Topics

1

Sensei / Is the free version really worth it ?

« on: August 12, 2021, 12:23:58 pm »

I'm trying to understand the level of additional protection that the free version (and the free version only) would provide to OPNsense and I'd appreciate anyone input.

Not talking about the reporting capabilities, for instance, if I look at the security policies, I can enable the block for sites that are responsible for malware, phishing, etc - am I right to say that what Sensei does here is to block access to/from a list of malicious IPs, that is the same I can configure with the blocklist feature in Unbound ?

Or adding rules as for this article https://docs.opnsense.org/manual/how-tos/edrop.html

Tia.

2

21.7 Production Series / Can't get Internet access from 2nd LAN

« on: July 31, 2021, 06:55:14 pm »

Eventually I was able to do fresh install of 21.7 on my APU2 (WAN + 2 LAN ports), but I can't access Internet from the 2nd LAN port: how do I troubleshoot this?

Tia.

3

21.7 Production Series / DNSBL cron job

« on: July 31, 2021, 12:36:24 am »

Trying to add a cron job to update the Unbound blocklists in System-->Settings-->Cron but it's not in the drop-down menu, how possible?

Tia.

4

21.7 Production Series / New install on APU2

« on: July 30, 2021, 06:59:50 pm »

Just complete a fresh install and the WAN doesn't pick up an IP address, never happen before, any suggestions?

Username and password checked, and my spare router connects immediately...

Tia.

5

General Discussion / How to get an alert when the IP address has changed?

« on: June 01, 2021, 03:06:58 pm »

My ISP provide dynamic IP address, so every now and then my IP address changes, and as per post subject, how easy is to set that alert up?

Tia.

6

Hardware and Performance / Enabling hardware offload ?

« on: May 30, 2021, 03:36:02 pm »

Since I don't use IDS/IPS, would I gain any boost performance by enabling the hardware offload settings on my APU2E4?

Tia.

7

General Discussion / Can we install Speedtest CLI on OPNsense ?

« on: April 03, 2021, 09:14:37 pm »

I found the following details on how to install Speedtest on FreeBSD, is there a way to install it on OPNsense?

Code: [Select]

$ sudo pkg update && sudo pkg install -g libidn2 ca_root_nss
$ sudo pkg add "https://bintray.com/ookla/download/download_file?file_path=ookla-speedtest-1.0.0-freebsd.pkg"
https://www.speedtest.net/apps/cli

Tia.

8

General Discussion / How to isolate one port/subnet

« on: March 30, 2021, 09:33:54 pm »

I've got 2x LAN ports and 1x WAN port and I'd want to create firewall rules to 'isolate' LAN2 (which is on a differnet subnet than LAN1) in order to allow only Internet access and no access to LAN1, any advice, please?

Tia.

9

General Discussion / Blacklist for Unbound

« on: March 21, 2021, 06:06:11 pm »

If two or more lists have same domains, is Unbound 'smart' to not include duplicates in the dnsbl.conf file?

Tia?

10

General Discussion / Learning about Unbound

« on: March 21, 2021, 01:31:25 pm »

I read an interesting article here and my current configuration is pretty similar with the one in the article is "example 2", i.e. DoT, recursive caching DNS, TCP port 853 and DNSSEC.

There is an "example 3" (Authoritative, validating, recursive caching DNS) and I've noticed a few differences. i.e. there are no upstream servers, the listening interface/address is only 127.0.0.1, there is no DoT - I'm trying to understand if there is a real benefit in using this third configuration...

How do you configure Unbound ? Keen to hear (and learn) from the experts of this subject, thanks.

11

General Discussion / How to use fsck ?

« on: March 20, 2021, 01:26:10 pm »

After a sudden outage, I've run the command fsck:

Code: [Select]

root@hush:/ # fsck
** /dev/gpt/rootfs (NO WRITE)
** Last Mounted on /mnt
** Root file system
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=2006612 (20672 should be 20608)
CORRECT? no

** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE  I=2007178  OWNER=root MODE=100644
SIZE=197 MTIME=Mar 20 12:22 2021
RECONNECT? no


CLEAR? no

** Phase 5 - Check Cyl groups
FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no

SUMMARY INFORMATION BAD
SALVAGE? no

BLK(S) MISSING IN BIT MAPS
SALVAGE? no

71680 files, 1015643 used, 26972945 free (4945 frags, 3371000 blocks, 0.0% fragmentation)
root@hush:/ #
Is there anything to worry about? How to correct the block count error?

Tia.

12

21.1 Legacy Series / Unbound service doesn't start anymore

« on: March 16, 2021, 12:42:42 pm »

I've updated to 21.1.3_3 and suddenly Unbound stopped running + I can't make it running again, i.e. I start the service and after a few seconds it stops: is anybody experiencing a similar issue?

Bottom line with Unbound not working I cannot surf the Internet and I had to exclude it from the network 

Tia.

13

General Discussion / How to make communicating with each other clients on different subnet ?

« on: March 13, 2021, 02:35:05 pm »

I need a client on subnet 192.168.0.1/24 (LAN) being able to ping another client which is on subnet 192.168.10.1/24 (LAN2) - and viceversa.

LAN and LAN2 are on two different physical Ethernet ports of the OPNsense router.

I'm playing with Firewall --> NAT --> Outbound, but no luck s far 

Can someone help, please?

Tia.

14

21.1 Legacy Series / NTP error: clock unsynchronized

« on: March 11, 2021, 10:57:22 am »

Does anybody have got the same error message? Rebooting the router didn't make any difference.

Code: [Select]

2021-03-10T22:49:58 ntpd[99842] kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
2021-03-10T22:49:58 ntpd[99842] kernel reports TIME_ERROR: 0x41: Clock Unsynchronized
2021-03-10T22:49:58 ntpd[99842] Listening on routing socket on fd #26 for interface updates
2021-03-10T22:49:58 ntpd[99842] Listen normally on 5 pppoe0 51.x.x.x:123
2021-03-10T22:49:58 ntpd[99842] Listen normally on 4 pppoe0 [fe80::20d:b9ff:fe55:a4e8%8]:123
2021-03-10T22:49:58 ntpd[99842] Listen normally on 3 lo0 127.0.0.1:123
2021-03-10T22:49:58 ntpd[99842] Listen normally on 2 lo0 [::1]:123
2021-03-10T22:49:58 ntpd[99842] Listen and drop on 1 v4wildcard 0.0.0.0:123
2021-03-10T22:49:58 ntpd[99842] Listen and drop on 0 v6wildcard [::]:123
2021-03-10T22:49:58 ntpd[99842] restrict: 'monitor' cannot be disabled while 'limited' is enabled
2021-03-10T22:49:58 ntpd[99842] gps base set to 2021-01-17 (week 2141)
2021-03-10T22:49:58 ntpd[99842] basedate set to 2021-01-13
2021-03-10T22:49:58 ntpd[99842] proto: precision = 0.418 usec (-21)
2021-03-10T22:49:58 ntpd[78182] ----------------------------------------------------
2021-03-10T22:49:58 ntpd[78182] available at https://www.nwtime.org/support
2021-03-10T22:49:58 ntpd[78182] corporation. Support and training for ntp-4 are
2021-03-10T22:49:58 ntpd[78182] Inc. (NTF), a non-profit 501(c)(3) public-benefit
2021-03-10T22:49:58 ntpd[78182] ntp-4 is maintained by Network Time Foundation,
I'm on the latest 21.1.3

And is there an easy fix for this?

Tia.

15

General Discussion / Can't delete cron job for proxy ACLs

« on: February 28, 2021, 08:35:01 pm »

Can someone please advise how to understand which service is using proxy ACLs?

I'm trying to delete the cron job "download and reload external proxy ACLs" but I get an error.

Tia.