OPNsense Forum
Topics - cclloyd

Pages: [1] 2
1
22.1 Legacy Series / Controller Timeout - Register Dump on startup
« on: March 25, 2022, 09:06:46 pm »
Attached is the screen after 2 iterations of the error.  That error repeats itself maybe 10 times (not sure how many).  But it does EVENTUALLY boot after like 5 minutes maybe. 

What is causing this?  I've searched for the same error and see a few people with similar issues but no resolution.

The computer this is running off of is a fitlet2 with the following specs:


Code:
fitlet2 - build-to-order
    CPU: Atom x7-E3950 [CE3950]
    RAM: 4 GB [D4] $34.80
    TPM: Not installed
    Storage:  M.2 SATA 32 GB [M32S]
    FACET-Card: FC-M2LAN 2x Gbit Ethernet [FLAN]
    Top cover: Standard top-cover
    Temperature range:  Commercial temperature range 0°C to 45°C
    DC input:  Standard DC input range 7V - 20V

It's worth noting again that OPNSense works, entirely, in this state.  But startup takes about 20x longer than it should because it keeps waiting for whatever that is.

OPNSense version on that is 22.1.

2
21.7 Legacy Series / Wireguard no LAN access
« on: September 13, 2021, 12:59:43 am »
Situation: I'm trying to create a site-to-site tunnel with a VM in the cloud.  Currently it can connect to OPNSense's wireguard and traffic can flow freely between OPNSense (10.0.0.1) and the VM (10.0.2.10).  But trying to access any other LAN IP from the VM will timeout, and vice versa.

So trying to ping 10.0.0.20 from the VM fails, and 10.0.0.20 can't ping the VM.

I assume the issue is somewhere with rules, but I can't find out where.  Can someone help me figure out why the VM can't connect to other devices on my LAN?

Attached are the rules I currently have applied.

Some network info:
- 10.0.0.0/16 is the LAN subnet
- 10.0.2.0/24 is the range of addresses I will assign to wireguard clients
- 10.0.0.1/16 is the OPNSense LAN address
- 10.0.2.10/16 is the intended VM address.
- wg_networks is an alias for 10.0.2.0/24
- WG0 is the interface I created for wireguard
- WireGuard interface is the hidden interface that the plugin creates.

3
21.7 Legacy Series / Unsure what addresses to put in for all points
« on: September 06, 2021, 07:19:09 am »
I'm working on setting up WireGuard to tunnel between cloud VMs and my local network.  I'm unsure however as to what exactly I'm supposed to put for some addresses.

OPNSense LAN address: 10.0.0.1/16
VM WAN address: X.X.X.X
VM desired LAN address: 10.0.1.42/16


Current VM wg0.conf

Code:
[Interface]
# set address to next address
Address = 10.0.1.42/16
ListenPort = 51820
PrivateKey = REDACTED
# I want it to use OPNSense for DNS to resolve internal names
DNS = 10.0.0.1

[Peer]
PublicKey = P9EmfDRcTCDxzjCDuXkPY8kBieWmx337zusMIqEUfTE=
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21


Attached is the OPNSense config.
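Both WireGuard posts above (the "no LAN access" one and this addressing one) come down to two routing rules: each peer only sends to and accepts from addresses inside that peer's AllowedIPs (cryptokey routing), and a LAN host delivers directly, via ARP, to any address inside its own interface prefix rather than handing it to the router. The script below is an added example, not part of the posts or of OPNsense; it checks a proposed layout against both rules using the addresses quoted in the posts (LAN 10.0.0.0/16, tunnel clients 10.0.2.0/24, OPNsense 10.0.0.1, VM 10.0.2.10). The OPNsense-side AllowedIPs entry for the VM peer is assumed to be 10.0.2.10/32, since that config was only attached, and the VM config text is a constructed copy of the quoted wg0.conf with the keys replaced by placeholders.

```python
"""Added example (not from the posts): sanity-check site-to-site WireGuard addressing.

Two routing facts decide whether LAN hosts behind OPNsense can talk to a remote
WireGuard peer:
  * cryptokey routing: a peer only sends to, and accepts from, addresses inside
    that peer's AllowedIPs, so each side must list what it expects to reach;
  * on-link rule: a LAN host sends directly (ARP) to any address inside its own
    interface prefix, never via the router; if the tunnel client range sits
    inside the LAN prefix, replies to tunnel peers never reach OPNsense.
Addresses are the ones quoted in the posts; the OPNsense-side AllowedIPs entry
is an assumption.
"""
from ipaddress import ip_address, ip_network


def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs network from a wg-quick style config (any number of [Peer] blocks)."""
    nets = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "AllowedIPs":
            nets.extend(ip_network(v.strip(), strict=False) for v in value.split(","))
    return nets


def covers(target, allowed_ips):
    """True if a single AllowedIPs entry contains all of target (an address or a network)."""
    if not hasattr(target, "network_address"):          # plain address -> host route
        target = ip_network(f"{target}/{target.max_prefixlen}")
    return any(target.subnet_of(net) for net in allowed_ips if net.version == target.version)


def tunnel_findings(lan_prefix, client_range, local_tunnel_addr, remote_tunnel_addr,
                    local_allowed, remote_allowed):
    """Return a list of addressing problems; an empty list means the layout is routable."""
    findings = []
    if not covers(lan_prefix, remote_allowed):
        findings.append(f"remote peer: AllowedIPs does not cover LAN prefix {lan_prefix}")
    if not covers(local_tunnel_addr, remote_allowed):
        findings.append(f"remote peer: AllowedIPs does not cover local tunnel address {local_tunnel_addr}")
    if not covers(remote_tunnel_addr, local_allowed):
        findings.append(f"local peer entry: AllowedIPs does not cover remote tunnel address {remote_tunnel_addr}")
    if client_range.overlaps(lan_prefix):
        findings.append(
            f"tunnel client range {client_range} overlaps on-link LAN prefix {lan_prefix}: "
            "LAN hosts will ARP for tunnel addresses instead of routing them to OPNsense")
    return findings


# Constructed VM-side config, modelled on the quoted wg0.conf (keys are placeholders).
VM_CONF = """\
[Interface]
Address = 10.0.2.10/24
ListenPort = 51820
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_OPNSENSE_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/16
PersistentKeepalive = 21
"""


def check_posted_layout():
    """LAN 10.0.0.0/16 with tunnel clients in 10.0.2.0/24, as described in the posts."""
    return tunnel_findings(
        lan_prefix=ip_network("10.0.0.0/16"),
        client_range=ip_network("10.0.2.0/24"),
        local_tunnel_addr=ip_address("10.0.0.1"),
        remote_tunnel_addr=ip_address("10.0.2.10"),
        local_allowed=[ip_network("10.0.2.10/32")],   # assumed OPNsense-side entry for the VM peer
        remote_allowed=parse_allowed_ips(VM_CONF),
    )


def check_disjoint_layout():
    """Same tunnel, but with the LAN narrowed to 10.0.0.0/24 so the client range is off-link."""
    return tunnel_findings(
        lan_prefix=ip_network("10.0.0.0/24"),
        client_range=ip_network("10.0.2.0/24"),
        local_tunnel_addr=ip_address("10.0.0.1"),
        remote_tunnel_addr=ip_address("10.0.2.10"),
        local_allowed=[ip_network("10.0.2.10/32")],
        remote_allowed=[ip_network("10.0.0.0/24"), ip_network("10.0.2.0/24")],
    )


if __name__ == "__main__":
    for name, fn in (("posted layout", check_posted_layout), ("disjoint layout", check_disjoint_layout)):
        findings = fn()
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as a script it reports one finding for the posted layout (the /24 client range lies inside the /16 LAN, so a LAN host such as 10.0.0.20 treats 10.0.2.10 as on-link and never sends its replies to the router) and none for the variant where the two ranges are disjoint; the check is generic and accepts any number of AllowedIPs entries per side.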

4
21.1 Legacy Series / FreeIPA behind HAProxy changing URL
« on: July 22, 2021, 11:00:33 pm »
I have 2 FreeIPA servers set up in HA configuration.  I want to be able to go to https://ipa.example.com and view the web UI.

Problem is however, when I do said thing, it rewrites the URL to https://ipa1.example.com/ipa/ui/

How can I prevent this so that it continues to use ipa.example.com?

5
20.7 Legacy Series / Prevent Host Rewrite with HAProxy
« on: December 14, 2020, 03:52:47 am »
I have a FreeIPA server setup to manage lan.example.com.  I want to be able to access the web UI on ipa.example.com with ACME certs, so I set up HAProxy to do so.

Real server: ipa1 ipa-server1.lan.example.com:443

Backend: ipa1

Frontend: listen ipa.example.com:443

And it works... somewhat.  It does properly redirect to the backend.  But it seems to be getting rewritten to the lan.example.com host.

Ex, when I visit it, the URL changes from ipa.example.com to ipa-server1.lan.example.com/ipa/ui/.

How can I prevent that host rewrite so that it stays as ipa.example.com?  When it redirects it also prevents using the proper SSL certificate because it's connecting directly to the backend now.

6
19.7 Legacy Series / Configure BGP for Kubernetes
« on: October 13, 2019, 06:32:46 am »
I'm planning on using metallb with bgp configuration for a kubernetes 3 node cluster on my home network.  I plan to use BGP instead of layer2 because I frequently get timeout errors with layer2.  I am currently uncertain if this is due to OPNSense or MetalLB. 

I figured that if I configure BGP, then the timeout issues will go away.  However, I can't find any information on how to configure BGP in OPNSense. 

How would I configure BGP to allow for allocation of IP addresses between 10.0.15.0-10.0.15.255?

7
19.7 Legacy Series / Unbound wildcard entry
« on: August 25, 2019, 03:52:58 am »
Am I able to add wildcard overrides to unbound? 

Say, if an override doesn't exist for SOMETHING.example.com, it will default to the override for *.example.com.

Or if it doesn't find any match, but ends in example.com, have it forward to that IP.

8
19.1 Legacy Series / No User Import Option when setting LDAP server
« on: May 07, 2019, 07:18:29 am »
I'm trying to add LDAP auth to my OPNSense installation.  I got the server set up and can confirm it works with the tester by entering a valid username/password.  I'm using FreeIPA as the LDAP server. 

But I don't see any import icon when I go to System > Access > Users. 

Details for System > Access > Servers > FreeIPA server:
Hostname: ipa.example.com
Port: 389
Peer CA: OPNSense
Bind Credentials: (blank)
Base DN: dc=example,dc=com
Authentication containers: cn=users,cn=compat,dc=example,dc=com
User naming attribute: uid


Am I doing something wrong?

9
19.1 Legacy Series / Outside Traffic Redirecting to OPNSense instead of HAProxy
« on: March 22, 2019, 12:52:18 am »
I have a bunch of subdomains (ex1.example.com, ex2.example.com, ...) pointing to my OPNSense router (10.0.0.1).  I also have HAProxy to proxy requests on 443 to their respective backends.

I don't recall changing anything, but now, they won't work from the outside.  Only if the DNS resolves to 10.0.0.1, and not my WAN ip, will it proxy the traffic correctly to their backends.  If you try from WAN, it gives the warning about DNS rebind attack.

How can I prevent this behavior and make it proxy correctly?

10
18.7 Legacy Series / radvd file location?
« on: January 18, 2019, 10:52:08 am »
Is there a file that contains the contents of the output of the command `radvdump`?  I need to enable radvd on my dd-wrt wireless router to be able to get an ipv6 address and it would work best if I can just copy its radvd to the radvd location on dd-wrt.

11
18.7 Legacy Series / WAN Interface not obtaining IPv6 prefix.
« on: January 14, 2019, 11:18:12 am »
I have my WAN configured to use DHCPv6 to request only a /64 prefix, and have DHCPv6 server configured to dish out addresses with the entire /64 subnet.

But when I try to renew the DHCP lease for the WAN to actually obtain a prefix, it doesn't seem to grab one. 

Running dhcp6c manually to see what happens yields the following: (em0 is WAN interface, em1 is LAN)

Code:
root@opnsense:/var/etc # dhcp6c -Df em0
Jan/14/2019 05:14:39: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:23:cf:17:58:1c:c1:de:06:d7:70
Jan/14/2019 05:14:39: cfparse: fopen(/usr/local/etc/dhcp6c.conf): No such file or directory
Jan/14/2019 05:14:39: reset a timer on em0, state=INIT, timeo=0, retrans=891
Jan/14/2019 05:14:39: Sending Solicit
Jan/14/2019 05:14:39: a new XID (c0b30) is generated
Jan/14/2019 05:14:39: set client ID (len 14)
Jan/14/2019 05:14:39: set elapsed time (len 2)
Jan/14/2019 05:14:39: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:39: reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Jan/14/2019 05:14:41: Sending Solicit
Jan/14/2019 05:14:41: set client ID (len 14)
Jan/14/2019 05:14:41: set elapsed time (len 2)
Jan/14/2019 05:14:41: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:41: reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Jan/14/2019 05:14:43: Sending Solicit
Jan/14/2019 05:14:43: set client ID (len 14)
Jan/14/2019 05:14:43: set elapsed time (len 2)
Jan/14/2019 05:14:43: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:43: reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982
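The run quoted above shows Solicit after Solicit with a growing retransmit timer and nothing coming back, which reads differently from a server that answers but declines the prefix. The parser below is an added example, not from the post or from OPNsense; it classifies a dhcp6c -Df log into "no server answered", "server answered", or "no Solicit sent", collects the retransmit back-off values, and flags the missing config file separately (a client that loaded no config has nothing telling it to request a prefix). The sample log is a constructed copy of the quoted lines with the DUID line dropped; the "receive advertise"/"receive reply" line format used to detect answers is an assumption, since no such line appears in the quoted run.

```python
"""Added example (not from the post): classify a dhcp6c -Df debug log."""
import re

LINE_RE = re.compile(r"^(?P<ts>\S+ \d\d:\d\d:\d\d): (?P<msg>.*)$")
TIMER_RE = re.compile(r"state=(?P<state>\w+), timeo=(?P<timeo>\d+), retrans=(?P<retrans>\d+)")
RECV_RE = re.compile(r"receive (advertise|reply)", re.IGNORECASE)   # assumed answer-line format

# Constructed sample, trimmed from the dhcp6c output quoted above (DUID line dropped).
SAMPLE_LOG = """\
Jan/14/2019 05:14:39: cfparse: fopen(/usr/local/etc/dhcp6c.conf): No such file or directory
Jan/14/2019 05:14:39: reset a timer on em0, state=INIT, timeo=0, retrans=891
Jan/14/2019 05:14:39: Sending Solicit
Jan/14/2019 05:14:39: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:39: reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Jan/14/2019 05:14:41: Sending Solicit
Jan/14/2019 05:14:41: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:41: reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Jan/14/2019 05:14:43: Sending Solicit
Jan/14/2019 05:14:43: send solicit to ff02::1:2%em0
Jan/14/2019 05:14:43: reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982
"""


def analyze_dhcp6c_log(text):
    """Summarise one dhcp6c debug run into counters plus a one-line verdict."""
    r = {"solicits_sent": 0, "responses_received": 0, "config_missing": False,
         "last_state": None, "retrans_ms": [], "verdict": ""}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # shell prompt or other non-log line
        msg = m.group("msg")
        if msg.startswith("Sending Solicit"):
            r["solicits_sent"] += 1
        elif RECV_RE.search(msg):
            r["responses_received"] += 1
        elif "cfparse: fopen(" in msg and "No such file" in msg:
            r["config_missing"] = True
        t = TIMER_RE.search(msg)
        if t:
            r["last_state"] = t.group("state")
            r["retrans_ms"].append(int(t.group("retrans")))

    if r["responses_received"]:
        r["verdict"] = f"server answered: {r['responses_received']} advertise/reply message(s) seen"
    elif r["solicits_sent"] == 0:
        r["verdict"] = "client never sent a Solicit (check interface and config)"
    else:
        backoff = (f"{r['retrans_ms'][0]} -> {r['retrans_ms'][-1]} ms"
                   if r["retrans_ms"] else "n/a")
        r["verdict"] = (f"no DHCPv6 server answered {r['solicits_sent']} Solicit(s); "
                        f"retransmit timer backed off {backoff}")
    return r


if __name__ == "__main__":
    summary = analyze_dhcp6c_log(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample it counts three Solicits, zero answers, a retransmit timer growing from 891 to 3982 ms and the missing config file; appending a single "receive advertise" line flips the verdict to "server answered", which is the distinction worth making before touching firewall rules or the upstream.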

12
18.7 Legacy Series / IPv6 addresses not accessible over internet.
« on: January 02, 2019, 11:16:53 am »
I have an experimental gitlab server accessible only on IPv6 (I set the listen address to "[::]")

I can access it over IPv6 fine, but only on my home network.  If I try to access it over the internet (say from my phone over LTE [confirmed LTE had ipv6 by going to ipv6.google.com]), the connection times out. 

My WAN interface is using DHCPv6, and the server is confirmed to have IPv6 connectivity.

Why can't I access it using ipv6 over internet?

13
19.1 Legacy Series / Adding LDAP Users?
« on: December 31, 2018, 01:57:00 am »
I was following the docs on how to add LDAP auth to OPNSense.  I added an LDAP server and using the tester, I authenticated against it successfully.

But how do I go about adding an LDAP user to opnsense?  I tried going to System -> Access -> Users but I don't see a cloud import icon anywhere.

14
18.7 Legacy Series / Use Extra NIC for VLAN support.
« on: December 30, 2018, 12:01:22 pm »
I have 2 NICs in the server I use with OPNSense (2 port/4 port).  Currently, the 2 port has my WAN interface and LAN interface (plugged into an unmanaged switch).

Because the switch is unmanaged, it doesn't support VLAN tagging, so when the wireless router tries to use a VLAN it gets stripped away.

But can I use the 4 ports on the other NIC as extra LAN ports, so say any traffic coming from bce0 is assigned to a certain VLAN, that way I can just plug the wireless router directly into that.

15
18.7 Legacy Series / IKEv2/Wireguard Client
« on: December 12, 2018, 01:12:24 am »
I have Algo set up a VPN on a VPS instance that I use for a VPN most of the time.   It only supports IKEv2 and Wireguard.

Currently there's some issues on Xbox that only affect the Northeast, but tunnelling with a VPN (not located in northeast US) fixes the issue. 

Can I configure OPNSense to tunnel all traffic (possibly only for 1 client) through a VPN tunnel?

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved