Topics - Ben.

#1
23.1 Legacy Series / Gateway randomly lost
March 03, 2023, 09:41:56 PM
Hi,
My OPNsense box loses its gateway randomly (can work for weeks, then suddenly lost).

System -> Gateways -> Single is empty in these cases, also the Dashboard shows an empty table for "Gateways".
In the logs I couldn't find anything special.

My box is connected to a cable modem, using the re driver.

It is the only gateway configured, no special settings have been changed.

  • Upstream Gateway: checked
  • Monitor IP: 1.1.1.3

The box is a Fujitsu Futro S930.

Do you have hints what I could check? In the logs I couldn't find anything specific.

I thought that it might be the cable to the modem, even though it worked for years.
I didn't have this issue with my APU unit. Not sure if it's related to the hardware.

Thanks for hints.
#2
General Discussion / LAGG (LACP) with Unifi Switch
July 03, 2022, 09:47:06 AM
Hi,
I am trying to set up my new network.

I have a Fujitsu S930 with a 4-port Broadlink NIC. 3 Ports are configured as a LAGG device with 5 different VLANs assigned.
In the Unifi switch I set up the first 4 ports as "Aggregate", but I won't be assigned an IP address.

So before getting into details, does anybody have a similar setup working with OPNsense and are there general things to check (like VLAN filtering being disabled etc)?

Thanks for hints.
#3
Hi,

I am running a Fujitsu S930 Futro Thin Client with an Intel Pro/1000VT (Dell P/N 0H092P) attached to the PCIe x4 port.
It's a quad-port card which is identified as an Intel 82576 card.

igb0@pci0:3:0:0: class=0x020000 rev=0x01 hdr=0x00 vendor=0x8086 device=0x10e8 subvendor=0x8086 subdevice=0xa02c
    vendor     = 'Intel Corporation'
    device     = '82576 Gigabit Network Connection'
    class      = network
    subclass   = ethernet
    bar   [10] = type Memory, range 32, base 0xfe420000, size 131072, enabled
    bar   [14] = type Memory, range 32, base 0xfe000000, size 4194304, enabled
    bar   [18] = type I/O Port, range 32, base 0xd020, size 32, enabled
    bar   [1c] = type Memory, range 32, base 0xfe444000, size 16384, enabled
    cap 01[40] = powerspec 3  supports D0 D3  current D0
    cap 05[50] = MSI supports 1 message, 64 bit, vector masks
    cap 11[70] = MSI-X supports 10 messages, enabled
                 Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
    cap 10[a0] = PCI-Express 2 endpoint max data 512(512) FLR NS
                 max read 512
                 link x4(x4) speed 2.5(2.5) ASPM L0s/L1(L0s/L1)
    ecap 0001[100] = AER 1 0 fatal 0 non-fatal 4 corrected
    ecap 0003[140] = Serial 1 001b21ffff555cc8
    ecap 000e[150] = ARI 1
    ecap 0010[160] = SR-IOV 1 IOV disabled, Memory Space disabled, ARI disabled
                     0 VFs configured out of 8 supported
                     First VF RID Offset 0x0180, VF RID Stride 0x0002
                     VF Device ID 0x10ca
                     Page Sizes: 4096 (enabled), 8192, 65536, 262144, 1048576, 4194304


The 4 ports are configured as a LAGG interface.

Once I put some load on one of the ports, the system reboots. In the logs there is nothing. I could not even catch something that would be shown on the screen.

Has anybody faced a similar issue and has a hint what I could do?

In the tunables I set
hw.pci.enable_aspm = 0
but it didn't change anything.

Thanks for hints what could solve my problem.
#4
Hi,

With 22.1 we have now this handy symbolic link "latest.log" pointing to the latest logfile.

I just realized though that this symlink is getting removed (and not re-created) when you reset your local log files.

Do others also face this issue or am I just too impatient that it would be re-created once there is the next log entry written?
#5
Hardware and Performance / 1x 10GBit or 4x 1GBit
January 22, 2022, 03:16:55 PM
Hi,

If you had the choice between
a) Intel Quad-Port card (each 1GBit), so 4x 1GBit, or
b) Mellanox 10GBit card, so 1x 10GBit

Which one would you choose to run either 2 VLANs per GBit port (option a)) or all 8 VLANs on one 10GBit port?

I can do simple math, 4x 1GBit is less than 1x 10GBit, but maybe there is something else about it I should consider?

Thanks for your help.
#6
German - Deutsch / Idea for securing an IP doorbell
January 16, 2022, 04:33:38 PM
Hello,
I am planning to deploy an IP doorbell and am currently thinking about the best possible way to secure it.

The doorbell is connected via Ethernet (PoE) and communicates through a switch with a separate door controller that hangs off the same switch.

The doorbell needs internet access, and clients from two different VLANs need access to it (intercom with video).

The list of devices with access is regulated by MAC address, which is not very strong protection. Now I am considering whether it makes sense to put the doorbell together with the controller into a separate VLAN. But I think I should also be able to achieve similar protection with individual IP rules.

Have you already implemented similar scenarios?

Possible risks (mainly):
1) Someone rips out the doorbell and connects their laptop. Then they should only be able to reach a small, rather unimportant part of the network. However, there would of course also be access to the door controller. Ideally, I can shut down the port as soon as I detect tampering.

2) Someone breaks into my LAN from outside and can control my front door lock via it. According to my planned protection, that could then only happen via the 5-10 iOS devices that serve as clients for the intercom and would have access to the controller.

Do you have ideas and tips for me?

Everything hangs on a Unifi L2/L3 switch, but could also be run on a managed Netgear (if necessary).

PS: Connecting via WiFi would also be possible, but I don't think that is a security gain just because there is no cable attached.
#7
Hi,

I have a fresh install on a demo system.

There were two gateways automatically created:
1) WAN_DHCP6
2) WAN_DHCP

I stopped WAN_DHCP6 and it's now in the status "pending".
If I now click on the bin to delete it, I am asked if I'm sure I want to delete it. If I confirm, the gateway turns active again.

Is this a known bug or intended behavior?

I know that you can change the interface configuration and set IPv6 to "none" and then delete it. But I would expect a hint "You need to disable..." and not re-activate the gateway.

Thanks!
#8
Hi,

I currently have an OPNsense instance running as my firewall and router for 3 VLANs.
My plan is to add 2 additional VLANs and replace the current Netgear switches with a Ubiquiti PoE L3 switch.

So I have a basic question which you can maybe help me to answer:

If all my VLANs are fully separated from each other, I might only benefit from faster inter-VLAN traffic.
Even if I permit access from VLAN 1 to VLAN 2 (e.g. trusted to IoT), all traffic will go through OPNsense for "evaluation" as the L3 switch is not doing "firewalling".

Is that correct?

I want to better understand which device in my LAN needs to have more power. Is it worth investing in the L3 switch or should I rather replace the OPNsense device (which needs to handle a 100 MBit connection and is doing fine)?

Thanks for your thoughts.
#9
Hi,

I have a 21.7 instance running as a test system.

My idea is to have all 4 LAN ports grouped as a LAGG interface and one separate WAN interface.
Now I have the problem that the lagg0 interface is not requesting an IP address, even though I set it up as DHCP. The WAN interface requests and assigns the IP via DHCP properly.

Is there something I forgot in the process?

Is it recommended to keep one interface for management only (out of the LAGG)?
#10
19.7 Legacy Series / dnscrypt-proxy behind unbound
September 06, 2019, 02:34:35 PM
Hi,
I tried setting up dnscrypt-proxy behind unbound. Sadly I can't get it to work.

1. I installed the dnscrypt-proxy package.
2. I disabled the OpenDNS service.
3. I started dnscrypt-proxy without any special configuration.
4. I added the following lines to the "Custom Options" field (often referred to as "Advanced Options", but "Advanced" doesn't have an "Options" field):

do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353


First Unbound said "duplicate forward-zone", so I switched off "Enable Forwarding Mode", which seems to be a conflict.

So basically I had dnscrypt-proxy running on port 5353, unbound on 53. Sadly it seemed unbound didn't forward the requests to dnscrypt-proxy. In the log of dnscrypt I only saw that the server list was downloaded successfully.

Any idea what I could do different or what I should check?
With my setup above it didn't resolve any names. I also did not succeed in providing a port number in the general settings for the DNS servers.

Would be great if you had a hint what I could do/check.

Thanks.
#11
Hi,
I updated to the latest OPNsense version, since then the DNS overrides in Unbound seem not to work anymore.

Before I could use "https://nas" in my browser and it pointed to the internal IP. Now Chrome says the hostname was not found.

I flushed the cache on my Mac, restarted OPNsense etc., but no use. The DNS on the client is the IP of my OPNsense.

Anybody else facing the same problem?

Thanks.
#12
Hi,

I am about to migrate from *sense to OPNsense and prepared a configuration in a VM to have as little downtime as possible. Afterwards I exported the configuration and wanted to import it with the opnsense-importer during startup of a live environment to test it.

First I put it on the OPNsense partition on the USB drive but I couldn't provide a path, only a drive name.
Secondly I put it with the original name on a second USB drive but it always said "No previous config found".
Thirdly I put it as "config.xml" on the second USB drive but it still said "No previous config found".

As I couldn't find anything in the documentation (the man page also doesn't mention how to do it), I had a look at the code...
The configuration file needs to be put in
    conf/config.xml
on the USB drive.

I would suggest adding

  • the option to provide a local path
  • the option to download from a remote path (e.g. website)
#13
Hello,
I would like to configure a blacklist for the Web Proxy. However, it should only apply to certain aliases/IPs in the network.

With pfSense this was possible via the SquidGuard package.

Is there also a way to do this with OPNsense?

Thanks!
#14
Hi,

I am busy migrating from pfSense and am wondering where to find the settings for the Traffic Shaper per interface.

In pfSense this lives under "Firewall/Traffic Shaper/By Interface". I can't find that in OPNsense.

Can anyone help me?

Thanks in advance!
#15
Hi,
I've been running pfSense for years and am quite familiar with it. Now I want to check if I should switch to OPNsense, therefore I need to read the documentation a little.

My problem is that the Wiki feels very confusing. Am I the only one having problems with it?

What I feel makes it difficult to read:

- I can't see if there are subpages to a chapter. When I click on it I can see the small "tree structure" icon. I would prefer to see directly if there is more behind this point.
- The structure doesn't feel straightforward. After initial installation I want to set up rules. I can't find a chapter "Firewalling". Maybe it's hidden in a sub-chapter, but as I am new to OPNsense, I feel "lost".
- What role does "HowTos" play? Is it part of the documentation or are these specific scenarios which are described in more detail?

I know you can use the search function, but if you are new and want to get a first overview and the principles behind it, I find it very difficult.

So my question to you: Am I using it wrong? Is there a better place to start?

Thanks for your feedback and help :)