Topics - senseivita

#1
General Discussion / Updating older instance
April 05, 2025, 11:50:13 AM
I just deployed a couple of OPNsense 19.1.4 routers. They're the i386 image, that's why it's an older firmware, I believe it's just about the cutoff line where it became 64-bit exclusively. Anyway, I need them only for DHCP/DHCP6 and maybe route a couple of IPv6 networks. They're perfect for the job.

I need FRR though which requires checking for updates first but it won't update. I get:
***GOT REQUEST TO UPGRADE***
Updating FreeBSD repository catalogue...
repository FreeBSD has no meta file, using default settings
Unable to update repository FreeBSD
Updating OPNsense repository catalogue...
repository OPNsense has no meta file, using default settings
Unable to update repository OPNsense
Error updating repositories!

I enabled /usr/local/etc/pkg/repos/FreeBSD.conf but it still wouldn't work:
root@namemaster1:~ # pkg update
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD load error: access repo file(/var/db/pkg/repo-FreeBSD.sqlite) failed: No such file or directory
pkg: http://pkg.FreeBSD.org/FreeBSD:11:i386/quarterly/meta.txz: No address record
repository FreeBSD has no meta file, using default settings
pkg: http://pkg.FreeBSD.org/FreeBSD:11:i386/quarterly/packagesite.txz: No address record
Unable to update repository FreeBSD
Updating OPNsense repository catalogue...
pkg: Repository OPNsense load error: access repo file(/var/db/pkg/repo-OPNsense.sqlite) failed: No such file or directory
pkg: https://opnsense-update.deciso.com/FreeBSD:11:i386/19.1/latest/meta.txz: No address record
repository OPNsense has no meta file, using default settings
pkg: https://opnsense-update.deciso.com/FreeBSD:11:i386/19.1/latest/packagesite.txz: No address record
Unable to update repository OPNsense
Error updating repositories!

The DNS addresses do resolve:
root@namemaster1:/usr/local/etc/pkg/repos # drill opnsense-update.deciso.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41995
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; opnsense-update.deciso.com. IN A

;; ANSWER SECTION:
opnsense-update.deciso.com. 900 IN A 89.149.211.205

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 639 msec
;; SERVER: 10.11.11.36
;; WHEN: Sat Apr  5 02:23:24 2025
;; MSG SIZE  rcvd: 60
root@namemaster1:/usr/local/etc/pkg/repos # drill pkg.FreeBSD.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 24707
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; pkg.FreeBSD.org. IN A

;; ANSWER SECTION:
pkg.FreeBSD.org. 240 IN CNAME pkgmir.geo.FreeBSD.org.
pkgmir.geo.FreeBSD.org. 150 IN A 192.158.252.167

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 476 msec
;; SERVER: 10.11.11.24
;; WHEN: Sat Apr  5 02:23:54 2025
;; MSG SIZE  rcvd: 74

There's something about a database that sounds like a local issue, but a little later something about repo meta, which sounds like the opposite. So I just came for help before I start tinkering with it.

Are the repos still live?

Also...since I'm here already :) it's been a while since I last used this version, and I can't seem to make static addressing work, regardless.
The firewall/natting is completely off but addresses don't seem to be configured at all (I ran nmap scans from other systems) unless gotten from DHCP. Even after rebooting. Was there an extra step with this firmware?? :O

In Settings→Interfaces, all the offloads were already disabled (all boxes are checked) out of the box and VLAN Hardware Filtering is set to Leave default. Gateway switching is enabled, but made no difference when disabled, if I remember correctly — I might need to double check that.

Thanks!
#2
I'm trying to set up an OPNsense virtual appliance but I'm having a hard time getting good performance, especially when it comes to NAT; that's where it really shines, the issue, that is.

Environment

The VM is on vSphere (type 1 hv) with tons of memory and CPU cores to throw around, compared to what it will replace. Disk on very fast vSAN storage. Towards the end I switched to a RAM disk to eliminate it as a potential bottleneck. I had already moved away from FreeBSD-based firewalls but policy routing is a nightmare on Linux, so here I am.

I found this article somewhere alleging that the issue was FreeBSD drivers in a Linux hypervisor, not the whole Scalar- vs Vector Packet Processing, as I thought it might be. This restarted my efforts to get back on FreeBSD.

QEMU/KVM confirmation

I've read a lot about macvtap being the second coming of passthrough interfaces in the absence of SR-IOV. I tried it and it kind of showed. Throughput was better than before. The last time I did these tests, the [recommended] paravirtual interface driver, VMXNET3, hardly broke past ½Gbit/s.
╭──────────────────────────────────────────────────────────────────────────────╮
  RECAP/PROGRESS SUMMARY
├──────────────────────────────────────────────────────────────────────────────┤
  CHR/OpenWRT/VyOS baseline ☑︎ Excellent.[2]
  macvtap routing           ☑︎ Good. >900Mbit/s
  macvtap NAT               ☐ (untested)
  SR-IOV VF NIC routing     ☐ (not there yet)
  SR-IOV VF NIC NAT         ☐ (not there yet)
  PCIe NIC routing          ☐ (not there yet)
  PCIe NIC NAT              ☐ (not there yet)
╰──────────────────────────────────────────────────────────────────────────────╯

vSphere

It seemed like there was some truth to that article, but I was mostly guessing my way through things on KVM, thus I moved back to vSphere. I tried it again with SR-IOV [Virtual Function] NICs: passed the 900Mbit/s mark in Internet speed tests and iperf3. My uplink[1] is only 1Gbit/s; it's really a bit more than that because my ISP factors in protocol overheads in order to deliver the advertised speed and avoid complaints, I assume.

Almost almost there

The thing is that I can get the full bandwidth and sustain it with a modest 2-[AMD64]core Linux firewall with just a little over a gig of RAM.

>900Mbit/s is pretty good if you turn a blind eye to knowing that underlying issues are a fact preventing the full throughput of the link, and unfortunately, I was more than willing to do it. This has not been a quick-and-painless journey, exactly. I can't claim sexual abuse if I consent to it, but enough about work (JK).

At this point, another router was handling NAT and the PPPoE session; it was time to hand them over to OPNsense. I just shut down a port on a switch and just as fast OPNsense was in control of a public IP address. When I did the tests though, it was the worst results I've ever gotten: download throughput didn't reach 300Mbit/s; upload was well over 300Mbit/s on the other hand, well over the max upload speed I got from my ISP last time I checked. The last part isn't all too surprising bc they keep upgrading the service without warning (though without price hikes either).

NAT rules

My NAT setup is always the same regardless of platform. It's really only outbound (SNAT) on the public interface and a handful of port forwards to the reverse proxy where the heavy lifting and internal NAT occurs. The forwards weren't set up yet. For the outbound NAT, I undo the rules created by the initial setup wizard, if any, and in their place add two rules:
╭─┬───┬─────┬─────┬─────┬─────────────────┬───────────────┬────────────────────╮
│#│NAT│if   │stack│proto│src:[port/type]  │dst:[port/type]│NAT-to:[port/type]  │
├─┼───┼─────┼─────┼─────┼─────────────────┼───────────────┼────────────────────┤
│1│neg│<wan>│IPv4 │any  │<This Firewall>:*│any:*          │-:-                 │
│2│yes│<wan>│IPv4 │any  │any:*            │any:*          │masquerade-if:static│
╰─┴───┴─────┴─────┴─────┴─────────────────┴───────────────┴────────────────────╯
╭──────────────────────────────────────────────────────────────────────────────╮
  RECAP/PROGRESS SUMMARY
├──────────────────────────────────────────────────────────────────────────────┤
  CHR/OpenWRT/VyOS baseline ☑︎ Excellent.[2]
  macvtap routing           ☑︎ Good. >900Mbit/s
  macvtap NAT               ☐ (untested)
  SR-IOV VF NIC routing     ☑︎ Good. Slightly better than macvtap's.
  SR-IOV VF NIC NAT         ☒ Bad. ≈300Mbit/s↓ >300Mbit/s↑
  PCIe NIC routing          ☐ (not there yet)
  PCIe NIC NAT              ☐ (not there yet)
╰──────────────────────────────────────────────────────────────────────────────╯

Bare-NIC testing (i.e. like "-metal" but just the tip NIC that goes in the back, a little bare in the back)

The next thing I tried, using the same NIC that I know can handle the traffic because it has done so in Linux firewalls already — easily — I passed it through at the PCIe level to the VM. Full control. I had to shut down everything to do this, you need a career and a psych eval, and security clearance to shutdown a [small] vSAN cluster, I swear.

I did the tests again, (1.) offloaded NAT and PPPoE to the other router, it improved minimally. (2.) Performance tanked again while natting.
╭──────────────────────────────────────────────────────────────────────────────╮
  RECAP/PROGRESS SUMMARY
├──────────────────────────────────────────────────────────────────────────────┤
  CHR/OpenWRT/VyOS baseline ☑︎ Excellent.[2]
  macvtap routing           ☑︎ Good. >900Mbit/s
  macvtap NAT               ☐ (untested)
  SR-IOV VF NIC routing     ☑︎ Good. Slightly better than macvtap's.
  SR-IOV VF NIC NAT         ☒ Bad. ≈300Mbit/s↓ >300Mbit/s↑
  PCIe NIC routing          ☑︎ Good. No different than SR-IOV's.
  PCIe NIC NAT              ☒ Bad. No different than SR-IOV's.
╰──────────────────────────────────────────────────────────────────────────────╯

Overall, I learned OPNsense can reach pretty close to the full gig of my uplink, which is also the speed of the slowest link in my wired network, so it's good enough. It just needs not to use [para]virtualized NICs. Resource-, or hardware-wise it must be able to NAT at that speed too; other systems are natting much faster than that already, case in point: the reverse proxy that hosts a bunch of virtual IP addresses, so it NATs what can't be proxied and might be conflicting in some way, such as TCP port 22.

Notes
1. i.e. the connection, not the actual bit rate
2. Bursting briefly past 1Gbit/s (1.1) w/test well underway. No dips below 1G. Results are consistent in iperf3 tested:
↳.1 server ←←← <this-router> ←←← client
↳.2 <server/this-router> ←←← client
↳.3 <server/this-router> →→→ client(-R)
↳.4 server ←←← <client/this-router>

#3
I'm attempting to migrate to OPNsense and I need to add a ton of virtual IP addresses.

The UI is a little cumbersome and makes me get lost/lose focus of the text for some reason, so I edited a backup file to add them quicker and sure enough I finished it, but without noticing the uuid key until the end.

Can I just omit it? Is it okay for the VIPs not to have a uuid?  Can OPNsense supply it automatically if I omit it, if not, will it crash if the XML schema isn't matched perfectly?

It's been rough moving to OPNsense with so many things broken/undocumented. I'm on day 2 importing aliases as it is. :( And I still have to plan static routes bc FRR broke completely. I have no idea how to do ECMP statically but I'll get there when I get there. :/

But my previous router/firewall, which is being deconstructed as functions are moved to the new one, still has enough restore points to get back to a working network. I really want the extra features of OPNsense, but I'm still in time to get back to the needed features for the network, just barely.
Are there any other basic features serialized? Or is this it? — Thanks
#4
Hey all, :)

A while back I set up FRR from the GUI, but the lack of options and this problem where it would stop responding to config changes (which I can only fix by reinstalling OPNsense and restoring an edited config backup without FRR) drove me to FRR proper, v8 on the CLI/console.

However, after setting it up, enabling the daemons ([/usr/local]/etc/frr/daemons), and verifying it (along with watchfrr) would start; vtysh would create the config file and everything but in the end it always starts with the same configuration:

Building configuration...

Current configuration:
!
frr version 7.5.1
frr defaults traditional
hostname f.q.d.n
!
line vty
!
end

It completely ignores the config created on vtysh (written to /usr/local/etc/frr/frr.conf).

I searched for days for the config files or init script or whatever that was persisting that but I don't know much about FreeBSD so I couldn't come up with anything.

I found references to some files under an rc.d directory — I'm not sure which, given that there are a ton of these repeated over several levels — but those files referenced didn't exist.

I removed FRR 8 and returned to the GUI version (os-frr), set it up but once again it won't send or receive any traffic. I noticed on neighboring routers there is no RIP or OSPF exchanged with OPNsense in their routing tables, only with other routers. And in OPNsense itself, the routing table lists only connected routes; it doesn't receive information either. The firewall is wide open on all affected interfaces.

I need to reset FRR, I think. But the file structure in FreeBSD is infinitely confusing even before getting to OPNsense's own customizations, and I'm also trying to make OPNsense my main firewall, so reinstalling — that's full reinstallation or cloning a VM template or reverting a VM (not system-)snapshot, otherwise it doesn't fix anything — each time there's a problem won't be an option anymore.

Could you guys give me some pointers on how to do this, please? Finding out all related system files used by FRR.

Thanks.
#5
I think I know the answer to this already, so it's more like a feature request than a question.
However, if you have an answer/suggestion/advice, I'm all ears and open to anything.
:)

I keep around an OPNsense instance for ZeroTier and a few other light tasks. I've a few issues with OSPF in this system so I tried updating before getting down to vtysh.

It didn't but I was just advised to use GUI-less FRR, problem solved. With that done, I explored a little to see what was in the long list of changes and I found out that ASN-based aliases are now supported on OPNsense. If they're the same thing as using pfBlockerNG on pfSense that's amazing news.

There were a few reasons why OPNsense would never fully replace pfSense: ASN filters, HAProxy's GUI, log views, and (somewhat for) the forward proxy and VRF. VRF isn't available on pfSense either, ASNs are done, next was HAProxy's GUI's modularity nightmare.

I get that making it modular could in theory make it more practical, I do. Assembling the final proxy from dropdowns does feel sleek in its own right; however, getting there is so much non-repeatable/-usable/-cyclable disorienting work that's harder to diagnose. The level of modularity is only justifiable by needs that go beyond what an in-firewall reverse proxy should safely have, probably better served by a first-party-supported, dedicated Aloha appliance. HAProxy's rules, matches/fetchers, conditions, monitors are tightly focused in scope and hardly ever reused; all of these need to be defined, each with their own character-constrained definition name, which translates into several more components per proxied service to keep track of and hunt around from screen to screen. A giant blank box without any instruction whatsoever (to paste in config files in standard, well-documented HAProxy syntax) would be much more helpful, easy, and clearer. Even without instructions. Fortunately you can just NAT it or, if coming from straightforward-UI-HAProxied pfSense, you can just put it inline in a transit network.

That leaves out the forward proxy — I've mixed feelings on this — on one hand OPNsense allows customization of the error pages. I love designing dumb stuff so this is a perfect fit for me. On the other I'm also pragmatic (see: HAProxy above) and good looking error pages, that are errors in the end, aren't nearly as useful as the live log view on pfSense. Additionally neither implementation has usable/maintained block lists which is kind of strange more so now than ever.

With DoH and DoT mainstream, they're readily used to maliciously bypass our network policies. Case in point, I use the Yahoo! website to test network connectivity (because otherwise I'd never visit it, so I know it isn't cached); the other day I found that the website embeds some sort of DoH client that was making requests for yahoodns.net or similar. This can be dealt with by a proxy, except that few of them support multi-WAN, and the ones that do have basically no support for de/re-encryption of the traffic. I've been looking non-stop for a good proxy to help with this since I have six DNS server hosts, each with one or two DNS servers (Active Directory, Pi-hole, Dnsmasq, Unbound and BIND) running to filter, proxy, route the traffic to keep tight control over those rogue DoH clients; DNS (filtering, not domain-related) is easily 60-70% of my network issues.

But given OPNsense for a long time has done some weird voodoo (shared forwarding) to support splitting traffic among captive portal and other of its otherwise-conflicting components, I'm wondering: has the proxy service been worked on as well? A proxy can be extremely memory hungry to deploy one each upstream.

UNSUBSTANTIATED
I've given some thought to this, not just on OPNsense but using a variety of systems, just using a single OPNsense system though; I have a theory that it could be done if: in transparent proxy mode, use NAT to force-policy-route the traffic running in a first/second instance using the jails subsystem on xBSD. It would still need a lot of memory but they can share kernel and storage and free memory and don't need to send traffic over the network since they'd be in-host. And, were VRF supported, even NAT could be skipped as well. But, unfortunately none of this is even hinted at in the GUI nor mentioned in the documentation other than some dev-level stuff. I wanted to try this but not being as familiar with FreeBSD as I am with Linux, macOS; it'll be a while before I find the time to learn jails to test it out. On paper it seems very plausible though, a good enough solution for cases where a dedicated proxy isn't needed, for a beefy multi-WAN/multi-tunnel firewall with a small 100GB-ish disk cache.
#6
Hi everyone :)


So... I have had this set of routers running OSPF: 1x switch, 1x OPNsense, 2x pfSense; they were all fully adjacent. Then I switched one of the pfSenses for OPNsense (new setup: 1x switch, 2x OPNsense, 1x pfSense), which happened to be the only one that wasn't directly connected to area zero, and things went south fast. It's across an L2 tunnel, thus it's broadcast and should have no problems; on the other hand there's so little in the UI to set this up that I could never get it to work. About 40 or so hours in I thought "f**k it, I'm going on the CLI". I was already a little familiar with it (vtysh) because I used it to make pfSense form adjacency with the switch-router, which doesn't have FRR, just "OSPF". As it turns out, the CLI for these areas is nearly if not identical on each vendor (found it too in Ubiquiti and VyOS proper).


Anyway, first I tried FRR8 so the changes I had already done in the GUI wouldn't overwrite things back but there was some conflict so I went back; I shook it a little, wiggled the thingy, put it against my ear and repeated until it sprung to life, forming full adjacency with the nearest peer.


It's done. It works. However, since pfSense is the closest to OPNsense from where to guide myself, I took a significant (just 1% more of 99%) amount from there: pfSense stores data in /var/etc/frr/ and /usr/local/etc/frr/. The official FRR documentation focuses more on the Linux side, only /etc/frr, so it's as clear as saying "see you at seven" without following it by "hours" or "am/pm", and neither pfSense nor OPNsense have the most extensive documentation on this, or at least some that, unlike the official FRR documentation, is targeted at their respective user bases — y'know, one or two(thousand) levels below "network engineer", referred to by their tribes as He or She Who Runs Not With Cisco.  ;D


/var/etc/frr wasn't on OPNsense, so I assumed this was a temporary location on pfSense to save configuration, it seems to have a ton of these little pockets.


I modified vtysh.conf (because using vtysh the first time around printed something about it being just for show) and frr.conf, followed by service frr restart. It didn't seem to make a difference; it printed a lot of stuff about how misconfigured it was. I copied the files I had created on /var/etc/frr to /usr/local/etc/frr next to several other config files already there. vtysh.conf and frr.conf weren't. service frr restart and this time it only printed one warning. It seems like that was the place, except when I tried getting information on vtysh, no interface was actually configured.


FRR's docs do say that daemons need to be started and the daemons file was the one missing from OPNsense. I added it and enabled a few daemons (zebra, ospfd, staticd, bfdd), restarted. Nothing.


But, after retrying vtysh with the modifications I had done, write now worked. I'm sorry I made it this long but I wanted to describe the places (paths) I touched to hopefully get a better answer to: where does OPNsense actually store the files? (because) From another terminal, I saw the modifications being written by vtysh were where I initially thought they were going to be, but as I mentioned, I had already done this before I repeated them on vtysh, and when not done via vtysh they were ignored.


Also, what do I need to do to lock the configuration down? So it's not overwritten by an update or a restart or just checking out its status from the GUI. In pfSense the GUI easily overrules the CLI/configfiles all the time, I'm not sure if OPNsense differs in there yet.


I'll just leav--um.. Thanks.
#7
I'm trying to get around filling these boxes:


which are kind of a nightmare since they concatenate whatever you paste in.

I tried editing the file directly in the filesystem: in the example in the shot, BIND; but it turns out BIND doesn't read the config. The GUI seems to override the CLI.

Any idea how to fill this correctly so that pasting works?

So far I've tried pasting the line with [,],[;],[\],[\n\n](double new line space) and even [<br>]. Nothing seems to work.

Any ideas? :)
#8
I use BIND as some sort of DNS router between AD domain controllers and in-box Unbound, both listening on :53. The firewall has two interfaces; Unbound works exclusively on one of them, BIND doesn't have the option to choose an interface but it's set to use the addresses from the other. It had been working great for a long time until I had to change the IPv6 prefix.

That is the only thing different since it stopped working, at least. No other changes have been made. The logs are very... not really useful. The addresses are available, one of each family to each resolver/nameserver, and they are all responding, I'm testing from another subnet; ruling out gateway issues in the process. The "firewall" is not really a firewall, it's in router-only mode, filtering+NAT off.

I composed a little screenshot collage to best illustrate things — you might need to pan around on a laptop display.

Here's the link in case there are issues showing it: https://i.imgur.com/jcyCsUv.png


Any ideas what's wrong?
#9
Why are there multiple simultaneous interfaces for NAT rules? Are group-type rules supposed to be a no-no — especially NAT rules — because they'd get no reply-to?
#10
Playing with the FreeRADIUS plugin I discovered it was accepting just about every device that would connect to the test wireless network configured with it for auth, or so I thought. As it turns out I had [absentmindedly] configured every possible setting I could use at some point, including remote MySQL database and LDAPS.

When I unchecked the LDAP boxes the devices stopped connecting to the MAC-based authenticated network. As that was sorted out, a million questions replaced it though, like why isn't the FreeRADIUS plugin able to use the users synced from Active Directory (over secure LDAP)? It'd be nice to use the built-in users with the same password and just augment their profiles with just the needed settings*. I also noticed that even while making its own LDAPS connection to the servers, it would still fail to authenticate supplicants requiring the more secure methods, like the tunnel within a tunnel PEAP, TTLS, all that.

I know that this is basically because LDAP is insecure so it doesn't work with the tunneled EAPs, but by that logic, shouldn't LDAPS work? It is encrypted so nothing is in the clear at any stage. Furthermore,  since the users are synced, the authentication is local anyway, therefore, it is secure.

Then there are the actual tunnels, IPsec. Is IPsec able to use the synced users for authentication or is it limited as well? It's got its own section for secrets, two actually; it already hints at No.

What packages/areas (first and/or third party) can use the local directory service fully besides the system's auth and the cert manager?

Thanks!

*: a little later I discovered this can't be done even with the manually added users anyway. :( I tried setting IP addresses, routing info, VLANs... Only VLANs work. Thankfully this works great on pfSense's FreeRADIUS (where ironically LDAP, secure or not, ain't much of a success) and I can keep that only for my MAC-based auth, which is much nicer to manage in either of the two firewalls than in AD Users and Computers or AD Administrative Center or Windows Admin Center.
#11
Following the setup guide of the documentation, it says to select no backend for the authentication. The problem is it won't let you do that:

If you leave the page, whatever you saved in there is lost, so the tunnel will get no network infrastructure info, which is all in there: DNS servers, domain name, addresses for the client...

Should I leave the authentication source blank in the phase instead?

Thanks!
#12
20.7 Legacy Series / Netflow receiving
December 08, 2020, 03:26:52 AM
Can OPNsense receive Netflow data from external sources?

I added it as a Netflow collector on a vSphere Distributed Switch using the default port number it prepopulates (2056) and added a NAT rule to redirect to the prepopulated address as well, since it's 127.0.0.1. I figured otherwise it would not reach it.

I just did this, but so far I've seen no difference. OPNsense is a secondary firewall, it doesn't have a direct connection to anywhere on the network, it's only connected to an isolated virtual switch for which the only exit is through another firewall, any traffic/data should be fairly easy to spot.

Thanks. :)
#13
[See the attached diagram]

[Ready?... OK. Last time I was told I should attach screenshots or something :)]

Hey all,

What you're seeing there is a rough approximation of the network. I'm moving from another platform where the firewall was responsible for maintaining a site-to-site link to a remote firewall. The purpose of this is getting a static IPv4 address, which my ISP no longer offers.

Anyway, S2S works, there's full communication and I'm even collecting SNMP data from the interfaces on the remote site. The problem is that OPNsense doesn't let traffic go out. I located the states and only one side is established. Subsequent states are waiting. The only thing I could come up with is allowing traffic out from the interface where the server is, but it makes no sense; there should be no need to allow traffic out if there's an inbound rule/port-forward that should allow the server to reply if requested.

The subnet where the server lives has rules to allow only traffic to RFC1918 and RFC1918v6 (a misnomer for my /48) networks and ICMP to everywhere. It has no specific blocks; none of the interfaces have. I skipped using the interface that's autodesignated as "LAN" by the setup wizard because it's sort of unclear if it blocks by default as secondary LANs do.

Where could I look for more information for this in the box? -- I already did basic troubleshooting, checked that the servers have the correct gateway, that they can reach the Internet via the tunnel (allowing traffic temporarily) and locally and the other tunnel; firewall optimization is set to conservative. Everything checks out, I'm lost here. :/ The only thing I noticed is that latency (gateway monitoring) is off the charts, about 400-550ms; it was never this high before. But, there is no packet loss and actually doing pings FROM a server reports something like 30-40ms.
#14
I'm moving (again...) from pfSense to OPNsense. I've tried this several times in the past but it is HAProxy, which is crucial for me, the part that never lets me complete the migration. I've never been particularly skilled at HAP in the past but I've gotten a little better; I now know what stuff means and does and thought about giving it one last shot.

It didn't quite work out like planned... It's not that it's hard--I understand it now--it's just that the OPNsense UI breaks it into soo many steps for the sake of modularity (I assume) but it ends up more complicated than actually writing the config file uncommented from scratch. That was exactly the thought that brought me here, to ask you guys if you by chance know where it is and if it's editable by hand (pasted and adapted accordingly in my case). I noticed ordinary things like the aliases are exported in serialized config files now.

It would be super helpful because then I would be able to use the official docu that I will likely need. Using OPNsense's HAProxy I'm not sure I'll be able to set a loopback backend to do it all with a single port like before. I've been dying for years to use the flexibility OPNsense offers with its bleeding edge (as firewalls go) plugin selection and unlocked pkg repos, contrary to pfSense, but it all becomes irrelevant if I need to keep the pf machine just for the proxy with an extra NAT layer in addition to OPN's VM. :( I just need to know where the files are. FreeBSD is weird in how it sort of follows the Linux dir structure but stacked on top of something even weirder like /var/db/etc <--Whatthef--that makes no sense! I can never find any "standard" UNIXy location in FreeBSD or macOS. :/

I'm rambling now. If you know about this please share! :D
#15
20.7 Legacy Series / Editing aliases outside of OPNsense
September 21, 2020, 04:48:34 PM
I'm trying to return to OPNsense but my aliases have changed quite a bit since the last time I tried using it. I got a backup of them that I uploaded into the firewall and downloaded again so I would get the newest format; from then on my plan was to use an IDE or something like that to edit the alias list quickly and reapply.

Everything was going fine until I noticed the JSON entries in the file appear to be serialized. Not only that, this new value appears to be some sort of key for the whole entry. And, because I am no dev, I understand zero percent of what's going on. :)

I am aware that I'd be at risk of losing all of my edits or maybe crashing the firewall if there's like some conversion to generate that serial and I enter something else arbitrary. I don't know if simply copying an existing serial will merge the source with the entries; half of the time I'm struggling just to escape JSON correctly.

Can the alias tables be edited outside of OPNsense anymore? If so, are there guidelines for it?

Thanks!
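As an added example, not code from the original posts or from OPNsense itself: a pre-import check for hand-edited backup entries like the VIPs asked about in #3 and the aliases in #15. It assumes entries are XML elements carrying a `uuid` attribute (the element names in the constructed sample are placeholders, not a real config.xml), gives a random UUID4 to any entry that lacks one, and refuses the file when a uuid is malformed or reused, so a copied serial is caught before the firewall sees it.

```python
import re
import uuid
import xml.etree.ElementTree as ET

# Accepts lowercase RFC 4122 uuids (version 1-5); the check is done after lower().
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

# Constructed sample, NOT a real OPNsense backup: the element names are
# assumptions. The second entry was "hand-added" without a uuid attribute,
# which is the situation described in the posts.
SAMPLE = """<opnsense>
  <OPNsense>
    <Firewall>
      <Alias version="1.0.0">
        <aliases>
          <alias uuid="8f2e7f2c-1d5b-4a8d-9c3e-0b6d4f1a2b3c">
            <enabled>1</enabled><name>rfc1918</name><type>network</type>
            <content>10.0.0.0/8
172.16.0.0/12
192.168.0.0/16</content>
          </alias>
          <alias>
            <enabled>1</enabled><name>blocked_hosts</name><type>host</type>
            <content>192.0.2.10</content>
          </alias>
        </aliases>
      </Alias>
    </Firewall>
  </OPNsense>
</opnsense>
"""

# Same file, but the serial of the first entry was copied onto the second
# (the "simply copying an existing serial" case raised in #15).
DUP_SAMPLE = SAMPLE.replace(
    "<alias>", '<alias uuid="8f2e7f2c-1d5b-4a8d-9c3e-0b6d4f1a2b3c">'
)


def fix_uuids(xml_text, entry_tag="alias"):
    """Return (new_xml, report).

    Every <entry_tag> element gets a uuid attribute: missing ones are filled
    with a fresh UUID4, malformed or duplicated ones raise ValueError so the
    defect is found by this script and not by the firewall at import time.
    """
    root = ET.fromstring(xml_text)
    seen = {}      # uuid -> entry name, for duplicate detection
    added = []     # names of entries that received a new uuid
    for entry in root.iter(entry_tag):
        name = entry.findtext("name", default="?")
        u = entry.get("uuid")
        if u is None:
            u = str(uuid.uuid4())
            entry.set("uuid", u)
            added.append(name)
        elif not UUID_RE.match(u.lower()):
            raise ValueError(f"entry {name!r} has malformed uuid {u!r}")
        if u in seen:
            raise ValueError(f"uuid {u} reused by {seen[u]!r} and {name!r}")
        seen[u] = name
    return ET.tostring(root, encoding="unicode"), {"added": added, "total": len(seen)}


def rejects(xml_text, entry_tag="alias"):
    """True if fix_uuids refuses the file (malformed or duplicated uuid)."""
    try:
        fix_uuids(xml_text, entry_tag)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    fixed, report = fix_uuids(SAMPLE)
    print(report)                      # {'added': ['blocked_hosts'], 'total': 2}
    print("duplicate rejected:", rejects(DUP_SAMPLE))
```

Run it against a downloaded backup by reading the file into `fix_uuids` and writing the returned XML back out; `entry_tag` selects which element type to check.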
#16
For a very long time I've been trying to set up FreeRADIUS for full Active Directory integration, but I always manage to get something wrong and I run back to Windows Server NPS. If it's not setting up NTLM auth –something I've never been able to do– it's some random bug that makes the exact same settings in an OPNsense config work in one install but not on the next.

Binding FreeRADIUS to LDAP won't work because "passwords are sent in the clear" ...even though the connections are made over LDAPS, i.e. ldaps://...:636/. Since OPNsense's users can also be synced with AD, I figured these could be used locally by FreeRADIUS and be augmented with the proper attributes for a given user. Being already local, any authentication method should be available. But again I was wrong, or at least couldn't figure out how to set it up.

The most I managed to set up has been EAP-TLS. It's a strong method so I'm more than happy to settle for a single method if that's the one. However, I can also do that on Network Policy Server; the main appeal of OPNsense+FreeRADIUS is the per-user attribute settings. The way I set up EAP-TLS, although it validates OCSP it really doesn't associate the certificate with a directory user, so no user attributes are configurable; I tried adding the information manually in FreeRADIUS's Users area but it won't allow me to enter the @ symbol, necessary to write UPNs, used for the CN and SAN on certificates, leaving me back at square 1.

Do you have some insight you could share on setting this up? Any advice/commentary is welcome. :)
#17
19.1 Legacy Series / Rules are not being obeyed
July 06, 2019, 01:58:23 PM
I just reinstalled OPNsense and set only basic rules while I configure other areas and the rest of the network for the change. I had set a block (reject, actually) rule for some hosts that shouldn't connect out. I did it the same as always, inverting the match for the destination to the nonroutable space (RFC1918), and put it above the allow any to any rule; usually that's enough. Just now I added a new address to the alias of blocked sources and realized it has been allowing the hosts to connect out all the time.

I tried reordering the rules so the Apply button would appear, applied, then reordered them back and applied again. It didn't work. I checked whether I had inadvertently enabled some sort of bypass, like the proxy, but I hadn't.

I'm on version 19.1.10, I applied the update today, I believe. Like I mentioned earlier, I just noticed this happening; I don't know if this was happening before the update. Is this a bug or did I miss something?

I have no floating rules. My LAN interface is an LACP LAGG interface and the public-facing interface is OPT1 because WAN got somehow locked up and when I select it in the sidebar it takes me to the interface assignment page but it is on the LAN default group at least. :)

Thanks!
#18
I'm having issues with the firewall not obeying my ruleset. All the rules are the clone of the first one so either they should all work or they should all not work. Some do, some don't. These are port forwards, BTW.

I don't know what's wrong. In the live view I can see the connections are blocked by the default ruleset, meaning for some reason it's not matching them but, like I said, not all of them: I checked them several times finding nothing wrong with them.

Is this a bug? I also added a ZeroTier interface; the firewall pings the only client I have at the other end, and the client also pings the firewall, but the firewall doesn't route the subnets.

Is this a known bug?
#19
I've been trying without luck to set up FreeRADIUS with Active Directory for a while now; apparently that'll never happen for me. LDAP for both OPNsense's FreeRADIUS and OPNsense itself is set up correctly; I tried starting on another system and learned in the documentation that LDAP is useless for the tunneled EAP types anyway.

But since the users from LDAP were imported into OPNsense itself, I'd be using local users, therefore tunneled EAP should work, right? That's what I hope for anyway. I don't know exactly how to instruct FreeRADIUS to use the system userbase; I don't think it's automatic because I can't authenticate with any of the imported accounts.

I figured, maybe I need to add users into FreeRADIUS, but when I go there within the information I'm also asked for a password to proceed. I don't know if by entering this value the previous is going to be changed for the account in question, or if it's going to set a different password altogether which sort of defeats the purpose of the integration.

Is it doable? Are the settings elsewhere? Thanks!
#20
I was designing a UI for a local system and playing random stuff off YouTube as white noise on another computer when both suddenly lost their connection. The one playing YouTube was the odd one since usually YouTube/Netflix/... can keep on going for a while on their buffer when the network is lost. I had an IP address, but I couldn't ping my immediate gateway, nor anything above it. I could still connect to another computer on the same subnet which is dual-homed and from there see what's up. I connected to the upstream router, pfSense, which basically does most of the networking; it connects via a transit network to OPNsense, and that to the first core switch, at least logically--it's all virtualized.

I logged into vCenter to get the consoles from both firewall systems. The upstream could ping out; OPNsense on the other hand showed the network interface reading "watchdog timeout on queue 0" filling the whole screen. It would keep printing that. I restarted it and as soon as it got back, before it had even finished booting, it was printing that again. Like I said, the edge firewall was doing most of the work anyway; OPNsense I was just starting to deploy to play with the things it has that pfSense lacks. I just made the switch take its IP address on the /30 transit network and I got back to where I was.

I'm quitting OPNsense for now. I've tried to deploy it several times but I just can't get it to be stable--and it's not like mundane things, it's a little more serious with potential for data loss, like not starting up on the update to 19.1; or connectivity problems on multi-WAN with the same ISP (hence same gateway)--I was able to spoof the gateway with another router in between, BTW, but it sort of defeats the purpose of such an advanced system. :/

Anyway, I thought I should report it. I hope it helps somebody. Also found out that to boot a failed EFI-based 19.1 upgrade, you can just change it to BIOS without reinstalling! I reported that on GitHub, though.