Topics - walkerx

1
23.1 Legacy Series / Unable to access some sites but not blocked in firewall
« on: April 23, 2023, 07:06:14 pm »
I'm running 23.1.6 but was having similar issues before

I've noticed if I try to access https://en.avm.de which is for the fritzbox routers the webpage times out, I'm also getting similar on other sites as well.

I've checked and even disabled Zenarmor and that is not blocking the sites, checked the firewall and that doesn't seem to be blocking either. No GeoIP settings enabled.

If I switch device to use mobile internet it works fine, other than fully remove opnsense or rebuild it I'm not sure where the issue is.

Any ideas?

2
23.1 Legacy Series / Strongswan vulnerability
« on: March 05, 2023, 01:02:13 pm »
So I've upgraded from 22 to 23 and says on latest version 23.1.1_2 yet when checking security audit under updates it's still returning the following

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.1_2 at Sun Mar  5 11:50:38 GMT 2023
vulnxml file up-to-date
strongswan-5.9.9_1 is vulnerable:
  strongSwan -- certificate verification vulnerability
  CVE: CVE-2023-26463
  WWW: https://vuxml.FreeBSD.org/freebsd/3f9b6943-ba58-11ed-bbbd-00e0670f2660.html

1 problem(s) in 1 installed package(s) found.
***DONE***

The vulnerability reports the following:
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected.

If we don't use the VPNs within OPNsense, do we need to be worried?

3
Zenarmor (Sensei) / Scheduled Reports
« on: January 15, 2023, 12:46:10 am »
I've recently rebuilt my OPNsense system (not used since July 2022) and performed a clean install, set up Zenarmor again and enabled the scheduled reporting.

When I perform a test I get the PDF report without any issues, but if I leave it to run overnight the report is 1k in size and when I open it, it shows a 504 gateway error.

I know the pdf's are generated using an API in Sunny Valley Networks Datacenter, which suggests there is an issue on their network, can SVND confirm if there is a timescale to resolve this problem and if we have to just stick with html version of the reporting.




4
General Discussion / Is it worth reinstalling from scratch
« on: August 16, 2022, 09:43:03 am »
So we had some internet issues recently where a fault on the landline was causing my g.fast connection to drop. The ISP required me to put on their own router for testing purposes to ensure it was not my router (OPNsense on a Qotom PC) causing the problem, even though I stated it was the DSL light on the g.fast modem itself that was going off.

While performing the testing we had tried different routers (opnsense, fritzbox, deco m5 and Asus Zenwifi XT8) - one of the things we noticed was that when the connection dropped all the routers except the opnsense router were able to function correctly with DHCPv6 and routing was immediate.

The only way we got routing working for IPv6 on OPNsense was to switch to static IPv6 instead of tracking WAN with DHCPv6, as otherwise we constantly had to restart routing after the drops. There were also occasions where we constantly had to restart radvd.

I'm in two minds on whether to return to OPNsense in case we start having similar issues with routing, especially as the Asus Zenwifi XT8 is performing well. If we do decide, would it be best just to reinstall the latest version from scratch (it was previously updated from an early version and had had many configuration changes along the way) and import any settings, or would it be best to also do them from scratch?


5
22.1 Legacy Series / PPPoE drops, no routing of IPv6 afterwards unless recycle routing
« on: July 15, 2022, 06:50:31 pm »
Hi,

Is there a way of recycling system routing after a PPPoE drop as whenever it drops, I still have IPv6, DHCPv6 Server is running, but can't route ipv6 unless I recycle system routing. Is this the same as restarting radvd or does radvd do more?

Current settings for RA
Router Advertisements - Assisted
Router Priority - Normal
Source Address - Automatic
Advertise Default Gateway - Ticked

I'm not always available to manually recycle this, so need to get it to recycle routing when the connection is re-established

6
Zenarmor (Sensei) / Do I need Suricata IDS running if using Zenarmor (Sensei)
« on: June 24, 2022, 03:45:31 pm »
Hi,

I've now got Sensei (free version) fully working on my setup and wondered if I still need to use Suricata at the same time?

Regards


7
22.1 Legacy Series / Switching to static IPV6 and dhcpv6 server - help/advice needed
« on: June 12, 2022, 08:18:13 pm »
Hi,

Currently I'm with Zen and have my IPv6 configured to track wan and setup a dhcpv6 with some values

I'm now looking at setting up to use static addressing (got static details from zen)

I've gone through the online docs but some bits threw me off as the info didn't match the screenshots

So I've written down roughly what I need to do (i've changed all my ipv6 details I got from Zen)

Info from Zen
ND Prefix: 1234:1235:1234:89a::/64
PD Prefix: 1234:1234:1234::/48

Need to manually configure wan as
Ipv6 address   1234:1235:1234:89a:4262:31ff:fe03:db00/64
Ipv6 DP      1234:1234:1234::/48
Ipv6 Gateway   1234:1235:1234:89a::1

Lan Interface:
Ipv6 Configuration Type = Static IPv6
Ipv6 Address: 1234:1234:1234:0:4:3:2:1 (or should this be the ND Prefix)
Prefix: 64 bits

DHCPv6 Server
Enable
Subnet: 1234:1234:1234
Available Range
From: 1234:1234:1234:: to 1234:1234:1234:0:ffff:ffff:ffff
Range
From 1234:1234:1234::0000:0000:0000:0001
To: 1234:1234:1234:0000:ffff:ffff:ffff

If I'm not using subrouters and just OPNsense along with no VLANs, do I need to configure the prefix delegation range?

