Topics

1

22.1 Legacy Series / ddclient invalid reply talking to Namecheap

« on: June 07, 2022, 06:34:31 am »

I'm setting up OPNsense to update dynamic DNS at provider Namecheap. In this case, the dynamic address is assigned to my base domain (e.g. example.com), so at Namecheap I have that configured as "@". In ddclient on OPNsense, I have configured the base domain (example.com).

In my logs I'm seeing that the domain is not found. I'm unable to set "@.example.com" in ddclient so I'm guessing that the base domain name is correct. My logs show the following errors. Can anyone tell me what I'm doing wrong?

Code: [Select]

2022-06-06T21:28:26-07:00 Notice ddclient[50858] 63477 - [meta sequenceId="78"] FAILED: updating EXAMPLE.com: Invalid reply.
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="77"] WARNING: </interface-response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="76"] WARNING: <debug><![CDATA[]]></debug>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="75"] WARNING: <Done>true</Done>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="74"] WARNING: </responses>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="73"] WARNING: </response>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="72"] WARNING: <ResponseString>Validation error; not found; domain name(s)</ResponseString>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="71"] WARNING: <ResponseNumber>316153</ResponseNumber>
2022-06-06T21:28:26-07:00 Notice ddclient[50858] 62791 - [meta sequenceId="70"] WARNING: <Description>Domain name not found</Description>

2

22.1 Legacy Series / WAN DHCP on IPv4 - retry until it gets an IP?

« on: June 03, 2022, 06:39:07 am »

We had a power outage a few days ago, and OPNsense came up fine after the outage, but only had a IPv6 gateway to my ISP. I manually disabled the WAN interface and then re-enabled it, and after that both IPv4 and IPv6 came up.

Is there a setting I need to do to force IPv4 to keep retrying to come up on WAN?

Also is there magic (such as firewall rules or otherwise) to let my internal IPv4 network use the IPv6 gateway to my WAN? thanks a lot.

(Edit: Renamed the subject for clarity)

3

22.1 Legacy Series / [SOLVED] Firewall rules to allow OpenVPN access to my LAN

« on: March 31, 2022, 07:38:41 pm »

I'm a relatively new convert from pfSense to opnsense. I've been happy with it, but I'm still unsure how to get my firewall rules configured correctly.

First, when I navigate to Firewall -> Rules, I have a ruleset for "OPENVPN" and a second ruleset for "OpenVPN". Is this correct? The all-caps one is from the Interface that I created that maps to "ovpns1". I'm unsure what the ruleset for "OpenVPN" came from, nor how/if to delete it.

Both of these rule sets are empty, except for some default rules on the OPENVPN for blocking bogon networks. When I connect to the VPN, I find that I can't even connect to the VPN's gateway (192.168.x.1) to get to opnsense. It feels like it's a firewall block, since the telnet command gets hung.

Is there some obvious thing I'm missing? Thanks much.

I've put a few screenshots showing the interfaces, the VPN rules, and the firewall logs, at this link. https://imgur.com/a/98vZ7nX

EDIT: I figured out what's wrong. I needed to setup the VPN server to listen on Interface "WAN" instead of Interface "any".

4

22.1 Legacy Series / Setting up AdGuard Home for only some subnets?

« on: February 28, 2022, 05:41:14 pm »

Hi, I'm trying to setup AdGuard Home for my home network, but I have to leave one subnet untouched by AdGuard.

Is the right way to do this to do a few port forwarding rules so that the networks I want protected redirect to AdGuard's DNS port, and the other nets point to Unbound directly? It looks like AdGuard Home has support for mapping individual clients, but I'd prefer to do this with rules of the form:

192.168.1.0/24 --> AdGuard DNS --> Unbound DNS forward
192.168.41.0/24 --> Unbound DNS directly

(I configure the "Unbound DNS forward" as a fallback DNS server in AdGuard Home.)

I'm running AdGuard Home via the os-adguardhome-maxit community plugin, btw.

thanks

5

22.1 Legacy Series / [SOLVED] DMZ web server inaccessible from LAN, but fine from WAN

« on: February 27, 2022, 03:47:32 am »

I've got a box setup as a web server for both internal and external services. nginx uses the HTTP host to route to the correct apps. The internal services work fine, and the externally-visible services work but only if I'm not on my LAN (meaning only if I come in from a public IP).

If I'm on the LAN, and I try to access a service from the external host (e.g. myapp.mydomain.com), it looks like it redirects to the webserver which runs on the opnsense box, rather than port forwarding to the correct machine.

My WAN rejects rfc1918 addresses, but I'd think if I'm trying to access something at my proper domain name, the source would be the WAN address.

I'm guessing the problem is actually something in unbound, but I don't really know what to look for. I had this all working well on the exact same hardware a few days ago when I was running pfSense, and I've tried to mimic the firewall rules, etc. as best as I can.

Any suggestions are very welcome!

EDIT: Solved by Firewall -> Settings -> Advanced, enable the 3 NAT settings

6

22.1 Legacy Series / [SOLVED] CPU utilization much higher than with pfSense

« on: February 26, 2022, 11:28:46 pm »

I've just gotten Opnsense 22.1.3 up and running on my router box, which is based on a 4-core Intel Pentium 3700 running on a 4-NIC Supermicro motherboard. The hardware is old-ish (built in 2016) but I've been using it with pfSense for years with no problem. It's only serving up my home network, so the actual traffic through the box is normally not very high.

With pfSense (2.5.2) I never noticed the CPU running at > 40%. With Opnsense I'm seeing the CPU running at roughly 70%. From reading the XML of my pfSense backup it looks like I had both Segmentation Offloading and Large Receive Offloading. pfSense doesn't have an obvious equivalent of the Hardware CRC Checksum control (Opnsense Interfaces -> Settings -> Hardware CRC.

Not sure what else I should be looking at? It's not like network traffic has shot up much in the past couple of days. I do run a few (6) VLANs but I'd guess this is something based on network traffic. I haven't enabled Intrusion Detection and it is indeed off. My firewall rules are quite basic, it's just 1-3 rules per VLAN.

7

22.1 Legacy Series / [SOLVED] New to opnsense, can't get DHCP IP address on WAN

« on: February 23, 2022, 07:16:48 pm »

Hi, I've just decided to migrate from pfsense due to their new 2.6 licensing. I'm pretty experienced with pfsense, having been a user for 5+ years.

I've just migrated my box to opnsense and I can't for the life of me figure out how to get the WAN interface to get a DHCP license from my cable modem. I had one for a little while, but once I started trying to setup firewall rules and VLANs, I've now lost DHCP and I can't see what the heck I'm doing wrong.

I've confirmed with my internet provider (Comcast) that they don't lock to a specific MAC address. I have confirmed that I can get a DHCP license from the cable modem when I direct connect my Mac. I have my WAN interface set to DHCP (for IPv4) and no IPv6 just to keep things simple for now. The interface is enabled, but when I go to Interfaces -> Overview -> WAN and click Reload (or Release+Reload) I end up with no DHCP license.

I have several VLANs all running on LAN1 but not a lot of firewall complexity. Basically, either my VLANs should be fully open (allow all IPv4 traffic) or I allow the firewall, then block private networks, then allow all other connections. There shouldn't be anything tricky here, and much of it looks almost exactly like what I'd had setup on my pfsense box.

I've also seen that apparently opnsense can't directly let me get to the cable modem IP, since it uses a private IP address (192.168.100.1) and the WAN interface doesn't expect to see private networks but if I hook my Mac directly up to the cable modem it looks like it's properly connected to Comcast so I don't think the problem is within the modem.

What's the best way to troubleshoot this? Any suggestions are very welcome.

----

EDIT: I ended up wiping the system and reinstalling from scratch and it now works. I'm not really sure what the problem was before.