Topics - ar

#1
22.7 Legacy Series / VPN setup dead after upgrade
July 28, 2022, 05:15:13 PM
First, congrats on the new version!

I just did an upgrade at home. I use OPNsense as a Mullvad client over WireGuard and as an OpenVPN client to one of my work clients. After the upgrade, WireGuard is offline in the interface monitoring, OpenVPN shows up, but none of the routes work.

Most of the setup is based on the OPNsense manual, e.g. https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html and others.

I can't seem to find any hint as to why none of the VPN routes work anymore. The only log file entries that seem relevant are built like this:


Error firewall There were error(s) loading the rules: /tmp/rules.debug:116: syntax error - The line in question reads [116]: nat log on ovpnc1 inet6 from (igb0:network),fe80::/10 to $vpn_XXX_targets -> (ovpnc1:0) port 1024:65535 # LAN to XXX IPv6 NAT


Any clue what changed from 22.1 to 22.7 that could be related to this?
#2
Hardware and Performance / TRIM on DEC750
April 16, 2022, 06:15:43 PM
I've gone through some SMART details and reviews and on a test device I've seen that TRIM is disabled on a DEC750.


root@OPNsense:/usr/ports/sysutils # tunefs -p /
tunefs: trim: (-t)                                         disabled


The disk itself is a TS256GMTE652T2 NVMe and should support TRIM.

The current data units written are ~680 GB after 60 days.

If I work with the web proxy feature, should TRIM be enabled and if so, what would be the correct way to do so?
#3
Hi there,

I tried to get a captive portal demo working on VLAN 30, with the LAN interface as parent, on a DEC750 running OPNsense 22.1.5-amd64.

- I've set up DHCP for guests on 192.168.111.1/24.
- I followed the setup guide to come up with a reduced "no authentication" / splash screen setup.

Everything works when I do not activate the captive portal, browsing is possible, correct IP is assigned.

I then add a captive portal on the VLAN 30 interface, no auth, no enforced group. The client connects, gets an IP assigned via DHCP, gets redirected to http://192.168.111.1:8000/index.html and runs into a block / hanging connection that times out.

I also added an "allow everything on guest" rule just to be sure.

I can curl http://192.168.111.1:8000 from LAN and from the OPNsense shell itself and get the template as response. A curl from the guest client runs into the block.

If I add the client mac to the allowed list of the captive portal, I can browse everything from the client, but still not access http://192.168.111.1:8000.

I've enabled logging on all known firewall rules, but there is no relevant entry in the firewall live view.

Any idea what I'm doing wrong?
#4
22.1 Legacy Series / OPNsense 22.1.2 upgrade error
March 01, 2022, 05:57:58 PM
The upgrade process right now fails on the lighttpd dependency:


***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.1_3 (amd64/OpenSSL) at Tue Mar  1 17:54:18 CET 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (27 candidates): .......... done
Processing candidates (27 candidates): .......... done
The following 27 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
bind-tools: 9.16.25 -> 9.16.26
glib: 2.70.3,2 -> 2.70.4,2
mpd5: 5.9_6 -> 5.9_7
ntp: 4.2.8p15_4 -> 4.2.8p15_5
openssl: 1.1.1m_1,1 -> 1.1.1m_2,1
opnsense: 22.1.1_3 -> 22.1.2
opnsense-update: 22.1.1 -> 22.1.2
os-ddclient: 1.1 -> 1.2
php74: 7.4.27 -> 7.4.28
php74-ctype: 7.4.27 -> 7.4.28
php74-curl: 7.4.27 -> 7.4.28
php74-dom: 7.4.27 -> 7.4.28
php74-filter: 7.4.27 -> 7.4.28
php74-gettext: 7.4.27 -> 7.4.28
php74-json: 7.4.27 -> 7.4.28
php74-ldap: 7.4.27 -> 7.4.28
php74-mbstring: 7.4.27 -> 7.4.28
php74-openssl: 7.4.27 -> 7.4.28
php74-pdo: 7.4.27 -> 7.4.28
php74-session: 7.4.27 -> 7.4.28
php74-simplexml: 7.4.27 -> 7.4.28
php74-sockets: 7.4.27 -> 7.4.28
php74-sqlite3: 7.4.27 -> 7.4.28
php74-xml: 7.4.27 -> 7.4.28
php74-zlib: 7.4.27 -> 7.4.28
unbound: 1.14.0 -> 1.15.0_1

Installed packages to be REINSTALLED:
lighttpd-1.4.64_1 (direct dependency changed: pcre2)

Number of packages to be upgraded: 26
Number of packages to be reinstalled: 1

7 MiB to be downloaded.
[1/3] Fetching lighttpd-1.4.64_1.txz: .......... done
pkg-static: cached package lighttpd-1.4.64_1: size mismatch, fetching from remote
[2/3] Fetching lighttpd-1.4.64_1.txz: .......... done
pkg-static: cached package lighttpd-1.4.64_1: size mismatch, cannot continue
Consider running 'pkg update -f'
Starting web GUI...done.
Generating RRD graphs...done.
***DONE***


Doing a


pkg update -f


on the root shell did not fix it.
#5
German - Deutsch / IPv4/IPv6 Shaping
February 24, 2022, 08:03:24 PM
Hello, I'm a bit desperate right now.

Does anyone have a working example with a changing IPv6 prefix from Telekom as WAN? I just had a Steam download over IPv6 that ate all of the bandwidth, and no approach could stop it. I originally tried it following the official wiki and have now tried another tutorial as well, but the app still eats 99% of PipeDown. Over IPv4 it worked flawlessly following the wiki.

What is also strange is that in the shaper status, with "Show active flows", all IPv6 traffic is listed with source ::/0 and destination ::/0, while for IPv4 the respective source/destination is listed correctly with the exact IP.

Does anyone have a similar setup where it works? What am I doing wrong?
#6
Hi there,

I just got here and was looking for any kind of documentation on what the recommended/supported settings are. Sadly, I could not find any indication in the documentation or in the GUI itself. I'm currently working with a DEC750, but I guess/hope all DEC devices share common components/NICs.

Examples would be:

- IDS/IPS > Pattern matcher, is Hyperscan supported? (Yes, answered by support)
- Interfaces > Hardware CRC, TSO, LRO, VLAN hardware filtering, are they OK to use on this hardware if IPS is not required?

Are there other configurations that should have specific settings to use the built-in hardware better?

Edit after two months of digging through stuff

Hyperscan is supported; I got that info via Deciso support.

TRIM was not activated by default

Check it via:

tunefs -p /

Enable it with:

- Connect via serial console.
- Reboot the device via web or console.
- Spam the space bar (which pauses the 2 s countdown in the boot menu) until you get to the boot menu. I had to spam it because the console did not react to any key input in 50% of the cases; getting into the paused boot menu means it reacts to keys. Hit "s" for single-user mode.


# Ensure the filesystem is clean. In single-user mode the root filesystem is
# mounted read-only, which tunefs requires before it will change flags.
fsck -y

# Enable TRIM on the root filesystem
tunefs -t enable /

reboot


noatime was not set

According to the docs, the access time of files should be disabled, but it was not with the default install that the device shipped with.


# Check it: the /dev/gpt/rootfs line should carry noatime
cat /etc/fstab

# Set it: change "rw" to "rw,noatime" on the root entry in /etc/fstab


Ubiquiti / Unifi APs DNS errors

Detected it: Thousands of DNS misses and lots of Name resolution traffic in zenarmor on the hostname "unifi". Maybe because you take the Unifi Network App online only to provision changes and turn it off again, like me.

The Ubiquiti APs try to resolve "unifi.", but can't. You can not create that record through the web GUI, so you have to do it on the shell.


# Create a file that is picked up when the Unbound config is generated. The
# file name prefix matters: it must start with "server_".
# Example: /usr/local/etc/unbound.opnsense.d/server_manual_hosts.conf

# Insert something like this, pointing at the machine that runs the UniFi Network app
local-data: "unifi A 192.168.1.10"

# Save and test the configuration
configctl unbound check

# Apply the new configuration
configctl unbound reconfigure

# Log in to one of your APs and run: nslookup unifi


Want some quality of life tools?

I missed htop and ncdu; that's how I go about it:


# Log in to the root console and fetch the tools, ports and src trees
opnsense-code tools ports src

# htop
cd /usr/ports/sysutils/htop
make install

# ncdu
cd /usr/ports/sysutils/ncdu
make install
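The noatime edit and the TRIM check in the post above are done by hand. As an added example that is not part of the original post (and not a Deciso or OPNsense tool), here is a POSIX sh script that performs both as idempotent checks: it reads the mount options of the "/" entry from an fstab file, appends noatime only when it is missing without touching any other line, and parses the trim flag out of captured "tunefs -p" output. The sample fstab and tunefs output are constructed here; the device names in them are assumptions, not values read from a real DEC750.

```shell
#!/bin/sh
# Added example, not from the original post. Check and set "noatime" on the
# root ("/") entry of an fstab file, and read the trim flag out of
# "tunefs -p" output. All sample data below is constructed; device names are
# assumptions rather than values read from a real DEC750.
set -eu

# Constructed fstab as a freshly installed unit might ship it.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/gpt/rootfs /           ufs     rw       1     1
/dev/gpt/swapfs none        swap    sw       0     0
fdesc           /dev/fd     fdescfs rw       0     0'

# Constructed excerpt of "tunefs -p /" output with TRIM still disabled.
SAMPLE_TUNEFS='tunefs: soft updates: (-n)                                 enabled
tunefs: trim: (-t)                                         disabled'

# root_fs_options FILE: print the mount options of the "/" entry (comments skipped).
root_fs_options() {
    awk '$1 !~ /^#/ && $2 == "/" { print $4 }' "$1"
}

# root_fs_has_noatime FILE: succeed only if "/" already lists noatime as an option.
root_fs_has_noatime() {
    root_fs_options "$1" | tr ',' '\n' | grep -qx noatime
}

# add_noatime_to_root FILE: append ",noatime" to the "/" options in place.
# Idempotent: a second run changes nothing, and no other line is touched.
# The rewritten root line comes out tab-separated; other lines keep their spacing.
add_noatime_to_root() {
    if root_fs_has_noatime "$1"; then
        return 0
    fi
    tmp=$(mktemp)
    awk 'BEGIN { OFS = "\t" }
         $1 !~ /^#/ && $2 == "/" && $4 !~ /(^|,)noatime(,|$)/ { $4 = $4 ",noatime" }
         { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"   # cat, not mv: keeps the target file's owner and mode
    rm -f "$tmp"
}

# trim_state: read "tunefs -p" output on stdin, print "enabled" or "disabled".
trim_state() {
    awk '/^tunefs: trim:/ { print $NF }'
}

# Demo on the constructed data.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_FSTAB" > "$demo"
echo "trim: $(printf '%s\n' "$SAMPLE_TUNEFS" | trim_state)"
echo "root options before: $(root_fs_options "$demo")"
add_noatime_to_root "$demo"
echo "root options after:  $(root_fs_options "$demo")"
rm -f "$demo"
```

On a real box, run it against a copy first (cp /etc/fstab /root/fstab.test; add_noatime_to_root /root/fstab.test; diff /etc/fstab /root/fstab.test) before pointing it at /etc/fstab. The fstab change applies at the next mount; `mount -u -o noatime /` applies it to the running system without a reboot. For the TRIM side, pipe the live output in with `tunefs -p / | trim_state`; unlike noatime, enabling TRIM still needs the single-user tunefs step from the post.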