Topics

1

General Discussion / Bridge two ports, not including LAN

« on: October 30, 2023, 04:53:44 am »

I would like to bridge two low-traffic interfaces which have the same essential uses, rules, security requirements.
Documentation and examples I have seen assume that the LAN port is added to the bridge, but that would not be the case here.

Would the general steps be:

• Remove current configuration from the two interfaces (call them Opt2 & 3)
• Create a bridge
• Add Opt2 & Opt3
• Skip steps 3-5 in the documentation
• Set tunables as in step 6
• Set DHCP and rules on the bridge interface

Alternatively for my steps 1 & 6, set those rules on one of the two interfaces added to the bridge.
Thus the question: is configuration set on the bridge or derived by the bridge from one of its interfaces? The former makes more sense to me but discussions seem to imply the second case.

2

Intrusion Detection and Prevention / [Resolved] Crowdsec bouncer error in default rule

« on: October 13, 2023, 11:58:56 am »

Running 23.7.6 with corresponding crowdsec versions.

I can start Crowdsec and Lapi without a problem. If I add the bouncer then System Status turns red and shows the following message:

Code: [Select]

There were error(s) loading the rules: /tmp/rules.debug:137: syntax error - The line in question reads [137]: block in log quick inet from $crowdsec_blacklists to {any} tag .CW label "<some hex>" # CrowdSec (IPv4)This is cleared by disabling bouncer and rebooting OPNsense.

There is a corresponding ipv6 line after that one, not flagged.

The rule pattern looks like valid other lines in /tmp/rules.debug. Any ideas on the problem or where I should look further please?

3

23.7 Production Series / [RESOLVED] Update stalled

« on: October 12, 2023, 11:27:21 am »

I updating to 23.7.6 on the lab box without a problem.

My production box has now stalled during downloading of packages, after 11 of 26, and been stuck there for some time.

I have full, normal, internet access and other operations (this post being an example).

Assuming conversation with the mirror is lost, should I continue to wait, assuming it will continue eventually, or take some action? If the latter, what is the correct, safe action to take?

4

General Discussion / [DEFUNCT] DNS with Unbound and BIND

« on: September 27, 2023, 10:07:01 am »

I want to confirm or otherwise that Unbound and BIND will work together as I think they should. I have read documentation, some threads here, and an external discussion of split DNS servers.

Context
I have an old server running BIND providing authoritative DNS for my domain to internal and external requests, and a mail service. Needing to migrate this to newer hardware/OS I thought it may simplify and improve things if rather than running the current split-brain configuration on BIND, I split the DNS servers. This may offer a security advantage also.

Config and operation
Assume we have LAN and Opt2 as distinct networks below Opnsense. I assume Unbound on Opnsense, and BIND (no split brain) on SVR in Opt2.
Unbound would listen only on LAN network, not on Opt2 or WAN.
Opnsense would NAT all external (WAN) DNS queries directly to SVR in Opt2.
SVR would send all its queries to WAN via Opnsense, Unbound not being involved.
Unbound would use Host Override to send all internal queries from LAN to SVR. For LAN-to-external queries Unbound preferably would speak directly with the internet servers for name resolution rather than sending those to SVR too.

Thus, the two DNS servers would have nothing to do with each other except for LAN local enquiries being passed on to SVR by Unbound. LAN devices would never go directly to WAN or SVR. WAN to SVR or SVR to WAN would not involve Unbound. SVR remains authoritative to external clients for the domain.

Is anyone running this configuration? Is it expected to work, before I start experimenting?

5

23.7 Production Series / 23.7.4 upgrade lost device connection to internet [SOLVED]

« on: September 17, 2023, 06:00:22 am »

After 23.7.4 upgrade I can no longer access the internet from any user device.
1. Devices can ping router and anything else internal, but not on the internet.
2. If logged in to Opnsense in GUI, or via SSH, I can ping anything internal and on internet.
3. Dashboard shows correct static IP after PPOE connection.
4. Checking via a mobile (cell) device, the ISP's web page shows no outage.

My internal test opnsense after the same upgrade can still ping upstream to the main router I upgrade it first in hope of avoiding this sort of problem.

I tried shutting down crowdsec, and rebooting router.
I compared XML of prior config with that now; nothing has changed apart from disabling crowdsec rule as mentioned.

In logs I found no error message since one in late August, from bootup saying “/usr/sbin/ngtl msg igb1:setautosrc 1 returned code 71, the output was, ‘ngctl: send msg: no such directory’". Given everything has operated normally meantime, this does not seem relevant.

I am not familiar with using tools like wireshark so if you advise me to do that then please provide detail or pointers.

Can someone also point me to how to revert to 23.7.3 please? I need this back up quickly.

6

Documentation and Translation / Alias spamhaus - Interface does not accord with documentation

« on: June 02, 2023, 12:36:27 pm »

In the documentation for configuration of spamhaus, it says (as shown in the attachment to this post) to complete Name, Description, Type and Host(s).

I go to Firewall:Aliases

I see no "Add new alias button at top right" as described in the documentation, but there is a "+" at bottom right hinted "Add" so I use that.

On the page which comes up, I fill in Name, Type and Description exactly as specified. However, there is no field called "Hosts", so where does one fill in the required "https://www.spamhaus.org/drop/drop.txt"?

I can create the alias without adding Hosts, but what usefully follows from that?

Any help with setting this up will be appreciated.