OPNsense Forum

Topics - Voodoo

1
23.1 Production Series / Installer serial keyboard input stops right after Please login...
« on: March 14, 2023, 09:10:53 pm »
I'm currently in the process of installing OPNsense under Kubernetes using KubeVirt (KVM).

I can boot the VM just fine and connect to it via serial.

The boot menu responds to input, and the startup scripts (e.g. configure interfaces) all respond to input and work just fine.

The input works right up until:
Code:
Welcome!  OPNsense is running in live mode from install media.  Please
login as 'root' to continue in live mode, or as 'installer' to start the
installation.  Use the default or previously-imported root password for
both accounts.  Remote login via SSH is also enabled.

Right after it's printed, input stops working; I cannot log in as root or installer, nothing happens if I type.

However, output still works, so the serial console is fine; doing an ACPI shutdown prints

Code:
>>> Invoking stop script 'beep'
..................
Syncing disks, vnodes remaining... 0 0 0 0 done
All buffers synced.
Uptime: 6m30s


I'm now going to install via VNC but I really want this VM to run headless if possible.

Any solution to this bug?

2
Documentation and Translation / WireGuard MullvadVPN Road Warrior Documentation Wrong
« on: December 04, 2022, 04:10:00 pm »
So I just followed https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html which broke my internet.

Following the documentation, WireGuard will install a 0.0.0.0/1 route, which overrides the default route.

It is important that under VPN -> WireGuard -> Local -> Configuration, "Disable Routes" is checked.

Step 2 in the documentation is how to set up dynamic routing, so "Disable Routes" is clearly missing from it; otherwise it makes no sense.
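Why a 0.0.0.0/1 route takes over the default route, as an added example (not code from the post or from OPNsense): a small longest-prefix-match lookup over a constructed routing table. The post reports the 0.0.0.0/1 route; its companion 128.0.0.0/1 is assumed here as in the usual "def1" split, and the interface names, the LAN prefix and the 203.0.113.10 tunnel endpoint are constructed.

```python
"""Why a WireGuard AllowedIPs of 0.0.0.0/0 overrides the existing default route.

Added example for illustration only; it is not code from the forum post or
from OPNsense. The post reports that WireGuard installs a 0.0.0.0/1 route
(the companion 128.0.0.0/1 is assumed here, as in the usual "def1" split).
Longest-prefix match then prefers those two /1 routes over the real default
0.0.0.0/0 for every destination. Interface names, the LAN prefix and the
203.0.113.10 tunnel endpoint are constructed.
"""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (prefix, egress) pairs: the most specific
    prefix containing dst wins, regardless of insertion order."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


# Routing table before WireGuard is configured (constructed).
BASE_ROUTES = [
    ("0.0.0.0/0", "wan"),          # ISP default route
    ("192.168.1.0/24", "lan"),     # directly connected LAN
]

# Routes installed when "Disable Routes" is NOT checked: the /1 pair, plus a
# host route so the encrypted tunnel packets themselves still leave via WAN.
WG_AUTO_ROUTES = [
    ("0.0.0.0/1", "wg0"),
    ("128.0.0.0/1", "wg0"),
    ("203.0.113.10/32", "wan"),    # constructed VPN endpoint
]


def egress_routes_enabled(dst):
    """Egress interface with WireGuard's automatic routes installed."""
    return lookup(BASE_ROUTES + WG_AUTO_ROUTES, dst)


def egress_routes_disabled(dst):
    """Egress interface with "Disable Routes" checked: nothing changes until
    a gateway and policy-based rules are configured explicitly."""
    return lookup(BASE_ROUTES, dst)


if __name__ == "__main__":
    for dst in ("1.1.1.1", "198.51.100.9", "192.168.1.5", "203.0.113.10"):
        print(f"{dst:>16}  enabled={egress_routes_enabled(dst):<4} "
              f"disabled={egress_routes_disabled(dst)}")
```

The two /1 prefixes are each more specific than /0, so every address that is not directly connected or covered by the endpoint host route is pulled into the tunnel, which is exactly the "broke my internet" symptom when the tunnel is not yet usable as a gateway. With the routes disabled, the table is untouched and traffic only enters the tunnel through whatever gateway and policy rules are added afterwards.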



3
21.1 Legacy Series / Unbound leaks all subnets
« on: June 03, 2021, 09:58:22 pm »
I noticed Unbound leaks all subnets configured in OPNsense.

Just query the firewall host; it can easily be found with a PTR lookup.

Is there some way to prevent Unbound from returning all the addresses?


Code:
# check dns server
user@docker1:~# nslookup docker1
Server:         192.168.1.1 <- used dns server
Address:        192.168.1.1#53

Name:   docker1.example.com
Address: 192.168.1.11

# ptr on dns server
user@docker1:~# nslookup 192.168.1.1
1.1.168.192.in-addr.arpa        name = firewall1.example.com.

# get all subnets
user@docker1:~# nslookup firewall1.example.com
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
Name:   firewall1.example.com
Address: 192.168.2.1
Name:   firewall1.example.com
Address: 192.168.3.1
... (removed entries)
Name:   firewall1.example.com
Address: 10.10.1.0
Name:   firewall1.example.com
Address: 10.20.2.0
Name:   firewall1.example.com
Address: 10.20.0.2
... (removed entries)
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
Name:   firewall1.example.com
Address: 2a02:****
... (removed entries)
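A way to measure what the post describes, as an added example (not code from the post or from OPNsense/Unbound): parse nslookup-style output for a name and report how many addresses it resolves to and which internal subnets those answers reveal. The transcript below is constructed; the names mirror the post, the addresses are private and documentation ranges.

```python
"""Check how many addresses a DNS resolver hands out for one name.

Added example, not code from the post or from OPNsense/Unbound. It parses
nslookup-style output like the one quoted above, then reports how many
addresses a name resolves to and which internal (RFC 1918 / ULA) subnets
that discloses. The sample output below is constructed: the names mirror
the post, the addresses are private and documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed nslookup transcript in the same layout as the post.
SAMPLE = """\
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   firewall1.example.com
Address: 192.168.1.1
Name:   firewall1.example.com
Address: 192.168.2.1
Name:   firewall1.example.com
Address: 10.20.0.2
Name:   firewall1.example.com
Address: 2001:db8:1::1
Name:   firewall1.example.com
Address: fd00:10::1
"""

# Internal ranges are listed explicitly rather than via is_private, which
# also treats documentation space such as 2001:db8::/32 as private.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

_NAME = re.compile(r"^Name:\s+(\S+)")
_ADDR = re.compile(r"^Address:\s+(\S+)$")


def parse_nslookup(text):
    """Return {name: [ip, ...]} from the answer section. The leading
    Server/Address header is skipped because no Name: line precedes it."""
    answers = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = _NAME.match(line)
        if m:
            current = m.group(1).rstrip(".")
            continue
        m = _ADDR.match(line)
        if m and current is not None and "#" not in m.group(1):
            answers[current].append(ipaddress.ip_address(m.group(1)))
    return dict(answers)


def is_internal(addr):
    """True when addr falls in one of the INTERNAL ranges (v4/v6 mismatch is False)."""
    return any(addr in net for net in INTERNAL)


def exposure(text, name):
    """Summarise what a single name discloses: total answers, how many are
    internal, and the /24 or /64 subnets those internal answers reveal."""
    addrs = parse_nslookup(text).get(name, [])
    internal = [a for a in addrs if is_internal(a)]
    subnets = {
        str(ipaddress.ip_network(f"{a}/{24 if a.version == 4 else 64}", strict=False))
        for a in internal
    }
    return {"total": len(addrs), "internal": len(internal),
            "internal_subnets": sorted(subnets)}


if __name__ == "__main__":
    print(exposure(SAMPLE, "firewall1.example.com"))
```

Run it against real output by replacing SAMPLE with the text of `nslookup <firewall-name>` from each client network; a name that maps to one address per attached subnet is the symptom the post is about, and the subnet list is what a host on one segment learns about the others.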



4
21.1 Legacy Series / Kubernetes best load balancer setup ?
« on: March 17, 2021, 08:42:29 pm »
Does anyone have a Kubernetes setup with OPNsense?

There is barely any content about it, so I did some research and testing myself.


OPNsense does not come with load balancing by default but offers 3 plugins: os-relayd, os-nginx and os-haproxy.

os-relayd was deprecated in the past, solely for load balancing.

os-nginx and os-haproxy are mainly for HTTP reverse proxying; os-haproxy has some more load balancing options but lacks UDP load balancing if required.

os-nginx lacks load balancing algorithms; round robin is the only one, but that's a limitation of the OPNsense GUI.

Best option for future support seems to be os-haproxy.

5
20.7 Legacy Series / New Traffic Reporting useless
« on: December 20, 2020, 03:46:19 am »
The new traffic reporting graph looks nice and all, but for usability it's useless.

The old table with traffic per host was much cleaner and more informative.

Why would you remove such a basic feature?

6
20.7 Legacy Series / unbound static override TTL
« on: November 20, 2020, 12:03:40 am »
To my surprise, Unbound static DNS overrides have a fixed TTL of 3600 = 1 hour.

It would be great if this could be changed in advanced settings, like it's already possible for DHCP leases.

Static overrides are not changed often, but when they are, a TTL of 3600 is quite high.

7
20.7 Legacy Series / ipv6 wan stops working after a while
« on: November 09, 2020, 02:55:37 pm »
I have an IPv6 WAN DHCP setup which works fine, except it stops working every 3-6 weeks.

The system log gets spammed with:
in6_ifadd: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx is already configured

I have to do Interfaces -> Overview -> WAN -> DHCP reload to make it work again.

The IPv6 I get from my ISP has a static prefix, and I think this messes up the DHCP lease.

OPNsense should ignore it if it's the same IP and just go with it; right now it's killing the interface?!

8
20.7 Legacy Series / Web gui not working after upgrade
« on: October 13, 2020, 12:22:29 pm »
I just installed the recent upgrade; after reboot the web GUI is not reachable anymore, I get a connection timeout. Restarted the firewall again, the issue still persists. There was no other change, like firewall rules, which could block the web GUI; I just installed the upgrades and rebooted. Everything else seems to work. Tried other browsers and other hosts to connect, nothing...

How can I troubleshoot? I have SSH access.

9
Documentation and Translation / help text for shaping pipe source mask is wrong ?
« on: August 15, 2020, 10:41:43 pm »
In Firewall -> Shaper -> Pipes -> Add -> enable full help

The "mask" description says:
Choose source to give every IP in the source field of rules the specified bandwith. Normally this is used for download pipes.

"download pipes" should be "upload pipes" ?!

10
20.1 Legacy Series / wireguard 1:1 nat routes back over wrong gateway
« on: July 14, 2020, 12:27:13 am »
I've set up a WireGuard tunnel for 1:1 NAT.

Outbound NAT is working fine, but port forwarding from the public IP to the local client is not.

The local client receives SYN packets and answers with ACK, but OPNsense is sending the ACK over the default WAN gateway, which drops them. I don't get why; this should be a stateful connection and OPNsense should route them back the way they came, over the VPN. Also, for the VPN interface (10.127.127.1) the gateway (10.127.127.2) is set, so it should use it; I don't get why it routes over WAN.

I tried checking "Disable reply-to on WAN rules" but it has no effect.

Quote:
note: port 55555 instead of 80 is used to easily filter it in captures
local client: 192.168.1.50, http server on port 55555
opnsense vpn: 10.127.127.1
gateway: 10.127.127.2 (public ip 45.157.xxx.xxx)

1:1 nat between 45.157.xxx.xxx and 10.127.127.1
1:1 nat between 10.127.127.1 and 192.168.1.50

trying a netcat from 207.246.xxx.xxx to 45.157.xxx.xxx:55555 results in the following capture dump:

Code:
state dump:
all tcp 192.168.1.50:55555 (10.127.127.1:55555) <- 207.246.xxx.xxx:45046 SYN_SENT:ESTABLISHED

capture:
Interface Capture output
lan
vtnet0 20:52:20.631158 IP (tos 0x0, ttl 52, id 11465, offset 0, flags [DF], proto TCP (6), length 60)
    207.246.xxx.xxx.45046 > 192.168.1.50.55555: Flags [S], cksum 0xb68a (correct), seq 1839892123, win 64240, options [mss 1460,sackOK,TS val 3739768784 ecr 0,nop,wscale 6], length 0
    192.168.1.50.55555 > 207.246.xxx.xxx.45046: Flags [S.], cksum 0xa05b (correct), seq 3704964607, ack 1839892124, win 65280, options [mss 1372,sackOK,TS val 2707705387 ecr 3739768784,nop,wscale 7], length 0   
    # removed duplicates / retries

wg1
wg1
    207.246.xxx.xxx.45046 > 10.127.127.1.55555: Flags [S], cksum 0xeee4 (correct), seq 1839892123, win 64240, options [mss 1460,sackOK,TS val 3739768784 ecr 0,nop,wscale 6], length 0
    # removed duplicates / retries

wan
vtnet0_vlan4
    10.127.127.1.55555 > 207.246.xxx.xxx.45046: Flags [S.], cksum 0xd8b5 (correct), seq 3704964607, ack 1839892124, win 65280, options [mss 1372,sackOK,TS val 2707705387 ecr 3739768784,nop,wscale 7], length 0
    # removed duplicates / retries


wg1 interface overview shows the gateway is set:

Code:
wg1 interface (opt4, wg1)
Status up
MAC address 00:00:00:00:00:00 - XEROX CORPORATION
MTU 1420
IPv4 address 10.127.127.1 / 30
Gateway IPv4 10.127.127.2


The gateway shouldn't even matter; 1:1 NAT should route back as is, and if that doesn't work, at least use the gateway that is set? 192.168.1.50 also has a PBR to route over 10.127.127.2. There should be no way for traffic to hit WAN.

So why the hell is OPNsense routing over WAN and not wg1? Did I miss something?
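The asymmetry visible in the capture above, turned into a check, as an added example (not code from the post or from OPNsense): given packet-capture records as (interface, tcpdump line) pairs, key each flow by the remote client endpoint, which is the one tuple that survives NAT on both legs, and flag the flow when the SYN-ACK leaves on a different external interface than the SYN entered on. The capture is constructed to mirror the post with documentation addresses (remote client 198.51.100.7, VPN side 10.127.127.1, LAN host 192.168.1.50); a second, correctly routed flow from 198.51.100.8 is added for contrast.

```python
"""Spot a reply leaving on a different interface than the request entered.

Added example, not code from the post or from OPNsense. It takes packet
capture records as (interface, tcpdump line) pairs and, per remote client,
compares the external interface that saw the SYN with the external
interface that saw the SYN-ACK. The capture is constructed to mirror the
post with documentation addresses; the 198.51.100.8 flow is a healthy
control case whose LAN leg is omitted for brevity.
"""
import re
from collections import defaultdict

# Constructed capture, one record per packet as OPNsense's capture view
# prints them: (interface, second tcpdump line). Retransmissions omitted.
CAPTURE = [
    # Broken flow from the post: SYN in via wg1, SYN-ACK out via wan.
    ("wg1", "198.51.100.7.45046 > 10.127.127.1.55555: Flags [S], seq 1839892123, win 64240, length 0"),
    ("lan", "198.51.100.7.45046 > 192.168.1.50.55555: Flags [S], seq 1839892123, win 64240, length 0"),
    ("lan", "192.168.1.50.55555 > 198.51.100.7.45046: Flags [S.], seq 3704964607, ack 1839892124, win 65280, length 0"),
    ("wan", "10.127.127.1.55555 > 198.51.100.7.45046: Flags [S.], seq 3704964607, ack 1839892124, win 65280, length 0"),
    # Control flow: reply goes back out the interface it came in on.
    ("wg1", "198.51.100.8.50000 > 10.127.127.1.55555: Flags [S], seq 1, win 64240, length 0"),
    ("wg1", "10.127.127.1.55555 > 198.51.100.8.50000: Flags [S.], seq 2, ack 2, win 65280, length 0"),
]

_PKT = re.compile(r"^(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def parse_packet(line):
    """Pull src/dst address, ports and TCP flags out of one tcpdump line."""
    m = _PKT.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def reply_path_check(capture, internal_ifaces):
    """Key flows by the remote client endpoint, which survives NAT on both
    legs, and compare the external interface that saw the SYN with the one
    that saw the SYN-ACK. Internal interfaces carry both and are ignored."""
    syn_in = defaultdict(set)
    synack_out = defaultdict(set)
    for iface, line in capture:
        pkt = parse_packet(line)
        if pkt is None or iface in internal_ifaces:
            continue
        if pkt["flags"] == "S":
            syn_in[(pkt["src"], pkt["sport"])].add(iface)
        elif pkt["flags"] == "S.":
            synack_out[(pkt["dst"], pkt["dport"])].add(iface)
    findings = {}
    for client, in_ifaces in syn_in.items():
        out_ifaces = synack_out.get(client, set())
        findings[client] = {
            "syn_in": sorted(in_ifaces),
            "synack_out": sorted(out_ifaces),
            "asymmetric": in_ifaces != out_ifaces,
        }
    return findings


if __name__ == "__main__":
    for client, finding in reply_path_check(CAPTURE, {"lan"}).items():
        print(client, finding)
```

Feed it the interface-tagged lines from a real capture and it separates "the state exists but the reply is routed elsewhere" from "the reply never left the LAN host", which is the first thing to establish before touching reply-to or gateway settings.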

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved