Topics - itngo

#1
Anyone else noticed that the spinners, regardless of where they are shown, are not all "still" and not "rotating" anymore?
This is very irritating in BE Manager, where you get no idea which of the 50 firewalls is still being scanned or already waiting for updates....

#2
We have a HA-Pair Deciso-Appliance here where Zenarmor is currently being evaluated.
We use CARP VIP with unicast, but this issue exists also when multicast was used.
About 12 VLANs and ZA is configured to protect only few of them and at least one dedicated interface.

Every few days, and sometimes multiple times a day, the firewalls get into split-brain, or at least the master stops processing traffic for some endpoints. For example, 2 servers in a subnet can communicate normally while others in the same subnet cannot and are also not reachable via ping.

When we set Zenarmor to bypass, everything returns to normal. Anyone had this issue already?
#3
Hi,

we have a pair of Deciso-Appliances here running in an HA setup for about 12 VLANs. All are configured for CARP/VIP in unicast mode and have the IP of the slave configured for direct CARP.

However, when we do a traffic capture, we can still see that one last interface continues to send VRRP announcements to 224.0.0.18. This should not happen in unicast mode, right?

1 0.000000 192.168.201.3 224.0.0.18 VRRP 70 Announcement (v2)
#4
24.7, 24.10 Legacy Series / Old RSPAMD Version.
July 31, 2024, 04:41:39 PM
Hi,
How do we update RSPAMD to 3.9.1?
The opnsense repository still provides RSPAMD 3.8.4, which is quite old. We want to evaluate the OpenAI integration, but need at least 3.9.1.
#5
We are heavily using GRE tunnels for some remote opnsense systems just to get some unimportant status information from remote systems. The data itself is already encrypted, so we just want some routes to the remote sites with GRE.

We have 2 sites where the IP is not static, so it would be nice to use a DDNS name for the GRE endpoint.

However, the webGUI still does not allow this. Is this something we can work around without the need to create an extra WG, OVPN, IPsec or whatever config?
#6
We have the following scenario here:

Server network at HQ 192.168.1.0/24.
OpenVPN client with tunnel network 10.10.0.0/24
Network at the home office user behind a FritzBox 192.168.178.0/24

There is a Windows laptop and a network printer there. The Windows PC has the OpenVPN client 3.x and establishes the connection.
Can I create the OpenVPN config for the client in opnsense in such a way that the printer becomes reachable from the server network?

We have already entered the home office network as the IPv4 remote network, and a corresponding route is also created on the opnsense. The FBOX has routes to the Windows PC for the destination networks 192.168.1.0/24 and 10.10.0.0/24. The Windows PC has IP forwarding enabled. The printer has the local FBOX as its gateway.

Nevertheless, we cannot get through to the printer from the 192.168.1.0/24 network.

Perhaps someone can enlighten us as to what might be missing?
#7
When we create a new challenge type or change an existing one, the changes are not honored on renewal.
For example, we had a PowerDNS challenge using an internal IP and changed the config to use a public DNS name.

However, the ACME client still uses the internal IP on renewal. It looks like the config file never gets updated in some cases.
#8
Hi,

based on this https://forum.opnsense.org/index.php?topic=21154.msg99523#msg99523 we had our Exchange server published with BASIC auth. This was working for about a year or two, in fact up to and including version "OPNsense 23.10_2-amd64", but when we now update to a newer version ("23.10.1" or "23.7.9 community version") Outlook no longer works. We then roll back the VMs to the older version and it works again.

I believe something in the NGINX config templates or the NGINX version gets overwritten.

Anyone with this issue, or using Exchange publishing, who has an idea?
#9
Hi,

we have about 90 certificates configured with Let's Encrypt. While renewal is working in general, changing the "challenge type" setting for a certificate from the "old" DNS to our "new" DNS is not adopted until we reboot the whole opnsense.

The debug log shows that renewal jobs continue to use the old settings until the whole opnsense is rebooted. Stopping/disabling the plugin does not help....

Can anyone confirm this?

Thank you.
#10
Hi,

we couldn't find a way to "whitelist" or "lower-score" a complete e-mail address. You can whitelist an e-mail domain, but that is not the best idea for "mail providers" like GMX or comparable ones.

So we created a section in the multimap.conf template and an inc file in maps.d/.
It is working, but we cannot edit that file from the RSPAMD WebGUI, which we exposed to the LAN.

It is "read only". What could be wrong here?

Indeed the Rspamd plugin is a bit limited compared to what is possible in Rspamd itself, but even some basics are missing, which makes it hard to give it to "hands" which are less console-trained....

Regards
#11
23.7 Legacy Series / Rspamd - Central Redis
October 06, 2023, 07:51:26 AM
Hi,

we are in the process of migrating the spam filter from "Proxmox Mail Gateway" to Rspamd for about 30 opnsense customers.

Rspamd is capable of using a central Redis database, so that each spam filter can learn from and use a central database. Can this be accomplished with opnsense as well? Where should the configuration take place?

Regards
#12
23.7 Legacy Series / Rspamd Neural Engine.
October 06, 2023, 07:43:52 AM
Hi,

in the RSPAMD docs there is an option to enable the neural processing engine.

https://rspamd.com/doc/modules/neural.html

How can this be enabled/accomplished in the opnsense plugin?

Regards
#13
High availability / Virtual IP Status weird.
July 19, 2023, 11:38:34 AM
Hi,

I have about 15 VIPs configured with CARP, but "Virtual IPs: Status" shows 16.

2 with the same IP:
        8 (freq. 1/0)   100.64.0.1     INIT
   WiFiGuest   10 (freq. 1/0)   100.64.0.1     MASTER

VHID 8 has been deleted and should not be there. In the config.xml export the VHID does not exist either. What did I do wrong?
#14
Hi,
we have several opnsense setups with Maltrail in sensor-only mode. We then use a "central" opnsense as the Maltrail server. From time to time we see the following error on the console:

sonewconn: pcb 0xfffff804244869b0 (0.0.0.0:8338 (proto 6)): Listen queue overflow: 8 already in queue awaiting acceptance (2 occurrences)

Changing the tunable for sonewconn does not help. I guess we have too many "sensors" sending to the server, but how can the server be allowed to accept more connections in opnsense?
#15
Hi,

maybe someone can say something about this.

We publish Nextcloud with NGINX. Response buffering and request buffering are already disabled.

We can upload and download files and use the web frontend in Nextcloud flawlessly.

However, when we download a larger file from Nextcloud we have massive MBUF exhaustion and the opnsense eventually freezes.

We already set kern.ipc.nmbclusters to 2000000, but they still get exhausted by a simple download. We also see that even setting kern.ipc.nmbclusters to 6 or 12 million does not help, as opnsense will never use more than about 2.2 million even though there is still plenty of RAM available, and then it freezes or stops the traffic flow altogether.

It looks like NGINX is loading the 2.x gigabyte file directly into the MBUFs while the client has only limited bandwidth and cannot get the data fast enough to release the MBUFs again.....

We already tried shaping in opnsense and also request limits in NGINX, but both have no real effect. The downloads slow down, but the "upstream" saturation still goes to 900 Mbit and more and kills the opnsense within 2 or 3 minutes....

Does anyone have an idea where to start?

#16
Hi,
we have about 20 VMs with the same configuration and want to change some tunables for all of them.
Is it possible to import these tunables from the command line instead of creating them manually one by one in the webgui?

Thx....
#17
We had a location/server where we applied an ACL with one subnet and 3 additional IP addresses.
Access from these addresses does work. We then added another IP and get 403 from nginx; even after a complete reboot of the whole firewall the change is not honored. Where to look?

Logs / Global Error says all good.
#18
Zenarmor (Sensei) / Dashboard Widget never loads....
March 29, 2023, 09:21:42 AM
We have some smaller VMs running ZENARMOR where the dashboard does not display anything. (See attachment)

Sometimes it helps to reset the reporting data, but not always. The VMs have limited RAM and use sqlite or mongodb, but there are only a few clients, so not much data flow.

Any hint on this?
#19
22.7 Legacy Series / SNMP pf data.
March 27, 2023, 09:35:50 PM
Following https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/opnsense_snmp?at=release/6.0
we configured SNMP to get data for states and the state table limit.

But even after configuration in snmp.conf we get "OID not found":
snmpget -v 2c -c private 10.168.178.55 1.3.6.1.4.1.12325.1.200.1.3.1.0
SNMPv2-SMI::enterprises.12325.1.200.1.3.1.0 = No Such Object available on this agent at this OID

Any idea what we are missing here?

OPNsense 22.10.2-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
#20
Hi,

we have a site-to-site IPsec tunnel and want to publish a website with haproxy or nginx where the target server is on the far side of the IPsec tunnel.

The source IP is then the public IP of site A, which does not flow through the tunnel, so the web server is not reachable.

How can this be solved?