Is what I gathered correct, and if setting static IPv6 on WAN must I drop the connection to configure this first, as if I try setting the one I get automatically it says already in use?

thanks in advance for any guidance on this





8
22.1 Legacy Series / QOS with IPv4/IPv6 setup
« on: June 11, 2022, 11:06:49 am »
Hi,

I'm on a 310/50 Gfast connection and trying to setup QOS, so have followed the tutorial and also this post - https://forum.opnsense.org/index.php?PHPSESSID=l6ksdi82278q8t3n3a1j8ucvda&topic=7423.0

On following that post and performing a test using the bufferbloat site, it always says my latency is not brilliant.

I've set the download pipe as follows
Bandwidth: 275 Mbit/s
Scheduler: FlowQueue-CoDel
(FQ-)Codel ECN: Enabled

Upload pipe, used same settings but with 45 for the bandwidth

Queues
Download/Upload
Weight: 100
Mask: source
(FQ-)CoDel ECN enabled

Rules
Interface: WAN
Protocol: ip
Source: Ipv4 - Destination: Any (upload rule)
Source: Any - Destination: IPv4 (download rule)
Target: Points to the relevant queues

How do I get these rules to also work with IPv6 addresses and to also improve the latency, etc

thanks in advance

9
Zenarmor (Sensei) / Lost DHCPv6 after installing plugin
« on: May 28, 2022, 03:43:30 pm »
I've installed Zenarmor (Sensei) on my OPNsense 22.1.8_1-amd64 system and immediately after activating I lose IPv6 addressing on my LAN.

The dashboard reports that dhcpv6 server has stopped and can't be restarted.

IPv6 is working on my WAN, just now not across my LAN network.

If I disable Sensei and reboot OPNsense I have no issues and DHCPv6 and NPT are working again.

Does Sensei actually work with users who use IPv6 or is it something we should not use?

10
General Discussion / GeoIP Setup - help needed
« on: April 07, 2022, 08:02:11 pm »
Hi,

I'm following the instructions to set this up using the latest version of OPNsense, but when I go to MaxMind to create the licence key, how do I know which version to configure for?

I've looked on OpnSense and can't see any details regarding the version number

11
22.1 Legacy Series / Ipv6 and Zen
« on: April 07, 2022, 06:43:36 pm »
I currently use IPv6 on Zen and whenever they have maintenance and the connection is severed, when it comes back up the IPv6 does not work, even though radvd and dhcpd6 are both showing as running. I can recycle radvd but still no IPv6 connection and if I then try recycling dhcpd6 it then shows that it's stopped.

Dropping the connection and then reconnecting doesn't always solve the problem and in the end I have to perform a full reboot of the OPNsense box.

If I switched to manual DHCPv6 settings and configured OPNsense to hand out IPs to clients, will I have the same issues? If not, how hard is it to configure the IPv6 settings for this so all network devices can get an IPv6 address?

12
21.7 Legacy Series / Maltrail just stops working
« on: January 15, 2022, 11:55:34 am »
I installed Maltrail and noticed after about 3 days it stops working and recording information. At first I thought it might be down to the connection dropping but this is not the case.

I've tried stopping and restarting the sensor and server, but it then takes a while for it to start again

Is there a way to get this to stop both sensors and server every night and restart it

update: found can restart sensor through cron, is there any point on restarting the server as well if it on the same machine?

thanks

13
21.7 Legacy Series / Unable to save administration changes
« on: November 03, 2021, 11:59:07 pm »
I recently upgraded to 21.7 and if I try to make a change on the administration page and save it, I get the following error:

The following input errors were detected:
Certificate Web GUI SSL certificate is not intended for server use.

Even if I try switching to HTTP connection I get the same error. I've never installed a certificate and use the defaults applied when installing the system.

When looking at the certificate it says CA: Yes, Server: No and the dates for validity are Mar 2019 to Mar 2020.

Does OPNsense not update its certificate, is this the cause of the problem and if so how do I update it?

14
21.7 Legacy Series / Connection Uptime Plugin?
« on: September 24, 2021, 09:20:12 am »
Is there any plugin that will keep a log of when a PPPoE connection was initiated and disconnected, with the length of time it was active for?

I know you can look in the interfaces for the current connection time, but if the link drops for any reason you don't get a record of this stored anywhere

15
21.1 Legacy Series / DHCP v6 Server fails after reboot of switch
« on: September 01, 2021, 10:44:57 pm »
I had to reboot my switches today and after doing so I found later that the DHCPv6 Server was in a stopped state.

My setup is that my OPNsense is connected directly to my modem for the internet connection and then a switch for all my local devices.

RADVD was still running and even though my connection had not gone down, I only lost the DHCPv6 service on my network and only way to get the service back was to disconnect internet and reboot the server.

Surely should not need to do this when you've rebooted a switch, seeing that OPNsense is handing out the leases
