
Topics - seamus

#1
I am trying to troubleshoot a problem. I have several hosts on my network that use `dhcpcd` (DHCP Client Daemon). I've used `dhcpcd` for years, and it seems to work quite well, but I am having an issue with a couple of hosts recently that are configured with the `inform` option. All that means is that the hosts send a DHCPINFORM message, and receive a DHCPACK as shown in the log messages below.


2022-05-17T16:40:52   dhcpd[42083]   DHCPACK to 192.168.1.57 (b8:27:eb:3a:b9:78) via em1   
2022-05-17T16:40:52   dhcpd[42083]   DHCPINFORM from 192.168.1.57 via em1


`dhcpcd` seems to be happy with this result; its log shows the following:


May 17 22:40:26 raspberrypi1bp dhcpcd[265]: dev: loaded udev
May 17 22:40:29 raspberrypi1bp dhcpcd[265]: eth0: waiting for carrier
May 17 22:40:31 raspberrypi1bp dhcpcd[265]: eth0: carrier acquired
May 17 22:40:32 raspberrypi1bp dhcpcd[265]: eth0: probing address 192.168.1.57/24
May 17 22:40:36 raspberrypi1bp dhcpcd[265]: eth0: received approval for 192.168.1.57
May 17 22:40:36 raspberrypi1bp dhcpcd[265]: eth0: adding route to 192.168.1.0/24
May 17 22:40:36 raspberrypi1bp dhcpcd[265]: eth0: adding default route via 192.168.1.1
May 17 22:40:37 raspberrypi1bp dhcpcd[265]: forked to background, child pid 371


The host seems to operate correctly, `ip addr` & `ip route` give expected results, the host can reach other hosts on the LAN, and on the Internet, and the host can be found by other hosts on the LAN.

The only odd thing is that this host is never listed in the lease table when the inform option is used. I have another host that is configured identically, and it does show up in the lease table as follows:


I/f      IP addr      MAC addr           Hostname      Description               Lease type
LANem1 192.168.1.51  b8:27:eb:a7:8c:00  raspberrypi0w  RPi Zero W - WiFi client  static


I suspect that one of these two clients is failing to send something that's needed for the log entry, but I have no idea what that "something" is. Beyond the DHCPINFORM, and the DHCPACK, what is needed by the OPNsense DHCP server to make an entry in the lease table?
#2
I have gotten behind in my updates, and so today was a 'catch-up' day.

Things have gone x-well until just now; I first encountered a series of messages re missing packages during the OPNsense 21.1.9_1-amd64 update. And now, when I am attempting to update to 21.7 (my final destination for the time being), this message displayed for a very long time:

***GOT REQUEST TO CHECK FOR UPDATES***
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...


Eventually, it seems to have worked through the process, and the complete message appeared:

***GOT REQUEST TO CHECK FOR UPDATES***
Fetching changelog information, please wait... fetch: transfer timed out
Updating OPNsense repository catalogue...
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://pkg.opnsense.org/FreeBSD:12:amd64/21.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!
pkg: Repository OPNsense cannot be opened. 'pkg update' required
Checking integrity... done (0 conflicting)
Your packages are up to date.
***DONE***


I've not skipped any steps (e.g. when the pkg mgr required an update).

I did see that a couple of plugins were 'orphaned':

os-dyndns (orphaned)   1.24_2   169KiB   OPNsense   Dynamic DNS Support   
os-mdns-repeater (orphaned)   1.0_1   14.7KiB   OPNsense   Proxy multicast DNS between networks


I have the option to delete either or both of these two plugins... Should I ???

I've tried "Check for Updates" again, but it's headed for the same dead-end as above.

I've run an "Audit" on "Health"; it seems all "core package consistency" checks FAILED with the message: 'no upstream equivalent' as follows:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.9_1 (amd64/OpenSSL) at Mon Mar 28 17:02:10 CDT 2022
>>> Check installed kernel version
Version 21.1.8 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.8 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 66 dependencies to check.
Checking packages: .
beep-1.0_1 has no upstream equivalent
Checking packages: .
ca_root_nss-3.68 has no upstream equivalent
Checking packages: .
choparp-20150613 has no upstream equivalent

...

Checking packages: .
wpa_supplicant-2.9_11 has no upstream equivalent
Checking packages: .
zip-3.0_1 has no upstream equivalent
***DONE***


What should I do? I don't seem to be able to get my next upgrade!

#3
The subject of this post seems to summarize what I've been asking for a while without a definitive answer:

Is it possible to assign multiple subnets to a single interface?

For example:
I have a 2-NIC appliance running OPNsense. I have been using it as a router/firewall for my LAN at 192.168.1.0/24, and now I want to add 2-3 hosts to my network that use 192.168.6.0/24 (I actually have this situation). I want to give these devices on 192.168.6.0/24 access to the Internet through my OPNsense firewall.

Is this possible?

If so, please explain how.

If not possible, can anyone explain the meaning of this statement in the "Advanced" section of the firewall? https://docs.opnsense.org/manual/firewall_settings.html#static-route-filtering

"This may be desirable in some situations where multiple subnets are connected to the same interface."

A definitive answer would really be much appreciated.



#4
NOTE: You will not find the answer here. Instead look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

My LAN uses 192.168.1.0/24, and it works just fine for all hosts with this address range.  The LAN gateway on my OPNsense firewall is 192.168.1.1. It all pretty much auto-configured itself, so I've not had to do much manual configuration.

I've added a new device to the network that insists on using 192.168.6.0/24. This device uses Ethernet-over-USB, and it's plugged into a Linux laptop whose WiFi is assigned via DHCP: 192.168.1.104. I understand that Ethernet-over-USB is indistinguishable from other Ethernet traffic, and requires no 'special handling'.

I think I've got the Linux laptop and its USB device configured properly: I can make an SSH connection from the Linux laptop to the USB device at 192.168.6.2. I can 'ping' the WiFi from the USB device on its 192.168.6.2 interface, and I can ping 192.168.6.2 from the Linux laptop.

My problem is that the devices on the 192.168.6.0/24 net cannot successfully make a connection to the Internet. In addition, I cannot successfully 'ping' the LAN gateway at 192.168.1.1 from the USB device at 192.168.6.0. I don't understand why this is so because the IPv4 rules on the LAN interface allow ALL sources (*). (I've attached a screenshot so that's clear.)

I am not sure if ALL sources includes packets with a source address from the 192.168.6.0/24 network or not??? This is a major point of confusion for me. I have searched in vain for anything in the OPNsense configuration GUI that would allow me to create or use this 192.168.6.0 network in a firewall rule. How is this done?... the 192.168.6.0/24 hosts are not directly connected to the OPNsense firewall - they are only connected to the Ubuntu host, and use its WiFi as the gateway to the 192.168.1.0/24 net.

Can someone explain what I need to add to OPNsense to get Internet access for the USB device at 192.168.6.0/24? I've searched the OPNsense documentation, but found nothing relevant to this situation... but if I've missed something, I'd like to know that also.
#5
NOTE: You won't find the solution here. Instead, look here: https://forum.opnsense.org/index.php?topic=18381.msg83553#msg83553

I've just added an embedded device to my network that configures itself to use the 192.168.6.0 network. The balance of my LAN is all on 192.168.1.0 and it has worked fine for years. I've added static routes in OPNsense to accommodate the new 192.168.6.0 subnet, and this seems to be working just fine - hosts on both subnets are able to connect to each other.

But I've run into what seems (to me) to be an odd problem - from a host on the 192.168.6.0 subnet I can ping hosts on the 192.168.1.0 subnet & all works fine. I can ping hosts on the Internet from 192.168.1.0 subnet as usual. However pinging hosts on the Internet from 192.168.6.0 subnet gets no reply. I suspect the firewall is blocking, but I don't find anything in the logs that helps isolate this (maybe I'm looking for the wrong things?). It seems that nothing from the 192.168.6.0 subnet is getting through - this based on failures to download webpages using `curl` with an IP address.

I have a "pass anything" rule on the LAN interface & use automatic outbound NAT generation rules. What could be blocking my replies originating in the 192.168.6.0 subnet?
#6
General Discussion / DNS for OpenVPN users
March 02, 2020, 06:48:10 AM
My OpenVPN setup is working well enough in OPNsense. The only niggle is that once I'm on the "LAN side" of the firewall, DNS does not work for any of the hosts on the local network. Outbound DNS seems to work OK for an external VPN user, but the only way I can reach my internal hosts is to look up the DHCP assignment table in OPNsense!

I'm currently using Dnsmasq, set to listen on Port 53. "Register DHCP leases" and "Register DHCP static mappings" boxes are ticked.

Also, the MDNS Repeater is enabled. This one looks suspect... A note says "At least two interfaces must be selected.", but I've only ticked the LAN interface. ???

Unbound DNS and OpenDNS are NOT enabled.

How should I configure DNS to provide OpenVPN users with reliable DNS for all hosts on the local network??
#7
My CA (cert. authority), OpenVPN cert and my user cert have all recently expired. As a consequence, it seems, I can no longer connect to my OpenVPN server (a very bad thing). I am back in the office here for a few days, and hope to get everything repaired quickly.

I have read https://forum.opnsense.org/index.php?topic=5592.0 in this forum that the solution for this is to create a new CA and certs. However, it seems (based on this Q&A: https://serverfault.com/questions/306345/certification-authority-root-certificate-expiry-and-renewal) that it is possible to renew a root CA, such that existing certs will become valid again.

Can anyone comment on this? Is it possible to "renew" without starting over?
#8
So I've been using v 18.X for some time. My OpenVPN server on OPNsense had always worked just fine with my `Viscosity` client. Recently, I upgraded OPNsense from v 18.X to v 19.X. Everything seems to work except my OpenVPN client refuses to connect.

And it's a "quick disconnect": as soon as the authentication is entered (userid + 2FA password), the client reports the connection as "down". I've double-checked my password, and my IP address (dynamic IP), and they're correct. The timing makes me wonder if the client config that I exported over a year ago is now deprecated in some way.

Any ideas? Did something change between v 18 and v 19 that would have broken an existing OpenVPN configuration?
#9
General Discussion / DynamicDNS help request
February 14, 2019, 06:46:51 AM
I've configured the DynamicDNS updater in OPNsense, but I want a "backup" solution.

Is there a way to have OPNsense send an email (or otherwise communicate) when the IP address on the WAN-side changes?
#10
Is there any way to test that my OPNsense DynamicDNS client is working properly? Of course it will be tested eventually when my ISP changes it, but I may not have access to my firewall when that happens (I travel a lot).

Details follow:
I use OPNsense for a number of reasons. One of the features that is particularly important to me is the VPN feature as it allows me to connect to resources on my home network while I am away on travel (which is very frequently). My sw version is: OPNsense 19.1-amd64

Following is a summary of my network configuration:
My ISP provides a "cable modem" box. To use OPNsense, I configure this modem to operate in "bridge mode". In my network, the cable modem faces the Internet, my "WAN-side" OPNsense fw/vpn adapter is connected to the "LAN side" of the modem, and then my home network is connected to the LAN-side adapter of my OPNsense fw/vpn. Everything works reasonably well until my ISP decides to change things around. One of the things that they are changing more frequently now is the routable IP address assigned to my modem. I have decided that it is time to add Dynamic DNS.

Dynamic DNS to the rescue:
To that end, I've gotten an account at "freeDNS", and a hostname to use for my OPNsense fw/VPN server. I've also set up the Dynamic DNS service in the webGUI. AFAIK, things are working as they should, but I've learned over the years that assumptions often lead to failure and disappointment. And so I want to test my Dynamic DNS configuration to make sure it works as it should. This is where I need help: I can find nothing in the docs that describes a test procedure.

How to Verify Dynamic DNS is operating correctly?:
Of course I will get a test when my ISP eventually changes the IP address of my cable modem, but I may be out of the country when that happens. I'd like some way to verify that things are working properly now - while I am still in position to make necessary changes. Any suggestions?

#11
I have a rather awkward method that I must use for the time being to access OPNsense (Ref: https://forum.opnsense.org/index.php?topic=8623.0). When I visit the "Lobby" in OPNsense, I see there are a number of "Notices" (see attachment for screen shot), but I am not able to read the entire line.

Where can I find the full text of these Notices; i.e. are they in a log file?

#12
[EDIT]: I've made some forward progress, so I'm updating this post.

I've got my OPNsense+OpenVPN configured, and **mostly** operational now, but there's one awfully annoying item that persists:

The remote LAN is in the US behind an OPNsense firewall that also serves as the LAN gateway, DNS and DHCP server. Its IP address on the LAN side is 192.168.1.1.

My local network is behind a P.O.S. Sky router in the UK, which was configured by someone else - I am using the network here as a guest - not as the admin, tho' I might be able to get a change made if it would help. The P.O.S. Sky router's LAN interface is also 192.168.1.1, but it does not respond to https:, only http.

I can reach all the active hosts on the remote LAN as long as I know its IP address. That's not a huge problem as it's a small network, but still - it would be nice if that worked. The exception to this is the one I really need to access: the OPNsense firewall at https://192.168.1.1. If I just connect to 192.168.1.1, I am connected to the P.O.S. Sky router. When I specify https://192.168.1.1, it simply refuses to make the connection (I assume due to the duplicity of the single IP address).

I'm currently working around this by making a remote desktop connection to a host on the remote network, and connecting from there, but that's awkward, and since it's a Windoze PC, it may fall over and die at any moment!

Can anyone tell me how to resolve this? I need access to the OPNsense firewall on the remote LAN - not the P.O.S. Sky router here on the local LAN.
#13
I'm trying to install the latest distribution (OPNsense-18.1-OpenSSL-serial-amd64.img.bz2) on a PCEngines APU2. I am able to boot successfully from the USB I created using "Etcher". Everything seems to be going OK until immediately after I log in as "installer". At that point, the data presented over the serial port (still configured at 115200, per OPNsense docs) is (virtually) illegible. At any rate it's not displayed correctly.

Any ideas on what the issue might be?

FWIW, here's what I see at my serial terminal:

----------------------------------------------
|      Hello, this is OPNsense 18.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Lists:        https://lists.opnsense.org/  |        @@@@         @@@@
| Code:         https://github.com/opnsense  |         @@@@@@@@@@@@@@@
----------------------------------------------
.[1;24r.[m.[?7h.[?1h.=.[H.[J.[23B.[H.[23B.[HF10=Refresh Display.[4;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[5;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[6;46H@@@@@.[6;71H@@@@@.[7;50H@@@@@.[7;67H@@@@@.[8;47H@@@@@@@@@@@       @@@@@@@@@@@.[9;52H\\\\\.[9;66H/////.[10;46H))))))))))))       (((((((((((.[11;52H/////.[11;66H\\\\\.[12;47H@@@@@@@@@@@       @@@@@@@@@@@.[13;50H@@@@@.[13;67H@@@@@.[14;46H@@@@@.[14;71H@@@@@.[15;46H@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.[16;47H@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.[8BWaiting for backend....[5;46H                 .[6;46H     .[B.     .[8;47H           .[B......     .[10;46H            .[B......     .[12;47H           .[13;50H     .[14;46H     .[B.....                 .[16;47H                .[20;19H.[5;19H.(0.[1mlqqqqqqqqqqqqu.(B OPNsense 18.1 .(0tqqqqqqqqqqqqqk.(B.[m.[6;19H.(0.[1mx.(B.[m.[6;62H.(0.[1mx.(B.[m.[7;19H.(0.[1mx.(B.[m Welcome to the OPNsense 18.1 installer!  .(0.[1mx.(B.[m.[8;19H.(0.[1mx.(B.[m.[8;62H.(0.[1mx.(B.[m.[9;19H.(0.[1mx.(B.[m Before we begin, you will be asked a     .(0.[1mx.(B.[m.[10;19H.(0.[1mx.(B.[m few questions so that this installation  .(0.[1mx.(B.[m.[11;19H.(0.[1mx.(B.[m environment can be set up to suit your   .(0.[1mx.(B.[m.[12;19H.(0.[1mx.(B.[m needs..[12;62H.(0.[1mx.(B.[m.[13;19H.(0.[1mx.(B.[m.[13;62H.(0.[1mx.(B.[m.[14;19H.(0.[1mx.(B.[m You will then be presented a menu of     .(0.[1mx.(B.[m.[15;19H.(0.[1mx.(B.[m items from which you may select to       .(0.[1mx.(B.[m.[16;19H.(0.[1mx.(B.[m install a new system, with or without    .(0.[1mx.(B.[m.[17;19H.(0.[1mx.(B.[m importing a previous configuration.      .(0.[1mx.(B.[m.[18;19H.(0.[1mx.(B.[m.[18;62H.(0.[1mx.(B.[m.[19;19H.(0.[1mx.(B.[m.[19;32H.(0.[1m.(B< Ok, let's go. >.[19;62H.(0x.(B.[m.[20;19H.(0.[1mmqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj.(B.[m
.[4B.(0.[1m.(B.[mSet up the installation environment and continue.[5A.[24;1H
.[?1l.>The installation was aborted.
#14
Development and Code Review / API for Google's OTP
March 24, 2018, 09:37:41 PM
Odd question perhaps, and maybe not the correct forum, but here goes:

OPNsense has done a fabulous job of integrating Google's OTP service. I have a project that needs OTP authentication also. Until I looked into this, I thought that Google's OTP code was open source, and therefore generally available for such usage by a 3rd party. However, I've learned that it's no longer open source; Google has made it proprietary. And so I wonder how is it that the OPNsense project is able to continue using it?

Can someone provide a brief explanation, or better, point me toward documentation that explains it?

Thnx,
~S
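For reference, the "Google OTP" that OPNsense integrates is the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 with a time-based counter), which is an open standard. The following is an added example (not OPNsense code and not from the post above) that implements it with the Python standard library, using the RFC's published test seed; the account and issuer names in the provisioning URI are placeholders, and the server-side check shows the usual one-step drift window with a constant-time compare.

```python
"""TOTP (RFC 6238) / HOTP (RFC 4226) as used by Google Authenticator.

Added illustration; standard library only. Seed and timestamps are the
published RFC 6238 test values, not anyone's real secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 6238 reference seed "12345678901234567890" (ASCII), written the way
# authenticator apps expect it: base32, without '=' padding.
REFERENCE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _decode_b32(secret_b32: str) -> bytes:
    # Apps tolerate lowercase and spaces and drop the padding; restore it.
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(_decode_b32(secret_b32), t // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to absorb clock drift, comparing in constant time."""
    t = int(time.time()) if at_time is None else at_time
    key = _decode_b32(secret_b32)
    counter = t // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI behind the QR code an authenticator app scans.
    `account` and `issuer` are placeholders supplied by the caller."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Published RFC 6238 SHA-1 vectors (8-digit codes); 6-digit = last six.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"),
                        (1234567890, "89005924"), (2000000000, "69279037")]:
        print(t, totp(REFERENCE_SEED_B32, t, digits=8), expected)
    print(provisioning_uri(REFERENCE_SEED_B32, "seamus", "OPNsense"))
```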
#15
It seems the form for adding a firewall rule limits one to the ports that are in the drop-down list. Is there a reason for this??

I'm setting up a 'backup' VPN server. I'd like to use port 1195 so I can run both VPN servers at the same time, but the form won't allow it. Is there a work-around, or is this a weird browser-specific thing, or... ??

~S
#16
I've installed the vga-amd64 version of the current OPNsense distro. However, I do not get a login prompt on my console monitor after the system finishes booting. Otherwise, the installation works perfectly in all respects (afaik), I can access the GUI, etc. When I connect to the serial port however, I do see the login prompt there (and it does work).

Is this by design?
#17
18.1 Legacy Series / Basic mDNS question
February 16, 2018, 07:57:39 AM
My remote OpenVPN clients are all Macs (as in OS X). My LAN is an eclectic mix of Windows clients, a DC/server, NAS units, the odd Linux box, etc. I used Avahi some time ago on pfSense, and it seemed to work pretty well. I've read that Avahi is not available for OPNsense (and why), and that mDNS is a 'functional equivalent'. And so I've installed mDNS, and configured it to listen on the LAN and OpenVPN ports. However, after a few hours, I'm not seeing my Mac VPN client pick up any of the devices on my LAN that use Bonjour (other Macs, Time Capsule, etc).

One suspect: Under General Settings for Domain, the following caution appears, but its meaning is unclear to me:
"Do not use 'local' as a domain name. It will cause local hosts running mDNS (avahi, bonjour, etc.) to be unable to resolve local hosts not running mDNS. e.g. mycorp.com, home, office, private, etc."

My "local"/LAN domain is 'MyNet.local' - it's been this way for years, and would be a terrific pain to change.

Where would I begin looking to try to sort this out? Hey - I thought this was supposed to be "zero-configuration" networking :)
#18
Still working through the SSL VPN setup "How-To" guide (https://docs.opnsense.org/manual/how-tos/sslvpn_client.html).

Trying to follow the guide in Step 2, "Firewall Rules" - to allow traffic from the VPN clients to the LAN interface. Specifically, in the rule for the OpenVPN interface, it seems that I'm missing something because I do not see an "OpenVPN Clients" option in the drop-down for that firewall rule (as shown in the "How-To guide"); all I get is the phrase "Nothing Selected".

Could it be that the guide has omitted a step for creating an OpenVPN client?
#19
I've found what seems to be a glaring error in the 'How-To' Docs on the subject of "Setup SSL VPN Road Warrior" at the following URL:

https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

All is well until the end of Step 0; specifically, the following passage:

"Click Save and you will be redirected to the User page. Now we will activate your newly created seed with Google Authenticator. To do so click in the (i) symbol on the left of OTP seed now you will see a link to the google authenticator image. Click on it and it will open in a new browser window and an image will be displayed. This image can be scanned with you mobile see also: Configure 2FA TOTP & Google Authenticator."

In the first place, the GUI does not do what's described here: 'click the (i) symbol' only hides or reveals the Help tip. THERE IS NO URL revealed.

Second, clicking the Google Authenticator Image does nothing at all. If I scan it in my iPhone, it tells me that there IS NOT a Google Authenticator client available for iPhone!  If this was intended to be Google-centric, or Android-specific, this should have been stated in the beginning (rather than wasting someone's time reading instructions that won't work).

OTP is great stuff, and my hat's off to the project for incorporating it in OPNsense. However, the Docs should reflect reality, not wishful thinking.

~S

P.S. Here's my version info:
OPNsense 18.1.2_2-amd64
FreeBSD 11.1-RELEASE-p6
OpenSSL 1.0.2n 7 Dec 2017
#20
18.1 Legacy Series / webGUI access & VPNs
February 13, 2018, 02:32:11 AM
I've just upgraded my firewalls from pfSense to OPNsense. I'm struggling with two items, one of which I struggled with using pfSense also. Without further ado:

Requirement 1. I need to do remote administration of my firewalls. I understand there is some risk associated with this, but I simply have no (practical) choice.

Requirement 2. I need to be able to use the VPN feature to actually connect to hosts behind my firewall... this is the only real value of the VPN for me in this context.

Question #1: Can I use the VPN to connect to the webGUI via the LAN port (instead of a direct connect to the WAN port)?

Question #2: Alternatively, could/should I use SSH to access the webGUI through an "SSH tunnel"?

Question #3: Once I have the VPN (OpenVPN) working, what other steps must I take to gain access to my internal hosts?