OPNsense

Topics - GiantJack

1
22.1 Legacy Series / Lenovo won't boot with 22.1 on internal ssd (no OS found)
« on: February 28, 2022, 11:37:09 pm »
Hi!

I'm struggling with my Lenovo m720q to boot on internal SSD (PCI NVME) with 22.1.
It was working fine for months before with an older version.

Install works fine but I tried several BIOS & install settings without success: on reboot, it says error 1962, no operating system found (boot loop).
I thought the SSD was dead so I tried a new one: same issue.

As a temporary work around it does boot and reboot fine with installation on external USB HDD (an old 80GB I had in my drawer)


ideas welcome...

2
General Discussion / What's the issue with the poor man bridge aka the dmz double nat ?
« on: January 27, 2022, 04:03:52 pm »
Hi !

I have read several times that double nat in principle is bad and I understand the issues that it can bring.

But it's less clear when it comes to use double nat through DMZ (sometimes called the poor man bridge mode).

Let's assume that I have 2 routers:
- ISP router, connected to internet on one side, providing a DMZ lan RJ45 on the other side.
ie: all incoming traffic from internet will be forwarded to a defined RJ45
- An Opnsense router with WAN port connected to DMZ RJ45 mentioned above and my LAN on the other side.

What could go wrong exactly ?
or what would work fine with ISP router in bridge mode that would not work with the DMZ trick ?


if it matters:
- I use VPN to access my LAN from my smartphone when I'm away (using vpn server in opnsense).
- I have some playstations (those devices are sensitive to NAT topics).


3
General Discussion / humble suggestion:change or record default number of items listed from 7 to all.
« on: April 26, 2021, 09:31:38 am »
Hi!

Would it be possible to change or remember the default items displayed in lists ?

I mean this:


7 is pretty small for a modern screen and it's often needed to spend a little time to "where's my rules? oh I forgot there's only 7 displayed, let's change it".

if it's possible to consider this, I would be happy to have a tuning somewhere to change default value to "All".
Or it may be even easier just to keep last change: once I set "all" (or 50 or whatever), it should keep it for next visit.

What do you think ?
 :)


4
General Discussion / Share internet bandwidth amongst users UN-evenly
« on: April 23, 2021, 11:12:05 am »
Hi!

I would like to make my full WAN bandwidth available to some devices when it's available, but I want to create priority when it's overloaded.

Here is an example of situation:
- My work laptop shall have full priority & bandwidth when using it.
- My TV stream shall have less priority than laptop but more than my NAS
- My NAS shall have lowest priority: ie sync backups in background when I sleep (no laptop, no TV).

Can I use this howto: https://docs.opnsense.org/manual/how-tos/shaper_share_evenly.html

but with following modifications to make it 'unevenly' :

1- create more queues, with different weight:  say 100 for work laptop, 50 for TV, 5 for NAS.
ex: "QueueUp-1Mbps_100", "QueueUp-1Mbps_50",  "QueueUp-1Mbps_5"
2- create rules for each device and use IP address of the device for source (UL) and dest (DL) ?
ex:  "ShapeUpload_NAS" shall have source as 192.168.2.65 if it's my NAS IP ?

Would this make the job ?

And then: how can I set a "default" weight for other devices that are not managed in a rule?
Can I set a default rule "192.168.2.0/24" at the bottom of the list?



5
20.7 Legacy Series / Real time traffic monitoring (kbps) per LAN IP
« on: April 22, 2021, 06:17:19 pm »
Hi !

In past version (not sure which one, probably later 19.x or earlier 20.x), I was able to see the current data-rate per IP in the Reporting / Traffic section.
Currently in 20.7 I'm not able to find similar information.

I'm interested in real time datarate (graph or numbers) per IP on my LAN (in or out), like for example "172.16.2.10 : 892kbps out"
So, when my connection is slow, I am able to easily find the guilty :-).

Is there any available means I may have missed? (or plugin? or in version 21.x?).

Best regards,

6
General Discussion / Cannot connect RTSP camera between interfaces/subnets
« on: April 23, 2020, 08:56:23 pm »
Hi there!
I have some trouble with my IP cameras.

I setup some (little) time ago a VLAN 5 interface for my IoTs.
I wanted to move my IP camera to this VLAN5.

VLAN5 subnet  is 192.168.5.0/24
LAN subnet is 192.168.1.0/24

For tests, I have setup rules in the VLAN5 firewall to all open:
VLAN5 net to LAN net, any protocol, IPv4&v6, any ports (so I expect all open between VLAN5 & LAN).
LAN is open also to VLAN5.

