OPNsense

Topics - putt1ck

1
General Discussion / Nextcloud backups when the Nextcloud is inside
« on: October 12, 2021, 09:05:51 am »
Probably obvious to most, but for those like me who banged their head on it a bit before the light dawned: if your Nextcloud instance is internal to the firewall you're backing up, it won't work unless you add a DNS override for the URL of your Nextcloud. In this case the internal Nextcloud was also behind a reverse proxy, so the override was URL -> proxy IP, but I'm assuming a direct to NC internal IP would also work where it's a direct port forward.

2
19.7 Legacy Series / [Solved] Tar segfault upgrading to 19.7
« on: July 24, 2019, 12:08:19 pm »
Hi

Trying to upgrade to 19.7 from 19.1.10_1. Having unlocked the upgrade I get web UI output of:

Code:
***GOT REQUEST TO UPGRADE***
Fetching packages-19.7-OpenSSL-amd64.tar: ... done
Extracting packages-19.7-OpenSSL-amd64.tar...***DONE***

and CLI output of:

Code:
Proceed with this action? [19.7/y/N]: 19.7

Fetching packages-19.7-OpenSSL-amd64.tar: ... done
Extracting packages-19.7-OpenSSL-amd64.tar...Segmentation fault (core dumped)

*** OPNsense.ourpack.eu: OPNsense 19.1.10_1 (amd64/OpenSSL) ***


Locating the downloaded file and manually running tar -xf successfully extracts the contents.

Any ideas?

3
19.1 Legacy Series / [SOLVED] Tuning ipsec for fastest (re)negotiation
« on: June 08, 2019, 06:13:33 pm »
We've got a setup with several offices, with VPNs between each site (fixed IPs, dedicated FTTP) which are used among other things for monitoring kit on each site from a central server. We're noticing that when the VPN lifetime expires the tunnel drops and then there's an odd delay before it re-establishes. For most purposes it wouldn't be an issue but the disconnect is long enough to make the monitoring send a bunch of alerts - and can disrupt inter-site backups.

Lifetimes are set at 28800 seconds for phase 1 and 2 at each end.

Are there any settings we could tweak to cause the renegotiation to take less time?

4
19.1 Legacy Series / Papercut: VIP VHID gateway/password seen as firewall user/password
« on: May 30, 2019, 09:29:14 am »
When creating or editing a Virtual IP (Firewall -> Virtual IP -> Settings) the Gateway and Virtual IP Password boxes are seen as the firewall user/password boxes respectively, and the password manager (via FF66 and earlier) auto-completes them. Could this be changed so that doesn't happen?

Should the VHID password even be treated as something that needs hiding? I'm guessing that if it's not called/defined as "password" that it won't be seen as one.

5
19.1 Legacy Series / LAN default deny rule - when there's an allow rule
« on: February 21, 2019, 08:23:33 am »
Scratching my head over this one. Newly installed firewall, after rules added to restrict outgoing LAN traffic to a few ports, denies everything outgoing on the default deny rule - and continues to do so when an allow all rule is added back in at the top. The only LAN rule that is "working as expected" is the anti-lockout rule. Rules added to the WAN interface work as expected.

What circumstances could result in this scenario? All input welcome!

6
19.1 Legacy Series / DHCP in Layer 3 networks
« on: February 14, 2019, 02:04:05 pm »
I realise a variant of this topic has come up before, but is there a reason that the DHCP server is limited to providing addresses in the interface subnet? It's reasonably common practice in networks to have per subnet VLANs and then use "IP helper" configurations to relay DHCP requests to a central service - often a firewall outside of Windows AD setups.

If this is something that OPNsense will never provide in the UI, will a manual edit of the DHCP conf survive reboots/upgrades?

All input welcome.
