OPNsense Forum
Topics - itngo

1
Zenarmor (Sensei) / Zenarmor causes issues with HA until set to bypass.
« on: November 06, 2024, 07:46:05 am »
We have an HA pair of Deciso appliances here where Zenarmor is currently being evaluated.
We use CARP VIPs with unicast, but this issue also existed when multicast was used.
About 12 VLANs, and ZA is configured to protect only a few of them and at least one dedicated interface.

Every few days, and sometimes multiple times a day, the firewalls get into split-brain, or at least the master stops processing traffic for some endpoints. For example, 2 servers in a subnet can communicate normally while others in the same subnet cannot and are also not reachable by ping.

When we set Zenarmor to bypass, everything returns to normal. Has anyone had this issue already?

2
High availability / opnsenseBE (OPNsense 24.10_7) still sending Multicast while all VIPs are Unicast
« on: October 25, 2024, 07:23:20 am »
Hi,

we have a pair of Deciso appliances here running in an HA setup for about 12 VLANs. All are configured for CARP/VIP in unicast mode and have the IP of the slave configured for direct CARP.

However, when we do a traffic capture, we can still see that one last interface continues to send VRRP announcements to 224.0.0.18. This should not happen in unicast mode, right?

Code:
1 0.000000 192.168.201.3 224.0.0.18 VRRP 70 Announcement (v2)

3
24.7 Production Series / Old RSPAMD Version.
« on: July 31, 2024, 04:41:39 pm »
Hi,
How do we update Rspamd to 3.9.1?
The OPNsense repository still gives Rspamd 3.8.4, which is quite old. We want to evaluate the OpenAI integration, but need at least 3.9.1.

4
24.1 Legacy Series / Still no DNS-Name in GRE-Interface?
« on: May 07, 2024, 10:58:33 am »
We are heavily using GRE tunnels to some remote OPNsense systems just to get some unimportant status information from the remote systems. The data itself is already encrypted, so we just want some routes to the remote sites over GRE.

We have 2 sites where the IP is not static, so it would be nice to use a DDNS name for the GRE endpoint.

However, the web GUI still does not allow this. Is this something we can work around without the need to create an extra WG, OVPN, IPsec or whatever config?

5
German - Deutsch / Home-office user with OpenVPN client and local network printer in the home office.
« on: April 18, 2024, 01:18:59 pm »
We have the following scenario here:

Server network at HQ: 192.168.1.0/24.
OpenVPN client with tunnel network 10.10.0.0/24
Network at the home-office user behind a FritzBox: 192.168.178.0/24

There is a Windows laptop and a network printer there. The Windows PC runs the OpenVPN client 3.x and establishes the connection.
Can I create the OpenVPN config for the client in OPNsense in such a way that the printer becomes reachable from the server network?

As the IPv4 remote network we have already entered the home-office network, and a corresponding route is also created on the OPNsense. The FritzBox has routes via the Windows PC for the destination networks 192.168.1.0/24 and 10.10.0.0/24. The Windows PC has IP forwarding enabled. The printer has the local FritzBox as its gateway.

Nevertheless, we cannot get through to the printer from the 192.168.1.0/24 network.

Maybe someone can enlighten us as to what could be missing?

6
23.7 Legacy Series / ACME Client does not honor config changes.
« on: January 20, 2024, 08:15:10 am »
When we create a new challenge type or change an existing one, the changes are not honored on renewal.
For example, we had a PowerDNS challenge using an internal IP and changed the config to use a public DNS name instead.

However, the ACME client still uses the internal IP on renewal. Looks like the config file never gets updated in some cases.

7
23.7 Legacy Series / NGINX Update broke Exchange Publishing.
« on: January 09, 2024, 01:18:01 pm »
Hi,

Based on this https://forum.opnsense.org/index.php?topic=21154.msg99523#msg99523 we had our Exchange server published with BASIC auth. This was working for about a year or two, in fact including version "OPNsense 23.10_2-amd64", but when we now update to a newer version, "23.10.1" or "23.7.9 community version", Outlook no longer works. We then roll back the VMs to the older version and it works again.

I believe something in the NGINX config templates or the NGINX version gets overwritten.

Anyone with this issue, or using Exchange publishing, who has an idea?

8
23.7 Legacy Series / ACME Plugin does not use new settings, until reboot.
« on: December 16, 2023, 08:57:30 am »
Hi,

we have about 90 certificates configured with Let's Encrypt. While renewal is working in general, changing the "challenge type" setting for a certificate from our "old" DNS to our "new" DNS does not get adopted until we reboot the whole OPNsense.

The debug log shows that renewal jobs continue to use the old settings until the whole OPNsense is rebooted. Stopping/disabling the plugin does not help....

Can anyone confirm this?

Thank you.

9
23.7 Legacy Series / Rspamd - Whitelist for Sender-Email-Address.
« on: October 09, 2023, 04:21:02 pm »
Hi,

we couldn't find a way to "whitelist" or "lower the score" of a complete e-mail address. You can whitelist an e-mail domain, but that is not the best idea for "mail providers" like GMX or comparable ones.

So we created a section in the multimap.conf template and an inc file in maps.d/.
It is working, but we cannot edit that file from the Rspamd web GUI, which we exposed to the LAN.

It is "read only". What could be wrong here?

Indeed the Rspamd plugin is a bit limited compared to what is possible in Rspamd itself, but even some basics are missing, which makes it hard to give it to "hands" that are less console-trained....

Regards
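
As an added example (not the post's own configuration and not the OPNsense Rspamd plugin's template), this is what a per-address whitelist looks like when written as a stand-alone multimap rule. The symbol name, score and map path are assumptions; only the rule shape (a multimap of type "from" with an address filter and a file-backed map) is Rspamd's documented mechanism:

```ucl
# Added example: a multimap rule that matches individual sender addresses
# rather than whole domains. Put it in local.d/multimap.conf (or the file the
# plugin renders) and list one address per line in the map file.
SENDER_ADDR_WHITELIST {
  type = "from";                 # sender address, not a header or domain
  filter = "email:addr";         # compare the full user@domain string
  map = "/usr/local/etc/rspamd/maps.d/sender_whitelist.inc";  # assumed path
  score = -10.0;                 # negative score = strong ham signal
  description = "Sender address on local whitelist";
}
```

Rspamd re-reads file maps on change, so editing the .inc file takes effect without a restart. One caveat: files that a plugin renders from its templates are regenerated when the plugin applies its configuration, so a hand-added section in a template survives only as long as the template itself is not replaced by a plugin update; the map file under maps.d/ is the safer place to keep the actual addresses.
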

10
23.7 Legacy Series / Rspamd - Central Redis
« on: October 06, 2023, 07:51:26 am »
Hi,

we are in the process of migrating the spam filter from "Proxmox Mail Gateway" to Rspamd for about 30 OPNsense customers.

Rspamd is capable of using a central Redis database, so that each spam filter can learn from and use a central database. Can this be accomplished with OPNsense as well? Where should the configuration take place?

Regards

11
23.7 Legacy Series / Rspamd Neural Engine.
« on: October 06, 2023, 07:43:52 am »
Hi,

in the Rspamd docs there is the option to enable the neural processing engine.

https://rspamd.com/doc/modules/neural.html

How do I enable/accomplish this in the OPNsense plugin?

Regards

12
High availability / Virtual IP Status weird.
« on: July 19, 2023, 11:38:34 am »
Hi,

I have about 15 VIPs configured with CARP, but "Virtual IPs: Status" shows 16.

2 with the same IP:

                 8  (freq. 1/0)   100.64.0.1   INIT
   WiFiGuest    10  (freq. 1/0)   100.64.0.1   MASTER

VHID 8 has been deleted and should not be there. Also in the config.xml export VHID 8 does not exist. What did I do wrong?

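As an added example, not code from the post or from the OPNsense project, here is a Python check for exactly this kind of drift: it reads FreeBSD `ifconfig` output for the VHIDs the kernel is still running and compares them with the CARP VIPs present in config.xml. The sample ifconfig text and config.xml fragment are constructed, and the `<virtualip><vip><vhid>` layout is an assumption about the config export format.

```python
"""
Added example (not from the forum post or OPNsense): find CARP VHIDs that the
kernel still advertises but that are no longer present in config.xml.
The ifconfig sample and the config.xml fragment below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the carp-related lines `ifconfig -a` prints on FreeBSD.
SAMPLE_IFCONFIG = """\
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 100.64.0.2 netmask 0xffffff00 broadcast 100.64.0.255
\tinet 100.64.0.1 netmask 0xffffff00 broadcast 100.64.0.255 vhid 8
\tinet 100.64.0.1 netmask 0xffffff00 broadcast 100.64.0.255 vhid 10
\tcarp: INIT vhid 8 advbase 1 advskew 0
\tcarp: MASTER vhid 10 advbase 1 advskew 0
vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255 vhid 20
\tcarp: MASTER vhid 20 advbase 1 advskew 0
"""

# Constructed config.xml fragment (assumed layout): only VHID 10 and 20 remain.
SAMPLE_CONFIG_XML = """\
<opnsense>
  <virtualip>
    <vip><mode>carp</mode><interface>opt1</interface><subnet>100.64.0.1</subnet><vhid>10</vhid><descr>WiFiGuest</descr></vip>
    <vip><mode>carp</mode><interface>opt2</interface><subnet>192.168.20.1</subnet><vhid>20</vhid><descr>LAN20</descr></vip>
  </virtualip>
</opnsense>
"""

IFACE_RE = re.compile(r"^(\S+):\s+flags=")          # start of an interface block
CARP_RE = re.compile(r"^\s*carp:\s+(\S+)\s+vhid\s+(\d+)")  # "carp: STATE vhid N ..."


def kernel_vhids(ifconfig_text):
    """Return {vhid: (interface, state)} for every carp line in ifconfig output."""
    result = {}
    iface = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = CARP_RE.match(line)
        if m and iface:
            result[int(m.group(2))] = (iface, m.group(1))
    return result


def configured_vhids(config_xml_text):
    """Return {vhid: description} for every CARP vip in config.xml."""
    root = ET.fromstring(config_xml_text)
    result = {}
    for vip in root.iterfind("./virtualip/vip"):
        if (vip.findtext("mode") or "").strip() != "carp":
            continue
        vhid = vip.findtext("vhid")
        if vhid:
            result[int(vhid)] = (vip.findtext("descr") or "").strip()
    return result


def stale_vhids(ifconfig_text, config_xml_text):
    """VHIDs the kernel still runs that config.xml no longer contains."""
    live = kernel_vhids(ifconfig_text)
    wanted = configured_vhids(config_xml_text)
    return {v: live[v] for v in sorted(live) if v not in wanted}


if __name__ == "__main__":
    for vhid, (iface, state) in stale_vhids(SAMPLE_IFCONFIG, SAMPLE_CONFIG_XML).items():
        print(f"stale: vhid {vhid} on {iface} is {state} but absent from config.xml")
```

On a real box, feed it the output of `ifconfig -a` and the contents of `/conf/config.xml`; the regexes are tied to FreeBSD's ifconfig wording, so check them against your version's output first. A VHID reported here but missing from the config is runtime state the last reconfiguration did not tear down, which is what the status page in the post is showing.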
13
23.1 Legacy Series / Maltrail - Listen queue overflow - 8 already in queue awaiting acceptance
« on: May 01, 2023, 08:18:59 am »
Hi,
we have several OPNsense setups with Maltrail in sensor-only mode. We then use a "central" OPNsense as the Maltrail server. From time to time we see the following error on the console:

sonewconn: pcb 0xfffff804244869b0 (0.0.0.0:8338 (proto 6)): Listen queue overflow: 8 already in queue awaiting acceptance (2 occurrences)

Changing the tunable for sonewconn does not help. I guess we have too many "sensors" sending to the server, but how do we allow the server to accept more connections in OPNsense?

14
22.7 Legacy Series / MBUF Exhaust when Using NGINX-ReverseProxy for NextCloud-Publish.
« on: April 17, 2023, 02:40:45 pm »
Hi,

maybe someone can say something about this.

We publish Nextcloud with NGINX. Response buffering and request buffering are already disabled.

We can upload and download files and use the Nextcloud web frontend flawlessly.

However, when we download a larger file from Nextcloud we get massive MBUF exhaustion and the OPNsense at least freezes.

We already set kern.ipc.nmbclusters to 2000000, but they still get exhausted by a simple download. We also see that even setting kern.ipc.nmbclusters to 6 or 12 million does not help, as OPNsense will never use more than about 2.2 million even though there is still plenty of RAM available. And then it freezes or stops traffic flow altogether.

It looks like NGINX is loading the 2.x gigabyte file directly into the MBUFs while the client has only limited bandwidth and cannot get the data fast enough to release the MBUFs again.....

We already tried shaping in OPNsense and also request limits in NGINX, but neither has a real effect. The downloads slow down, but the "upstream" saturation still goes to 900 Mbit and more and kills the OPNsense within 2 or 3 minutes....

Anyone have an idea where to start?

15
23.1 Legacy Series / Import Tunables to identical VMs
« on: March 31, 2023, 07:43:07 pm »
Hi,
we have about 20 VMs with the same configuration and want to change some tunables on all of them.
Is it possible to import these tunables from the command line instead of creating them manually one by one in the web GUI?

Thx....
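
As an added example, not from the post or the OPNsense project: a Python script that merges a fixed set of tunables into a config.xml idempotently, so the same file can be pushed to each identical VM from the shell and re-run safely. It assumes tunables live under `<sysctl><item>` with `<descr>`, `<tunable>` and `<value>` children, which is the layout of an OPNsense config export; the sample config and the tunable names and values are constructed and illustrative, not recommendations.

```python
"""
Added example (not from the forum post or OPNsense): merge tunables into an
OPNsense config.xml. Assumed layout:
  <sysctl><item><descr/><tunable/><value/></item></sysctl>
The sample document and tunable list are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one tunable already present whose value should change.
SAMPLE_CONFIG_XML = """\
<opnsense>
  <system><hostname>fw01</hostname></system>
  <sysctl>
    <item>
      <descr>Existing entry</descr>
      <tunable>kern.ipc.nmbclusters</tunable>
      <value>1000000</value>
    </item>
  </sysctl>
</opnsense>
"""

# Constructed list to apply to every VM: name -> (description, value).
TUNABLES = {
    "kern.ipc.nmbclusters": ("MBUF clusters", "2000000"),
    "kern.ipc.soacceptqueue": ("Listen backlog", "1024"),
    "net.inet.tcp.syncache.rexmtlimit": ("SYN cache retransmits", "3"),
}


def load_config(text):
    """Parse a config.xml document from a string and return its root element."""
    return ET.fromstring(text)


def merge_tunables(root, tunables):
    """Update existing <sysctl>/<item> entries in place and append missing ones.
    Returns (updated, added) so a caller can log what changed; a second run
    with the same list returns (0, 0)."""
    sysctl = root.find("sysctl")
    if sysctl is None:
        sysctl = ET.SubElement(root, "sysctl")
    existing = {}
    for item in sysctl.findall("item"):
        name = (item.findtext("tunable") or "").strip()
        if name:
            existing[name] = item
    updated = added = 0
    for name, (descr, value) in tunables.items():
        item = existing.get(name)
        if item is None:
            item = ET.SubElement(sysctl, "item")
            ET.SubElement(item, "descr").text = descr
            ET.SubElement(item, "tunable").text = name
            ET.SubElement(item, "value").text = value
            added += 1
            continue
        val = item.find("value")
        if val is None:                      # tolerate an item without <value>
            val = ET.SubElement(item, "value")
        if (val.text or "").strip() != value:
            val.text = value
            updated += 1
    return updated, added


def current_tunables(root):
    """{tunable: value} view of the <sysctl> section, for verification."""
    return {
        (i.findtext("tunable") or "").strip(): (i.findtext("value") or "").strip()
        for i in root.iterfind("./sysctl/item")
    }


def merge_file(src_path, dst_path, tunables):
    """Read config.xml from src_path, merge, write to dst_path (never edit
    /conf/config.xml in place without keeping a copy)."""
    tree = ET.parse(src_path)
    counts = merge_tunables(tree.getroot(), tunables)
    tree.write(dst_path, encoding="utf-8", xml_declaration=True)
    return counts


if __name__ == "__main__":
    root = load_config(SAMPLE_CONFIG_XML)
    print("updated, added:", merge_tunables(root, TUNABLES))
    print(current_tunables(root))
```

Run it against a copy of `/conf/config.xml` on each VM, diff the result, and then either put the file in place and reboot or restore it through the backup/restore page so the kernel picks the values up. Because the merge keys on the tunable name, re-running it after a GUI edit neither duplicates entries nor clobbers unrelated ones.
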

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved