Topics - passeri

#1
25.1, 25.4 Production Series / Flummoxed by DNS
March 30, 2025, 12:09:45 AM
After installing the DEC697 yesterday, everything appeared to work until I found I could not pass DNS queries from one interface. I have as outgoing rules
- LAN any to any - this works
- IoT and Servers - pass anything not to local - appears to work for servers, not for IoT, with a further wrinkle.
- Unbound listens on all ports.
- An override in Unbound allows LAN access to the servers.
- DHCP is Kea.
- Crowdsec is off.

I added a prior rule to IoT to allow port 53 to the firewall, trying by a DNAT rule as advised, and as a direct "pass port 53" which also appeared to allow the traffic to pass but without allowing DNS queries.

Testing Servers to see why it worked but IoT did not with otherwise the same rules, I found something really weird.

I have three computers on the Servers net, all connected to the same unmanaged switch. Using SSH into each and trying dig au.archive.ubuntu.com I found the following results:
  • Box 1 answered correctly, from 127.0.0.1
  • Box 2 answered correctly from root servers
  • Box 3 said servfail from 127.0.0.1
These are identical commands on the same subnet through the same rules.

Are the simple rules sound? What sort of configuration might lead to different behaviours or responses? I have "Use system servers" unchecked. The previous router did not use Kea or Unbound but rules are otherwise copied across.

I can try checking what might be configured in the three boxes. Other than that one is MacOS and the other two Ubuntu Linux they should be the same. My query here is firstly to make sure that there is no immediate flaw in the firewall rules model or related configuration that someone is aware might produce this oddity.

#2
General Discussion / BIOS menu on DEC697?
January 09, 2025, 06:08:54 AM
Given I am currently uncertain whether to continue with the new Business edition or switch back to Community, I thought I had better familiarise myself with possible serial installation on the DEC697, having done only VGA before. I am aware I can switch between current editions via the GUI, and have already tested that. This exploration is in case of need for a clean install.

When I booted into the BIOS I saw this:
Press ESC for boot menu.

Select boot device:

1. NVMe NS 1: 244198 MiB (500118192 512-byte blocks + 0-byte metadata)
2. USB MSC Drive Verbatim  1100
3. Payload [memtest]
4. Payload [coreinfo]

Booting from Hard Disk...
BIOS drive C: is disk0
BIOS drive D: is disk1
|␈/␈-␈\␈

/boot/config: -S115200 -h


FreeBSD/x86 boot
Default: zfs:yes/ROOT/default:/boot/zfsloader
boot: 1

Can't find 1

There is no Setup menu as described at the bottom here or under Installation Instructions here.

Further, selecting a number of an option results in "Can't find 1" (or whatever I try) as shown above, nor could I find any random-adjacent route out other than pulling the plug.

How would I find a Setup menu on this box, and how might one navigate even the limited options above, please?

#3
I have a 24.10.1 installation about to be configured. LAN is active and WAN currently set to DHCP to the existing (to be superseded) 24.7 router. Nothing else is set up yet beyond assigning two more interfaces. The CPU and Traffic Dashboard widgets do not show any activity other than the background grid on the CPU widget sliding across. All else looks normal, with load averages present in System Information, traffic visible under Reporting/Traffic.

Is there something I need to touch or trigger to get the information displayed as it is for 24.7?

#4
I have two routers running 24.7.5 happily. I have upgraded a newer (intended replacement) box from 24.1_10 to 24.7.1 but it wishes to go no further. Upgrade starts then produces the following message:
[1/53] Fetching php82-session-8.2.23.pkg: ..... done
pkg-static: cached package php82-session-8.2.23: missing or size mismatch, fetching from remote
[2/53] Fetching php82-session-8.2.23.pkg: ..... done
[2/53] Fetching php82-session-8.2.23.pkg: ..... done
pkg-static: cached package php82-session-8.2.23: missing or size mismatch, cannot continue
Consider running 'pkg update -f'


I duly tried pkg update -f to no avail; it simply said my packages were up to date:
Updating OPNsense repository catalogue...
Fetching meta.conf: 100%    163 B   0.2kB/s    00:01   
Fetching packagesite.pkg: 100%  240 KiB 246.0kB/s    00:01   
Processing entries: 100%
OPNsense repository update completed. 848 packages processed.
All repositories are up to date.


Even after a reboot, the GUI still shows 24.7.1, as would be expected after the error.

Preferably without doing a new installation from scratch, what should I check or how do I get past this please?

#5
24.7, 24.10 Legacy Series / Source routing tunable?
September 22, 2024, 01:45:17 AM
Reading the XML file for my configuration (what else do you do on a Sunday?) I came across this:
<item>
  <descr>
    Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
    It can also be used to probe for information about your internal networks. These functions come enabled
    as part of the standard FreeBSD core system.
  </descr>
  <tunable>net.inet.ip.sourceroute</tunable>
  <value>default</value>
...
  <tunable>net.inet.ip.accept_sourceroute</tunable>
  <value>default</value>
</item>


Checking the manual, I did not discover mention of source routing or such tunables. The description above is unclear, in that it says the tunable is on by default in FreeBSD but not what is the default value in OPNsense.

I know what source routing is, but what is the setting for it here, should I consider this an issue in a home network, and where is it set anyway (other than importing a modified configuration)?

#6
General Discussion / Install missed 35% of disk space?
December 09, 2023, 02:21:32 AM
Yesterday I installed Opnsense on a spare little Intel 3160 box for use internally, 4x1Gb ports, 8GB / 32 GB memory and storage.

Dashboard, du and zfs list all show 20GB total available. While that is ample for my purposes (96% free before any logs), I am wondering what happened to the other 12 GB?

Does FreeBSD not "clear out" the disk before installing, eliminating existing partitions? It did not present an option. Is there some overhead in zfs or reading of zfs information I am missing?

I can try a reinstall or any shell or console actions that might help to inform or to fix.

#7
I would like to bridge two low-traffic interfaces which have the same essential uses, rules, security requirements.
Documentation and examples I have seen assume that the LAN port is added to the bridge, but that would not be the case here.

Would the general steps be:

  • Remove current configuration from the two interfaces (call them Opt2 & 3)
  • Create a bridge
  • Add Opt2 & Opt3
  • Skip steps 3-5 in the documentation
  • Set tunables as in step 6
  • Set DHCP and rules on the bridge interface
Alternatively for my steps 1 & 6, set those rules on one of the two interfaces added to the bridge.
Thus the question: is configuration set on the bridge or derived by the bridge from one of its interfaces? The former makes more sense to me but discussions seem to imply the second case.

#8
Running 23.7.6 with corresponding crowdsec versions.

I can start Crowdsec and Lapi without a problem. If I add the bouncer then System Status turns red and shows the following message:
There were error(s) loading the rules: /tmp/rules.debug:137: syntax error - The line in question reads [137]: block in log quick inet from $crowdsec_blacklists to {any} tag .CW label "<some hex>" # CrowdSec (IPv4)
This is cleared by disabling bouncer and rebooting OPNsense.

There is a corresponding ipv6 line after that one, not flagged.

The rule pattern looks like valid other lines in /tmp/rules.debug. Any ideas on the problem or where I should look further please?

#9
23.7 Legacy Series / [RESOLVED] Update stalled
October 12, 2023, 11:27:21 AM
I updated to 23.7.6 on the lab box without a problem.

My production box has now stalled during downloading of packages, after 11 of 26, and has been stuck there for some time.

I have full, normal, internet access and other operations (this post being an example).

Assuming conversation with the mirror is lost, should I continue to wait, assuming it will continue eventually, or take some action? If the latter, what is the correct, safe action to take?

#10
General Discussion / [DEFUNCT] DNS with Unbound and BIND
September 27, 2023, 10:07:01 AM
I want to confirm or otherwise that Unbound and BIND will work together as I think they should. I have read documentation, some threads here, and an external discussion of split DNS servers.

Context
I have an old server running BIND providing authoritative DNS for my domain to internal and external requests, and a mail service. Needing to migrate this to newer hardware/OS I thought it may simplify and improve things if rather than running the current split-brain configuration on BIND, I split the DNS servers. This may offer a security advantage also.

Config and operation
Assume we have LAN and Opt2 as distinct networks below Opnsense. I assume Unbound on Opnsense, and BIND (no split brain) on SVR in Opt2.
Unbound would listen only on LAN network, not on Opt2 or WAN.
Opnsense would NAT all external (WAN) DNS queries directly to SVR in Opt2.
SVR would send all its queries to WAN via Opnsense, Unbound not being involved.
Unbound would use Host Override to send all internal queries from LAN to SVR. For LAN-to-external queries Unbound preferably would speak directly with the internet servers for name resolution rather than sending those to SVR too.

Thus, the two DNS servers would have nothing to do with each other except for LAN local enquiries being passed on to SVR by Unbound. LAN devices would never go directly to WAN or SVR. WAN to SVR or SVR to WAN would not involve Unbound. SVR remains authoritative to external clients for the domain.

Is anyone running this configuration? Is it expected to work, before I start experimenting?
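The split-DNS layout described in this post, written out as a raw unbound.conf fragment for the OPNsense side. This is an added example, not configuration from the post or from the OPNsense project; it assumes the internal domain example.com, a LAN interface address of 192.168.1.1 on 192.168.1.0/24, and SVR at 10.0.2.10 in Opt2 (the WAN-to-SVR port 53 NAT is a firewall rule and is not shown here).

```unbound
server:
    # Listen only on the LAN address (assumed 192.168.1.1), so Opt2 and WAN
    # cannot reach Unbound at all.
    interface: 192.168.1.1

    # Only LAN clients may query; everything else is refused.
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # SVR will answer with RFC1918 addresses for example.com. Unbound strips
    # private addresses from upstream answers by default (rebind protection),
    # so the internal domain must be whitelisted explicitly.
    private-domain: "example.com"

    # Assumed: SVR does not serve DNSSEC-signed data for example.com, so do
    # not try to validate it.
    domain-insecure: "example.com"

    # Reverse lookups for Opt2 (assumed 10.0.2.0/24): Unbound blocks RFC1918
    # reverse zones by default, so release this one before delegating it.
    local-zone: "2.0.10.in-addr.arpa." nodefault

# SVR is authoritative for the domain, so a stub zone (non-recursive
# queries to an authoritative server) is the right delegation type.
# Everything not under example.com is resolved recursively by Unbound
# against the public root servers, never via SVR.
stub-zone:
    name: "example.com"
    stub-addr: 10.0.2.10

stub-zone:
    name: "2.0.10.in-addr.arpa."
    stub-addr: 10.0.2.10
```

Check the result from a LAN host with a query for a name under example.com and one for an external name; the first should carry SVR's answer and the second a recursively resolved one.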

#11
After 23.7.4 upgrade I can no longer access the internet from any user device.
1. Devices can ping router and anything else internal, but not on the internet.
2. If logged in to Opnsense in GUI, or via SSH, I can ping anything internal and on internet.
3. Dashboard shows correct static IP after PPPoE connection.
4. Checking via a mobile (cell) device, the ISP's web page shows no outage.

My internal test OPNsense, after the same upgrade, can still ping upstream to the main router; I upgraded it first in the hope of avoiding this sort of problem.

I tried shutting down crowdsec, and rebooting router.
I compared XML of prior config with that now; nothing has changed apart from disabling crowdsec rule as mentioned.

In logs I found no error message since one in late August, from bootup saying "/usr/sbin/ngtl msg igb1:setautosrc 1 returned code 71, the output was, 'ngctl: send msg: no such directory'". Given everything has operated normally meantime, this does not seem relevant.

I am not familiar with using tools like wireshark so if you advise me to do that then please provide detail or pointers.

Can someone also point me to how to revert to 23.7.3 please? I need this back up quickly.

#12
In the documentation for configuration of spamhaus, it says (as shown in the attachment to this post) to complete Name, Description, Type and Host(s).

I go to Firewall:Aliases

I see no "Add new alias button at top right" as described in the documentation, but there is a "+" at bottom right hinted "Add" so I use that.

On the page which comes up, I fill in Name, Type and Description exactly as specified. However, there is no field called "Hosts", so where does one fill in the required "https://www.spamhaus.org/drop/drop.txt"?

I can create the alias without adding Hosts, but what usefully follows from that?

Any help with setting this up will be appreciated.