Topics - rudiratlos63

#1
Hello,
In NetworkTime/General I have defined: prefer, de.pool.ntp.org
In Firewall/Rules/INT is defined: pass, INT, direction:in, ip4, UDP, Source: INTnet, Destination: INTaddr, port:123

Test on macOS CLI: sntp -S de.pool.ntp.org
Result: +0.014647 +/- 0.023983 de.pool.ntp.org 162.159.200.123

Test on macOS CLI: sntp -S <myInternalOPNsenseIP>
Result:
sntp: Exchange failed: Server not synchronized
sntp_exchange {
        result: 9 (Server not synchronized)
        header: E4 (li:3 vn:4 mode:4)
       stratum: 00 (0)
          poll: 03 (8)
     precision: 00 (1.000000e+00)
         delay: 0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
           ref: 52415445 ("RATE")
         t_ref: 00000000.00000000 (0.000000000)
            t1: ED5669AC.E574D594 (3981863340.896313999)
            t2: ED5669AC.E574D594 (3981863340.896313999)
            t3: ED5669AC.E574D594 (3981863340.896313999)
            t4: ED5669AC.E5F7B5AE (3981863340.898310999)
        offset: FFFFFFFFFFFFFFFF.FFBE8FF300000000 (-0.000998500)
         delay: 0000000000000000.0082E01A00000000 (0.001997000)
          mean: 00000000ED5669AC.E574D59400000000 (3981863340.896314144)
         error: 0000000000000000.0000000000000000 (0.000000000)
          addr: 10.8.81.1
}
sntp: Exchange failed: Timeout
sntp_exchange {
        result: 6 (Timeout)
        header: 00 (li:0 vn:0 mode:0)
       stratum: 00 (0)
          poll: 00 (1)
     precision: 00 (1.000000e+00)
         delay: 0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
           ref: 00000000 ("    ")
         t_ref: 00000000.00000000 (0.000000000)
            t1: ED5669AC.E60A84BE (3981863340.898597999)
            t2: 00000000.00000000 (0.000000000)
            t3: 00000000.00000000 (0.000000000)
            t4: 00000000.00000000 (0.000000000)
        offset: FFFFFFFF8954CB29.8CFABDA100000000 (-1990931670.449299097)
         delay: FFFFFFFF12A99653.19F57B4200000000 (-3981863340.898598194)
          mean: 0000000000000000.0000000000000000 (0.000000000)
         error: 0000000000000000.0000000000000000 (0.000000000)
          addr: 10.8.81.1
}
sntp: Exchange failed: Timeout
sntp_exchange {
        result: 6 (Timeout)
        header: 00 (li:0 vn:0 mode:0)
       stratum: 00 (0)
          poll: 00 (1)
     precision: 00 (1.000000e+00)
         delay: 0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
           ref: 00000000 ("    ")
         t_ref: 00000000.00000000 (0.000000000)
            t1: ED5669AD.E77D1FE6 (3981863341.904252999)
            t2: 00000000.00000000 (0.000000000)
            t3: 00000000.00000000 (0.000000000)
            t4: 00000000.00000000 (0.000000000)
        offset: FFFFFFFF8954CB29.0C41700D00000000 (-1990931670.952126503)
         delay: FFFFFFFF12A99652.1882E01A00000000 (-3981863341.904253006)
          mean: 0000000000000000.0000000000000000 (0.000000000)
         error: 0000000000000000.0000000000000000 (0.000000000)
          addr: 10.8.81.1
}
sntp: Exchange failed: Timeout
sntp_exchange {
        result: 6 (Timeout)
        header: 00 (li:0 vn:0 mode:0)
       stratum: 00 (0)
          poll: 00 (1)
     precision: 00 (1.000000e+00)
         delay: 0000.0000 (0.000000000)
    dispersion: 0000.0000 (0.000000000)
           ref: 00000000 ("    ")
         t_ref: 00000000.00000000 (0.000000000)
            t1: ED5669AE.E8ED1BF7 (3981863342.909867999)
            t2: 00000000.00000000 (0.000000000)
            t3: 00000000.00000000 (0.000000000)
            t4: 00000000.00000000 (0.000000000)
        offset: FFFFFFFF8954CB28.8B89720480000000 (-1990931671.454933882)
         delay: FFFFFFFF12A99651.1712E40900000000 (-3981863342.909867764)
          mean: 0000000000000000.0000000000000000 (0.000000000)
         error: 0000000000000000.0000000000000000 (0.000000000)
          addr: 10.8.81.1
}
+0.015877 +/- 0.032075 10.8.81.1 10.8.81.1
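Decoding the first reply above explains the "Server not synchronized" result: header byte E4 is LI=3 (alarm), version 4, mode 4 (server), and a stratum 0 packet whose reference ID is the ASCII text "RATE" is a Kiss-o'-Death packet (RFC 5905), i.e. the firewall's ntpd is rate-limiting the client rather than serving time. The parser below is an added example, not code from the original post; it rebuilds that reply from the dumped field values and, for contrast, a constructed healthy stratum-2 reply whose reference ID is the pool address 162.159.200.123.

```python
import struct

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Kiss-o'-Death codes (RFC 5905, section 7.4) that a client must honour.
KISS_CODES = {
    "RATE": "rate exceeded, the server is rate-limiting this client: back off",
    "DENY": "access denied: stop polling this server",
    "RSTR": "access restricted: stop polling this server",
}

def ntp_to_unix(ts: int) -> float:
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32

def decode_ntp(packet: bytes) -> dict:
    """Parse the 48-byte NTP/SNTP header (RFC 5905) into named fields."""
    if len(packet) < 48:
        raise ValueError("NTP packet must be at least 48 bytes")
    (flags, stratum, poll, _precision, _delay, _disp, ref_id,
     _t_ref, t1, t2, t3) = struct.unpack("!BBbbIIIQQQQ", packet[:48])
    # Stratum 0/1: 4-char ASCII reference ID (a kiss code for stratum 0);
    # stratum >= 2: IPv4 address of the upstream server.
    if stratum < 2:
        ref = ref_id.to_bytes(4, "big").decode("ascii", "replace").strip("\x00 ")
    else:
        ref = ".".join(str(b) for b in ref_id.to_bytes(4, "big"))
    return {"li": flags >> 6, "vn": (flags >> 3) & 7, "mode": flags & 7,
            "stratum": stratum, "poll_seconds": 2 ** poll, "ref_id": ref,
            "t1": ntp_to_unix(t1), "t2": ntp_to_unix(t2), "t3": ntp_to_unix(t3)}

def classify(info: dict) -> str:
    """Say why a reply is or is not usable, mirroring sntp's result codes."""
    if info["stratum"] == 0 and info["ref_id"] in KISS_CODES:
        return "kiss-o-death %s: %s" % (info["ref_id"], KISS_CODES[info["ref_id"]])
    if info["li"] == 3 or info["stratum"] == 0:
        return "server not synchronized"
    if info["mode"] != 4:
        return "not a server reply (mode %d)" % info["mode"]
    return "usable, stratum %d" % info["stratum"]

# Constructed sample rebuilt from the field values of the first sntp dump above:
# header E4, stratum 0, poll 3, ref "RATE", t1 == t2 == t3.
T1 = 0xED5669ACE574D594
KOD_REPLY = struct.pack("!BBbbIIIQQQQ", 0xE4, 0, 3, 0, 0, 0,
                        int.from_bytes(b"RATE", "big"), 0, T1, T1, T1)
# Constructed healthy reply: LI 0, v4, mode 4, stratum 2, ref = 162.159.200.123.
OK_REPLY = struct.pack("!BBbbIIIQQQQ", 0x24, 2, 3, -20, 0, 0,
                       int.from_bytes(bytes([162, 159, 200, 123]), "big"), T1, T1, T1, T1)
```

Running `classify(decode_ntp(KOD_REPLY))` yields the kiss-o-death RATE verdict, while the constructed pool reply classifies as usable.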
#2
High availability / Master not taking over CARP IP
February 08, 2026, 04:41:09 PM
My HA is working, but the Master will not be promoted to Master after a reboot.
My CARP IPs have the following VirtualIP CARP settings:
Backup Server: Advbase set to 1 and Advskew set to 100, Disable preempt: off
Master Server: Advbase set to 1 and Advskew set to 0, Disable preempt: on
#3
High availability / CARP and Unbound DNS response
February 04, 2026, 05:14:29 PM
Hello,
I have a CARP-IP (10.8.99.1) on my INTernal interface and a physical IP (10.8.99.3).
My client gets via Kea DHCP the DNS server IP as the CARP-IP (10.8.99.1).
An nslookup to google.com from the client CLI gets the error that the reply is expected from 10.8.99.1#53, but 10.8.99.3#3 responded.
The client drops the DNS reply because it's not from the CARP-IP.
How do I configure Unbound to use the CARP-IP and not the physical IP of node1 in the HA config?
#4
Hi, I am trying to run Home Assistant (running on port 8123) behind the nginx plugin.
In the Home Assistant configuration.yaml, in the http: section, I have the entries use_x_forwarded_for: true and trusted_proxies: <lan address of opnsense>.

In the nginx HTTP access logs I get error status codes 304, 400 and 499.

according to
https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

there are headers needed like:
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

but I cannot get it to run.

Is there a way to set the headers via the OPNsense web GUI?
#5
My last automatic cert renewal was executed last December. After upgrading OPNsense (I can't remember when), cert renewals are failing. It looks like the lighttpd process running on port 43580 responds with Forbidden.

1. Test on the OPNsense root CLI:
# fetch http://localhost:43580
fetch: http://localhost:43580: Forbidden

2. Test on desktop Firefox, calling
http://<internal IP of my OPNsense>/.well-known/acme-challenge/XXXXidXXXXX....
results in Forbidden

sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   94028 4  tcp4   127.0.0.1:43580       *:*
#6
22.7 Legacy Series / tftp not working
December 09, 2022, 12:42:44 PM
Just installed the TFTP plugin on OPNsense 22.7.9_3-amd64

listen addr: 127.0.0.1
enable
and save

The service is not starting.

logmsg:
Notice   root   /usr/local/etc/rc.d/tftpd: WARNING: failed to start tftpd
#7
Hello,
I have set up a mail gateway on the latest OPNsense release according to https://docs.opnsense.org/manual/how-tos/mailgateway.html
Sending an email with an attached file that includes the EICAR virus pattern is not detected by my OPNsense firewall.

tail -f /var/log/postfix/latest.log will show me the incoming email.
tail -f /var/log/rspamd/rspamd.log shows that rspamd is invoked, with SPF and DKIM checks.

But there is no activation of ClamAV, and no log file entry of the check.
After enabling in /usr/local/etc/clamav-milter.conf
LogSyslog yes
LogFile /tmp/clamav-milter.log

and restarting the ClamAV service,
there is also no log entry at all.

It looks like ClamAV is not activated in this milter chain.
#8
22.7 Legacy Series / debian apt not working
November 02, 2022, 05:38:43 PM
Hi,
I just replaced my firewall from Endian with OPNsense. Everything worked so far in my ESXi environment.
I added a new Debian VM. An IPv4 DHCP address was assigned, but this VM cannot access the apt mirror (IPv6).
Looks like the internal VM cannot access it via IPv6.
How can I solve it?

regards.
#9
Hello,

I use postfix and get the following warning:
Warning   postfix/smtpd   warning: permit_tls_clientcerts is requested, but "smtpd_tls_ask_ccert = no"

How can I set this parameter in /usr/local/etc/postfix/main.cf via the Web UI?
I cannot set it directly, because the Web UI will overwrite it.
It would be neat if the Web UI would allow placing extra parameters in a text field.

regards
rudi
#10
Hi,
I have one public IP/domain name. I want to access multiple backend http(s) servers (upstreams).
I have it working with one backend http server (int ip 10.0.0.5).
https://myhost.mydom.com will show content of internal webserver

Now I want to have 2 separate internal web servers (int ip 10.0.0.5 and 10.0.0.6):
access from internet:
https://myhost.mydom.com/server1
https://myhost.mydom.com/server2

How to achieve this?
I want to get rid of the server1 and server2 url part, which will reach the internal web servers.

Any ideas, working examples?

regards
rudi