Topics

1

23.7 Production Series / Connectivity audit using weird packet sizes ...

« on: November 23, 2023, 05:37:20 pm »

IPv4:

Code: [Select]

Currently running OPNsense 23.7.9 at Thu Nov 23 17:29:33 CET 2023
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes
1508 bytes from 89.149.222.99: icmp_seq=0 ttl=55 time=32.805 ms
1508 bytes from 89.149.222.99: icmp_seq=1 ttl=55 time=32.682 ms
1508 bytes from 89.149.222.99: icmp_seq=2 ttl=55 time=32.782 ms
1508 bytes from 89.149.222.99: icmp_seq=3 ttl=55 time=32.610 ms

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
OK, working - but why oversized packets which will have to be fragmented?

And IPv6:

Code: [Select]

Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING6(1548=40+8+1500 bytes) 2003:a:d59:3800:3eec:efff:fe00:5433 --> 2001:1af8:5300:a010:1::1

--- 2001:1af8:5300:a010:1::1 ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
No fragmentation in IPv6, so of course:

Code: [Select]

17:26:53.546530 IP6 opnsense.ettlingen.hausen.com > 2003:a:d59:3800:3eec:efff:fe00:5433: ICMP6, packet too big, mtu 1492, length 1240


This is a 23.7.10 lab installation connected to my LAN as uplink ("block private networks" disabled) and with the regular interface MTU of 1500 bytes. The real Internet firewall has got an MTU of 1492 bytes on WAN (PPPoE).


What's the reasoning behind sending large packets instead of just regular ICMP echo? And is there possibly a bug in the size calculation?


Kind regards,
Patrick

2

General Discussion / Large number of alias addresses in a HA setup - to CARP or not to?

« on: November 16, 2023, 09:34:31 am »

Hi all,

we are in the planning stage for a HA pair protecting a web server farm. We will have something from a /26 to a /24 IPv4 externally.

Does one create a CARP VHID per address or is there another method to add them for inbound proxying? Of course they should all switch over to the standby node should the active one fail.

I have always worked with all CARP VHIDs in the past but I never had more than a handful of addresses to manage.

Thanks
Patrick

3

23.7 Production Series / Inbound permit on WAN not working when on same network

« on: October 19, 2023, 07:58:33 pm »

Hi all,

now I've been hacking OPNsense for quite a while and I thought I understood the product quite well, but I must be missing something.

WAN
From: any
To: WAN addess
Destination Port: 22

Does not work if the PC I use to access the firewall is connected to the WAN network - a regular /24, firewall getting its address and other configuration via DHCP. Access from *remote* outside the WAN network works!

What's going on?

Thanks,
Patrick

4

23.7 Production Series / Can OPNsense delegate an IPv6 prefix to another router/firewall?

« on: September 01, 2023, 12:03:32 am »

Hi all,

subject says it. Most threads here and the docs are concerned with OPNsense getting a proper prefix delegation from an ISP or an upstream router. Question is: can OPNsense server as an upstream router and delegate an e.g. /62 to another router behind it?

Thanks,
Patrick

5

23.7 Production Series / Anyone running OPNsense in bhyve? Reboot hangs

« on: August 10, 2023, 01:01:49 pm »

Hi all,

I just installed an OPNsense 23.7 in bhyve in a TrueNAS CORE 13.0-U5.3. 2 network interfaces via PCIe passthrough and generally everything is working great.

Only minor problem: when I try to soft reboot the VM, the filesystem buffers are flushed and the last message I see is "ix1 changed state to DOWN" - then the guest system hangs until powered off from the host and powered on again. Identical for soft power off. The system shuts down but the virtual/emulated power off does not happen.

I vaguely remember that occasionally people have this problem running on real hardware too and that you can twiddle the reset method via loader.conf somehow (ACPI vs. ... what?)

All hints greatly appreciated. I'm running this on a tiny Supermicro system. That would make a great chimera for travel - TrueNAS and OPNsense all in one box.

6

23.7 Production Series / Strange error message while updating 23.7 --> 23.7.1

« on: August 08, 2023, 06:35:37 pm »

Code: [Select]

Configuring system logging...Error opening plugin module; module='examples', error='/usr/local/lib/syslog-ng/libexamples.so: Undefined symbol "random_choice_generator_parser"'
Any ideas?

Kind regards,
Patrick

7

Virtual private networks / Wireguard interface numbers

« on: July 31, 2023, 03:25:55 pm »

Hi!

Since when do the WireGuard interfaces start with wg1 instead of wg0? And why? Drives me up the walls. Network engineers count from 0.

Seriously this is just cosmetic but I spent a good half an hour searching for some leftover wg0 or some other mistake ...

8

German - Deutsch / OPNsense HA Paar bei Hetzner?

« on: July 20, 2023, 05:10:54 pm »

Hallo,

hat jemand ein HA-Paar - entweder in VMs oder auf "Blech" bei Hetzner in Betrieb und könnte mir was zum Setup erzählen? Normalerweise gibt es ja pro phys. Host (wenn man mal bei Blech bleibt) eine IPv4-Adresse. Zusätzliche /29, /28, ... werden auf dieselbe MAC-Adresse geroutet. Meine Frage ist, wie man das mit VIPs macht?

"Hintenrum" das private LAN, da sind die ja völlig flexibel und stellen einem gerne einen 1G oder 10G Switch zu einer Handvoll Maschinen dazu. Das würde mit unserem proServer-Produkt auch großartig funktionieren. Alle gehosteten Container liegen dann in dem privaten Netz und werden über die OPNSensen geroutet, nur die Hosts haben eine Adresse im öffentlichen Netz ...

Sachdienliche Hinweise willkommen - mir reicht auch völlig "Frag bei Hetzner nach Produkt X" - ich bin nicht so ganz unerfahren in Netzwerk-Kram 

9

Development and Code Review / OPNsense Vagrant project updated for 23.7

« on: July 20, 2023, 12:35:30 pm »

I just pushed the necessary changes to my project that let's you easily "vagrant up" a complete OPNsense installation on your desktop/laptop computer:

https://github.com/punktDe/vagrant-opnsense

OPNsense release info:

https://forum.opnsense.org/index.php?topic=34948.0


Enjoy,
Patrick

10

23.1 Legacy Series / BIND improvements in 23.1.6 - what exactly?

« on: April 20, 2023, 03:18:00 pm »

Hi all,

in the announcement @franco wrote:

standalone core DNS support for Bind and Dnscrypt-Proxy plugins

From looking at the UI and the underlying generated config files I assume that RFC 2136 dynamic DNS (DHCP --> BIND) is still not supported. We would need to add dynamic zone support for that. Correct?

So what exactly does "standalone core DNS support" mean?

Thanks!
Patrick

11

Tutorials and FAQs / VLANs, layer 3 (sub)networks & broadcast domains

« on: January 19, 2023, 08:59:46 am »

Hello,

Ivan Pepelnjak just published a really good summary explaining how these concepts fit together and why recommended best practices are what they are.

Many folks on this forum seem to struggle with VLANs and network segregation so this article might prove useful:

https://blog.ipspace.net/2023/01/l2-l3-segments.html

Kind regards,
Patrick

12

23.1 Legacy Series / 23.1r1 - version displayed in UI?

« on: January 13, 2023, 01:01:13 pm »

Hello,

this is what I get when I check for updates, even after explictely setting the mirror to OPNsense, NL:



is this the correct version?

Thanks,
Patrick

13

22.7 Legacy Series / Why does 2FA demand password and token in a single field?

« on: December 15, 2022, 09:54:05 pm »

Hi all,

I am in the process of activating 2FA (TOTP) for all services that offer it. E.g. Github, our self hosted Gitlab, Hetzner, Paypal, ... you name it.

For all of these services the login procedure is the same:

1. Prompt for username and password. Sometimes first only username, <ENTER>, then password <ENTER>.
2. Then I am asked for the 6 digit one time token.

This works great because I have been using password safe software for years and the username and password get filled in automatically. Then I have one more step to enter the OTP. Perfect.

With OPNsense it seems there is only one prompt for username and password and you are supposed to append (or prepend depending on configuration) your OTP to the static password.

How is this expected to work? The password is filled in by the password manager. Visible as a bunch of dots or stars. If I append the OTP in that same field my browser asks me if I want to update the saved password for that service every single time.

WTF? What is the idea behind this completely insane user interface? Unless I get one prompt for fixed username and password and then a second one for the OTP, 2FA on OPNsense is unusable. Every other service I have ever used with TOTP does this.

Kind regards,
Patrick

14

22.7 Legacy Series / Another error while updating to 22.7.3_2

« on: September 01, 2022, 08:55:19 pm »

Hi all,

i just successfully updated my home system and our office in Frankfurt to the latest release. Unfortunately for my office in Karlsruhe things did not turn out well.

This is the last thing my browser has cached for some reason:

Code: [Select]

Fatal error: Uncaught Error: Class "phpseclib3\Crypt\Common\AsymmetricKey" not found in /usr/local/share/phpseclib/Crypt/RSA.php:73 Stack trace: #0 /usr/local/etc/inc/certs.inc(34): require_once() #1 /usr/local/etc/inc/config.inc(40): require_once('/usr/local/etc/...') #2 /usr/local/www/guiconfig.inc(39): require_once('/usr/local/etc/...') #3 /usr/local/www/index.php(31): require_once('/usr/local/www/...') #4 {main} thrown in /usr/local/share/phpseclib/Crypt/RSA.php on line 73
But the firewall is not online at all. I can't reach it.

Seems like beginning of work really early tomorrow, like 7:00 or so ... I have all the config in git, not that big a deal, but definitely annoying.

Any ideas? What can I expect once I have console access? Fixable without reinstall (and without Internet access)?

Thanks,
Patrick

15

Development and Code Review / Inconsistent "Advanced Options/Mode" toggle?

« on: August 22, 2022, 09:47:30 am »

There are (at least) two different ways some advanced settings are shown or hidden in the UI. Is this intentional? Anything that is on the roadmap?

Variant 1:


Variant 2:


Kind regards
Patrick