Topics

1

23.7 Production Series / suggestion: show defaults so people can help themselves..

« on: December 04, 2023, 02:30:38 pm »

There are many posts about asking to improve unbound.. and there are more solutions on the internet about people and their solutions.. but it's possible that it isn't clear what setting goes with which field.. or what is available to tweak in OpnSense unbound..

I came across this:

Code: [Select]

# pkg info unbound
unbound-1.19.0
Name           : unbound
Version        : 1.19.0
Installed on   : Thu Nov 23 23:09:22 2023 EST
Origin         : dns/unbound
Architecture   : FreeBSD:13:amd64
Prefix         : /usr/local
Categories     : dns
Licenses       : BSD3CLAUSE
Maintainer     : jaap@NLnetLabs.nl
WWW            : https://www.nlnetlabs.nl/projects/unbound
Comment        : Validating, recursive, and caching DNS resolver
Options        :
        DEP-RSA1024    : off
        DNSCRYPT       : on
        DNSTAP         : off
        DOCS           : off
        DOH            : on
        DYNLIB         : on
        ECDSA          : on
        EVAPI          : off
        FILTER_AAAA    : off
        GOST           : on
        HIREDIS        : off
        LIBEVENT       : on
        MUNIN_PLUGIN   : off
        PYTHON         : on
        SUBNET         : off
        TFOCL          : off
        TFOSE          : off
        THREADS        : on

which showed me why I could not get ecs going..

* which was great * saved me tons of time and I stopped trying to set something which was never going to work..

Possibly something like this might help:

(picture attached)

My 0.02

2

23.7 Production Series / suggestion: menu option for transparent setup..

« on: December 02, 2023, 06:56:04 pm »

https://docs.opnsense.org/manual/how-tos/transparent_bridge.html

Wifi calling doesn't work through double nat..

So anyone with a consumer 'orbi', 'google', 'linksys', 'eero', etc. mesh setup who then for some reason wants to put a better router in front will then fall into the double nat issue.. and then have wifi calling issues; ie the phones will show vzw-wifi, att-wifi but won't actually be working (some androids seem to be better at this than others.. :dunno:)

having a transparent solution would resolve the double nat issue and all that comes with it..

(unless you had a three legged device.. usb eth adapter, wifi etc..)

Anyway.. having a console menu option like vlan, wan, lan, for creating this bridge.. etc.. might be a good idea.

My 0.02

3

23.7 Production Series / unbound Enable AAAA-only mode and squid dns_v4_first

« on: December 01, 2023, 10:00:48 pm »

squid no longer supports dns_v4_first.. which means that if squid gets an AAAA it will try to use it..

I enabled dnscrypt-proxy to filter out AAAA (made custom dns stamps as well..) records and it made a little bit of a difference in squid..

(not so much you could notice..)

Is there a way to get unbound to filter out AAAA (I know there used to be a python filter for it.. but that was a while ago..)

(the second image is a using the squid proxy to make the same query.. the red is trying to get the dns_v4_first working..)

Also.. any plans to update dnscrypt-proxy2?

Franks github says January 3, 2021 is when 2.0.45 came out..

Open to suggestions..

Thanks in advance..

4

Web Proxy Filtering and Caching / shutdown_lifetime proper way to add?

« on: November 30, 2023, 04:39:50 pm »

Looking to add:

shutdown_lifetime 0 seconds

looks like /usr/local/etc/squid/auth and /usr/local/etc/squid/post-auth look for *.conf files

I added a local.conf in auth

squid -k parse seems to show it correctly..

Does that survive a reboot?

Is there something 'more correct'?

Thanks in advance.

5

23.7 Production Series / 23.7.8 - squid keeps crashing

« on: November 11, 2023, 02:28:26 am »

Code: [Select]

root@OPNsense:~ # dmesg | grep -c squid
19
root@OPNsense:~ # uptime
 8:23PM  up 21:11, 1 user, load averages: 0.06, 0.11, 0.13

2023/11/10 20:22:13 kid1| Accepting HTTP Socket connections at conn3 local=10.20.245.42:3128 remote=[::] FD 11 flags=9
    listening port: 10.20.245.42:3128
2023/11/10 20:22:13 kid1| FATAL: assertion failed: stmem.cc:98: "lowestOffset () <= target_offset"
    current master transaction: master129
2023/11/10 20:22:13| Removing PID file (/var/run/squid/squid.pid)

root@OPNsense:~ # squid -k check
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/pre-auth/40-snmp.conf (depth 1)
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/pre-auth/parentproxy.conf (depth 1)
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/auth/dummy.conf (depth 1)
2023/11/10 20:25:27| Processing Configuration File: /usr/local/etc/squid/post-auth/dummy.conf (depth 1)
2023/11/10 20:25:27| Set Current Directory to /var/squid/cache
2023/11/10 20:25:27| FATAL: failed to open /var/run/squid/squid.pid: (2) No such file or directory
    exception location: File.cc(191) open

 grep -c FATAL /var/log/squid/cache.log
13


ten locations all doing the same thing..

before the update everything was working..

6

23.7 Production Series / dhcp relay - opnsense to receive; possible?

« on: September 18, 2023, 11:14:37 pm »

is this possible?

Can provide more details if anyone is interested.. but hopefully the question is clear enough.

I have core router with 15 networks that I would like to relay the needed dhcp requests to opnense as it seems there's a working dhcp/dns registration..

I was going to relay to an openwrt edgerouter 6 b/c it was running dnsmasq.. but that is it's own problems..

Thanks in advance.

7

23.7 Production Series / Enable registration of DHCP client names in DNS

« on: September 18, 2023, 04:18:57 pm »

Is there a part of the docs that cover this?

I know it needs a BIND9 server..

I've been trying to get it working and unsuccessful so far..

Thanks in advance

I know within dnsmasq this is a trivial feature..

But I also think there is no way to swap out isc-dhcpd for dnsmasq..

Or is there?

8

23.7 Production Series / three out of nine sites.. just had an unbound problem..

« on: August 29, 2023, 07:12:06 pm »

All forwarding to NextDNS.. serving people via squid.. three sites all went down at the same time..

Unbound still running, but not resolving..

Restarted unbound brought dns back to the network..

Will check on other sites.. but was same problem - no idea why..

OPNsense 23.7.2-amd64

9

Web Proxy Filtering and Caching / squid graphs?

« on: August 21, 2023, 04:55:15 pm »

I came here looking for squid information.. but I think haproxy in front of squid might also be an answer..

But is there a squid gui section that gives access to the proxy protocol?

And is there a suggestion for squid logs digestion?

Can I syslog them somewhere else and then generate graphs?

Is that the better suggestion?

After mulling it over.. haproxy might not be a solution.. might just add more complexity..

Suggestions?

10

23.7 Production Series / BUG? Clone nat rule does not make new filter rule..

« on: August 03, 2023, 11:19:44 pm »

hey all..

Setting up a bunch of new opnsense installs here..

setting up the hijacking dns/ntp rules..

(https://forum.opnsense.org/index.php?topic=9245.0)

Cloning the nat > port forward rules did not give me new rules > interface rules.. it just over wrote the original rule.

ie. they all shared the same 'filter rule association' and the last one won..

Can provide more information if this is not clear.

( I didn't understand why the rules weren't working - they always have.. then upon inspection.. figured out what was going on )

I have multiple virtual IPs and was cloning the rule for each virtual address.. (just what's left of a /29)

Thanks in advance.

https://imgur.com/a/Yjp9kHZ

11

23.1 Legacy Series / telegram api or otherwise.. smtp2telegram

« on: April 23, 2023, 07:29:43 pm »

Searching brings up old posts regarding this..

Is there a way that I could get notifications about my system status? reboots, update results, etc.?

Reporting section of the manual seems to be about system services.. but I would like the system to reach out and let me know an event happened..

Is there a plugin that possibly I missed that already does this?

Or is the suggestion to setup postfix and relay to my smtp2telegram instance?

Thanks in advance

12

23.1 Legacy Series / Netgate 6100 w/ OpnSense ix[0-1] no go?

« on: April 13, 2023, 10:14:59 pm »

I was able to get a 6100 and put OpnSense on it..

By default the installer takes the ig[0-3] lan ports and makes ig0 LAN and ig1 WAN

ix0 and ix1 are combo ports, but plugging copper into the ix0 does get link light but does not register link. Status stays as 'no carrier'.

Is there an ethtool equivalent.. or some way to enable/force the copper portion?

Code: [Select]

dmesg | grep ix0
ix0: <Intel(R) X553 N (SFP+)> mem 0x80400000-0x805fffff,0x80604000-0x80607fff at device 0.0 on pci9
ix0: Using 2048 TX descriptors and 2048 RX descriptors
ix0: Using 4 RX queues 4 TX queues
ix0: Using MSI-X interrupts with 5 vectors
ix0: allocated for 4 queues
ix0: allocated for 4 rx queues
ix0: Ethernet address: 90:ec:77:29:03:26
ix0: eTrack 0x8000084b PHY FW V65535
ix0: netmap queues/slots: TX 4/2048, RX 4/2048

uname -a
FreeBSD OPNsense.localdomain 13.1-RELEASE-p7 FreeBSD 13.1-RELEASE-p7 stable/23.1-n250411-85724e9ce22 SMP amd64
I found this from 2020.. but this does not seem to be related..

https://forums.freebsd.org/threads/intel-x553-driver-support-for-freebsd-12-1.75588/

Code: [Select]

root@OPNsense:~ # sysctl dev.ix.0 | grep driver
dev.ix.0.iflib.driver_version: 4.0.1-k
dev.ix.0.%driver: ix

Any suggestions?

Thanks in advance.

13

22.7 Legacy Series / netgate 6100 / igcX no link..

« on: August 20, 2022, 12:08:40 am »

I have a netgate 6100 to use for a little while.. Install went fine detected everything.. igc0 for LAN had link, igc[1-3] never could get link on anything except igc0..

no vlans, etc..

It was a bummer, had to go back to pfsense plus to use the device..

I still have it for a few more days..

Suggestions?

14

21.7 Legacy Series / Full Router on a stick and other questions..

« on: December 01, 2021, 03:36:52 pm »

I have an OptiPlex 9020 with an onboard em0 (disabled) and a dual bce0/1 pcie card in use.

wan0 is bce1

vlan10, vlan20, vlan172 is bce0

I keep getting interface errors on the bce0/1 card..

I've done all the hardware troubleshooting and disabling tso and such.

Can I put wan0 on a trunk interface as well?

Can I remove the dual bce card, enable em0, and reconfigure vlan10, vlan20, vlan172, wan0 to all be on em0?

Obviously configuring another port/vlan tag for wan0..

wan0 is currently a self purchased cable modem compatiable with Optimum Online..

I'm not ruling out the self purchased cable modem, I have had the modem for 3+ years and is still the current "non Altice service" given out today.

Service is 200/35 (<rant> currently costs $95 a month with no modem rental, which is a sin because the latency and reliability of the service is horrid, but it is our only option.. </rant>) (insert monty python song every sperm is sacred.. ) Every packet is sacred..

I was thinking if em0 was trunked and the add-on card removed, then that would rule out possible irq conflicts, which might be the cause of the errors..

screenshot is.. rebooted machine, and watched a YT video and listened to something on Spotify while downloading a small iso and doing a wifi speed test.. pushed 1G of traffic and got 71 input errors.. (wan0 bce1)

Opinions?

(thanks in advance for taking the time to read.. )

15

21.7 Legacy Series / New user confusion & questions

« on: November 03, 2021, 01:36:37 pm »

I had a pfsense setup that I thought I could migrate to opnsense.. (skipping the rest of the story around how that all didn't work.. )

At some point I just reset the configuration and decided to just rebuild all the needed portions of the config.. It was at this point that my system had *seven* major upgrades which needed to happen.. I didn't understand why as I just downloaded the latest available that morning.. and after a few hours of having no stable connectivity I decided to reset - this is when the many major upgrades were required.. 

Now I have this:

os-dmidecode (misconfigured)   1.1_1   2.83KiB   OPNsense   Display hardware information on the dashboard   
os-dyndns (misconfigured)   1.25   170KiB   OPNsense   Dynamic DNS Support   
os-git-backup (misconfigured)   1.0_1   14.2KiB   OPNsense   Track config changes using git   
os-iperf (installed)   1.0_1   24.6KiB   OPNsense   Connection speed tester   
os-maltrail (misconfigured)   1.8   45.3KiB   OPNsense   Malicious traffic detection system   
os-net-snmp (misconfigured)   1.5_1   27.5KiB   OPNsense   Net-SNMP is a daemon for the SNMP protocol   
os-wireguard (installed)   1.7   47.2KiB   OPNsense   WireGuard VPN service

Aside from the words 'misconfigured' I'm not sure what to do about those..

I was going to simply backup my config, download 21.7.1, reinstall and upload my config.. but I wasn't sure if that would bring these issues forward as well..

I've seen in the 'Google Wifi' app that it has a nightly speedtest for historical purposes.. Is something like that available? (I tried to attach a screenshot, not sure if it's going to show.. preview not giving me the warm fuzzies..)

I see there is a Interface Stats available on the dashboard, but is there something for daily/weekly/monthly accruals/accounting?

Thanks in advance