Topics - RamSense

#1
I just noticed on https://pentest-tools.com/network-vulnerability-scanning/port-scanner-online-nmap
that the auto-generated Anti-Lockout Rules (Destination NAT) for port 22 and port 444 (my OPNsense GUI) are both open on WAN and can be reached.

Is this my fault, and should those 2 Anti-Lockout rules be deleted after installing 26.1, or is this something to look at? I can't see a delete option in the Destination NAT list.
#2
Hi,
While watching the logs more closely since updating to OPNsense 26.1 (now on 26.1_4), I noticed the notification errors below:
(connection is fiber PPPoE)

Notice kernel [158] [fib_algo] inet.0 (radix4_lockless#948) rebuild_fd_flm: table rebuild failed
Notice kernel [158] [fib_algo] inet.0 setup_fd_instance: radix4_lockless algo instance setup failed, failures=22

Not sure if it is only 26.1.x related. The system runs, but are others seeing this also, and how to mitigate it?
#3
I just took the jump also.
I upgraded, and after reboot I have an internet connection for a little while. Then it stops,
and I am not able to get it back up.

After another reboot the same.
I noticed the wan interface was down.

In the log I noticed this:

[357] pf_test: kif == NULL, if_xname pppoe0

Is this the reason?
What can I do?

Thanks for the help in advance!
#4
Q-Feeds (Threat intelligence) / automatic upgrade api
November 20, 2025, 07:28:16 AM
I just ordered a plus upgrade. I was already using the free API key.
I noticed that after paying for the upgrade and receiving confirmation, it stays free.
Then I read that I have to go into the tip-qfeeds account and edit my free API key to change it to plus.

I think it would be very convenient for the user to have this API key switched to the paid version automatically, instead of manually as it is now.
Why would a user want their API key to stay free when they just ordered an upgrade?

P.S. Is there a way to check if my Q-Feeds plugin is getting the plus feed instead of the free one? And should I alter my URL in AdGuard Home for this plus package, or is there another URL only for plus to use in AdGuard Home?
#5
Hi,

My WireGuard is not working after a reboot of OPNsense (it looks a lot like this post: https://forum.opnsense.org/index.php?topic=41081.0 and this one: https://forum.opnsense.org/index.php?topic=36688.0). When I just hit [apply] on the SYSTEM: GATEWAYS: CONFIGURATION page (without making changes), everything starts working with WireGuard.

I'm trying to "fix" this by cloning the Monit alert settings [gateway alert] and, in the service test settings, using "execute" with a path something like:
/bin/sh -c '/usr/local/sbin/configctl interface routes alarm'

What is the CLI command for "apply gateway settings without changing the configuration"?

Or is there another way to automate this after an OPNsense reboot?

Thank you for your help with this.
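A watchdog for the situation in this post, added here as an example and not code from the post or from OPNsense: it parses the output of `wg show <if> latest-handshakes` (a constructed sample is embedded), reports peers whose last handshake is older than a threshold, and only then runs the repair command the post mentions, instead of re-applying the gateway logic on every Monit cycle. The interface name wg0, the 180-second threshold, the dry-run default and the peer keys are assumptions; the Monit side (pointing an "execute" test at this script) is not shown.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense): re-arm a WireGuard
# tunnel only when a peer has actually gone silent, instead of blindly on
# every Monit cycle. Assumptions: interface wg0, 180 s staleness threshold,
# repair command taken from the post, dry-run unless WATCHDOG_DRY_RUN=0.

WG_IF="${WG_IF:-wg0}"
STALE_AFTER="${STALE_AFTER:-180}"   # seconds since last handshake
REPAIR_CMD="/usr/local/sbin/configctl interface routes alarm"

# stale_peers LINES NOW
#   LINES: output of "wg show $WG_IF latest-handshakes" (<pubkey><TAB><epoch>)
#   NOW:   current epoch seconds
# Prints the public key of every stale peer (epoch 0 = never handshaked).
# Returns 0 if all peers are fresh, 1 if at least one is stale.
stale_peers() {
    lines="$1"
    now="$2"
    rc=0
    # Here-doc instead of a pipe so the loop runs in this shell and $rc survives.
    while IFS="$(printf '\t')" read -r key ts; do
        [ -n "$key" ] || continue
        case "$ts" in
            ''|*[!0-9]*) ts=0 ;;        # non-numeric: treat as never
        esac
        if [ "$ts" -eq 0 ] || [ $((now - ts)) -gt "$STALE_AFTER" ]; then
            printf '%s\n' "$key"
            rc=1
        fi
    done <<EOF
$lines
EOF
    return $rc
}

# watchdog: the live check, meant to be called from Monit's "execute" test.
# Exit 0 = tunnel healthy, 1 = stale peers found (repair attempted unless
# dry-run), 2 = could not query the interface.
watchdog() {
    out="$(wg show "$WG_IF" latest-handshakes 2>/dev/null)" || {
        echo "cannot read handshakes for $WG_IF" >&2
        return 2
    }
    if stale="$(stale_peers "$out" "$(date +%s)")"; then
        return 0
    fi
    printf 'stale peers on %s:\n%s\n' "$WG_IF" "$stale"
    if [ "${WATCHDOG_DRY_RUN:-1}" = 0 ]; then
        $REPAIR_CMD
    else
        echo "dry run: would execute: $REPAIR_CMD"
    fi
    return 1
}

# Constructed sample: one peer 30 s old (fresh), one 10 min old (stale).
SAMPLE_NOW=1700000000
SAMPLE_HANDSHAKES="$(printf 'AbCdPeerOne=\t%s\nEfGhPeerTwo=\t%s\n' \
    $((SAMPLE_NOW - 30)) $((SAMPLE_NOW - 600)))"

# Demo on the sample only; run "watchdog" on the firewall itself.
if ! stale_peers "$SAMPLE_HANDSHAKES" "$SAMPLE_NOW"; then
    echo "sample: tunnel would be re-armed"
fi
```

The point of splitting the decision (`stale_peers`) from the action (`watchdog`) is that the decision can be tested offline against captured output, and the repair command only fires when a peer is really silent, so a flapping Monit check cannot keep reconfiguring routes on a healthy tunnel.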
#6
Since about three versions back, I have had to run the update twice. The first time, OPNsense 25.1.6-amd64 completes and restarts the OPNsense box, but I have to run the update again to install the missing:
os-bind  installed

and this time os-postfix was also missing and was installed on the second run.

Others having this also?
(N.B. I only use BIND for DNS, no Unbound or Dnsmasq etc.)
#7
I'm running the latest OPNsense and Nginx plugin:

OPNsense 25.1-amd64
FreeBSD 14.2-RELEASE
OpenSSL 3.0.15

Nginx log shows this warning:
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size

I tried changing the setting, Nginx - configuration - general settings - global HTTP settings:
Hash Bucket Size : 128 and 256
Server Names Hash Max Size : 1024, 2048 and 4096

But none of them seemed to work, and the warning remains the same. It looks like this GUI setting does not work (anymore?), or am I changing the wrong settings?

Others having this warning also? How to fix?

#8
Hi, I am wondering if this is possible:
I am running OPNsense with AdGuard Home (plugin) and BIND (plugin), so that all DNS/port 53 traffic goes to AdGuard Home. AdGuard Home has 127.0.0.1:5354 as upstream (BIND); BIND has no DNS forwarders. This way every lookup goes to the DNS root servers if it is not yet known/cached. As I have learned in the past from this forum, this gives more privacy, since no single root DNS server "has it all", and is better than trusting the 1.1.1.1 server or your ISP's encrypted DNS server, which "has it all". This is working great.

However, every local/LAN DNS lookup is plain DNS / unencrypted. Is there a way to make the LAN side also use DoT, e.g. AdGuard Home over DoT to BIND? Maybe plain DNS is a small risk on the LAN, but if it can be secured, why not do so?

I am eager to learn your solution(s) for this.
#9
I have just updated to OPNsense 24.7.5-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15

Now WireGuard does not work / does not get an IPv4 address, only showing IPv6 on https://www.whatismyip.com/

Others having this issue also? Is there a quick fix?

#10
I just updated my box to OPNsense 24.7.4. The reboot hung, so I did a manual power off and on.
OPNsense won't start. I connected a monitor to it and I see: failed to load kernel.
What should I do to get it back?

Thank you very much for the help!
#11
Hi,
I have my own email server running and I use Postfix on OPNsense as a mail gateway as described here:
https://docs.opnsense.org/manual/how-tos/mailgateway.html
This works great for port 25 SMTP, enabling communication between the sending and receiving servers and my locally hosted email server.

Now I wonder if opnsense-postfix can (and should?) also be used for port 587 (SMTP-STARTTLS), so that all email clients (PC, iPhone, laptop, etc.) can send email by first going to port 587/Postfix and sending emails from our local email server.

Currently I have port 25 pointing to and using Postfix, while for port 587 and IMAP I use a port forward to the local email server. Can this also be Postfix, for the same reason as using it for port 25? And if so, how can I configure that using the Postfix GUI?

Thanks in advance for explaining and helping.
#12
Hi, I have just updated my appliance to OPNsense 24.7.2 and noticed the red square / not running for APCUPSD. Pressing start, or starting it from the plugin menu with the Enabled checkbox, does not help.

In the log I see this error:

2024-08-21T18:22:47   Error   apcupsd   apcupsd error shutdown completed   
2024-08-21T18:22:47   Error   apcupsd   Lock file data error:   
           please stop it and run this program again.   
           If apcupsd or apctest is already running,   
           Unable to create UPS lock file.   
2024-08-21T18:22:47   Error   apcupsd   apcupsd FATAL ERROR in apcupsd.c at line 221   
2024-08-21T18:22:47   Error   apcupsd   Lock file data error: 

Others having this issue also?
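Added example, not from the post or from the apcupsd project, of the check behind a "Unable to create UPS lock file" complaint after an unclean restart: a shell helper that reads the PID from a daemon lock file, tests whether that process still exists, and clears the file only when it is stale. The lock file path is a placeholder and the PID-on-first-line layout is an assumption about apcupsd's lock format; the sample lock files are constructed with the running shell's own PID and an already-exited child.

```shell
#!/bin/sh
# Added example (not from the post or apcupsd): decide whether a daemon
# lock file is stale before restarting the service. Assumption: the lock
# file's first line is the owning PID (apcupsd's convention); the path is
# a placeholder. Run as root or as the daemon's user: "kill -0" on another
# user's process fails with EPERM and would look like a stale lock.

LOCK_FILE="${LOCK_FILE:-/var/spool/lock/LCK..apcupsd}"   # placeholder path

# lock_state FILE -> prints absent | held | stale | malformed
lock_state() {
    f="$1"
    [ -e "$f" ] || { echo absent; return 0; }
    pid="$(head -n 1 "$f" 2>/dev/null | tr -d '[:space:]')"
    case "$pid" in
        ''|*[!0-9]*|0) echo malformed; return 0 ;;   # 0 would signal our own group
    esac
    if kill -0 "$pid" 2>/dev/null; then
        echo held
    else
        echo stale
    fi
}

# clear_if_stale FILE
#   Returns 0 when the service may be started (no lock, or a stale lock that
#   was removed). A held lock or unreadable content returns 1: a malformed
#   file is left for a human, never deleted automatically.
clear_if_stale() {
    case "$(lock_state "$1")" in
        absent) return 0 ;;
        stale)  rm -f "$1" && return 0 ;;
        held)   echo "lock $1 is held by a live process" >&2; return 1 ;;
        *)      echo "lock $1 has unexpected content, inspect manually" >&2; return 1 ;;
    esac
}

# Demo on a constructed lock file (our own PID, so it is "held").
demo="$(mktemp)"
printf '%10d\n' "$$" > "$demo"
echo "demo lock state: $(lock_state "$demo")"
rm -f "$demo"
```

A start script that calls `clear_if_stale "$LOCK_FILE" && service apcupsd start` avoids the two bad outcomes: deleting a lock that a live daemon still holds, and leaving a dead daemon's lock in place so every start attempt fails with the error shown in the log.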
#13
23.7 Legacy Series / BIND error checkhints
December 22, 2023, 03:20:39 PM
Hi, I am using the BIND plugin and noticed this error in the log:

2023-12-22T14:58:37.242000   general   Warning   checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
2023-12-22T14:58:37.241000   general   Warning   checkhints: b.root-servers.net/A (170.247.170.2) missing from hints

I updated the /usr/local/etc/namedb/named.root file with the latest one from here:
https://www.internic.net/domain/named.root

and that fixed the error. Have others using BIND experienced the same error? It seems that our default 2017 named.root file in OPNsense needed an update?
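The checkhints comparison from the post, reproduced outside named so an outdated named.root can be spotted before the resolver starts logging about it. This is an added example, not code from the post or from BIND. Both hint files are constructed excerpts in named.root format: the B-root addresses are the old and new values from the log lines above, the A-root entries are the published ones; "extra" and "missing" follow the wording BIND uses.

```shell
#!/bin/sh
# Added example (not from the post or BIND): reproduce BIND's checkhints
# comparison as a shell diff of two named.root-style files. Both files
# below are constructed excerpts; B-root values come from the post's log.

# hints_records FILE -> "owner type address" for A/AAAA glue, lower-cased, sorted
hints_records() {
    awk '$1 !~ /^;/ && ($3 == "A" || $3 == "AAAA") {
             print tolower($1), $3, tolower($4)
         }' "$1" | LC_ALL=C sort -u
}

# hints_diff OLD_HINTS CURRENT_HINTS
#   "extra"   = in OLD but not in CURRENT  (checkhints: "extra record in hints")
#   "missing" = in CURRENT but not in OLD  (checkhints: "missing from hints")
hints_diff() {
    a="$(mktemp)"; b="$(mktemp)"
    hints_records "$1" > "$a"
    hints_records "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/extra   /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/missing /'
    rm -f "$a" "$b"
}

# hints_is_current INSTALLED CURRENT -> 0 when the installed file needs no update
hints_is_current() {
    [ -z "$(hints_diff "$1" "$2")" ]
}

SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/old.root" <<'EOF'
; constructed excerpt: the 2017-era B entries
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
EOF
cat > "$SAMPLE_DIR/new.root" <<'EOF'
; constructed excerpt: B moved to its current addresses
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b
EOF

# Demo: compare the stale file against the current one (four lines expected).
hints_diff "$SAMPLE_DIR/old.root" "$SAMPLE_DIR/new.root"
```

On a real system, feed `hints_diff` the installed /usr/local/etc/namedb/named.root and a freshly downloaded copy of https://www.internic.net/domain/named.root; an empty result means the installed hints are current. Fetching the file is left to the caller so the comparison itself runs offline.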
#14
General Discussion / Solved - Bind DNSSEC localdomain
December 16, 2023, 06:54:42 PM
I have BIND running and AdGuard Home. In AdGuard I get a green lock when an external domain of mine is validated with DNSSEC.
Is there a how-to on how to do this with a local domain in BIND, e.g. for localdomain.com?
I would like this to avoid DNS sniffing on local connections. Has someone experience with this?

thanks for the help!
#15
I just noticed that on the Interfaces: Overview page, under WAN, the IPv4 virtual IPs are not shown under the main WAN IP (under IPv4 address), whereas the IPv6 virtual IPs are still all listed as they used to be (under IPv6 address).
It looks like the IPv4 virtual IPs are gone from this overview. The virtual IPs are working perfectly, so it is a cosmetic bug. Do others have this issue also?

p.s. I used this https://forum.opnsense.org/index.php?topic=21207.0 as my interface setup PPPoE
#16
I have been running Postfix on OPNsense for some weeks now. It was working perfectly with IPv4 and IPv6.
Now, after the update to OPNsense 23.7.4, Postfix over IPv6 is not working. IPv4 is still good.
I checked with https://www.hardenize.com

And there I saw the error with TLS. See attached picture.
Do others using Postfix and IPv6 have the same errors? Or has something changed with the update to 23.7.4, or something that broke my config, which was working perfectly before 23.7.4?

When I do the port forward directly to my mail server instead of Postfix, mail is working. So it has something to do with Postfix or OPNsense(?)

Solved it: somehow my IPv6 trusted network was missing.
#17
Hi,

I have a weird DHCP and BIND problem running on:
OPNsense 23.7.3-amd64
FreeBSD 13.2-RELEASE-p2
OpenSSL 1.1.1v 1 Aug 2023

I see on the main GUI screen of OPNsense, about every minute, that DHCPv6 Server turns RED and then restarts and is back to green. After that, BIND Daemon turns RED and then restarts.

In the DHCP log I see this every time:
Informational   dhcpd   Server starting service.   
Informational   dhcpd   Sending on Socket/8/igb1/2a10:xxxx:xxxx:1::/64   
Informational   dhcpd   Listening on Socket/8/igb1/2a10:xxxx:xxxx:1::/64   
Informational   dhcpd   Bound to *:547   
Informational   dhcpd   Wrote 0 NA, 0 TA, 0 PD leases to lease file.   
Informational   dhcpd   Wrote 0 new dynamic host decls to leases file.   
Informational   dhcpd   Wrote 0 deleted host decls to leases file.   
Informational   dhcpd   For info, please visit https://www.isc.org/software/dhcp/   
Informational   dhcpd   All rights reserved.   
Informational   dhcpd   Copyright 2004-2022 Internet Systems Consortium.   
Informational   dhcpd   Internet Systems Consortium DHCP Server 4.4.3-P1   
Informational   dhcpd   PID file: /var/run/dhcpdv6.pid   
Informational   dhcpd   Database file: /var/db/dhcpd6.leases   
Informational   dhcpd   Config file: /etc/dhcpdv6.conf

In the BIND log I see this:

general   Notice   running
general   Notice   all zones loaded
zoneload   Informational   zone x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.ip6.arpa/IN: loaded serial 2308140935
zoneload   Informational   zone 0.ip6.arpa/IN: loaded serial 42
zoneload   Informational   zone localhost/IN: loaded serial 42
zoneload   Informational   zone mydomain.com/IN: loaded serial 2308182130
zoneload   Informational   zone 1.168.192.in-addr.arpa/IN: loaded serial 2308182144
zoneload   Informational   zone x.x.x.x.x.x.x.x.x.x.x.x.x.x.2.ip6.arpa/IN: loaded serial 2308151502
zoneload   Informational   zone 127.in-addr.arpa/IN: loaded serial 42
zoneload   Informational   zone 10.x.xin-addr.arpa/IN: loaded serial 2308140934
zoneload   Informational   managed-keys-zone: loaded serial 6493
general   Notice   exiting
network   Error   automatic interface scanning terminated: end of file
general   Notice   stopping command channel on 127.0.0.1#9530
general   Informational   shutting down: flushing changes
network   Informational   no longer listening on 127.0.0.1#5354
network   Informational   no longer listening on 2a10:xxxx:xxxx:1::#5354
general   Informational   received control channel command 'stop'

Others having this issue also? Any clues on how to fix this?
#18
This week I have been setting up and testing Postfix / Rspamd / Redis.
The system is running and I have the Rspamd GUI available for tweaking and monitoring (thanks to this thread: https://forum.opnsense.org/index.php?topic=17569.msg119574 )

Now I came across this site with info about spammers/backscatter: http://www.postfix.org/BACKSCATTER_README.html

How do I configure this?

To block such backscatter I use header_checks and body_checks patterns like this:

    /etc/postfix/main.cf:
        header_checks = pcre:/etc/postfix/header_checks
        body_checks = pcre:/etc/postfix/body_checks

    /etc/postfix/header_checks:
        # Do not indent the patterns between "if" and "endif".
        if /^Received:/
        /^Received: +from +(porcupine\.org) +/
            reject forged client name in Received: header: $1
        /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
            reject forged client name in Received: header: $2
        /^Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^Message-ID:.* <!&!/ DUNNO
        /^Message-ID:.*@(porcupine\.org)/
            reject forged domain name in Message-ID: header: $1

    /etc/postfix/body_checks:
        # Do not indent the patterns between "if" and "endif".
        if /^[> ]*Received:/
        /^[> ]*Received: +from +(porcupine\.org) /
            reject forged client name in Received: header: $1
        /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
            reject forged client name in Received: header: $2
        /^[> ]*Received:.* +by +(porcupine\.org)\b/
            reject forged mail server name in Received: header: $1
        endif
        /^[> ]*Message-ID:.* <!&!/ DUNNO
        /^[> ]*Message-ID:.*@(porcupine\.org)/
            reject forged domain name in Message-ID: header: $1


How do I configure this in the Postfix GUI on OPNsense?
Does it work as:

    Services: Postfix: Header Checks

adding e.g. Expression: .* <!&!/ DUNNO REJECT
for [while receiving mail]

or how should I do this?
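The header_checks and body_checks logic quoted from BACKSCATTER_README, rewritten as a shell function so the patterns can be tried against sample headers before they go into the Postfix GUI. This is an added example, not code from the post, the Postfix README or OPNsense. The protected domain is a parameter (example.org below is a placeholder standing in for porcupine.org in the README), every sample header is constructed, Postfix's default case-insensitive matching is mirrored with `grep -i`, and `\b` is spelled out as a character class because it is not portable ERE.

```shell
#!/bin/sh
# Added example (not from the post or Postfix): the BACKSCATTER_README
# header_checks / body_checks patterns as a shell function, for testing
# against constructed headers. Placeholder domain: example.org.

# hmatch LINE ERE -> 0 if LINE matches ERE (case-insensitive, like Postfix pcre)
hmatch() {
    printf '%s\n' "$1" | grep -Eiq "$2"
}

# check_header DOMAIN LINE
#   Prints the Postfix action (REJECT <reason> or DUNNO).
#   Returns 1 on REJECT, 0 otherwise.
check_header() {
    dom="$1"; line="$2"
    d="$(printf '%s' "$dom" | sed 's/\./\\./g')"      # escape dots for ERE
    nw='([^A-Za-z0-9_]|$)'                             # portable stand-in for \b
    if hmatch "$line" "^Received: +from +$d +"; then
        echo "REJECT forged client name in Received: header: $dom"; return 1
    elif hmatch "$line" "^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)$d\)"; then
        echo "REJECT forged client name in Received: header: $dom"; return 1
    elif hmatch "$line" "^Received:.* +by +$d$nw"; then
        echo "REJECT forged mail server name in Received: header: $dom"; return 1
    elif hmatch "$line" '^Message-ID:.* <!&!'; then
        echo DUNNO; return 0                           # the README's exemption
    elif hmatch "$line" "^Message-ID:.*@$d"; then
        echo "REJECT forged domain name in Message-ID: header: $dom"; return 1
    fi
    echo DUNNO; return 0
}

# check_body_line DOMAIN LINE
#   body_checks variant: the same tests on a quoted copy of the header as it
#   appears inside a bounce body ("> Received: ..." or " Received: ...").
check_body_line() {
    check_header "$1" "$(printf '%s' "$2" | sed 's/^[> ]*//')"
}

# Constructed sample headers for the placeholder domain.
DOMAIN=example.org
set -- \
    'Received: from example.org (unknown [192.0.2.10]) by mx.other.test' \
    'Received: from relay.other.test (HELO example.org) by mx.other.test' \
    'Received: from relay.other.test by example.org with ESMTP id 1' \
    'Received: from relay.other.test by mx.other.test (Postfix)' \
    'Message-ID: <20231201.1234@example.org>' \
    'Message-ID: <!&!AAAAAAAAAA@example.org>'
for h; do
    printf '%-70s -> %s\n' "$h" "$(check_header "$DOMAIN" "$h")"
done
```

The ordering matters and is kept from the README: the `<!&!` Message-ID exemption is tested before the `@domain` reject, and the three Received: tests only fire on a Received: line, which is what the `if /^Received:/ ... endif` scoping does in the Postfix file. Running a candidate header through this before adding the expression in the Postfix GUI shows whether it will be rejected or fall through to DUNNO.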
#19
Just did a [run an audit - Upgrade] and noticed the conflicts below. How do I solve this?

Checking integrity... done (23 conflicting)
- php82-pear-Crypt_CHAP-1.5.0_1 [OPNsense] conflicts with php81-pear-Crypt_CHAP-1.5.0_1 [installed] on /usr/local/share/pear/Crypt/CHAP.php
- php82-zlib-8.2.8 [OPNsense] conflicts with php81-zlib-8.1.20 [installed] on /usr/local/etc/php/ext-20-zlib.ini
- php82-dom-8.2.8 [OPNsense] conflicts with php81-dom-8.1.20 [installed] on /usr/local/etc/php/ext-20-dom.ini
- php82-pdo-8.2.8 [OPNsense] conflicts with php81-pdo-8.1.20 [installed] on /usr/local/etc/php/ext-20-pdo.ini
- php82-mbstring-8.2.8 [OPNsense] conflicts with php81-mbstring-8.1.20 [installed] on /usr/local/etc/php/ext-20-mbstring.ini
- php82-ldap-8.2.8 [OPNsense] conflicts with php81-ldap-8.1.20 [installed] on /usr/local/etc/php/ext-20-ldap.ini
- php82-phpseclib-3.0.19 [OPNsense] conflicts with php81-phpseclib-3.0.19 [installed] on /usr/local/share/phpseclib/Common/Functions/Strings.php
- php82-gettext-8.2.8 [OPNsense] conflicts with php81-gettext-8.1.20 [installed] on /usr/local/etc/php/ext-20-gettext.ini
- php82-ctype-8.2.8 [OPNsense] conflicts with php81-ctype-8.1.20 [installed] on /usr/local/etc/php/ext-20-ctype.ini
- php82-pear-1.10.13 [OPNsense] conflicts with php81-pear-1.10.13 [installed] on /usr/local/bin/pear
- php82-session-8.2.8 [OPNsense] conflicts with php81-session-8.1.20 [installed] on /usr/local/etc/php/ext-18-session.ini
- php82-simplexml-8.2.8 [OPNsense] conflicts with php81-simplexml-8.1.20 [installed] on /usr/local/etc/php/ext-20-simplexml.ini
- php82-curl-8.2.8 [OPNsense] conflicts with php81-curl-8.1.20 [installed] on /usr/local/etc/php/ext-20-curl.ini
- php82-pecl-radius-1.4.0b1_2 [OPNsense] conflicts with php81-pecl-radius-1.4.0b1_2 [installed] on /usr/local/etc/php/ext-20-radius.ini
- php82-phalcon-5.2.3 [OPNsense] conflicts with php81-phalcon-5.2.2 [installed] on /usr/local/etc/php/ext-30-phalcon.ini
- php82-google-api-php-client-2.4.0 [OPNsense] conflicts with php81-google-api-php-client-2.4.0 [installed] on /usr/local/share/google-api-php-client/CODE_OF_CONDUCT.md
- php82-sockets-8.2.8 [OPNsense] conflicts with php81-sockets-8.1.20 [installed] on /usr/local/etc/php/ext-20-sockets.ini
- php82-8.2.8 [OPNsense] conflicts with php81-8.1.20 [installed] on /usr/local/bin/php
- php82-sqlite3-8.2.8 [OPNsense] conflicts with php81-sqlite3-8.1.20 [installed] on /usr/local/etc/php/ext-20-sqlite3.ini
- php82-xml-8.2.8 [OPNsense] conflicts with php81-xml-8.1.20 [installed] on /usr/local/etc/php/ext-20-xml.ini
- php82-pecl-mcrypt-1.0.6 [OPNsense] conflicts with php81-pecl-mcrypt-1.0.6 [installed] on /usr/local/etc/php/ext-20-mcrypt.ini
- php82-opcache-8.2.8 [OPNsense] conflicts with php81-opcache-8.1.20 [installed] on /usr/local/etc/php/ext-10-opcache.ini
- php82-filter-8.2.8 [OPNsense] conflicts with php81-filter-8.1.20 [installed] on /usr/local/etc/php/ext-20-filter.ini
#20
I have been running wireguard-go for quite some time with no problems at all. I use it as always-on on our mobile devices like the iPhones (iOS) (everywhere using DNS/AdGuard Home).

Now I have been trying to use the wireguard-kernel version. At first it works flawlessly. But after some time (after the mobile device / iPhone has not been used for some time, about 10 minutes, and I start using it again), the VPN connection is still there, but there is no data, no internet data. It seems like the tunnel stalls.

I found out that when configuring Endpoints - Keepalive Interval set to 25, the wireguard-kernel version keeps working (just like the Go version).

Now I wonder, why do I have to add a keepalive in the kernel version? Is this a bug? The Go version has, I think, the default setting of Keepalive Interval = 0, but I cannot enter 0 in the endpoint config.

If the only solution is using a Keepalive Interval, what is the best interval setting to use, e.g. 25 or another number?

Others having this issue also? Thanks for the help!