General Discussion / Networking 101 - or not?
« on: October 23, 2024, 05:28:33 pm »
Hy again!
Have here a problem that started after updating VirtualBox to 7.1.4 on a host in one of my networks behind an OPNsense (24.7.6, bare metal); topology given in the graph below the post.
The VBox HOST (10.0.0.29) is an openSUSE Tumbleweed (kernel 6.11.3.2-default).
Problem: No GUEST whatsoever (Win7, Win10, openSUSE Leap 15.6...) on the VBox with NAT has functional networking in the setup shown in the graph. The GUEST always gets an IP of 10.0.2.15, the HOST has 10.0.2.2.
There is no functional DNS (set to 10.0.2.3 in the GUEST via DHCP) in the GUEST, there is no ping to 10.0.2.1 or 10.0.2.2, although I'm unsure whether the HOST has 10.0.2.1 or 10.0.2.2 from this here:
https://www.nakivo.com/blog/virtualbox-network-setting-guide/
Hint: There is a 10.0.2.0/27 on the OPNsense. But normally that should not matter, as there is NAT in between, or?
However, the VBox HOST has access via firewall rules on the OPNsense to some machines in the native 10.0.2.0/27 network.
What resolves the problem:
- On another HOST in another OPNsense install that has NO 10.0.2.0/x network, the GUESTS on VBox have functional networking.
- Setting Network in the VBox configuration to "NAT network" (instead of "NAT") hands out IPs in a different IP range and the networking works just fine for VBox GUESTs.
What I don't understand is why there is a problem at all with networking in the GUESTs. Is it because the HOST (10.0.0.29) knows the VBox network (10.0.2.0/x) AND the native 10.0.2.0/27 on the OPNsense, and therefore doesn't know where to route the traffic to (or always routes it to the OPNsense)?
I have tried to change the IP range for the VBox NAT, but to no avail.
Along the line:
Code:
VBoxManage modifyvm leap153_25042021 \
--natnet1 "10.121.34.0/28"
But that results in nonfunctional networking.
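Two things worth checking for the symptoms in the post are whether the VirtualBox NAT range overlaps a network the host can already reach, and whether the addresses VirtualBox reserves inside a custom range are usable host addresses at all. The script below is an added example, not VirtualBox or OPNsense code. The host's route list is constructed (the /24 for the host's own LAN is an assumption; 10.0.2.0/27 is the network named in the post), and it assumes VirtualBox applies the same host-part offsets (.2 gateway, .3 DNS proxy, .15 first guest) to a range given with `--natnet1` as it does in the default 10.0.2.0/24.

```python
"""Sanity checks for a VirtualBox "NAT" mode address range (added example)."""
import ipaddress

# Host-part offsets VirtualBox uses in NAT mode: 10.0.2.2 gateway, 10.0.2.3 DNS proxy,
# 10.0.2.15 first guest in the default 10.0.2.0/24.  Assumption: the same offsets are
# applied to a custom range set with --natnet1.
NAT_OFFSETS = {"gateway": 2, "dns": 3, "guest": 15}

# Constructed sample: networks the VBox host 10.0.0.29 can reach.  The host's own LAN
# as a /24 is an assumption; 10.0.2.0/27 is the OPNsense-side network named in the post.
ROUTES_HOST_A = ["10.0.0.0/24", "10.0.2.0/27"]


def nat_addresses(nat_net):
    """Addresses VirtualBox would use for each role inside nat_net."""
    net = ipaddress.ip_network(str(nat_net), strict=False)
    return {role: net.network_address + off for role, off in NAT_OFFSETS.items()}


def is_usable_host(addr, net):
    """True if addr lies inside net and is neither its network nor its broadcast address."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def overlapping_routes(nat_net, routes):
    """Host routes that overlap the NAT range; guest traffic to them is ambiguous."""
    net = ipaddress.ip_network(str(nat_net), strict=False)
    return [r for r in map(ipaddress.ip_network, routes) if r.overlaps(net)]


def check_nat_range(nat_net, routes):
    """Human-readable findings for a NAT range on a host with the given routes."""
    net = ipaddress.ip_network(str(nat_net), strict=False)
    findings = [f"{net} overlaps host route {r}" for r in overlapping_routes(net, routes)]
    for role, addr in nat_addresses(net).items():
        if not is_usable_host(addr, net):
            # e.g. in a /28 the .15 guest address is the broadcast address
            findings.append(f"{role} address {addr} is not a usable host address in {net}")
    return findings


if __name__ == "__main__":
    for candidate in ("10.0.2.0/24", "10.121.34.0/28", "10.121.34.0/24"):
        print(candidate, check_nat_range(candidate, ROUTES_HOST_A) or ["no findings"])
```

Run against the constructed route list, the default 10.0.2.0/24 is flagged for overlapping 10.0.2.0/27, the /28 from the post is flagged because its .15 guest address is the broadcast address of a /28, and a /24 in an unused range produces no findings; this is a check to run, not a claim about the root cause.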
24.7 Production Series / OPNsense suddenly unreachable - How to debug
« on: August 21, 2024, 05:16:52 pm »
Hy!
Have here a Dell Optiplex box (doing fine for years) that failed some weeks ago after an update (a new SSD had been installed some weeks before). As a result I reinstalled on another fresh SSD with ZFS some weeks ago. Afterwards the box was stable.
About 1 week ago I upgraded to 24.7.1, and today all of a sudden one LAN client was unreachable; a reboot resulted in no IP via DHCP. Moreover I could not reach the OPNsense via GUI or serial console. Rebooting (hard reset) brought the OPNsense back, but I want to learn what is failing here.
Where to start looking? Which logs might help?
24.7 Production Series / Dashboard re-write - Which plugins do survive?
« on: July 16, 2024, 04:59:32 pm »
Hy!
Read the release notes for 24.7.RC1 and found this gem:
Quote:
o The dashboard has been replaced. Widgets from the old format are no longer supported and need to be rewritten by the respective authors.
Is there an overview of which widgets are available as of now? Who are the maintainers of the remaining widgets, and are there any re-writes to be expected? Timelines, maybe, at least preliminary? ;-)
24.1 Legacy Series / Disabled IPS rule comes back to life again and again
« on: May 31, 2024, 12:39:07 pm »
Hy!
On the latest community release here. Have had IPS configured and running for years, but due to a change in Linux repos on some machines, a rule for TOR endpoints (co-located on the repo IP?) has been firing for some time now.
At first I disabled the rule individually, but after 1-4 days the disabled rule turned to enabled again. Several times, for weeks now.
Btw this happens on TWO installs of OPNsense.
I tried "Policy" and chose the rule set tor.rules (from alerts) and "Action" as "Disabled". Applied. Works for some hours, then the alerts/blocks are back.
What is the way to disable this specific rule/rule set? It's spamming my alert email account.
24.1 Legacy Series / Want to move an interface to another OPNsense...
« on: May 18, 2024, 02:44:00 pm »
Hi again!
Want to move settings
- Interface config
- DHCP 4 (ISC)
- Aliases
- FW-rules
(- forgot something important?)
from one OPNsense to another one (both 24.1.7).
Is there a way other than text editor + config.xml of both OPNsenses?
Many thanks in advance
24.1 Legacy Series / 24.1 - DHCP server moves to KEA - implications?
« on: January 19, 2024, 01:40:26 pm »
Hi!
No 24.1 board yet, so posting in 23.7 forums.
I read in the release notes for 24.1 RC1:
Code:
ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore.
Would be quite helpful to know which problems might arise from this, and which use cases might not be covered when moving to 24.1. Is a new installation recommended for 24.1 due to this?
23.7 Legacy Series / Upgraded to 23.7.11 - all logs empty
« on: January 04, 2024, 06:26:31 pm »
Hy!
I upgraded 2 systems today to 23.7.11, without rebooting. Now all logs (System, Services) are completely empty in the GUI, see attached.
Any ideas?
23.7 Legacy Series / No Unbound replies on new interface
« on: October 03, 2023, 07:23:02 pm »
Hi!
Installed a fresh 23.7, all up-to-date and imported my working config for DNS-over-TLS with unbound. All fine.
I configured a new interface, DHCP works, set up firewall rules (including a block to HTTPS of opnsense and allowing IPv4 UDP to port 53 of opnsense), added the new interface to unbound in the GUI and applied. Rebooted. According to resolv.conf on the only host attached to the new interface, the DNS is set to the interface address of the opnsense.
With a packet capture on port 53 of the new opnsense interface I see the requests of the host, but there is no reply at all from unbound.
With "inspect" on the FW-rules page of the new interface I see no evaluation of the FW rule allowing UDP to port 53 of the opnsense?!?! The only rule hit is the first on the page, no matter which rule this is...
Any ideas?
22.7 Legacy Series / ping?
« on: November 30, 2022, 06:22:05 pm »
https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc
...anything to be done/known on this?
22.7 Legacy Series / Error: DEVD: Ethernet attached
« on: November 26, 2022, 11:57:26 am »
Hi!
Have here a "Service" interface on an OPNsense (yesterday updated from 22.7.7_1 to 22.7.8, btw) which is only used from time to time (as the name might insinuate). Today I plugged a client into the interface and got a
Code:
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
...which reset all my other interfaces, interrupting traffic, due to a flapping interface some seconds later:
Code:
2022-11-26T11:03:41 Notice flowd_aggregate.py vacuum done
2022-11-26T11:01:00 Notice root reload filter for configured schedules
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.100.10.99) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
2022-11-26T11:00:46 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt3(igb1)
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : webgui_configure_do(,opt3))
2022-11-26T11:00:11 Notice opnsense plugins_configure newwanip (execute task : vxlan_configure_do())
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: warning: ignoring missing default tunable request: debug.pfftpproxy
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : unbound_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : openssh_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : opendns_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : ntpd_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dyndns_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (execute task : dnsmasq_configure_do())
2022-11-26T11:00:10 Notice opnsense plugins_configure newwanip (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: Resyncing OpenVPN instances for interface Service.
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : openvpn_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (execute task : ipsec_configure_do(,opt3))
2022-11-26T11:00:10 Notice opnsense plugins_configure vpn (,opt3)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: IP address renew, killing all previous states
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Adding static route for monitor 1.1.1.1 via xx.xxxx.xxx.xxx
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: Removing static route for monitor 1.1.1.1 via 83.248.112.1
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (execute task : dpinger_configure_do(,))
2022-11-26T11:00:09 Notice opnsense plugins_configure monitor (,)
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: skipping IPv4 default route
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: IPv4 default gateway set to wan
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt3'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: On (IP address: 10.0.1.199) (interface: Service[opt3]) (real interface: igb1).
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
Annoying... :-(
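The log above is what a link flap on opt3 looks like from the OPNsense side: a detach at 11:00:46, a re-attach two seconds later, and a second round of rc.newwanip processing, including "killing all previous states", which is where the traffic interruption comes from. The parser below is an added example, not OPNsense code. It takes a subset of the lines quoted above (the GUI lists newest first, so it sorts them into time order), flags detach/attach pairs on the same interface inside an arbitrary ten-second window, and counts the IPv4 renewals and state flushes that followed, which is a useful check to run over the full system log when hunting for this kind of event.

```python
"""Link-flap and reconfiguration summary for OPNsense rc.linkup / rc.newwanip log lines
(added example, not OPNsense code)."""
import re
from datetime import datetime, timedelta

# Sample input: a subset of the log lines quoted in the post, in the GUI's newest-first order.
LOG = """\
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:48 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
2022-11-26T11:00:46 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet detached event for static opt3(igb1)
2022-11-26T11:00:10 Error opnsense /usr/local/etc/rc.newwanip: IP address renew, killing all previous states
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: ROUTING: entering configure using 'opt3'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.newwanip: IPv4 renewal is starting on 'igb1'
2022-11-26T11:00:09 Error opnsense /usr/local/etc/rc.linkup: DEVD: Ethernet attached event for static opt3(igb1)
"""

# <timestamp> <severity> <host> <script>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>\S+) (?P<host>\S+) (?P<script>\S+?): (?P<msg>.*)$")
LINK_RE = re.compile(r"DEVD: Ethernet (?P<state>attached|detached) event for \S+ (?P<iface>\w+)\((?P<real>\w+)\)")
RENEW_RE = re.compile(r"IPv4 renewal is starting on '(?P<real>\w+)'")
KILL_RE = re.compile(r"killing all previous states")


def parse(log):
    """(timestamp, script, message) tuples in chronological order; lines that do not
    fit the <script>: <message> shape are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["script"], m["msg"]))
    events.sort(key=lambda e: e[0])  # GUI shows newest first; analyse in time order
    return events


def link_flaps(events, window=timedelta(seconds=10)):
    """(iface, real, detached_at, attached_at) for every detach followed by an attach on
    the same interface within `window`.  The window length is an arbitrary choice."""
    last_detach, flaps = {}, []
    for ts, _script, msg in events:
        m = LINK_RE.search(msg)
        if not m:
            continue
        if m["state"] == "detached":
            last_detach[m["iface"]] = ts
        elif m["iface"] in last_detach and ts - last_detach[m["iface"]] <= window:
            flaps.append((m["iface"], m["real"], last_detach.pop(m["iface"]), ts))
    return flaps


def renewals_per_interface(events):
    """How many times rc.newwanip started an IPv4 renewal, per real interface."""
    counts = {}
    for _ts, _script, msg in events:
        m = RENEW_RE.search(msg)
        if m:
            counts[m["real"]] = counts.get(m["real"], 0) + 1
    return counts


def state_flushes(events):
    """Number of 'killing all previous states' entries; each one drops the existing
    firewall state table, which is the traffic interruption the post describes."""
    return sum(1 for _ts, _script, msg in events if KILL_RE.search(msg))


def summarize(log):
    events = parse(log)
    return {"flaps": link_flaps(events),
            "renewals": renewals_per_interface(events),
            "state_flushes": state_flushes(events)}


if __name__ == "__main__":
    for key, value in summarize(LOG).items():
        print(f"{key}: {value}")
```

On the sample lines it reports one flap on opt3 (igb1) with a two-second gap, two IPv4 renewals on igb1 and one state flush; the first attach at 11:00:09 has no preceding detach and is correctly not counted as a flap.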
22.7 Legacy Series / OS ddclient - How to use an URL provided by the DynDNS service in "custom"?
« on: October 03, 2022, 12:48:59 pm »
Hy!
As an extension to this here:
https://forum.opnsense.org/index.php?topic=26446.299
In "custom" (GUI) there is absolutely no way to add a single update URL-Username-PW-Domain provided by the DynDNS service of my choice?
Can anybody help out on this?
Is it possible to install both old and new plugin at the same time and use both?

