Topics

1

19.1 Production Series / Getting Keys to various servers

« on: March 17, 2019, 12:06:55 pm »

Hi there,

What do people do to get keys that are generated in OpnSense to the relevant applications that require them?

I can obviously hit download put them somewhere then point the application in the right direction.  The problem is that then I need to do this every time the certificate requires renewing, which is a pain.  I thought there may be a well developed mechanism to do this, however I cannot find anything.

Can anyone point me in the right direction?

2

19.1 Production Series / NTOPNG will not start

« on: February 07, 2019, 11:44:02 am »

I had a problem with Redis and Ntopng.  They both stopped working.  Following links etc. within the forum I deleted the Redis DB and managed to get that working :-)  Now however NTOPNG refuses to start.

What I am not sure about is how does NTOPNG know where to find the Redis service and how does it know what the password for the service is?  Or is the password only relevant for direct access to redis?

3

18.7 Legacy Series / Best practice re: Opnsense and packages you are not using

« on: November 21, 2018, 05:43:09 pm »

I have a few options that come as standard with opnsense that I am not using, nor planning to use.

for example DynamicDNS, DNSMasq, OpenDNS etc.

Is best practice to leave these alone as they will get automatic updates and stuff ongoing?  Or is it to remove stuff that you are not using to release memory and drive space used?  The later is obviously easier.  Having unused software on my router though seems unnecessary and a potential route for malware if I'm not actually using it so don't notice issues.

What does everyone else do?

4

18.7 Legacy Series / My opnsense box will not use the default route

« on: November 19, 2018, 10:55:39 pm »

Sorry if I keep asking this.  As yet I've not had a reply that has helped.

I have to define a route for any server on the internet if I want to access it from the opnsense box itself.  This includes

    The opnsense update server
    The let's Encrypt servers
    The Cloudflare servers.

Why does the box itself not just follow the default route?  desk top Clients using opnsense to get to the internet can see the addresses and access them.   the opnsense box just cannot.


It feels like there is a setup issue which I am not understanding.  can somebody please help me?

5

18.7 Legacy Series / Default network rule for opnsense router

« on: November 14, 2018, 10:10:55 pm »

I have a problem to which I have a work around.

When working on the opnsense box itself I get no access to the internet unless I add a defined static network route.

The DNS servers I use (1.1.1.1 and 1.0.0.1) must have a route defined.  I had to define a route for opnsense to use to run the update and now I am seeing lack of connection from Let's encrypt so I have the same problem there.

The interesting thing is that from a computer connected to the LAN port of the opnsense box no such route needs to be defined.  You can navigate anywhere you wish.  An IP address I can ping on my PC, cannot be pinged using the  Interfaces->Diagnostics->ping tool.

If feels like something is wrong, possibly even an option I have or have not chosen by mistake.  The system is a basic one with one WAN and one LAN.  The WAN uses PPPoE through a huawei HG612, also a fairly common setup I believe.

Any help anyone can give would be gratefully received.

6

18.7 Legacy Series / Timeout while connecting to the selected mirror.

« on: November 09, 2018, 07:34:15 pm »

This is getting pretty frustrating.

I have had an issue with the above message for some time now.  The conclusion the last time I raised this was I needed to rebuild from scratch.

Today I did that (finally on my own!).  Once I did this I had it working fine and ran a check for updates.  Off it went and installed 18.7.7  Job done  :-), or so I thought.

Having succeeded in doing an update I decided that I would now install the plugins again.  Guess what I am back to where I was with the timeout.  The only clue I have is that the above message is in the logs every time I try and do an update.

configd.py: [41b52d75-3aa2-43c3-a09b-abc3703b319f] Script action failed with Command 'pkg rquery "%n|||%v|||%c|||%sh|||0|||%L"' returned non-zero exit status 74 at Traceback (most recent call last): File "/usr/local/opnsense/service/modules/processhandler.py", line 481, in execute stdout=output_stream, stderr=error_stream) File "/usr/local/lib/python2.7/subprocess.py", line 190, in check_call raise CalledProcessError(retcode, cmd) CalledProcessError: Command 'pkg rquery "%n|||%v|||%c|||%sh|||0|||%L"' returned non-zero exit status 74


This is really frustrating as now I have none of the plugins I want to use and no ability to load them.  None of the mirrors work and I will be back to being unable to get security updates.  Please can someone help?

7

18.7 Legacy Series / Since my Update stopped working I'm concerned about security

« on: November 09, 2018, 11:01:20 am »

So a couple of months ago my updates stopped working and it looks like something is wrong with the files.

How is the best way to go about completely starting from scratch?  I have tried booting from a USB key and I thought reinstalling it, however that does not seem to happen.  It just stays the same.

Clearly I am doing something wrong and I thought the best way was to ask for advice to see if I can make this work.  If I was doing this on a windows device I would have cleared out all partitions and started from scratch installing, however my familarity with this environment is low and I could not find a way to achieve this.

Please help.  This firewall has so much capability but is useless if I cannot keep it up to date.

8

18.7 Legacy Series / IPv4 address is being used by another interface or VIP

« on: October 12, 2018, 10:34:18 am »

In an attempt to fix the update issue I decided to turn off IPV6 as it appeared to be not working anyway.

When I tried to do this on the LAN I got the message in the subject.  I looked for a bit and then reasoned that I would need to change the router IP then change it back.  I changed it fine, when I came to change it back though I still get the message.

I unplugged my network from the router and plugged my workstation directly in (incase something on the network was causing the clash) alas issue is still there.

I've turned off all the plugins that I can and still I get the message.  The address will ping from the router however nothing else can see it at all.  It feels like this address is on the router.  How do I find out where it is so that I can get my router back on the address it should be on?

9

18.7 Legacy Series / How can I update my plugins manually

« on: October 12, 2018, 09:40:31 am »

Hi All,

As I can no longer update from the standard button in Firmware is there another way I can update and load plugins that I can use?

Many thanks.

10

18.7 Legacy Series / Wildcard SSL using Let's Encrypt and the ACME plugin

« on: October 09, 2018, 10:07:48 pm »

Hi There,

Has anyone managed to actually achieve this?  If so do you fancy sharing the steps you took to make it happen?

Many thanks.

11

18.7 Legacy Series / Timeout while connecting to the selected mirror

« on: October 07, 2018, 12:19:54 pm »

I loaded NTOPNG the other day to do traffic analysis.  What I didn't spot until I went in to configure it was I need to install Redis.  When I have tried to update the plugins to see this and install it I constantly get the above.  I have tried everything I can think of.  I have tried rebooting the router, several times and I have tried changing the mirrors.  To no avail.

Yesterday I read something about pinging opnsense.org.

If I do this from my router it pings 81.171.2.181 and gets 100% packet loss

If I do it from a workstation connected to the same router this pings fine 0% packet loss average 14ms

Is this the source of my issue with updating the plugins?  and if so what the heck have I done here?  Really wish the config on this could be source managed through GIT or something so I can unwrap ;-)

12

18.7 Legacy Series / Monitoring internet traffic types

« on: October 04, 2018, 02:40:43 pm »

One of my goals in starting a journey with OpnSense was to get an idea of the protocols travelling on my network.  I want to be able to monitor my network and to see what is being used and in what volume etc.  Some of my interest is in a lot of traffic showing that I really do not understand.

I am assuming Suricata is a route to this with appropriate rules loaded, though it does not seem to have a great set of reporting functions.  Could anyone point me in a direction that it would be logical to travel with this?  I appreciate it may not be possible, in which case how close can I get using the IPS system?

13

18.7 Legacy Series / https Not Secure - how can I use ACME and Let's Encrypt to change this?

« on: September 20, 2018, 06:26:19 pm »

This is a question I expected to find an easy answer to on the web or in FAQs.

With the default setup I can ask for opnsense to be HTTPS, which it does using a self generated certificate.  This leads to a Not Secure flag in Google.  Not too bothered about that as I understand the reason however it would be good to generate a certificate that changes this.


I want to make use of Let's encrypt so I thought that would be the logical place to get the certificate.  I added the ACME plugin to do this.  It appears though it is not as simple as all that ;-)  I cannot generate a certificate and I'm sure I really don't understand what I am doing :-(


I have my own domain hosted with a provider.  That also hosts my external DNS.  I am using unbound on my opnsense as my internal DNS using the same domain name.  Theory being from outside I can route in through the opnsense box.  From inside people can use the same URL and potentially be routed to a different server to the one they see externally.  At this point I have not tried to connect any other servers though.  When I am providing a domain name for the certificate I'm assuming it will be generated using the external IP Address, which will always be the same.  Am I right?  Or am I way off beam and none of this will work?  Is there an easy how to gety your router to sto saying "Not Secure" guide (without turning off https)?


Many thanks for your help.

14

18.7 Legacy Series / DNS packets are the only ones that seem to do anything

« on: September 15, 2018, 06:08:05 pm »

Having fought OpnSense for a bit I now seem to have achieved a connection to the internet.

My only issue right now is that only DNS queries seem to travel it!  Looking at the status page in routes I am struggling to understand what is there as it talks about Link#3 and Link#9 with no reference to what those are.  However as I can make NSlookup queries against 1.0.0.1 I am assuming that routing is actually working.

This means that something else is stopping me getting information too and from the internet.  I thought the basic setup of OpnSense would get things basically working.  Seems something might be missing though and again I need pointing in the right direction.

I have IPv4 "Any" rules defined by default in the LAN firewall rules as part of the setup and I thought that this would be all I needed firewall wise.  There are now Floating or Wan rules.  Similarly NAT is set to Autogenerate only so again I thought I would be okay.  Essentially I have done a factory reset, configured the local LAN on 192.168.0.x/24 and the WAN as PPPoE with my broadband password and that is it.  I have verified that all else is disabled so there should be nothing else interfering right now. I have disabled the resolver on UnBound and pointed my client directly at 1.0.0.1 to avoid local DNS issues as a challenge.

What am I missing?  I know someone is going to say something that makes me feel like a complete idiot.  Right now though I just cannot figure it out.

15

18.7 Legacy Series / New at this and Struggling with PPPoE routing

« on: September 09, 2018, 06:56:58 pm »

Hi All,

Numpty, newbie question necessitated as this is driving me made.  I'm trying to get my broadband working using a Opnsense firewall.  I am an IT professional and I have done a fair bit with networks before, just not with OpnSense and not with PPPoE and not for quite some time ;-)

Initially I connected it on a Networking level to my vodafone router.  This works fine, although the latency is noticable and there is the underlying double nating going on.  My vodafone router cannot be put in bridge mode, however in my loft I had a huawei HG612.

I configured a Vlan of 101 setup the Wan to use that and set up PPPoE with the passwords etc.  If I look in overview this link is up and working fine.  If I try to send packets from the Lan nothing happens.  Same happens if I try and use the ping tool on OpnSense to contact an external service. 

I appear to have connected to the vodafone broadband and yet I cannot pass packets so I am doing something wrong.  I've checked for a gateway etc.  I cannot find the IP address assigned to my broadband anywhere in OpnSense though so I think I may need to set something up here.

Anyone got time to give me some pointers on what I should be looking for?