OPNsense
Topics - 9axqe

1
24.7 Production Series / Migrating to vlans
« on: October 28, 2024, 01:42:50 pm »
Hello all,

It's my second attempt at migrating; the first one wasn't very successful, probably due to lack of preparation.

I have a very simple network, with 192.168.1.0/24 (and IPv6, but let's just consider IPv4 for this; I think I can extrapolate the IPv6 config from there). I intend to make this VLAN1. I know best practice is to have a separate VLAN for mgmt, but we're talking about a home: I don't want to switch SSID just to connect to a device in my home, and many of my IoT devices are unable to separate mgmt and user traffic anyway...

Requirements:
1. keep existing IP/DHCP config and make this VLAN1 / native VLAN.
2. introduce a vlan for guest wifi (VLAN10, 192.168.1.10/24)


I don't really need a LAGG interface; I don't expect more than gigabit on the network (it's a home network).
The switch in front of the opnsense is managed; it's running a recent OpenWrt and I configured one port to tag both VLAN1 and VLAN10.

So far, what I plan:
* remove LAN2/igb2 assignment
* create VLAN intf "vlan0.10" with parent interface igb2, and static IPv4 192.168.10.1
* assign igb2, interface will be now named "igb2_vlan10_GUEST"

Now I'm a little stuck as to how I assign VLAN1 (192.168.1.0/24) to igb2 as well.

Currently, all traffic is coming via LAN1/igb1, which is also part of a bridge. What would be the recommended approach to move this to igb2 as well?

2
General Discussion / UniFi controller cannot access keystore after ACME cert update
« on: October 21, 2024, 06:10:15 pm »
My opnsense letsencrypt cert renewed 2 days ago, and the ACME automation updates the cert in the UniFi keystore, as it always does.

I recently updated the UniFi plugin, maybe that's related.

These are some logs I can see under /usr/local/share/java/unifi/logs/server.log:

[2024-10-21T17:37:45,968+02:00] <main> INFO  system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/keystore: /usr/local/share/java/unifi/data/keystore: Operation not permitted
[2024-10-21T17:37:45,984+02:00] <main> INFO  system - [internal] unable to set file permission on /usr/local/share/java/unifi/data/keystore_original: /usr/local/share/java/unifi/data/keystore_original: Operation not permitted
[...]
[2024-10-21T17:39:42,557+02:00] <ble-load-keystore> WARN  blebridge - unable to load local keystore for BLE bridge /usr/local/share/java/unifi/data/keystore (Permission denied)


I noticed the keystore is owned by root:wheel somehow, while other files in the same directory are owned by user unifi:

Code:
root@opn:~ # ll /usr/local/share/java/unifi/data/
total 86
drwx------  3 unifi wheel     5 Oct 15 14:03 backup/
drwx------  4 unifi wheel   365 Oct 21 17:55 db/
drwx------  3 unifi wheel     4 May 18 03:54 firmware/
-rw-------  1 unifi wheel 26177 Oct 21 17:40 firmware.json
-rw-r-----  1 root  wheel  3029 Oct 19 00:01 keystore
-rw-r-----  1 root  wheel  3029 Oct 19 00:01 keystore_original
-rw-------  1 unifi wheel  1424 Oct 21 17:39 model_lifecycles.json
drwx------  3 unifi wheel     3 May 19 10:06 sites/
-rw-------  1 unifi wheel  1393 Oct 21 17:39 system.properties
-rw-------  1 unifi wheel  1393 Oct 21 17:39 system.properties.bk
-rw-------  1 unifi wheel 76067 Oct 19 01:03 uidb.json

I ran

Code:
chown unifi:wheel /usr/local/share/java/unifi/data/keystore
chown unifi:wheel /usr/local/share/java/unifi/data/keystore_original

restarted the unifi service, and that seems to have fixed the issue.

My problem is that the next cert renewal in 2 months will cause this to fail again, I expect.

I would like to check the command used to update the keystore but I'm not sure where this is defined. Pointers welcome.

3
24.7 Production Series / Huge current_arp_table6.txt full of redundant lines
« on: October 11, 2024, 10:28:27 am »
I noticed that there's a "sort -u /tmp/current_arp_table6.txt" process that often shoots up in terms of CPU usage on my opnsense, so I checked the size of the file.

