Topics

1

18.7 Production Series / Interface lost with 18.7.10

« on: January 11, 2019, 11:41:55 am »

Hy!

Updated this morning to 18.7.10 amd64 with LibreSSL, some minutes ago I lost one interface, which came up again after plugging out/in the RJ45:

Code: [Select]

Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: On (IP address: 10.45.23.1) (interface: iNET[opt1]) (real interface: igb1).
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.newwanip: IP renewal is starting on 'igb1'
Jan 11 11:36:40 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:40 kernel: igb1: link state changed to UP
Jan 11 11:36:20 opnsense: /usr/local/etc/rc.linkup: Hotplug event detected for iNET(opt1) but ignoring since interface is configured with static IP (10.45.23.1 ::)
Jan 11 11:36:20 kernel: igb1: link state changed to DOWN

2

German - Deutsch / VDSL mit congstar - Wie?

« on: January 09, 2019, 09:04:29 am »

Hallo!

Im Zuge der Umstellung auf VOIP werde ich von meinem DSL-Anbieter (congstar) mit VDSL zwangsbeglückt.

Bisheriger Aufbau:

Splitter - Draytek Vigor 130 (bridged) - sense (PPPoE)

Für den Tag der Umstellung habe ich folgende Fragen:

1. Splitter MUSS weg, oder? Hat ja keine Funktion mehr...

2. Auch wenn die sense das VLAN 7 macht, MUSS trotzdem die VLAN 7 Firmware auf das Draytek, oder?

3. Ist das hier https://forum.opnsense.org/index.php?topic=7270.0 eigentlich behoben?

4. Hab ich was übersehen? :-)

Vielen Dank vorab!

3

18.7 Production Series / Added new floating rule - in live view wrong rules are given

« on: December 22, 2018, 03:10:37 pm »

Hi everybody!

Have here an up-to-date amd64 install I configured these days. This morning I had a look at the live view of the FW log and found that for some (not all) entries the WRONG FW rule was indicated that resulted in blocking this traffic.

I had to add a rule (Floating this time) and afterwards I had a look into live view of FW logs again. This time even more entries had the wrong FW rule listed.

Here is an example:

Code: [Select]

lan Dec 22 07:20:27 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:19 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:15 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:13 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs
lan Dec 22 07:20:12 10.0.0.33:60061 153.122.0.27:80 tcp USER_RULE: Block SILENT HTTPS any NOT LAN or VPNs

As can been seen, the port does not match to the description of the FW rule which caused the block. And I have more of this in my list. Is there any known bug in parsing the "decription" of the FW rules to the live view?

4

18.7 Production Series / Scheduled BLOCK rule - Will states be killed?

« on: December 21, 2018, 09:50:16 am »

Hello again!

I have scheduled BLOCK rules (not Allow rules!) and would like to know, if the states are killed automagically when the block rule kicks in.

Is there anybody who could enlighten me? :-)

For scheduled ALLOW rules I guess the states will be killed when the permited interval is over, or?

5

18.7 Production Series / Cron job - Reset states- How?

« on: December 20, 2018, 03:19:23 pm »

Hi again!

From time to time I have to reset the states with a simple

Code: [Select]

/sbin/pfctl -F state
via Cron.

However, I don's see any "free text" option for Cron under "System"-"Settings"-"Cron".

Is it possible to create an arbitrary Cron job and switch the <command> in the config.xml to make this work?

6

18.7 Production Series / Block private on WAN- How to stop logging?

« on: November 19, 2018, 09:44:09 am »

Hello again!

Have a broadcast spammer with a private IP on my Wan address (with a public IP...) and would like to stop logging this, as it's flooding my firewall log.

Editing this rule is not possible in GUI, as you get redirected to the interface, where the only option is to turn on/off. Any other options from command line or editing the confing.xml? :-)

Many thanks in advance...

7

18.7 Production Series / IDS and PPPoE - some details?

« on: November 16, 2018, 03:19:25 pm »

Hi again!

This here is closed, apparently:

https://forum.opnsense.org/index.php?topic=3630.30

I would like to shift a PPPoE box to OPNsense, but need there IDS (and absolute reliability, as box is somewhat remote).

Is the problem only when activating IDS on WAN interface? Or is it IDS in general, that might cause trouble? Would it be an option to run IDS only on LAN interfaces? Or has nobody a real idea?

8

18.7 Production Series / Default in GUI shows only 7 entries - How to change?

« on: November 15, 2018, 02:05:48 pm »

Hi!