My PC and my phone on LAN can ping & access web admin page of the camera on 192.168.5.81
But RTSP connection with VLC or with my NAS won't work.

If I connect my PC or phone on the VLAN5 directly:  VLC can catch the RTSP stream !


I have a second and different camera, that is still on my LAN for now (192.168.1.80).
When my PC and phone are on LAN,  I can ping, access admin page and RTSP without troubles.
But if my PC or phone are on VLAN5, I can still ping or access admin page of the second camera, but RTSP is down!

 :-\

Is there anything with RTSP that I could have forgotten to allow connection between my 2 interfaces/subnets ?







7
General Discussion / Confused with rules "direction" in/out meaning ?
« on: April 18, 2020, 12:28:09 pm »
Hi!

I am a bit confused with this "direction" field in firewall rules.

I currently have a VLAN (for guests) and a LAN.

I wanted to set some rules to isolate guests from LAN so I set the following rules (attached pic) in the VLAN section of the firewall.

If I try to access LAN from Guest, rule 1 blocks the traffic
If I try to access Guest from LAN, rule 3 blocks the traffic

Rules 2 & 4 are kind of not used.

When looking at the manual, I made the following understanding:

So because I set all those rules on my VLAN interface section of the firewall:
- vlan to lan is "in"coming to the firewall from VLAN interface (and so blocked by rules 1)
- lan to vlan is "out"coming of the firewall (from LAN) toward my VLAN (and so blocked by rules 3)

And my rules 2 & 4 could be used if I moved them to LAN section of firewall instead of VLAN ?

In case I would move rules 2 & 4 to LAN interface section of firewall
rules 2 would be traffic "out"coming the firewall from vlan to lan and so would block connection attempt from VLAN to LAN
rules 4 would be traffic "in"coming the firewall from LAN to VLAN and so would block connection attempt from LAN to VLAN.

Does it sound correct ?

Do my rules 2 & 4 have any kind of mind currently placed in VLAN section? I was not able to figure out what it does exactly.










8
General Discussion / Strange "breach" between WAN & LAN during reboot ??
« on: April 14, 2020, 04:45:32 pm »
Hi!
I face a very strange behavior I wanted to share.

I have a DSL connection using a so called "freebox" (a "modem" provided by my ISP).
The service offers some multimedia player and the system is in 2 pieces, the so called "server" (include modem) and the "player" connected on TV.

The player uses VLAN100 to receive the TV broadcast from the server.
Following a howto, I have created some time ago a VLAN100 bridge from WAN to LAN so that I can see TV with player connected on my LAN.
I have also firewall rules to have this bridge fully opened.
The setup looks like this:



Please forgive me that the picture shows a pfsense device  :-[

The VLAN100 bridge worked some months but is now broken, I have no more TV
While trying to figure out how to make the TV work again I notice this:

When I reboot opnsense, I briefly have a working connection from the modem to the player
On last test, the connection worked fine during 1min 28sec.

Here is my record today:
I connected to opnsense by SSH, press 6 for reboot:
16:06:00 : I pressed "y" to confirm reboot.
16:06:11 : my freebox player succeeded to connect to the freebox server.
16:07:39 : my freebox player lost connection to freebox server.


In the system.log, I found this, but it does not help so much (for privacy, I replaced my public IPv4 address with xx.xx.xx.xx):


Code:
Apr 14 16:06:08 OPNsense opnsense: /usr/local/etc/rc.linkup: Clearing states for stale wan route on igb1
Apr 14 16:06:09 OPNsense opnsense: /usr/local/etc/rc.filter_configure: Ignore down inet gateways : WAN_FBX_IPV6
Apr 14 16:06:09 OPNsense opnsense: /usr/local/etc/rc.filter_configure: ROUTING: removing /tmp/igb1_defaultgw
Apr 14 16:06:09 OPNsense opnsense: /usr/local/etc/rc.filter_configure: ROUTING: creating /tmp/bge0_defaultgw using '192.168.9.1'
Apr 14 16:06:09 OPNsense opnsense: /usr/local/etc/rc.filter_configure: Ignore down inet6 gateways : WAN_FBX_IPV6
Apr 14 16:06:11 OPNsense kernel: pflog0: promiscuous mode disabled
Apr 14 16:06:11 OPNsense kernel: igb1: link state changed to UP
Apr 14 16:06:11 OPNsense kernel: igb1_vlan100: link state changed to UP
Apr 14 16:06:11 OPNsense kernel: pflog0: promiscuous mode enabled
Apr 14 16:06:12 OPNsense opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for VLAN_100_WAN(opt2) but ignoring since interface is configured with static IP (0.0.0.0 ::)
Apr 14 16:06:13 OPNsense opnsense: /usr/local/etc/rc.linkup: DEVD Ethernet attached event for wan
Apr 14 16:06:13 OPNsense opnsense: /usr/local/etc/rc.linkup: HOTPLUG: Configuring interface wan
Apr 14 16:06:13 OPNsense dhclient: Starting delete_old_states()
Apr 14 16:06:13 OPNsense dhclient: Comparing IPs: Old: xx.xx.xx.xx New: 
Apr 14 16:06:13 OPNsense dhclient: Removing states from old IP 'xx.xx.xx.xx' (new IP '')


(....)


Apr 14 16:06:31 OPNsense opnsense: /usr/local/etc/rc.filter_configure: Ignore down inet gateways : WAN_FBX_IPV6
Apr 14 16:06:31 OPNsense opnsense: /usr/local/etc/rc.filter_configure: ROUTING: keeping current default gateway 'xx.xx.xx.xx'
Apr 14 16:06:31 OPNsense opnsense: /usr/local/etc/rc.filter_configure: Ignore down inet6 gateways : WAN_FBX_IPV6
Apr 14 16:06:33 OPNsense kernel: pflog0: promiscuous mode disabled
Apr 14 16:06:34 OPNsense kernel: pflog0: promiscuous mode enabled
Apr 14 16:06:34 OPNsense opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for VLAN_100_WAN(opt2) but ignoring since interface is configured with static IP (0.0.0.0 ::)
Apr 14 16:06:35 OPNsense opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb1_vlan100'
Apr 14 16:06:35 OPNsense opnsense: /usr/local/etc/rc.newwanip: On (IP address: ) (interface: VLAN_100_WAN[opt2]) (real interface: igb1_vlan100).
Apr 14 16:06:35 OPNsense opnsense: /usr/local/etc/rc.newwanip: Failed to detect IP for VLAN_100_WAN[opt2]
Apr 14 16:07:30 OPNsense shutdown: reboot by root: 
Apr 14 16:07:30 OPNsense shutdown: reboot by root: 
Apr 14 16:07:30 OPNsense syslogd: exiting on signal 15
Apr 14 16:11:12 OPNsense syslogd: kernel boot file is /boot/kernel/kernel




The good point is that I am maybe close to find how to make my VLAN work.
The worrying point is that this occurs during reboot...like an unexpected hole between WAN & LAN during this sequence.

I hope someone can help a little ? :-\

If some more information or logs are needed, let me know !






9
General Discussion / How to know, detect or set IPv6 addresses for firewall use ?
« on: April 02, 2020, 08:38:40 am »
Hi There !

I use opnsense on my DSL connection.
My modem is a special one provided by my ISP (it's called freebox for those who know it).
It does provide IPv6 addresses and I have setup opnsense following a howto to manage it.
As far as I understood, it uses SLAAC.

I have also read several times that android devices are not DHCPv6 friendly....but there are several ways to use DHCPv6 maybe some work ?

So now: how am I supposed to handle IPv6 firewall rules with this SLAAC process ?

Is there a way to get opnsense to grab and identify the ipv6 addresses on my LAN ?




10
French - Français / Freebox player only works for a few seconds during opnsense boot ?!
« on: March 29, 2020, 10:18:57 pm »
Hello !!

I have a Freebox V6 in bridge mode with opnsense behind it.
I had successfully followed this tutorial to get the freebox player working on my LAN:
https://blog.les-titans.com/2016/08/03/connecter-une-freebox-v6-en-mode-bridge-avec-la-freebox-tv-au-travers-de-pfsense/

In short, it's connected like this, with a VLAN100 bridge between WAN and LAN:


But for some time now, it has refused to work...

I finally learned that you have to connect to port 1 of the freebox to get the TV VLANs...that's now done.
I don't know whether I changed the port myself some time ago or whether this is new behavior.

Today I noticed something rather surprising, encouraging but also worrying  :-[ :-[ :-[

While opnsense is rebooting: the player manages to connect to the box, I get all the connection info and even the TV for a few seconds and then bam, it cuts out !!

Next time I'll try to note the exact second (to within 2-3 seconds) to find out what it corresponds to in the opnsense logs.

If you have ideas on how to proceed (which log to look at? I'm not familiar with BSD) or directly about my problem, I'm all ears !!