It appears there are 110 unique entries (checked using "sort /tmp/current_arp_table6.txt | uniq | wc -l"), but there are 1.7 million lines in total, so some cleanup is not working.

Any idea where I can do some manual cleanup to start?

4
24.7 Production Series / rc.conf not starting cloudflared at bootup anymore
« on: October 07, 2024, 12:51:57 pm »
This used to work and stopped at some point in the last month or two, not entirely sure when.

I have configured the cloudflared service to start at boot in rc.conf:

Code:
cloudflared_enable="YES"
cloudflared_mode="tunnel --no-autoupdate run --post-quantum --token <my_token>"

But it does not seem to work. If I manually start it, it works fine:

Code:
/usr/sbin/daemon -o /var/log/cloudflared.log -p /var/run/cloudflared.pid -f /usr/local/bin/cloudflared tunnel --no-autoupdate run --post-quantum --token <my_token>

Has something changed in 24.7 in regard to rc.conf?

5
24.7 Production Series / SSH to opnsense broken on macOS sequoia
« on: September 27, 2024, 11:49:04 am »
This is not an opnsense issue I think; it just happens to only affect opnsense in my environment.

I get "Bad packet length" or "Connection corrupted" very quickly and my ssh connection drops. This only happens since upgrading to macOS 15.0 Sequoia (yes, I shouldn't have; what came over me to upgrade to a .0 release, I don't know...)

"Good" hosts (stable ssh) have different ssh versions (OpenSSH_8.2, dropbear...); that's what I can observe so far.

I'm just posting this in here in case anyone is having the same issue, maybe we can cross reference our findings and narrow it down quicker.

6
24.7 Production Series / GeoBlocking while keeping sane table sizes
« on: August 15, 2024, 09:15:43 am »
Hello all,

I noticed geoBlocking can very quickly make the fw tables grow beyond what my DEC695 will support (max 1000k entries).

Any tricks on how to optimize?

I currently have two aliases:
* block all outbound to certain geographies (IPv4 and IPv6)
* only allow inbound from certain geographies, applies to specific ports which are open on my fw, both for IPv4 and IPv6.


That alone is already ~500k entries in my case.

Is there a smarter way to do geoblocking? I know geoBlocking is no panacea in security, but I do like it as some additional line of defense if you want, kind of keeps the "dumb brute force" stuff out.

7
24.7 Production Series / 52 packages "updates" available
« on: August 12, 2024, 07:56:46 am »
Something is wrong with the way my opnsense checks for updates, it seems. After successfully upgrading to 27.1 (pretty nice so far, except the integration with Home Assistant broke again), when I click "check for upgrades" it shows me 52 "updates", of which:
* 6 reinstall (no new version)
* 46 new install (package not installed as of now)
and there's a lot of packages from the mimugmail repository somehow as well, most of them new.

Hence, I think these are not updates at all and something is not working.

Has anyone had this yet?

8
Hardware and Performance / How to best troubleshoot rare and short CPU spikes
« on: June 05, 2024, 03:50:35 pm »
For a week now, from time to time (once a day or once every two days), it appears opnsense is locking up.

Symptoms are:
* it lasts for 10-20s
* network down – I can't ping outside anymore, I can't ping opnsense anymore
* Home Assistant loses connection to opnsense; when the opnsense API comes back, CPU is still very high.

By the time I log into the GUI, CPU is back to normal.

I have a DEC695. What would be the best approach to understand what is happening during these brief moments?

9
24.1 Legacy Series / restic package
« on: May 28, 2024, 11:08:57 am »
I find restic quite interesting for backing up specific files (local plugin backups, etc.).

While "pkg install restic" is the way to install it on FreeBSD, it does not work on opnsense; I assume that's expected at the moment.

Is there an alternative method to install restic? If not, is there a process to request addition of restic to the available packages in opnsense?

10
24.1 Legacy Series / Migrating to vlan
« on: May 21, 2024, 08:10:23 am »
Hello everyone,

I am planning on introducing a guest wifi and I'd like it to be separated with its own vlan.