The default in the GUI is often to show only the first 7 entries of a GUI item, e.g. aliases, log entries etc.

Is there a way to change this default to "all" or let's say, 100 entries? Didn't find anything in the GUI, e.g. tunables or related...

Thanks in advance!

9

18.7 Production Series / How to import Aliases?

« on: November 15, 2018, 12:34:56 pm »

Hello again!

I'm a little lost on this, have a large list of Aliases and wanted to import to an opnsense (from the dark side of the sense-universe, I must confess).

I see no option to import aliases in the respective drop-down, thought they might be imported with the firewall rules (seems to make sense), but is apparently not the case.

An easy way to get the aliases to be imported?

PS: Found this here:

https://forum.opnsense.org/index.php?topic=10199.0

Maybe someone?

10

18.7 Production Series / Locked out of GUI - Reseet to factory from console (shell)

« on: November 14, 2018, 08:18:49 pm »

Hi!

While configuring a vga install (updated to the latest), I imported interfaces form a different config (with more interfaces than physically available in my current install), after fixing this I have a DHCP server on the LAN, but nothing going back and forth (no ping to the box, no GUI of the box, nothing). Disabeling pf from console (shell) doesn't help.

Is there a command from console (shell) to reset the opnsense to factory?

Many thanx in advance...

11

18.1 Legacy Series / openVPN tunnel connects to WAN port from OPT1 - although port on WAN blocked

« on: May 26, 2018, 04:50:47 pm »

Hi again!

I know, this is most likely a feature, not a bug, but would book this under "unexpected behaviour", so just as a "heads up" to everybody :-)

Have an OPNsense (up to date i386 nano wit LibreSSL flavour). As I use it for traveling, it has preconfigured openVPN tunnels, employing DYNDNS for the target servers running on other
OPNsenses and one remaining pfsense (x64, latest updates installed).

All doing fine. Can reach the subnet I want to reach at a specific pfsense when traveling, but was really surprised that I could reach the openVPN server as well as clients in the LAN subnet

- when the OPNsense is BEHIND the pfsense, but in a different subnet (OPT1), than the subnet attached to tunnel (LAN)
- with a WAN firewall rule BLOCKING access to the specific port the openVPN server is listening.

Really a surprise to me at first sight, but then I remembered that you can reach the GUI from LAN when entering the WAN-IP in the browser (if not specifically blocked).

So the access to the specific WAN port is NOT blocked for access via this OPT1 network.

Will hopefully soon switch this remaining pfsense to OPNsense, but likely have to expect the same behaviour, as the openVPN traffic is hitting the WAN adress not via the WAN interface, which has the block rule, or? :-)

12

17.7 Legacy Series / Alias resolving fails once - dies forever

« on: December 30, 2017, 10:13:22 am »

Hi again!

Have an ugly problem with a pf*ense, as described already some months ago by somebody else here:

https://redmine.pfsense.org/issues/8001

Is there a good chance that this is not present in current opnsense? Want to switch this box  soon, but would like to know first.. :-)

Many thanks in advance

13

General Discussion / Wanna sleep bad for some weeks or so?

« on: September 02, 2017, 01:49:17 pm »

The full range of nightmares you can imagine on your perimeter, or?

https://www.bleepingcomputer.com/news/security/three-hardcoded-backdoor-accounts-discovered-in-arris-modems/

Guarantee this is not the only maker with such stuff built-in...

14

17.7 Legacy Series / Unbound - DNS via TLS?

« on: July 21, 2017, 11:35:26 am »

Hi everybody!

Recently I read somethink about unbound, starting to support DNS via TLS, to stop providers and everyone else on the net to know which pages are used by whom on the internet.

Are there any plans to make this feature available in the near future in the opnsense GUI? Is this even possible in the next time?

Would like to know about that crucial privacy feature!

Many thanks in advance

15

17.1 Legacy Series / Install minipci wifi card...

« on: May 13, 2017, 03:23:13 pm »

Hi!

Have here an

OPENVOX IPC110 board

and an older

Intel WM3945ABG wifi card (Dell P/N 0PC193)

and want to run the wifi card on this board. :-)

Found this here:

https://forums.freebsd.org/threads/6443/

..but I'm not sure if I need to do the edits to BSD system files to make the card work. And have no idea how (console as root? Is there any decent editor installed, like nano? Don't want to fight with vi... :- ( )

Any suggestion on how to make this work?

Many thanks in advance!