currently not possible. Could somebody please explain?

Thanks

13
18.7 Legacy Series / [SOLVED] Can't su; but user is member of wheel and admin
« on: November 03, 2018, 11:23:05 pm »
OPNsense 18.7.6-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

ssh to opnsense; authenticate via key; then:

$ groups my.username
wheel admins
$ su
Password:
su: Sorry
$ su
Password:
su: Sorry
$

Just to be sure the password is correct, I've changed it for 'root' in the GUI. Still no go. What gives?  :'(

14
General Discussion / [SOLVED] Two-Factor-Authentication for GUI authentication
« on: September 14, 2018, 09:34:28 pm »
I want to enable 2FA for authentication when logging into the admin GUI. I've followed all steps here:
https://wiki.opnsense.org/manual/how-tos/two_factor.html
I succeeded for steps 1 - 5. But when trying to log into the admin GUI with token + password, authentication fails. Using the plain password works. What am I missing?

Thanks

15
General Discussion / How to disable / enable GUI user account at CLI (disable Local Database?)
« on: September 14, 2018, 08:17:15 pm »
I am considering enabling two-factor authentication for my primary admin account. As a failsafe I considered disabling the default 'root' admin account, in the hope of being able to re-enable it at the console CLI if needed. Is that possible?

EDIT:
As a related question: I believe that the Local Database should be disabled if 2FA is enabled. How do you prevent locking yourself out if the TOTP server is unavailable?