Currently my network is flat, everything in 192.168.1.0/24 (except remote wireguard users, which are in 192.168.3.0/24)

As a first step, I'd like to move everything to a single VLAN, before introducing the guest wifi.

I have an opnsense router, a switch and some access points. The switch is running openwrt and can deal with vlans – in theory at least.

Now my question: what is the least risky way of introducing VLANs? (one that avoids my having to run around with a laptop and LAN cable to connect to every device manually to restore connectivity...)

I have configured a LAN bridge on opnsense: I know it's not ideal from a CPU point of view, but I have tested with iPerf that I can get 1Gbps through this bridge (iPerf server running on a device connected to LAN2, iPerf client running on a device connected to LAN1), hence I decided I don't need yet another device in my setup.

LAN2 is only my NAS, LAN1 is everything else (switch, access points).

If I configure VLAN 1 (for example) with parent interface LAN1, I will basically kill my connection to opnsense I assume, as it will expect tagged traffic and receive untagged traffic from the switch. If I configure the VLAN on the switch first, it's the same, I will kill my connection as well, as it will send tagged traffic to opnsense which is still expecting untagged.

Is there a way to do this without cabling work, or do I have to configure a separate untagged port on every device first, so I can connect to it with a laptop and configure the VLAN after the connection drops?

11
General Discussion / Automatic encrypted UniFi Controller offsite backups
« on: May 20, 2024, 05:45:46 pm »
The UniFi Controller backups are located here: /usr/local/share/java/unifi/data/backup/autobackup/

but I think this question applies to any file on opnsense, it's not really specific to UniFi controller.

I'm effectively looking for something able to encrypt a file on opnsense and upload it to a cloud service, google drive for example.

Does anyone have a recommendation?

12
24.1 Legacy Series / Missing rc.conf
« on: May 14, 2024, 01:22:42 pm »
I know too little about FreeBSD and I'm struggling a bit here.

I want to set up a cloudflare tunnel which is launched at startup, which requires cloudflared.

The instructions I found say:

Code:
vi /etc/rc.conf
add:

Code:
cloudflared_enable="YES"
cloudflared_mode="tunnel --no-autoupdate run --post-quantum --token your_token_here"

but there is no "rc.conf" file (anymore?), and hence I feel these instructions are outdated.

Should I store these lines in an "/etc/rc.conf.d/cloudflared" file rather?

13
General Discussion / Deploy letsencrypt certs to Unifi plugin
« on: April 23, 2024, 07:45:07 am »
Is it possible? The cert warnings in the browser are getting more and more annoying at each browser release...

So far the only solution I could figure out was deploying a reverse proxy (I'm probably going to select Caddy).

Is there something simpler maybe?

14
24.1 Legacy Series / Pros & Cons – Firewall vs. Reverse Proxy
« on: March 22, 2024, 05:23:56 pm »
Hello, I am trying to set up immich on my home NAS and I am brainstorming what the best strategy for network connectivity is, especially for guests (I regularly share photos with family, friends, etc.).

Immich is set up in Docker on a Synology NAS. I use the Synology reverse proxy already locally.

First, IPv4 vs. IPv6: I am tempted to make it IPv6-only. It simplifies a lot of things when it comes to keeping traffic local when on the home network. This decision is also entangled with the next point.

Second, securing the connection: geoBlock is one idea, what else would you recommend? The problem is, it's TLS up to the Syno reverse proxy.

Alternatively, I enable the caddy reverse proxy on opnsense and daisy-chain caddy and the synology reverse proxy (I assume this should work fine), as caddy can then inspect the content of the traffic and probably significantly improve security. IPv4 also becomes a no-brainer if using caddy on the opnsense router.

Any experience with having two reverse proxies daisy-chained and with the security benefits of using caddy vs. "just" opnsense?

15
23.7 Legacy Series / List all IPs and info related to a specific MAC
« on: January 20, 2024, 09:55:23 pm »
Hello,

does anyone know a plugin that will collect all IPs and other info related to a specific MAC available in the opnsense logs?

I often find myself struggling to find the different ULA, link-local, GUA, IPv4, etc. addresses associated with a specific MAC (and any other relevant info, such as hostname, etc.).

Is there maybe a plugin that summarises this?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved