Topics - marcelmah

#1
Hi,

We use a URL table alias that refreshes every day to centrally manage a list of IPs that are used in firewall rules.
This worked great until now.

I keep getting this error:
2021-10-17T18:50:01   /update_tables.py[58137]   error fetching alias url https://bla.bla.com/support.txt   
2021-10-17T18:50:01   /update_tables.py[58137]   fetch alias url https://bla.bla.com/support.txt (lines: 8)

So it downloads the file as it knows it's 8 lines, but then throws an error. I can't seem to find why, is there any other log I can view to figure out why it throws an error?
#2
Hi,

I'm trying to get the highest score in the SSL test: https://www.ssllabs.com/ssltest/index.html
I have it at an A rating and everything is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128

I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?

https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853
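The three suites SSL Labs flags as WEAK in the post above share one property: they use CBC mode with a separate HMAC rather than an AEAD cipher (GCM or ChaCha20-Poly1305). As an added example, not code from the original post, from OPNsense, or from the linked pull request, the following Python script picks such suites out of SSL Labs-style report lines by their IANA names and then asks the local OpenSSL whether a given cipher string leaves only AEAD suites enabled. The cipher string `ECDHE+AESGCM:ECDHE+CHACHA20` and the sample report lines are my own assumptions, not a setting taken from the plugin.

```python
import ssl

# Constructed sample: the three suites the post quotes from SSL Labs, plus one
# AEAD suite for contrast, in the report's "name (id) kx FS rating bits" shape.
SSLLABS_LINES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH x25519 (eq. 3072 bits RSA)   FS   256",
]


def is_cbc_suite(iana_name: str) -> bool:
    """IANA suite names spell the bulk-cipher mode out; CBC suites carry '_CBC_'."""
    return "_CBC_" in iana_name


def cbc_suites(report_lines):
    """Return the IANA names of CBC-mode suites found in SSL Labs-style report lines."""
    found = []
    for line in report_lines:
        fields = line.split()
        if not fields:
            continue
        name = fields[0]
        if is_cbc_suite(name):
            found.append(name)
    return found


# Assumed OpenSSL cipher string (my choice for this example): ECDHE key exchange
# combined only with AEAD bulk ciphers, so no CBC suite can be negotiated.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def enabled_ciphers(cipher_string: str = AEAD_ONLY):
    """Ask the local OpenSSL which suites a server context with this string enables.

    ssl.SSLContext.get_ciphers() returns one dict per suite; the 'aead' key is
    True for GCM/CCM/ChaCha20-Poly1305 suites and False for CBC+HMAC suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def all_aead(cipher_string: str = AEAD_ONLY) -> bool:
    """True when every suite the cipher string enables is an AEAD suite."""
    ciphers = enabled_ciphers(cipher_string)
    return bool(ciphers) and all(c["aead"] for c in ciphers)


if __name__ == "__main__":
    print("CBC suites in the report:", cbc_suites(SSLLABS_LINES))
    for c in enabled_ciphers():
        print(f"{c['name']:<32} aead={c['aead']}")
    print("AEAD-only string leaves no CBC suite enabled:", all_aead())
```

Usage note: the report parser only needs the first whitespace-separated field, so it also works on lines copied from the SSL Labs page with different spacing. The OpenSSL check is what you would run on the firewall itself, since the suites actually offered depend on the OpenSSL build the nginx plugin links against, not on the string alone.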
#3
21.7 Legacy Series / IPv6 all static in DC
October 15, 2021, 04:55:42 PM
Hi,

I have OPNsense 21.7.3_3 running on an XCP-ng host as a VM.
We have several IPv4 ranges and one IPv6 range.

IPv4 works as expected, I'm having trouble getting IPv6 working.

Our DC gave us this information (I changed some letters!):
Prefix: 2a00:xxx:13x::/48
Subnet: 48
Router 1: 2a00:xxx:13x::1 (don't use as a gateway)
Router 2: 2a00:xxx:13x::2 (don't use as a gateway)
Gateway: 2a00:xxx:13x::3

Start Range: 2a00:xxx:13x:0:0:0:0:4
End Range: 2a00:xxx:13x:ffff:ffff:ffff:ffff:ffff

I created a single gateway with address: 2a00:xxx:13x::3
I gave my WAN address 2a00:xxx:13x::5 /48 (4 is in use on another Linux VM)
I gave my LAN address 2a00:xxx:13x::6 /48
I gave a Windows VM behind the OPNsense 2a00:xxx:13x::7 /48

If I ping from OPNsense to Google IPv6 DNS I get a response when I use the WAN as a source.
When I use the LAN as the source, no dice.

Windows VM also has no Internet connection using IPv6.

What am I doing wrong here? And yes, I'm pretty new to the IPv6 game; I have it running at home, also on OPNsense, but my ISP provides a DHCPv6 address.

Kind regards,

Marcel
#4
Zenarmor (Sensei) / Sensei and Wireguard clients
August 13, 2021, 03:38:18 PM
Hi,

I'm using Sensei (premium home edition) to protect my daughters from certain sites.
I also want them protected when they use their tablets on someone else's WiFi.
So I created WireGuard profiles for all devices.

WireGuard works fine, but no filtering happens...

I'm running OPNsense 21.1.9_1-amd64.

I read that it wasn't possible at first, but this was months ago and SV was funding netmap to get it to work.
I can select, and I have selected, my wg0 interface as one of the protected interfaces.

Can this work now? If not, is it being developed? Can we track progress? If it's possible, what am I doing wrong?
#5
Hi,

I want to block certain content for my children (porn, phishing etc) and wife (phishing etc).
I installed Sensei and got a home subscription as I require more than one policy.

I just noticed (I wasn't at home much the last couple of days) that my Internet hangs a lot since installing Sensei.
Sometimes it's a short hiccup, sometimes it's long enough to disconnect an RDP session. It happens a lot, sometimes multiple times a minute, and then for a couple of minutes there is no problem at all.

I'm running OPNsense 21.1.9_1-amd64 on VMware ESXi 7 with 8 cores at 2.4 GHz and 16 GB of memory.

I tried switching to L3 mode with generic drivers, but everything gets really really slow and switching to bypass mode does not help either. OPNsense shows em interfaces.

Any thoughts?
#6
Hi,

Just read this in the 20.7.6 release notes:
plugins: os-mail-backup not available due to unaddressed security concerns

I'm using this plugin, where can I get more info about these security concerns?
I can't seem to find any open issues on GitHub mentioning mail-backup plugin.
#7
Hi,

I'm setting up a new OPNsense firewall based on a PC Engines APU4D4.
I started yesterday and this morning when I tried to login it was dead.
I restarted the device by unplugging the power cable and it never came back, so I connected the serial console and it was empty; I rebooted again via the power cable and noticed it booting.

It eventually hangs on:
Creating wireless clone interfaces...done.
Configuring LAN interface...done.
Configuring WAN interface...done.
Creating IPsec VTI instances...done.
Generating /etc/resolv.conf...done.
Configuring firewall...
Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php on line 305
Enter full pathname of shell or RETURN for /bin/sh:

I tried multiple reboots, it always hangs on this.

Haven't done anything special yet (I think). It's not even in production (lucky me).

Any thoughts on this?
#8
Hi,

I'm trying to set up a virtual OPNsense router on a Xen (XCP-ng) hypervisor.
I'm running: 20.1.9_1-amd64

I have set up multiple networks on the Xen host in different VLANs.
My phone VLAN (VLAN2) does not allow any traffic from a host to the router and beyond.
A computer in VLAN2 (fixed VLAN2 port at the switch) does receive a DHCP lease from the OPNsense router, but can't ping the router itself or the Internet.

I tried to add allow rules everywhere just to get it to ping. I even disabled the firewall, no dice.

I also have a VLAN5 for guests and that is working fine as is the normal VLAN1, all going to the same OPNsense router.

I tried setting everything the same as VLAN5 except the IP range and the VLANs of course, but still no ping, not even to the IP that is handing out the IP addresses.

Any thoughts on this?
#9
Hi,

I'm using OPNsense with the NGINX plugin to host a website (just some files) and redirect another domain to a Facebook page.

Both 'sites' have HTTPS working via Let's Encrypt.
One works fine, the URL redirect version does not renew. I created a certificate once when it was a normal site with a meta redirect in an HTML file; I changed it to a URL rewrite, but now it also rewrites the challenge for Let's Encrypt.

My current rewrite rule is: ^/(.*)$

Any suggestions on how I can fix this?
#10
Hi,

I am trying to set up an OPNsense 20.1.6 with multiple WAN links.
- one is directly connected to the APU 4D4 with fixed IP and manually created gateway
- second is a manually created gateway accessible via the LAN (this will eventually change to a direct connection to the fiber switch on a separate port on the APU 4D4)

I have WireGuard (road warrior) working if I use connection one as the default, but I want to use the second as the default and only use the first one for WireGuard traffic.

Can anyone help me how I can / should configure this, because I'm a bit lost...
#11
20.1 Legacy Series / Guest LAN block
April 21, 2020, 04:06:24 PM
Hi,

I've been configuring a guest VLAN for guest WiFi.

I have it working (really simple! including traffic shaper), but I can't get it to block inter-VLAN routing.
My guest LAN is VLAN 38 and I do not want it to be able to ping / access anything on VLAN 1.

I searched and as far as I understand it should block it by default. So I compared a new install to mine and all the rules are the same (mine is an upgrade from version 16 etc etc I think).

To test if it works I have created a new VM (everything is running on ESXi) and booted Ubuntu live. This VM has one network card which is in the 'port group' Guest, which is in VLAN 38.
The VM gets a DHCP address from OPNsense in the correct VLAN and I can access the Internet, but also VLAN1...

I would like to know what I can do to block this; everything I tried myself (different rules) did not work.
Disabling the rule to allow Internet does not change the VLAN1 access.
#12
19.7 Legacy Series / Cron weirdness
January 03, 2020, 11:49:01 AM
Hi,

I have multiple OPNsense 'boxes' running.
I've been busy setting up some cron jobs, but I am experiencing some weird things.

On one box I have set up a cron job which appeared in the root cron; removing the job DOES NOT remove the job from the cron (!?).

New cron jobs appear in the cron from the nobody user and work.

On another box (2) the jobs appear in the nobody cron, but don't work.


Box 1:
Root: crontab -l
root@OPNsense:~ # crontab -l (see the line with "configctl system remote backup")

# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
1       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout) > /dev/null
2       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 sshlockout) > /dev/null
3       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 virusprot) > /dev/null
5       *       *       *       *       (/usr/local/etc/rc.expireaccounts) > /dev/null
*/4     *       *       *       *       (/usr/local/sbin/ping_hosts.sh) > /dev/null
0       1       *       *       *       (configctl system remote backup) > /dev/null
1       3       1       *       *       (configctl filter schedule bogons) > /dev/null
*       *       *       *       *       (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null
root@OPNsense:~ #


root@OPNsense:~ # cat /var/cron/tabs/nobody

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
# Origin/Description: cron/Auto firmware update
0       5       1       *       *       /usr/local/sbin/configctl firmware auto-update
# Origin/Description: cron/Backup config remote
50      10      *       *       *       /usr/local/sbin/configctl system remote backup
root@OPNsense:~ #


Box 2:
root@OPNsense:~ # crontab -l (NOTHING WRONG HERE!)

# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
1       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 webConfiguratorlockout) > /dev/null
2       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 sshlockout) > /dev/null
3       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 virusprot) > /dev/null
5       *       *       *       *       (/usr/local/etc/rc.expireaccounts) > /dev/null
*/4     *       *       *       *       (/usr/local/sbin/ping_hosts.sh) > /dev/null
1       3       1       *       *       (configctl filter schedule bogons) > /dev/null
*       *       *       *       *       (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null
root@OPNsense:~ #


root@OPNsense:~ # cat /var/cron/tabs/nobody

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
# Origin/Description: cron/Backup config remote
50      10      *       *       *       /usr/local/sbin/configctl system remote backup
# Origin/Description: cron/Automatic firmware update
0       5       1       *       *       /usr/local/sbin/configctl firmware auto-update
root@OPNsense:~ #

#13
19.7 Legacy Series / Other GeoIP database(s)
January 02, 2020, 09:22:32 AM
Hi,

Best wishes for everyone.

I noticed a commit to fix the availability changes in GeoIP database made by Maxmind.
https://github.com/opnsense/core/commit/b4147a1e947997a79186f95bbf52fa8131f50501

It also states: support other vendors as well (format should be documented in our docs)

Are there any other working (already supported) alternatives? And if so, which is the best?
#14
Hi,

I just updated to 19.7.2, and after each update I run the security scan and the audit.
Security sometimes shows some 'issues' but the audit has never... until today.

***GOT REQUEST TO AUDIT HEALTH***
>>> Check installed kernel version
Version 19.7.2 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 19.7.2 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for and install missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: ........
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/textwrap.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/threading.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/token.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/tokenize.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/traceback.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/types.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/uu.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/uuid.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/warnings.cpython-37.pyc
python37-3.7.4: checksum mismatch for /usr/local/lib/python3.7/__pycache__/weakref.cpython-37.pyc
Checking all packages..... done
***DONE***

Is there a problem in my installation or is this a bug in the audit maybe?
#15
Hi,

My ISP blocks a certain website, let's say it's duckduckgo.com.

I would like to have OPNsense route traffic to that site through the Tor plugin.

I installed the Tor plugin, but now what?
#16
Hi,

Because of my problem I mentioned earlier ( https://forum.opnsense.org/index.php?topic=9285.0 ) I also wanted to try a fresh install, because the 'working' image I have is an upgrade of an upgrade etc. etc. I don't know which version I started with.

I now tried to install 18.7 on my 'server' (Windows 8.1 with VMware Workstation 12 Pro; can't upgrade to 14 because of specific CPU requirements) and on my work laptop (Windows 10 with VMware Workstation 14 Pro).

I tried with VM hardware version 11 and 12 (can't go higher because of my 'server' limitation).

When I boot from the ISO I end up with an error 'Bus error (core dumped)' when I press enter on GPT/UEFI mode.
See attached screenshot.
#17
Hi,

Finally got the time to test / start using OPNsense in my live environment. I installed it on my (for now) Windows 'server' running on VMware Workstation more than a year ago, and the release of 18.7 and a quiet evening made me try it for real.

I have two NICs in my server; one is used for LAN, the other for WAN (disabled all protocols except the VMware bridge protocol), leading to my Cisco cable modem / router (in bridged mode). My WAN received an IPv4 AND IPv6 IP from my provider and all functions ON OPNsense work (I can check for updates, test ping and trace route).

Unfortunately my clients cannot access the Internet, something is blocking it I guess or not functioning.

I have no idea where to look (tried a lot though, but it just won't work).

Can anyone give me any pointers?
What do you need more to help?