Topics

1

Hardware and Performance / monitor transceiver temps?

« on: November 28, 2024, 05:58:50 am »

Is there a way to monitor transceiver temps with SNMP? It doesn't look like there is anything there without modifying the SNMP config files manually.

If there isn't I'll request it as a feature?

2

24.7 Production Series / Multi-WAN with transit network, servers and LAN

« on: November 26, 2024, 02:58:47 am »

Hello! I have two different WAN connections:

Primary WAN: Connected via a /30 transit network to a /29 network, similar to Comcast EDI. One IP from the /29 is assigned to an OPT interface on the main OPNsense router. Other routers behind this interface use that IP as their default gateway.

Backup WAN: Provides a DHCP-assigned public IP.

Goal:

LAN Traffic: I need the LAN connection behind these two WAN connections to be as bulletproof as possible. During work hours, I can't afford any latency or packet loss. Therefore, I want the LAN to fail over to the backup WAN immediately when there's any issue with the primary WAN.

OPT Interface Traffic: I want the public IPs in the /29 network (used by the OPT interface) to stay up as much as possible, even if there's some latency or packet loss on the primary connection. Essentially, I prefer that the gateways remain marked as up for the OPT interface, even when the primary WAN has minor issues.

Issue:

When I experience packet loss or latency on the primary network and OPNsense switches to the backup WAN for failover, the routers using the OPT interface's IP lose their connection completely until the primary WAN recovers. I believe this happens because OPNsense tries to route the /29 network traffic through the backup WAN, which doesn't support it.

Question:

Is there a way to configure OPNsense so that:

LAN Traffic: Fails over to the backup WAN when there's latency or packet loss on the primary WAN.

OPT Interface Traffic: Continues to use the primary WAN (via the /30 transit network) exclusively, regardless of the gateway's status, unless the primary WAN is completely down.

Current Configuration:

I've set up the EDI-like network similar to this guide: https://meh.roach.xxx/2024/04/26/comcast-edi-with-opnsense-route-public-ips-through-opnsense/

Summary:

I need the LAN to fail over to the backup WAN immediately during any latency or packet loss on the primary WAN to maintain reliable connectivity for work-related applications (like Zoom and VPNs).

I want the OPT interface (and the public IPs in the /29 network) to continue using the primary WAN even during minor issues, to maintain services that rely on those public IPs.

I'm looking for the best way to configure OPNsense to accommodate these requirements without adding another physical router.

Any advice or guidance would be greatly appreciated!

3

23.7 Legacy Series / Multi WAN and local services

« on: October 04, 2023, 08:10:41 pm »

Hello,

I've been using BIND and unbound as well as running SNMP, NTP and a few other services on my install. Recently I added a backup Internet connection and followed the "Multi WAN" instructions in the OPNsense documentation. Step 5 explains that i need to add a rule for DNS to work. After this I noticed several other services weren't working and ended up creating a bunch of new rules in order to get them working again. This seems somehow wrong to me even though it works. What I ended up with looks like the attached.

Is there something else I should have done instead?

4

23.1 Legacy Series / Automatic Firmware Update Cron not running/one-time automated update

« on: July 25, 2023, 06:07:26 pm »

Hello,

I am trying to have an OPNsense automatically reboot to install new firmware during off-hours. I don't want it to try and reboot every day or even every week. Just fire once and I'll disable the cron job after that. If there is a better way to do this I would be interested.

I'm not sure where to start troubleshooting this, pointers would be greatly appreciated. I'm not sure what logs to check and I don't see where the job would be running in the regular filesystem (/etc/cron.d, /etc/crontab). Freebsd  doesn't seem into run-parts.

I found a previous post where someone brought this up and franco mentioned clicking the "Apply" button. I PROMISE I did that. He also said something about rebooting first? Do I need to reboot to enable this cron? That wouldn't help a lot for what I'm trying to do.

TIA for your help.

5

General Discussion / DNS Filtering for kids

« on: April 15, 2023, 09:11:33 pm »

Hi all,

Wanted to see if anyone had any great opinions on this. I am replacing my legacy FW with a new machine to support 10Gb (w00t fiber!)

In the previous machine I use NAT rules to send all DNS traffic back to the FW itself. I have a /24 that I created a FW alias of a number of IPs that I called "trusted." All other IPs in the DHCP range and are "untrusted." The "untrusted" IPs go to a port that runs BIND with safe-search and a few other blackholes enabled. The "trusted" IPs go right to 53 where unbound is running and tunneling DoT to supported, external servers.

All of this was a little complicated, but ended up working great. Any new machine the kids pop up automatically is safe and I add static-mapped IPs for any devices that need unfettered Internet access. I mainly did this because of the limitations of BIND and Unbound at the time. I know there are a lot of new changes, but I never updated the old configuration.

What I want is to have some devices pushed through safe searches and other filters for a bit longer and others with unfettered access. Any thoughts on new ways to do this? What are you using?

Thanks so much.

6

22.1 Legacy Series / mDNS Repeater not working after multi-WAN

« on: May 11, 2022, 01:09:43 am »

I setup multi-WAN recently with the Comcrap LTE modem and mDNS repeater stopped working.

I have 2 interfaces; one trusted and one guest. Trusted has 10.18.1.0/24 and Guest has 172.18.1.0/24 on it. I have a rule to pass traffic from a handful of 172.18.1.0/24 IPs to a handful of 10.18.1.0/24 IPs. ICMP/Telnet/HTTP/etc. all work. I ran mdns-repeater in a screen on the router so I could watch with debug enabled. I see essentially nothing:

Code: [Select]

# /usr/local/bin/mdns-repeater -p /var/run/mdns-repeater.pid -f em0 em2
mdns-repeater: dev em0 addr 10.19.76.1 mask 255.255.255.0 net 10.18.1.0
mdns-repeater: dev em2 addr 172.19.76.1 mask 255.255.255.0 net 172.18.1.0
From both wired and wireless clients I can see mDNS/Bonjour devices without issue given I am on that particular network.

I assume this has something to do with multi-WAN, but I'm at a bit of a loss as to where to start.

Thanks in advance for any ideas.

7

General Discussion / Comcast LTE modem remote access

« on: February 11, 2022, 06:05:30 am »

Wasn't sure where to set this up, but I was wondering if anyone else has a OPNsense box connected to a Comcast LTE modem (Connection Pro) for failover. If so, have you figured out a remote access solution via the NAT that the Comcast box is providing? I was thinking something like Tailscale/headscale. Thoughts?

TIA!

8

Virtual private networks / 2xOPNsense and static routing

« on: December 03, 2021, 08:49:42 pm »

Hello,

I have a machine with several VMs and I am using OPNsense to control their access to the outside world. I also have a regular OPNsense server that has a VPN server on it. What I am trying to do is get access to the VM's internal IPs (10.2.0.2 for instance) via the VPN, but the default route for the servers is the OPNsense VM (172.16.1.1) so packets coming from the 10.1.0.0/24 get in, but the return goes through the OPNsense VM. I set a static route on the OPNsense VM to route 10.1.0.0/24 via 10.2.0.1 (it has an interface that can talk to this server), but I get denied at "Default deny rule". I've set various Firewall rules and I can get ping to work, but no other packets. They all hit the same "Default deny rule". I've tried the "Bypass firewall rules for traffic on the same interface" thing, but that doesn't help.

What am I missing?

Thanks!

9

20.7 Legacy Series / firewall log shows blocked, Sensei shows passed

« on: August 25, 2020, 12:09:35 am »

Hi all,

I have a LAN rule that blocks one host from accessing an alias full of hostnames (pic attached.) The firewall log shows it is blocked using that rule, but the host gets out and Sensei can see its requests. What am I doing wrong here?

10

General Discussion / block entire domain

« on: June 16, 2020, 05:02:23 am »

I want to block fwmrm.net (ads), but there FQDN for a bunch of different servers. Is there a way to block everything going to that domain? Thanks!

11

General Discussion / Find entry in DNSBL?

« on: March 26, 2020, 02:51:07 am »

Hello,I recently broke my Nest Protects and I have tracked down the issue to the DNSBLs that I have setup. I see a bunch of lookups to czfe65.front01.iad01.production.nest.com for instance being blocked. I do I find which list is causing this? Love to turn that one off if possible. I know I can whitelist, but I would prefer to find the offending list.

Thanks so much!

12

General Discussion / Serial Console via SOL

« on: March 23, 2019, 01:44:17 am »

I'm trying to set up the serial console to dump out to the SOL interface so I can access it via IPMI. How do I specify which serial port to use in the OPNsense interface? So far I can get the bootloader and kernel messages, but then everything goes away on the serial connection. I have a SMC X9SCi-LN4F... Thanks in advance for any tips!

13

General Discussion / BIND/Unbound/DoT leakage

« on: March 08, 2019, 03:02:42 am »

Hello,

I set up Unbound recently to encrypt my DNS requests to 1.1.1.1 and 9.9.9.10. I then setup a NAT rule to push any port 53 request back to localhost for Unbound to grab and encrypt. This works as expected.

The next part is to set the kids' devices to use BIND so that I can use some of the DNSBLs there as well as force safe-search for Google, Bing, etc. I'm doing this with another NAT rule which works great. What I want is for BIND to forward requests to Unbound so that the non-blacklisted requests are encrypted. I guess I don't understand the "DNS Forwarders" field? Right now BIND is just hitting the Internet itself to look these up even though I have 127.0.0.1 in the "DNS Forwarders" field. I see them via tcpdump.

Is there any way to get this done?

Thanks so much!

14

18.7 Legacy Series / enable PAE

« on: February 12, 2019, 04:12:32 am »

Not sure if this is possible. I assume I would need to recompile the kernel completely, but I have a Sossaman machine with 8GB of RAM, but only 4 shows up. I assume I need to enable PAE to get that to work.