Topics - skatopn

#1
I installed 24.7 on an Intel NUC. I like to assign interface 'xxx0' to 'outside' and 'xxx1' to 'inside', but the default is the opposite. After I installed, I chose to assign the interfaces and LAN IP address according to my preference, however, I could not ping the inbound gateway router. Not even any ARP entries. After some playing around I decided to go back to the default interface assignment and see if that worked. After going through the menu options again to choose 'igc0' as LAN and 'igc1' as WAN and assign VLAN 2 to the WAN and give the LAN the inside IP address (which will be my GW IP outbound), ifconfig showed me that both LAN and WAN have a VLAN2 subinterface and the same IP address is on both WAN and LAN (parent).

I found this reddit post which appears to be this exact issue in 23.x:
https://www.reddit.com/r/opnsense/comments/17jz2l0/interface_assignment_bug/?rdt=65466

Attached is the output from ifconfig.

Anyone know anything about this behaviour, and a fix for it?
#2
How do I run a thorough low-level hardware memory test to discover any bad memory cells that may exist?

If I do find bad memory cells, do I need to replace the RAM or can I flag the specific cell addresses as bad so OPNsense will not use them?
#3
General Discussion / How do I debug OPNsense reboot?
April 08, 2024, 04:51:40 AM
Sometimes my OPNsense box reboots itself.
I don't know what triggers it.

How do I:
1. configure OPNsense to record all reboot logs to a file I can later review? (e.g. save crash dump/data/errors and boot logs)
2. troubleshoot unplanned reboots?

Thanks.
#4
I have noticed that the HDMI output seems to fail after the screen has gone to sleep or been power cycled.

I suspect this may have something to do with the HDMI protocol negotiations failing to reestablish trust (HDMI uses certificates or SSL I believe).

How can I debug this, or at least force the HDMI interface to renegotiate (bounce it)?
#5
I can run a packet capture in OPNsense, but in between the Rx (INGRESS) of a packet on an interface and the Tx (EGRESS) of a packet (assuming it passes all policies) OPNsense obviously processes the packet through the various configured policies and filters.

Question:
How do I debug packet processing within the OPNsense OS to trace the path of a packet from INGRESS (Rx) through to EGRESS (Tx) or denial/dropping?


Note, this is in addition to checking things like ARP cache, DNS cache and other standard diagnostic checks.
What I want to do does not appear to be available in the GUI so I want to know what commands I can use in the CLI to debug packet flow/processing.

TIA
#6
I think I have found a bug with the Alias JSON import function.
Before I raise a bug ticket on github, I wanted to check here first in case there is something I have missed.

This is the test alias.json I am trying to import:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
      "19a042c4-e10c-4a3b-bec2-ddecc101f177": {
        "enabled": "1",
        "name": "a_AA-aaaAA-AA_99_9_9_99",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.7.9.56",
        "categories": "",
        "description": "Aaaaa AA Aa AA Aaaa"
      },
      "68301a50-f572-4c98-9494-73ac5ab50bfe": {
        "enabled": "1",
        "name": "a_aa_aaaa_aaa_aaa",
        "type": "urltable",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "au.pool.ntp.org",
        "categories": "",
        "description": "AA AAA Aaaa"
      }
    }
  }
}


It keeps giving me the error (first attachment):


"19a042c4-e10c-4a3b-bec2-ddecc101f177.nameThe name must start with a letter or single underscore, be less than 32 characters and only consist of alphanumeric characters or underscores.
Please note that none of the aliases provided are imported due to the errors above"

I suspect that it is checking the UUID against the name constraint and therefore failing (on length and first character), but when I create another test alias through the GUI then download it, this is what I see:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
        "4d69e8f5-1ba5-43a6-afd7-91db31c86f12": {
        "enabled": "1",
        "name": "test_host",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.1.1.1",
        "categories": "",
        "description": "test_host description"
      }
    }
  }
}


However, other default aliases do NOT use UUIDs, e.g. "bogons", "virusprot", and "__wan_network", so there is at least some inconsistency here.

Question: when creating a JSON file for alias import, should we just use the name in place of the UUID, like this:

{
  "geoip": {
    "url": "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<KEY-OMITTED>&suffix=zip"
  },
  "aliases": {
    "alias": {
      "a_AA-aaaAA-AA_99_9_9_99": {
        "enabled": "1",
        "name": "a_AA-aaaAA-AA_99_9_9_99",
        "type": "host",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "10.7.9.56",
        "categories": "",
        "description": "Aaaaa AA Aa AA Aaaa"
      },
      "a_aa_aaaa_aaa_aaa": {
        "enabled": "1",
        "name": "a_aa_aaaa_aaa_aaa",
        "type": "urltable",
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "au.pool.ntp.org",
        "categories": "",
        "description": "AA AAA Aaaa"
      }
    }
  }
}

?
(although I tested this and still got the same error, which makes no sense because no field in the JSON is breaking the rule it claims it is breaking... (see second attachment))

...hmmm, so based on that, I am concluding there is most definitely a bug that needs fixing...
#7
This post is mainly for feedback, but also clarification.

During initial setup after installation or factory reset, OPNsense asks me a question like:
"Do you want to use HTTPS instead of HTTP for the Web GUI?" (or something very similar) and expects a [Y]es or [N]o response from me, to which I (of course) always answer [Y]es.
However, the very next question the setup script asks me is whether I want to reset all Web settings back to the default.
I find this very confusing - is it resetting my election to use HTTPS over HTTP, or not?
It is not clear.

I believe these questions in the setup script should be reversed so there is no ambiguity.

I searched the Forum and also the source code repository for the script file that contains this, but I couldn't find anything, sorry, hence the question here.
#8
The documentation page at https://wiki.opnsense.org/manual/aliases.html on Alias configuration is lacking essential configuration details.

There are no examples of how to configure:

  • URL (IP) - section entirely missing from documentation
  • URL (Table) - no examples given to show how this should be configured
  • BGP ASN - no examples given to show how this should be configured

A very similar question was asked way back in 2018, here:
https://forum.opnsense.org/index.php?topic=9775.msg44631#msg44631
It has had over 4000 views, which should inform the developers, but there is not a single answer offered.

I would update the help text myself, but I don't have the answers myself to do so.

Can someone at least provide a screenshot or simple example of these Alias types showing how they must be configured or what OPNsense expects in the "Content" field?
#9
Further to this post: https://forum.opnsense.org/index.php?topic=38501.msg188471#msg188471

I want to understand exactly why we cannot have more flexible Alias names that would match firewall object name formats found in many other enterprise firewall and network security systems (like Juniper SRX, Cisco FP/ASA, CheckPoint Firewalls, Fortigate Firewalls).

It makes no sense to me from a firewall rule/policy perspective that I can't use the period (.) or the hyphen ('-') characters in Alias names such that I could properly mimic a Fully Qualified Domain Name in the Alias name. It is common practice amongst professional firewall and network security engineers to use hostnames, IP addresses, FQDNs or a combination of those separated by underscores, periods and/or hyphens as the name of the object that is referred to in the policy.

The only thing I can conclude is, 'yes', Alias names become PF Macro names under the hood.

Someone correct me if I am wrong.
#10
Exactly that:

If I have already configured subnets as Alias objects and created group objects containing those aliases, can I not use them when defining DNS ACL in the BIND configuration?

If not, can this please be added?

I want to spend less time configuring, not more...

Thanks.
#11
Hi,

The Alias name allowed character and format requirements are way too restrictive.
It doesn't even allow you to create an Alias using standard RFC hostname formats.

It is very common in enterprise firewall systems to create network objects - i.e. network Aliases - that incorporate an FQDN, or a hostname, or an IP address, or a combination of those, and which include separator characters such as hyphen ("-"), underscore ("_") and the period (".").

The underscore character ("_") is currently allowed in Alias names.

PLEASE, PLEASE, PLEASE change the Alias name syntax to allow the inclusion of at least these two extra characters - hyphen ("-") and period (".")!

Also, can you please add a context help note to indicate the maximum string length for these fields?
#12
Hi,

A lot of people - a LOT - use Excel (and similar tools) to manage all sorts of data sets, including but not limited to network data sets, such as lists of hosts, lists of policies (Firewall and NAT), and lists of service objects.

I want to be able to import from CSV files (using appropriate formatting/columns):

  • lists of network Alias objects
  • lists of service Alias objects
  • NAT Rulesets
  • Firewall Rulesets
  • Static Routes

Are any of these currently possible?

  • If so, how?
  • If not, then it would be really great to at least be able to import a list of network and service Alias objects to speed up the creation of FW and NAT Rules.

Creating all these objects manually is a very tedious process, but tools like Excel can save a lot of time when you are developing a complete list of objects that follow pre-defined naming conventions, or when you are creating a complete Ruleset for a new firewall deployment.

The ability to do this (CSV object import) would make migrating from another vendor to OPNsense much less painful.

Feature Request please :)
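The following is an added example, not code from OPNsense or from the poster, that speaks to two of the posts above at once: the alias JSON import failure in #6 and the CSV-to-alias request in #12. It builds an import document in the same field layout as the GUI export quoted in #6 from a CSV sheet, and it checks every alias name against the rule quoted in the import error (start with a letter or a single underscore, under 32 characters, alphanumerics and underscores only). Note that the first alias name in the #6 import file, a_AA-aaaAA-AA_99_9_9_99, contains hyphens, which that rule does not permit, so the checker flags it; the object keys are left as UUIDs, matching the export. Assumptions, not taken from the page: the CSV columns name,type,content,description; multiple content entries separated by ';' in a cell and joined with newlines in the JSON; the set of accepted alias types beyond the host and urltable seen on the page; and the regex itself, which is my reading of the error text rather than the project's validator. The sample sheet is constructed.

```python
"""Build an OPNsense alias-import JSON document from a CSV sheet and
pre-check alias names against the rule quoted in the import error.
Added example, not OPNsense code; see the assumptions in the lead-in."""
import csv
import io
import json
import re
import uuid

MAX_NAME_LEN = 32  # the error says "less than 32 characters"
# Assumed accepted types; the page's own examples use host and urltable.
ALIAS_TYPES = {"host", "network", "port", "url", "urltable", "geoip",
               "asn", "networkgroup", "mac"}
# Assumed regex for "letter or underscore first, alphanumerics/underscores".
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def alias_name_errors(name):
    """Return the rule violations for one alias name (empty list if it passes)."""
    errs = []
    if not NAME_RE.match(name):
        errs.append("must start with a letter or underscore and use only "
                    "alphanumerics or underscores")
    if name.startswith("__"):
        errs.append("must not start with more than a single underscore")
    if len(name) >= MAX_NAME_LEN:
        errs.append("must be less than %d characters" % MAX_NAME_LEN)
    return errs


def alias_entry(name, atype, content, description=""):
    """One alias record in the field layout of the GUI export."""
    # Assumption: multi-entry content is newline-separated in the JSON.
    parts = [p.strip() for p in content.split(";") if p.strip()]
    return {
        "enabled": "1",
        "name": name,
        "type": atype,
        "proto": "",
        "interface": "",
        "counters": "0",
        "updatefreq": "",
        "content": "\n".join(parts),
        "categories": "",
        "description": description,
    }


def csv_to_alias_json(csv_text, keyfn=lambda: str(uuid.uuid4())):
    """Convert CSV rows to the import document; returns (doc, errors).
    Rows with a bad name, unknown type or duplicate name are reported and
    left out so the importer's all-or-nothing rejection is caught locally."""
    doc = {"geoip": {"url": ""}, "aliases": {"alias": {}}}
    errors, seen = [], set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(csv_text)), 2):
        name = (row.get("name") or "").strip()
        atype = (row.get("type") or "").strip()
        problems = ["name " + e for e in alias_name_errors(name)]
        if atype not in ALIAS_TYPES:
            problems.append("unknown type %r" % atype)
        if name in seen:
            problems.append("duplicate name")
        if problems:
            errors.append("row %d (%s): %s" % (lineno, name, "; ".join(problems)))
            continue
        seen.add(name)
        doc["aliases"]["alias"][keyfn()] = alias_entry(
            name, atype, row.get("content") or "", row.get("description") or "")
    return doc, errors


def check_import_names(doc):
    """Apply the name rule to the 'name' fields of an existing import file
    (the object keys are UUIDs and are not names); returns {key: errors}."""
    result = {}
    for key, alias in doc["aliases"]["alias"].items():
        errs = alias_name_errors(alias["name"])
        if errs:
            result[key] = errs
    return result


# Constructed sample sheet: two valid rows, then the hyphenated name from #6.
SAMPLE_CSV = """name,type,content,description
srv_web_10_7_9_56,host,10.7.9.56,Web server
mgmt_nets,network,10.7.0.0/24;10.8.0.0/24,Management subnets
a_AA-aaaAA-AA_99_9_9_99,host,10.7.9.56,hyphens are rejected by the rule
"""

if __name__ == "__main__":
    document, skipped = csv_to_alias_json(SAMPLE_CSV)
    print(json.dumps(document, indent=2))
    for line in skipped:
        print("skipped:", line)
```

Run it and paste the printed JSON into the alias import dialog; any row listed under "skipped" would have caused the importer to reject the whole file, so fix those names in the sheet first. Point check_import_names at a file you already have to see which name, rather than which UUID key, breaks the rule.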