Topics - flushell

1
24.7 Production Series / Port Forward to 127.0.0.1 works, but not to ::1 [+ workaround]
« on: August 24, 2024, 07:59:08 pm »
I wanted a PF rule so all DNS / NTP traffic on my network not going to my OPNsense would be redirected to localhost (the OPNsense box itself) in order to transparently redirect this traffic. I have a dual stack (IPv4/IPv6) setup.

Easy enough for IPv4, for example DNS, but same for NTP (but different ports and only UDP).
I have allow rules for DNS / NTP under Firewall-Rules-WhateverInterface

NAT Port Forward:

  • Interface: Interfaces I want
  • TCP/IP: IPv4
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: 127.0.0.1
  • Redirect target Port: DNS

Works perfectly for IPv4.

For IPv6 however, I would expect that the only things I have to change are:
The 2nd one: TCP/IP: IPv6
The 7th one: Redirect target IP: Single host or Network: ::1

I found out this is not working. Unbound and Chrony, which I use for DNS/NTP, apparently bind on 127.0.0.1, but not on the IPv6 counterpart ::1.


I already found a workaround after too many hours of research and trying:

  • Under Interfaces-Virtual IP's make a virtual IPv6 ULA on the Loopback interface, for example fd08::1/128.
  • Restart Unbound and Chrony (they now bind to fd08::1/128).
  • Make a NAT Port Forward rule:

  • Interface: Interfaces I want
  • TCP/IP: IPv6
  • Protocol: TCP/UDP
  • Destination / Invert: selected
  • Destination: Alias of my OpnSense box
  • Destination Port Range: DNS-DNS
  • Redirect target IP: Single host or Network: fd08::1/128
  • Redirect target Port: DNS

To make things easier you could also make an alias under Firewall-Aliases to fd08::1/128 or whatever ULA you choose.

All set and done. Posted this for the benefit of the earth but also: I can't handle that I don't understand why it doesn't work with ::1? Or did I accidentally find a bug (probably not)? Maybe someone here could explain that, so I can sleep and give my brain some rest.

Thanks and cheers!
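Before pointing a port forward at a loopback address, it helps to confirm the daemon actually listens there. The following is an added example, not part of the original post: it parses `sockstat -46l`-style output (the sample below is constructed) and reports whether the 127.0.0.1, ::1 and fd08::1 redirect targets have a listener.

```python
# Added example: check whether a listener exists on the intended redirect target.
# SAMPLE_SOCKSTAT is constructed to mimic FreeBSD `sockstat -46l` output; on a
# live OPNsense box you would pass the real command output to listens_on().
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  3  udp4   127.0.0.1:53          *:*
unbound  unbound    1234  4  tcp4   127.0.0.1:53          *:*
unbound  unbound    1234  5  udp6   fd08::1:53            *:*
unbound  unbound    1234  6  tcp6   fd08::1:53            *:*
_chrony  chronyd    2345  2  udp4   127.0.0.1:123         *:*
"""


def parse_sockstat(text):
    """Yield (proto, local_addr, local_port) for every socket line after the header."""
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, local = cols[4], cols[5]
        # IPv6 literals contain ':' themselves, so split on the last one only.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        yield proto, addr, int(port)


def listens_on(text, target, port):
    """True if a socket is bound to target:port, or to the wildcard of the same family."""
    family = "6" if ":" in target else "4"
    for proto, addr, p in parse_sockstat(text):
        if p != port or not proto.endswith(family):
            continue
        if addr == target or addr == "*":
            return True
    return False


def redirect_targets_status(text, port, targets=("127.0.0.1", "::1", "fd08::1")):
    """Map each candidate redirect target to whether something listens on it."""
    return {t: listens_on(text, t, port) for t in targets}


if __name__ == "__main__":
    for port in (53, 123):
        print(port, redirect_targets_status(SAMPLE_SOCKSTAT, port))
```

With the sample above, 53 is served on 127.0.0.1 and fd08::1 but not on ::1, which is exactly the situation that makes the ::1 port forward fail.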

2
24.1 Legacy Series / Where to view IPv6 prefix assignment
« on: February 17, 2024, 12:09:32 pm »
Just updated to 24.1.1 and I spent the last 30 minutes looking for my IPv6 prefix assignment view. I could usually view it in Interfaces-Overview-WAN, but I can't seem to find it now. I expanded it and looked at the details... Where is it?

Edit: This issue is already discussed here.

3
23.7 Legacy Series / EOL OpenSSL 1.1.1 Sept 11 2023
« on: September 12, 2023, 08:48:36 pm »
OpenSSL has ended support for version 1.1.1 on Sept 11 2023. OPNsense is on 1.1.1 and I think it's because FreeBSD stable is still stuck on 1.1.1. There are packages in ports for OpenSSL 3+ though...

There have been people warning about this for some time now. When is the switch to 3.0 or 3.1 planned? Is it possible OPNSense goes ahead with it before FreeBSD does, or is that too complex? Couldn't find info on this subject, except that FreeBSD is planning it for 14.x somewhere in 2026! Shouldn't it be quite soon, because official support for 1.1.1 upstream has now come to an end?

4
22.7 Legacy Series / [Solved]PHP error on mongodb after installation to 22.7
« on: July 31, 2022, 02:51:49 pm »
I had several PHP errors after installation of 22.7 (problem detected in GUI). One of them displayed here:

Code:
PHP Errors:
[31-Jul-2022 12:38:35 UTC] PHP Warning:  PHP Startup: Unable to load dynamic library 'mongodb.so' (tried: /usr/local/lib/php/20200930/mongodb.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so"), /usr/local/lib/php/20200930/mongodb.so.so (Cannot open "/usr/local/lib/php/20200930/mongodb.so.so")) in Unknown on line 0

Turns out it was a leftover from Sensei (probably) I had once installed.
Logging in via SSH and doing a

Code:
pkg remove php74-pecl-mongodb

solved it. Thanks to the German forums.
Posting for reference.

5
General Discussion / Firewall Rules: Use "Foo.net" in source or "any"
« on: March 25, 2022, 10:19:55 am »
This bugged me for a long time and I cannot find a clear answer. Suppose I want a rule to give all devices on one VLAN access to one device on another VLAN - all ports, IPv4. You can make a rule like this:

  • Action: Pass
  • Interface: VLAN10
  • Protocol: IPv4
  • Source: any
  • Source Port: any
  • Destination: 192.168.20.10
  • Destination Port: any
  • Description: Allow VLAN 10 access to device

But in many tutorials I see this:

  • Action: Pass
  • Interface: VLAN10
  • Protocol: IPv4
  • Source: VLAN10_net
  • Source Port: any
  • Destination: 192.168.20.10
  • Destination Port: any
  • Description: Allow VLAN 10 access to device

It seems to me that both rules do exactly the same and that you could go for the first one. Why should you put VLAN10_net in there with the Source? The rule already applies to Interface VLAN10 only right?
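An added illustration (not from the post) of what the source field changes: the interface selects where a packet arrives, while the source network additionally restricts which addresses are accepted there, so a packet entering VLAN10 with a source outside the subnet (routed in through a downstream router, or spoofed) is treated differently by the two rules. VLAN10's subnet is not given in the post, so 10.0.10.0/24 is assumed.

```python
import ipaddress

# Added example with constructed addresses; 10.0.10.0/24 is an assumed VLAN10 subnet.
VLAN10_NET = ipaddress.ip_network("10.0.10.0/24")
DEVICE = ipaddress.ip_address("192.168.20.10")


def make_rule(source):
    """Minimal pass rule on VLAN10 to the device; source is "any" or an ip_network."""
    return {"action": "pass", "interface": "VLAN10", "source": source, "destination": DEVICE}


RULE_SOURCE_ANY = make_rule("any")
RULE_SOURCE_NET = make_rule(VLAN10_NET)


def rule_matches(rule, in_iface, src, dst):
    """Does one rule match a packet entering in_iface from src to dst?"""
    if in_iface != rule["interface"] or dst != rule["destination"]:
        return False
    if rule["source"] == "any":
        return True
    return src in rule["source"]


def decide(rules, in_iface, src, dst):
    """First matching rule wins (OPNsense rules are 'quick' by default); no match means block."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, in_iface, src, dst):
            return rule["action"]
    return "block"


if __name__ == "__main__":
    # A host on VLAN10 itself, and a packet that enters VLAN10 with a source
    # outside the subnet (routed in through a downstream router, or spoofed).
    for src in ("10.0.10.25", "172.16.5.9"):
        print(src,
              "any:", decide([RULE_SOURCE_ANY], "VLAN10", src, "192.168.20.10"),
              "net:", decide([RULE_SOURCE_NET], "VLAN10", src, "192.168.20.10"))
```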

6
20.7 Legacy Series / Local DNS not in /etc/resolv.conf with Unbound after reboot
« on: January 17, 2021, 05:59:56 pm »
  • OPNSense is 10.0.0.1
  • I have PiHole IP in Settings-System-General-DNS Server: 10.0.4.2
  • OPNSense is DHCP server
  • I have Unbound on the OPNSense box for local resolution of DHCP handed out IP's. Forwarding Mode OFF.
    Deselected: Do not use the local DNS service as a nameserver for this system in Settings-System-General, so OPNSense asks local DNS first for Aliases and so on.
  • PiHole asks Unbound for local hostnames via Conditional Forwarding and talks to external DNS for all the other stuff

This works like a charm. I never see the OPNSense box in my PiHole logs asking for local hostnames.

However I had to reboot OPNSense and now I see OPNSense asking for local hostnames every 10 minutes in the PiHole log. Not a big problem, because PiHole simply asks Unbound and it is resolved via a small detour. But it is not the expected behaviour.

I checked /etc/resolv.conf and noticed only the PiHole IP is there. That is the explanation of this behaviour.

When I click Save once in Settings-System-General OPNSense, the issue is resolved and I can see that now both 127.0.0.1 and my PiHole IP are in /etc/resolv.conf.

This could be a bug, I think that after a reboot /etc/resolv.conf should contain 127.0.0.1 as DNS server (besides the one mentioned in Settings-System-General-DNS Server) when Do not use the local DNS service as a nameserver for this system is deselected.

Or am I wrong?

OPNsense 20.7.7_1-amd64
FreeBSD 12.1-RELEASE-p11-HBSD
OpenSSL 1.1.1i 8 Dec 2020

7
Zenarmor (Sensei) / Errors Out on VLANs in non-Passive mode
« on: January 08, 2021, 12:12:29 pm »
I noticed Interface Out errors (Attachment) on my VLANs when they were very actively downloading. Tracked it down to Sensei. The errors only occur in non-Passive mode (both L3 native and generic). So, the errors stop occurring in Passive mode.

I have two VLANs and the errors do not occur on the parent LAN. Only the Parent LAN is selected in Protected Interfaces. Everything is still in default mode (I'm testing this out), I have nothing blocked.

I tried to Enable and Disable VLAN Hardening in Interface settings, that did not help. Hardware CRC, TSO and LRO are disabled.

Opnsense is running in a qemu VM in Proxmox on a Dell Poweredge T330. The VM has two network cards assigned that are Linux Bridges of the original network cards, which are Broadcom Gigabit Ethernet BCM 5720.

Any ideas why the errors are occurring?

8
General Discussion / Rule in FW matched (in log), but why?
« on: January 06, 2021, 10:56:55 am »
I have a LAN, 2 (child) VLANS and OpenVPN.
My DNS Server (10.0.4.2) is on VLAN called VL_Serv (it's Pihole).
I wanted to ensure all DNS on my network goes to the DNS server so I made a rule for that (see attachment).

The rule does what I want: if I try to do a DNS request to 1.1.1.1, I see it logged in my DNS server (so it is redirected).
However, when I set logging Enabled on the rule and check the log, I see that this rule is always logged, even when I do a DNS request to 10.0.4.2. In my understanding, when I do a DNS request to 10.0.4.2 it shouldn't be logged, because it doesn't match the rule I made. Why is it matched/logged? It's probably something I don't understand...


9
Zenarmor (Sensei) / Protected Interfaces: what to add?
« on: January 03, 2021, 10:48:54 pm »
Running latest OpnSense with Sensei 1.6.2
On Free right now, but will surely switch to paid if this works well. Just beginning.

I have LAN (vtnet0), that is parent to 2 VLANS (vtnet0_vlan10 and vtnet0_vlan20)
I have a OpenVPN Server running (ovpns1) to connect to my home network when away.
Most of my network traffic is going out via an OpenVPN client (I use ProtonVPN): ovpns2
Some clients are going out via normal WAN (Netflix hates VPN).

Which clients to add in protected interfaces?

I figured:
  • LAN (vtnet0) -- Then my 2 VLANS are protected too.
  • VPNServer (ovpns1)
Does this make sense?

Does it make sense to protect the ovpns2 interface? As it is a client, similar to the WAN interface, and WAN isn't protected either (as advised per the manual).

10
20.7 Legacy Series / Default Flavour switches after switching to LibreSSL and back
« on: November 25, 2020, 09:13:29 am »
I switched my OPNSense to LibreSSL, but I switched back to OpenSSL because I noticed very choppy internet after the switch to LibreSSL (I will investigate that problem later, no idea why that happened, but that is not why I'm writing this post).

I noticed that before the switch from OpenSSL to LibreSSL Firmware Flavour was on default, so OpenSSL is/was the default. When I wanted to switch back from LibreSSL to OpenSSL I set Firmware Flavour back to default, but nothing happened after checking for updates. I had to switch to OpenSSL specifically. I tested some further and noticed that the new default was indeed LibreSSL and not OpenSSL.

Is this supposed to happen, or is this a bug?

11
19.7 Legacy Series / How to actually use os-backup-api
« on: August 12, 2019, 11:15:55 pm »
I want to use the plugin os-backup-api, but I found a complete absence of documentation how to actually use it. I did find this, but I cannot find where to configure "key" and "secret" anywhere in the GUI. Is there any GUI element? Am I overlooking something? The documentation found here is not very helpful either. The "info" of the plugin is not helpful either, stating

Quote
Provide the functionality to download the config.xml

Can anyone point me in the right direction?

12
General Discussion / [SOLVED] Rule order
« on: January 21, 2019, 09:22:08 am »
I understand that rules are executed from top to bottom.
That is why "block" rules come after "allow" rules.

One thing is hard to grasp for me and I can't find the answer on internet or this forum (or maybe the answer is there, but I don't see it):

When I add a rule to the firewall for something to pass, let's say this simple rule:
- LAN segment pass all DNS (53).
And AFTER that:
- Specific host (but IN the LAN segment above) block DNS (53)

Will the second rule be effective? In my tests it is effective, so there's my answer. But shouldn't the rule execution STOP after the first rule (because it matched)... Am I missing something?

edit: typo

13
18.7 Legacy Series / Cron job does not run at desired time
« on: October 02, 2018, 08:14:45 am »
I have 1 cron job (remote backup of config) set for running at 05:25 every day. (25 5 * * *).
However, it runs every day at exactly 01:00.
I checked the server time: good
I restarted cron and I restarted the server, both without luck
Strangely, if I set this job to run a few minutes ahead of the current time (eg 15.30 when it's 15.28) it will run at that time exactly.

This instance is running as a VM in ESXi on a server.

Anyone else with this kind of problem? How to troubleshoot this further?

Edit:
Found out that no matter what time you put in: it will always run at 01.00.
According to crontab -l that is... is there a default cron for this job? When I delete it, the job stays.

Still: Strangely, if I set this job to run a few minutes ahead of the current time (eg 15.30 when it's 15.28) it will run at that time exactly, although crontab -l shows it to run at 01.00...



14
18.7 Legacy Series / OpenVPN: OpenVPNServer Interface - useful?
« on: September 28, 2018, 04:08:00 pm »
I have a working OpenVPN server on my up-to-date OPNsense (18.7.4) box.
In the Firewall-Rules tab there are 2 instances related to this server:

1 OpenVPN
2 OpenVPNServer

1. there is a rule here to pass traffic from the tunnel to my LAN
2. is empty.

Furthermore:
2. corresponds to a interface with the same name.
This interface gets the first IP of my tunnel network (I don't know how it knows that, because the settings in the interface are empty).
I can disable this interface - and the VPN still works!
If I, however, check "Block Private Networks" in the interface settings: I can connect to the VPN but I can not use internet (everything seems blocked) - So it seems to have some sort of function.

Questions bothering me:
- What is the function of the Firewall instance of OpenVPNServer?
- What is the function of the OpenVPNServer interface and why can I disable it without consequence?
- How does the OpenVPNServer interface get its IP?
