OPNsense
Topics - tomstephens89

1
23.7 Legacy Series / DHCP Relay (multiple scopes)
« on: August 04, 2023, 02:19:25 pm »
I initially posted this feature request in the 19.7 release but since it's not really been acknowledged, figured I'd post it again.

It would be good if DHCP scopes could be defined for address space outside of the locally connected subnets and the DHCP server respond to DHCP requests which are relayed up from a L3 switched core.

In small deployments where L3 switching is being used for internal routing, it would remove the need for a separate DHCP server.

Thanks
Tom

2
Virtual private networks / IPSEC traffic in Netflow/inSight shows under WAN.
« on: July 28, 2022, 04:47:17 pm »
I have just noticed when using Netflow into inSight that no traffic from my Office > Datacenter IPSEC tunnel shows under the IPSEC interface within Details. It all shows under the WAN interface?

Looks like a bug. Running 22.1.2

3
21.7 Legacy Series / os-iperf no UDP?
« on: January 23, 2022, 12:40:52 pm »
I have noticed the os-iperf plugin does not open up UDP ports for connection testing using UDP?

4
21.7 Legacy Series / Slow DNS lookups on BACKUP box after changing Unbound outbound interface to LAN
« on: January 21, 2022, 10:08:28 pm »
Hi all,

I recently changed the outbound interface setting of the unbound resolver to one of my LAN side interfaces in order to solve the problem of DNS domain override forward requests not traversing my IPSEC tunnel to the datacenter.

Since changing unbound to use one of my LAN interfaces, DNS requests to that overridden domain now successfully use the IPSEC tunnel to a remote DNS server. However, I have just noticed that during an update of my firewall pair, the box that is currently the BACKUP node suffers extremely slow DNS resolution. I noticed this when it was looking up the package repo etc....

Any ideas why this is?

5
High availability / CARP with IPv6 > Link local default gateway
« on: October 21, 2021, 12:17:51 pm »
Hi all,

I have IPv6 deployed and working in a few VLANs. RA managed mode + DHCPv6.

All works great except for the failover test I just performed to my second OPNsense box.

I am aware that when using dynamic addressing via RA/DHCP, clients typically get a link local gateway advertised to them, rather than the routable address. However on failover, anything using link local as its GW lost IPv6 connectivity. Whereas static clients using my CARP v6 VIP for the respective VLAN GW worked fine.

What's the solution for this? I see no way to pass a gateway via DHCPv6 as this isn't how v6 works. But in that case, what's my option?

6
Documentation and Translation / Multi interface traffic shaper guide incorrect
« on: October 12, 2021, 11:01:36 am »
Hi all,

Just noticed that there is an error in the Multi Interface shaping guide here:

https://docs.opnsense.org/manual/how-tos/shaper_guestnet.html

The rule for the upload traffic entering via the guestnet interface should have its direction set to 'in', rather than 'out' as shown in the document.

Thanks.


7
19.7 Legacy Series / 1:1 NAT Reflection doesn't work
« on: January 20, 2020, 10:58:32 am »
Hi all,

Have recently migrated one of our sites to OPNsense 19.7 from pfSense which I used for the past 5 years.

I have a web server on site hosting a demo with 1:1 NAT configured using one of the IPs in our public subnet.

I have all the NAT reflection boxes ticked however I cannot access the server via its public address from inside the network... The 1:1 NAT and firewall rule on the WAN work as expected, the server is accessible from the outside. However NAT reflection is not working.

This is a L3 switched environment with several VLANs routed on the switch core. There is an uplink to OPNsense which then goes off to WAN. Static routes are all in place and everything works as expected, except NAT reflection.

Most client PCs are in 172.16.1.0/24 as is the server (172.16.1.183).

I did some googling and found others that have reported NAT reflection not functioning.

I know reflection isn't a great idea, and internal clients should access internal resources via their internal addresses (so I could do a host override on local DNS forwarder) but NAT reflection is a feature on offer and should therefore work.

Any suggestions?

8
19.7 Legacy Series / Domain overrides in BIND?
« on: November 10, 2019, 12:52:48 pm »
Hi, am I able to add a domain override in BIND on OPNsense to forward all DNS lookups for a domain to different DNS servers?

Or do I need to use unbound?

9
19.7 Legacy Series / DHCP For remote subnets (relay receiver)?
« on: November 09, 2019, 09:43:27 pm »
Hi all,

Is OPNsense capable of serving DHCP leases to remote subnets? I.e. if there is a L3 routed core with an uplink to OPNsense, can I configure my DHCP helpers to point at the OPNsense DHCP server?

This would be reliant on creating DHCP pools for subnets that are not directly attached.

10
19.7 Legacy Series / DNS Black holing / black list available yet?
« on: November 09, 2019, 06:32:09 pm »
Hi all,

I am just about to replace pfSense in our datacenter environment and office spaces after a happy 6 years with OPNsense after about 6 months of testing.

I have done a fair bit of googling RE running a DNS blackhole / banlist on OPNsense to replicate the functionality of something like PiHole or pfBlockerNG. However I can't seem to find an officially supported package that does it.

I am looking to use the default Unbound as the local DNS Forwarder so would prefer to be able to use that as a DNS black hole for ad blocking.

Any progress?

11
19.7 Legacy Series / CPU Usage in Health>Reporting
« on: July 19, 2019, 11:45:22 am »
Hi all,

Is there not a CPU Utilization metric measured 0-100 or even the load average available in the reporting>health area?

The current metrics under system > processor do not offer a clear picture of actual processor utilisation over time as a percentage.

Tom

12
19.7 Legacy Series / Traffic Shaper Rules interface assignment
« on: July 18, 2019, 02:13:24 pm »
Hi all,

Been testing out the traffic shaper in order to reserve some WAN bandwidth for a VLAN that homes our VOIP phones...

In the guide here https://docs.opnsense.org/manual/how-tos/shaper.html

You will see both inbound and outbound rules specify the WAN interface. Now in the example, rules are being applied based on the IP of the external VOIP server. However I am applying based on the internal subnet.

Logic would suggest my inbound rule applies to the WAN interface, traffic destination set to my internal voice subnet. Outbound would then be applied to the LAN interface, with the traffic source set to the internal voice subnet.

The above configuration works, however I can assign both rules to the WAN interface and it still works.

My assumption would be that the shaper applies after NAT is performed and therefore even though my inbound rule is on the WAN interface, it can see the destination is an RFC1918 internal address.

So to confirm, all inbound/outbound traffic shapers for WAN bandwidth, should be applied to the WAN interface under the rules tab?

Cheers
Tom

13
19.7 Legacy Series / DHCP Multiple scopes (relay receiver)
« on: July 17, 2019, 01:58:16 pm »
Hi all,

Testing out OPNsense for a new network deployment here and I have a question.

The network consists of several VLANs routed by a L3 switch core. One upstream VLAN into OPNsense for routing out to the net/VPNs.

Can the DHCP server on OPNsense be configured to serve out addresses to inbound DHCP relay messages from the L3 switches? I.e. can I set up multiple scopes for the subnets in question that aren't directly connected to OPNsense?

Thanks

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved