Topics

1

21.7 Production Series / Wireguard road warrior (followed default guide) - all work but cant ping clients

« on: November 29, 2021, 05:07:31 pm »

Has anyone else ever had an issue where if you follow the guide to the Wireguard Roadwarrior setup everything works except from a LAN client you cant ping a WG client thats connected?

2

21.7 Production Series / I cant work out how everyone else managed to get mtu of 1500 working on pppoe

« on: November 23, 2021, 02:10:18 pm »

Hi,

Im with an ISP that allows the MTU of 1492 to be brought up to 1500 on a pppoe connection. Its not clear to me how everyone else achieved this. I have read several topics on the forum and tried the suggestions but I cant seem to get it to work on OPNsense 21.7.5-amd64.

I had a pppoe connection on top of em0 interface working on MTU of 1492 and started by setting the MTU to 1508 there which then states "calculated MTU 1500"

This had no effect so I read other posts that said you needed to make a dummy interface of em0 and simply enable it and set an mtu of 1508 there which I also did.

This also had no effect even after rebooting. The pppoe dials and ends up with an mtu of 1492 at the end. What is the method people use to force an mtu as I am clearly missing a step?

Kind regards
P

3

21.7 Production Series / A rule that should not block on the firewall blocked something temporarily.

« on: October 15, 2021, 09:59:12 pm »

Hi there,

I had a strange occurrence. I have rules that block certain IP's on my home network and an allow rule above this block rule that allows certain IP's that I dont want captured in the block.

Last night a netflix CDN IP was blocked . I noticed today (the next day) when reviewing the logs. However this IP was already in the allow rule. The effect this had was momentarily netflix would not work and I refreshed a few times and thought nothing of it. However I noticed today that IP was blocked and so I went to add it to the list of allowed IP's and discovered it was already in the list.

This means temporarily the rules did not function as expected last night. However there were no changes to the firewall and in fact I was not logged onto it at all either at that time or around that time (due to watching netflix).

Why would the firewall temporarily ignore a firewall rule? The problem seems to have resolved itself with no intervention. I have not added this IP later on into the alias of allowed IP's. I can confirm it was already in there and did not require a change to the firewall.

Kind regards
Pete

4

21.7 Production Series / Help with vlan and untagged on 1 interface. Kind of works :(

« on: August 31, 2021, 03:07:47 pm »

Hi there,

I would like to create a vlan and have this run over the same physical cable as my current untagged LAN.
I have configured what I imagine to be an acceptable configuration but it does not work 100%.

The config is as follows:

Physical:
An RJ45 from port em1 (LAN) to a unifi switch.

Configuration OPNsense
Create under interfaces - other types - vlans - VLAN5 on interface em1.
Under assignments create VLAN5 on em1 so it appears as an interface.
Configuring interface vlan5 I set static ip of 192.168.5.1 (Lan is set to 192.168.2.x already).

Create a rule to allow all traffic anywhere to anywhere on vlan5 firewall rules for testing.

Save config.

At this point I can no longer log into the web interface of my opnsense box, although it appears like everything is working.

So to try resolve logging into opnsense I configured other types - bridge - and added vlan5 and LAN as a bridge.

Once saving, this means I can access the web interface again. However the web interface is very slow, and takes about 30 seconds to load up a page when clicking from page to page, as opposed to immediate when I had no vlan5 config at all.

Can someone assist me in explaining where I am going wrong in understanding what I should do and how to achieve 1 physical interface to run both LAN and a VLAN on top of it? Reason for this requirement is I have no other ports available because I have another VLAN thats on a separate cable and dont have this problem with it.

Kind regards
Pete

5

21.7 Production Series / Unable to upgrade from OPNsense 21.1.9_1-amd64 to 21.7

« on: July 28, 2021, 02:39:50 pm »

Hi there,

I have tried updating 2 times (once from the GUI and one time from the CLI after SSH into the firewall and selecting option 12).
Noth times the files are downloaded and the firewall reboots, but after some time when it has rebooted I am still on 21.1.9 and am offered the update again.

How can I view what is going wrong with the update/what logs can I check?

Pete

6

General Discussion / Unbound advanced configuration has been removed.

« on: July 14, 2021, 08:01:09 pm »

From announcements:
Unbound advanced configuration has been removed.  Local override directory /usr/local/etc/unbound.opnsense.d exists.


Does anyone know why this has been removed. Im sad it has been removed because I used that page when setting up unbound. Will it still be easy to set the options that were on that page for me? I ask out of ignorance as I dont know why it was removed or how to configure the same options going forward. Im hoping it will be easy.

P

7

21.1 Legacy Series / Wireguard kmod issue I had to overcome.

« on: July 12, 2021, 02:57:25 pm »

Hi there,

I saw everyone said the wireguard kernel version was faster/better than using the wireguard go option in opnsense. I had attempted to use it and found the opposite, and it was unstable so I tried to find the cause.

As it turns out I have a pppoe connection and noticed that MTU on my pppoe interface was 1492. On wireguard interface the MTU was set to 1420 which would be acceptable on an 1500 wan interface setup.

However I found it was impossible to change the MTU on the WG interface. I set 1412 as the MTU on my wireguard interface and it rebooted the Firewall but found even after reboot the overview area showed MTU of 1420 still on the WG interface.

This was causing some timeouts on speedtest on my phone and also WG to run slow.

So I had to go to Firewall - Settings - Normalization and set a Max mss of 1412. This resolved the issues and brought wireguard back to normal.

I did not experience these issues on the WG-go implementation.
Also I dont understand why setting an MTU on the WG interface did not change the MTU after a reboot.

Lastly, while I can see the wg-go service is stopped in the gui, is there a command I can run to check which module is being used from the CLI (ie either go or kmod) in case I need to do so from the CLI easily?

Kind regards
Pete

@franco

8

21.1 Legacy Series / Is it possible to change to libressl if I use wireguard

« on: June 21, 2021, 09:04:29 pm »

I would like to change to libressl but worried it would break my wireguard setup. Does anyone know if this can be changed?

9

Zenarmor (Sensei) / os-sensei-1.9.1: checksum mismatch for /usr/local/sensei/userdefined/policy/Defi

« on: June 17, 2021, 02:15:53 pm »

Hi there,

What does this error mean in the request to audit health.

os-sensei-1.9.1: checksum mismatch for /usr/local/sensei/userdefined/policy/Definitions/systemdefault.policy

Kind regards
Peter

10

Zenarmor (Sensei) / Will the release notes page be updated with 19 or 19.1 changes soon?

« on: June 16, 2021, 05:06:19 am »

Last update was 1.8.2 on the release notes page.

11

21.1 Legacy Series / Outbound Nat Rewrite - how to monitor in logs?

« on: May 20, 2021, 09:52:28 pm »

Hello,

I have an outbound NAT rewrite rule that captures devices that ignore DNS and forces them to go via my internal pihole. For example if a client such as my Roku TV attempts to connect to 8.8.8.8 on port 53 this is captured and sent correctly internal to my pihole.

See figure 1:

My issue is the logs do not tell me what ip this device attempted to access externally. I would like to know how to capture this information. Eg: I can see that 192.168.2.51 tried to access an IP on port 53 as the rewrite rule kicked in. But would like to know what that IP is (ie was it 8.8.8.8 or some other Ip etc).

How can I know this?

Here is the rewrite rule:

Here is the LAN FW rule:


Thanks in advance

Pete

12

Zenarmor (Sensei) / Blocking some things and reporting others. Is this possible?

« on: April 09, 2021, 12:40:45 am »

I have the default policy which has the things I want to block, but some things I only want to report but not block. If I create a new policy I can only seem to block things there is no way to only report on the additional things I am wanting to monitor.  Is this possible to achieve?

P

13

Tutorials and FAQs / How to: Bypass Bell HH3000 fiber with basic unifi US-8-150W switch the easy way.

« on: March 26, 2021, 04:27:29 pm »

Hi there,

There was no good write up online so I am making one on how to avoid using a media converter and instead only use the home switch from Unifi for the SFP conversion.
I have a physical OPNSense box, and a Unifi switch. The fiber is supplied by bell via a mac address authorized SFP+ module that can work in the SFP ports of the Unifi US-8-150W switch, allowing you to not use the supplied router from bell. Location is ON, Canada where vlan 35 is used.

--------
KNOWN LIMITATIONS:
The 8-150W switch SFP port only syncs at a maximum of 1G so if you have an internet connection from bell faster than 500/500 you can forget about it. Thats about the max you will get (I think you would get about 600/600 on this method). For higher speeds you will need to buy and use a media converter, that should get you to about 800/800 with a 1.25G media converter. I have both the media converter and the switch but wanted to ditch the media converter as its more power efficient for my UPS. The speeds are the same if you have the 500/500 package so for this reason just using the switch is an option for me. True speeds can be achieved with a 2.5G sync but this is only available on expensive equipment such as Unifi Edgerouters/switches or whatever and Microtic's etc which I dont have and dont really want to have to buy.
--------

Setup Layer 1:
Plug appropriate cable from FW WAN to switch and the Fiber to the SFP module on the switch as pictured in example.

Port 1 is WAN on FW and first SFP port is 'Fiber'.


Setup Layer 2:
In ON the Bell network runs on VLAN 35. Additional VLANS are needed for the TV service if you use this but I only get internet from Bell. As such only internet setup is shown below. You can adapt to your use case as required.

In the switch you will need to configure a few things. Start by accessing the networks section n the controller and make a new VLAN as per below:


Next make 2 switch profiles. BellVlan35SFP is to be used for the SFP port and FWVlan35Native is for the FW Wan port. Please note that the FW port has a native network set. This is important as it means we do NOT have to tag packets with a VLAN ID on the OPNSense box, as we are specifying the default VLAN for untagged traffic is 35 on this port. This means you can bypass the buggy vlanning on pppoe in opnsense entirely (ie what I found was inconsistent and did not work well). In theory you should be able to vlan tag on the pppoe connection but I found it did not always connect and the unreliability meant it was not a solution for me:



Next assign the relevant profiles to the relevant ports on the switch:


Layer 3:

Finally we can now authenticate via PPPoE on the Opnsense Router:
This is exceedingly basic. If you already have PPPoE working to the homeHub3000 no changes are required. If you previously had VLAN tagging you just need to remove it. So the settings are super simple. Assign your WAN interface to the relevant interface in OPNsense and setup PPPoE as per example like this (replace relevant username/pass with your credentials):


As you can see no vlanning now required on the OPNSense. Here are example speeds on my 500/500 connection:


To conclude, using this method you just need 2 pieces of equipment, your OPNsense FW and your Unifi Switch. No more Bell HH3000. All equipment can be restarted and auto reconnects as one would expect automatically with no user intervention at any point with this setup. Tested multiple times, no issues and get my expected full speeds.

Any questions just let me know

Pete

14

Zenarmor (Sensei) / Additional platforms - how does that work?

« on: March 18, 2021, 12:33:19 am »

I see the latest release says it supports additional platforms. How does that work exactly? It seems heavily integrated into opnsense.

Pete

15

21.1 Legacy Series / How to create a new service that starts automatically in OpnSense?

« on: March 03, 2021, 08:56:38 pm »

Hi All,

I have a couple static arp entries set in /etc/rc.conf.
I can once the server is up start the service by typing 'service static_arp start' and the entries get added to OpnSense.

How can I make this service start on boot, and/or appear in the services in the GUI? I tried service static_arp enable but it didnt help.

Is there a way to make this automatic?

Kind regards
Peter