11
20.1 Legacy Series / Dashboard gateways issues (disappearing or appear offline)
« on: March 29, 2020, 10:05:16 pm »
Hi!
I have some trouble with 2 of my gateways (from DSL) in the lobby.

1/ The gateway ipv4 disappears from lobby/dashboard/gateways when my modem is down.
I would expect to have it still displayed as offline or something...how can I improve this ?

2/ The gateway ipv6 is stuck offline even when it's back online.
At the same time, dpinger service for this gateway seems off (red square instead of green triangle) in lobby / dashboard /service.
When I switch on again dpinger, the gateway turns green and online.
How can I make dpinger for this gateway to stay "on" ?

ideas welcome  :-[



12
19.7 Legacy Series / How to block internet access for one device vs IPv6 ?
« on: December 01, 2019, 12:14:52 pm »
Hi there!
I have a device that I wish to block internet access.

For IPv4, no problem, I just add a rule to block any traffic from 192.168.1.xx  (xx is my device) to internet.
I have a static IP in DHCP for this device.

Then comes IPv6...I could disable it on this device, but let's be modern and learn how to deal with it.

I do not have IPv6 DHCP...my ISP provides me a full range of IPv6 and to be honest, I followed a howto and I do not 100% understand how it works.
My modem is somewhat distributing IPV6 to my devices on LAN.

I assume I have to add an IPv6 rule to block internet access from IPv6, but how can I check if my IPv6 is static or not ?







13
General Discussion / How to manage LTE USB modem disconnect,reconnect and avoid crashing OPNsense
« on: November 07, 2019, 01:39:29 pm »
Hi There!

I have setup my OPNsense with 2 gateways: main (default) one is a DSL modem.
The second one is an LTE USB modem e3372h (hilink mode).

The LTE gateway helps to speed up a bit my not very fast DSL.
Both gateways work fine.

But I still face a couple of issues:

1- I may want to take the USB modem with me sometime (holidays, business trip...)

If I just take the modem out of the USB port of OPNsense =>  It does crash OPNsense !!
DHCP is dead, ping gives no answer....all I can do is a reboot!

How can I avoid this ?

I would have expected that OPNsense should just set offline my LTE gateway...


2- This e3372h Hilink modem needs to do a "usb_modeswitch" command when reconnected to the gateway.

I was thinking I could maybe "cron-ize" the command every five minutes (it will just get with error message if the modem is always switched)...But that sounds a bit not clean.
Is it possible to set this command "on connection" of the modem only?

I notice also that after reconnection & modeswitch command, I may need to manually disable/enable the interface to have the gateway online again...and there, I have no clue how I could make this automatic...?


14
19.7 Legacy Series / [Solved]LTE gateway remain offline avec upgrade from 19.1 to 19.7
« on: November 06, 2019, 02:45:46 pm »
Hi There!
A few days ago, I succeeded in adding a e3372h modem as gateway in hilink mode and it was working fine.

Yesterday I upgraded my OPNSense from 19.1 to 19.7.
Upgrade seems to have worked fine. All my settings remain.

Almost all seems to work same as before...except my LTE gateway which stays now offline (in red).
DSL gateway (default one) is ok.


I tried to disable/enable it, reboot...no success.

Lsusb shows the LTE modem as expected.
Ifconfig seems ok, it shows an IP address for "ue0" interface...I think same as before with 19.1


How can I proceed to diagnose what's going on ?




15
19.1 Legacy Series / [Solved] e3372h Hilink LTE modem as 2nd gateway ?
« on: November 01, 2019, 06:41:34 pm »
Hi there!

I have a running 19.1 OPNsense, connected to my DSL modem. It works fine.

I have an LTE modem e3372h with Hilink firmware.  I used it with a TPlink TL MR3020 travel router and it works fine too.

I intend to connect it to my OPNsense firewall to use it as backup gateway or increase my bitrate (my DSL is not so fast).

So far, I was not able to make it work together (the e3372h connected on USB port of my OPNsense).

I'm confused because if the travel router can do it...I assume it should be possible.

I read a few howto's explaining it may require custom firmware to change how my e3372h works (to turn it in 'stick' mode).

I wish to avoid this: so the LTE modem can still be disconnected and used on PC like before when needed (travels etc...)

Are there any solutions ?



As a first step...I would be happy to know how to install usbutils (to run lsusb).
Code:
root@OPNsense:~ # pkg install usbutils
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
pkg: No packages available to install matching 'usbutils' have been found in the repositories
root@OPNsense:~ #



OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved