Topics - Stitch10925

1
General Discussion / *Something* is filling up my hard drive causing Unbound DNS service to die
« on: September 30, 2024, 02:51:14 pm »
Hey everyone,

I recently upgraded to the latest version of OpnSense (24.7). I started getting internet dropouts where DNS would not resolve but the OpnSense UI would still work and it could still pull updates.

I have OpnSense in a Proxmox VM and switched to VirtIO network drivers because throughput was much higher. Initially I thought that was the issue, so I reverted them back to Intel drivers. Yet, the issue remained.

I recently discovered that the hard drive was full (disk usage showed 106% use). I added about 10 GB of storage space to the VM, yet a few days later the disk was full again. I also noticed that, when rebooting the machine, it would hang on the Netflow Backup script step.

I looked at the Netflow settings and cleared all the data from it. I also disabled logging for it. On the same page I could also clear and disable DNS request logging, which I did. And behold, my drive use went down by 40%. Awesome!

But... a few days later, the disk is full again. I checked the Netflow settings again, they are still disabled. I checked the other log settings to make sure nothing was logging verbosely and checked that retentions were set to a reasonable level. Clearing the Netflow data did nothing this time.

So something is filling up my disk space causing Unbound DNS to die and not start again, but I can't seem to find what it is. Anyone have any idea how I can troubleshoot this issue or what might be the cause?

2
General Discussion / Some issues with Caddy (Certificate and Routing)
« on: April 16, 2024, 10:59:30 am »
Hey everyone,

I was thrilled to find out that OpnSense now has a plugin for Caddy, so I started to migrate my configuration from HAProxy to Caddy. However, I seem to be running into some snags:

1. Wildcard certificates do not seem to include the domain root.

When using a wildcard certificate and browsing to myDomain.com, I get an invalid certificate error. However, when browsing to www.myDomain.com, everything is fine. So it seems that the wildcard certificate does not contain the domain root and I cannot find any way to include it.

2. I cannot replace headers for forwarding requests

In the documentation (https://docs.opnsense.org/manual/how-tos/caddy.html) it states you can manipulate the headers when sending to vhosts, however, the "headers" tab mentioned in the documentation seems to be missing. Since I cannot set the headers, my routing fails.

Is there a way to resolve these problems? And is there a way to see what config the caddy plugin generates?

Thanks!

3
General Discussion / So many problems ... what is going on!?
« on: January 31, 2019, 12:47:04 am »
Hey everyone,

With everything I do I seem to encounter some bug of some sort which has made setting up OpnSense a real pain in the butt. 2 evenings of work only got me as far as a working internet connection and internet from my DMZ and LAN towards my WAN... quite abysmal result if you ask me.

What has been happening

Problem 1, getting the internet to work over PPPoE:

This was with the previous OpnSense version I was running. For the life of me I could not get PPPoE to connect. I found in some forums that this could be caused by a race condition in which a blocking system call in the PPPoE daemon would not return in a timely fashion, causing the connection request to drop.

I solved this by connecting through the internet using a router I had, and connecting OpnSense WAN to the router. I then upgraded OpnSense and all plugins to the latest version (OPNsense 18.7.10_3-amd64). After that PPPoE connection was instantaneous.

Problem 2, getting Dynamic DNS to work:

When I set up Dynamic DNS to update my Namecheap domain I get the following error when the service tries to start:
parser error : Space required after the Public Identifier in /usr/local/etc/inc/plugins.inc.d/dyndns/phpDynDNS.inc on line 1072


I logged a bug for this here: https://github.com/opnsense/plugins/issues/1156
No solution yet.

Problem 3, getting HA Proxy to start:

Had this working on the previous install, but now I cannot get it to start. I don't know why. In the log it only says: "HAProxy failed to start" and "returned exit status 1". Amazingly helpful. So if anyone has some pointers, I am all ears.

I had HAProxy problems before, here an update to the latest version did the trick. However, this latest version does not seem to be working for me again. Probably something stupid that I did or did not do, but no idea what.

-- update: 2019-02-02 --

I finally got HAProxy to start. The issue was the listen address in the public pool. I had it set to 127.0.0.1, and it should have been 0.0.0.0. The help description provided is thus very misleading since it suggests the following: "Configure listen addresses for this Public Service, i.e. 127.0.0.1:8080 or www.example.com:443". This should really be adjusted.

Found the solution by going through a few tutorials I found.


What else hasn't worked so far?

- DHCP instabilities:
-- Setting a DHCP range from x.x.x.5 to x.x.x.20 and having the client work with x.x.x.4 (??), even after disconnecting or forcing a reconnect to get a new IP via DHCP
-- Static DHCP leases not being used/detected (lease is added, but when the client asks for an IP, DHCP does not seem to realize it is a lease and gives another IP (probably related to above))... and yes, the MAC address was correct, I checked multiple times.
- Wifi on the laptop switched between internet/no internet connection. The network stays connected, but all of a sudden a ping won't work or a website won't load. After a few seconds it works again for a short time, then it starts all over. I do not have this on my cellphone and only had it on my laptop since I use OpnSense as firewall/dns. It seems like the firewall crashes or it can't route to the internet anymore, ... something like that.

-- update: 2019-02-02 --

It appears I had an IP conflict on my network which caused most of the strange behavior mentioned above. Once I got that resolved everything seems to be much more stable.


- Getting DHCP hostname registration in DNS (or at least the resolving of them) to work
- NetBIOS resolving (still need to look into this, but probably the same as above?)

-- update: 2019-02-02 --

Switching to DnsMasq seems to work now, but it might have been a misconfiguration in Unbound DNS. Not sure, but don't care. It's working :)


What's next?

I don't know what else I will encounter. I still have quite a lot of things to set up:
- Configure HAProxy (once it feels like starting) --> DONE - no issues
- Setting up Let's Encrypt
- Setting up VPN
- Routing RDP from LAN to DMZ --> DONE - no issues

Haven't even touched on:
- Intrusion Detection
- Clam AV
- Port forwarding

Obviously I am not "a linux guy", but I have managed before. Either way, to me this feels like an awful lot of issues/problems for the little I have been able to set up in 2 days' time.

Anyone experiencing issues like this or know about any solutions to these issues? I am really getting frustrated with this, especially since I am hosting a few websites and I obviously haven't been able to get them online.

Some final specs:

OPNsense 18.7.10_3-amd64
FreeBSD 11.1-RELEASE-p18
OpenSSL 1.0.2q 20 Nov 2018

OPNSense is running as a virtual machine under Proxmox version 5.2-7.
WAN, DMZ and LAN are separate hardware NICs, each bridged to their own virtual NIC on OPNSense

4
General Discussion / VLAN Routing - How to get it to work?
« on: November 20, 2018, 10:43:51 am »
Hey everyone,

I am running OpnSense as a VM under Proxmox. I am trying to segregate my network between WAN, DMZ and LAN using VLANs, however, I am having some trouble getting the routing configured correctly.

This is the setup:

I have a modem running to a router, then from the router I connect to a switch on (at the moment) the LAN VLAN. The switch is set up to host 3 VLANs:
WAN -> 192.168.33.0
DMZ -> 192.168.23.0
LAN -> 192.168.13.0

On Proxmox I have 3 NICs:
NIC 1 -> LAN -> Bridged -> Bridged IP = 192.168.13.20 (Proxmox UI)
NIC 2 -> DMZ -> Bridged -> No IP
NIC 3 -> WAN -> Bridged -> No IP

Then, in OpnSense I also have 3 virtual NICs configured, one for each VLAN:
NIC 1 -> LAN -> 192.168.13.15
NIC 2 -> DMZ -> 192.168.23.20
NIC 3 -> WAN -> 192.168.33.20

These are also configured as single gateways (with the same IP address), and I have created a static route from the DMZ Gateway to the LAN network. Also I have set an allow rule in the firewall for everything in the DMZ zone.

However, currently pinging google.com from the DMZ works, but I cannot load any internet pages.

Maybe a more visual representation:


(https://drive.google.com/file/d/1q7fub043lXDO-V25HIVskYFBOFcbQ5z-/view)

---

The goal:

What I am trying to accomplish at this point is to have internet connection on the DMZ VLAN. Once that is working I would like to add limitations so that I can access the DMZ machines from the LAN (RDP), but the DMZ machines cannot do the reverse.

Eventually I would like to get rid of the router and connect the modem directly to the WAN side of the switch and from there to the WAN side of OpnSense. OpnSense will then establish the PPPoE connection to the modem. All my internet facing machines will then be put on DMZ and all my own devices on the LAN. Also HAProxy will need to be reconfigured to the new network setup. And of course, allow for my LAN devices to cross over into the DMZ using RDP, but not the opposite direction.

Any advice on how I can, in this step, at least get the internet working on the DMZ side? That would already be a big step forward for me.

Thanks in advance,

Stitch
