OPNsense Forum - Show Posts
Topics - nikkon

1
General Discussion / KPN fiber bypass vendor router
« on: March 28, 2024, 12:43:22 pm »
Hi all,

I just switched to KPN Fiber and I can see that their router is using PPPoE to connect to KPN.
I created the connection on my OPNsense, however I can't make it connect.
Has anyone done this? I need some guidance to make this work.
KPN support is not helping.

2
General Discussion / dns the same IP but different ports
« on: February 19, 2024, 06:19:16 pm »
Hi all,
I am looking for guidance.
I upgraded TrueNAS Core to Scale. Core jails could get IPs from the LAN DHCP, but the new OS with k8s can't. So, since on TrueNAS Scale all apps share the same ingress IP (the TrueNAS IP), can I add different DNS entries and filter by port & name?

Thank you

3
General Discussion / out rule question
« on: March 07, 2023, 10:38:36 pm »
Hi all,
I have a few floating rules on both WAN (direction IN) and LAN (direction OUT) which are blocking one specific host on the LAN from reaching outside connections.
I don't want to disable the rules on LAN (this is where it happens); instead, I tried excluding that particular host from the match by using invert. Something doesn't work and I have no clue what.

The blocking rule is Block DROP out 1 - LAN.
How can I exclude only 1 IP from matching this rule?


4
General Discussion / routing question
« on: February 21, 2023, 02:18:30 pm »
Hi all,
I got stuck with the following situation:
I have a few VLANs and several networks.
2 networks have a problem:
network 1 -> 172.16.10.0/24 with x clients - no VLAN
network 2 -> 172.16.20.0/29 with only 2 clients - VLAN10
Now these 2 networks intersect in my storage (TrueNAS), where I have 1 interface linked to network 1 and the second interface linked to network 2:
jail 1 -> connects to the non-VLAN network and gets DHCP (172.16.10.11)
jail 2 -> connects to VLAN10 and gets DHCP (172.16.20.3)

Now the problem is: the VLAN10 network uses an OpenVPN gateway (Surfshark) to reach the internet.
I need to make the 2 jails talk to each other by preventing 172.16.20.3 from using the default gateway as its internet gateway.

Ping from 172.16.10.11 to 172.16.20.3 works.
Ping from 172.16.20.3 to 172.16.10.1 (gateway) works, but it doesn't with 172.16.20.3.

What am I missing?
Can it be the switch port? Network 2 binds to a tagged switch port. I think it is blocked at the firewall level.

thank you


5
General Discussion / unbound crash every day
« on: October 31, 2022, 06:09:13 am »
Hi all,
I have a weird unbound problem. It crashes once a day because of:
2022-10-31T05:03:13 Error unbound [75750:0] error: remote control failed ssl crypto error:02FFF020:system library:func(4095):Broken pipe
2022-10-31T05:03:13 Notice unbound [75750:0] notice: failed connection from 127.0.0.1 port 14221
2022-10-31T05:03:13 Error unbound [75750:0] error: remote control failed ssl crypto error:02FFF020:system library:func(4095):Broken pipe

I have DNS over TLS enabled with Cloudflare and under Custom Options I manually added
tls-cert-bundle: /var/unbound/unbound_server.pem
I have verified all CAs and certificates. All (self-signed + ACME) are valid.

Any clue what this error means?

6
Zenarmor (Sensei) / add SQLite datasource in Grafana
« on: September 27, 2022, 03:24:00 pm »
Hi all,
I see the new version comes with SQLite as the local DB for the data in Zenarmor. I was wondering, has anyone managed to define it as a datasource in Grafana?

7
Zenarmor (Sensei) / Mongodb crash because of a missing pkg
« on: August 20, 2022, 05:17:47 pm »
Hi all,

I am on OPNsense 22.7.2-amd64

Sensei doesn't work because MongoDB cannot start:
pkg check -da
Checking all packages: 100%
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
py37-pymongo has a missing dependency: python37
py37-pymongo has a missing dependency: py37-setuptools
py37-pymongo is missing a required shared library: libpython3.7m.so.1.0

Can anyone tell me a repo from where to get these missing files?

thanks

8
Hardware and Performance / need help with USB Realtek wifi
« on: April 13, 2022, 04:51:42 pm »
Hi all,

I am trying to initialize a USB WiFi adapter (ASUS AC68) based on a Realtek chip.
It looks like it has been detected:
ovpnc1: link state changed to UP
ugen1.3: <Realtek 802.11ac NIC> at usbus1 (disconnected)
ugen1.3: <Realtek 802.11ac NIC> at usbus1

But I can't see it as an interface. How do I initialize it?
any guide is welcome

Thank you

9
General Discussion / DHCP issue on VLAN
« on: March 01, 2022, 04:07:12 pm »
Hi all,

I have a stupid problem.
I have 3 VLANs:
     Lan_Wifi tag 10 - 172.16.20.0/24
     Guest_Wifi tag 20 - 172.16.30.0/24
     Iot_wifi tag 30 - 172.16.40.0/24

VLAN 10 and 30 work perfectly. Every network has its own DHCP server.
Guest_Vlan maps to a Wifi_Guest SSID and has a DHCP server associated with it as well. The clients of this network are set not to have access internally, only internet access.
Every time I add a new client, it gets the IP from the pool, the GW and DNS. However, it does 0 traffic.
If I add the device to the list of DHCP Static Mappings, it starts working as expected.
Once the client gets the IP from the DHCP server serving the Wifi_Guest network, the client appears in the leases list as Offline.


All other DHCP networks have a mapping for every entry.
Any clue why this is happening? I'm missing something for sure :(

thank you

10
Virtual private networks / wireguard point to point guidance
« on: February 09, 2022, 09:37:16 am »
Hello,

Has anyone managed to set up a point-to-point WireGuard VPN?
Can you please point me to some docs (the one on OPNsense is incomplete, I believe)?

Thanks

11
Hardware and Performance / Ten64 NXP CPU
« on: August 19, 2021, 11:16:52 am »
Hello,

Has anyone tested this hardware? Looks pretty awesome.
https://www.traverse.com.au/hardware-1.html


12
Hardware and Performance / compatible USB Wifi
« on: February 17, 2021, 09:14:54 am »
Hi there

Is there any compatible USB WiFi adapter that works with OPNsense?
Has anyone tested any?

thanks
 

13
Tutorials and FAQs / HOWTO - Routing OPNsense traffic over Surfshark VPN
« on: January 11, 2021, 12:04:57 am »
Hi all,

This is my first time writing a howto; if there are inconsistencies just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only 1 of my local IPs (one jail in particular), so I decided to go with Surfshark VPN, and below is the step-by-step config:

Step 1
  Create a Surfshark account and log in.
  Once in, go to Manual Setup -> Manual -> Credentials. (Keep those safe.)
  Switch back to Files and choose one of the servers you want (servers in the respective country you decide you will use as exit point).

Step 2
   In OPNsense: go to System -> Trust -> Certificates
     Press the + Add button. Then fill the fields out like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:

-----BEGIN CERTIFICATE-----
MII3...

/UplsM=
-----END CERTIFICATE-----

This data can be also found in the CA&TLS certificates archive under the "Other configuration files" section on your SurfShark account.

Step 3
   In Opnsense: Under VPN -> OpenVPN -> Clients 
   Add new client:
  Disable this client: leave unchecked.
  Server mode: Peer to Peer (SSL/TLS);
  Protocol: UDP on IPv4 only (you can also use TCP);
  Device mode: tun – Layer 3 Tunnel Mode;
  Interface: WAN; (whatever name your wan interface has)
  Local port: leave blank;
  Server host or address: the server hostname that you want to connect to, from the list of servers from Step 1;
  Server port: 1194 (use 1443 if you use TCP, as I do);
  Proxy host or address: leave blank;
  Proxy port: leave blank;
  Proxy Authentication: None;
  Description: Any name you like.
 
  Remember to use your credentials from Step 1 (the ones you were advised to keep safe :P)
 
  Enable TLS Authentication for packets and use the following TLS Key:

-----BEGIN OpenVPN Static key V1-----
b02c4f079a4a49888da566b9978346
.......
e7279ff1a19cb092659e8c1860fbad0d

-----END OpenVPN Static key V1-----

TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or, as in my case, the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No preference

Add this under Advanced:
   tls-client;
   remote-random;
   tun-mtu 1500;
   tun-mtu-extra 32;
   mssfix 1450;
   persist-key;
   persist-tun;
   reneg-sec 0;
   remote-cert-tls server;

Step 4
   In the OPNsense interface go to Interfaces -> Assignment, add interface ovpnc1 (in my case) to the interfaces and give it a name (in my case simply Surfshark).
   Once the interface is created: IPv4 Configuration Type: None

Step 4.1
   If you want all your traffic to be routed via Surfshark, then select this newly created interface as the outgoing interface for DNS (Unbound & any other resolver).
   In order for the DNS to work, you need to:
   check Forwarding Mode
   uncheck DNSSEC support
   Services -> Unbound DNS -> Advanced: check both Hide Identity & Hide Version
   
Step 5
   Firewall -> NAT -> Outbound: change from "Automatic outbound NAT rule generation (no manual rules can be used)" to "Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)".
   Add one rule:
     Interface: Surfshark
     Source: <local host you want to route>
     Source Port: <ports you want to route>
     Destination: *
     Destination Port: *
     NAT Address: Interface address
     NAT Port: *
     Static Port: NO
     Description: SurfSharkVPN

# this will apply only to 1 host in your network
If you want to route all your traffic, simply change the source to the IP address of your LAN interface (192.168.1.1/24 as an example).

Step 6
Firewall -> Rules -> Surfshark:
     Protocol: IPv4 *
     Source: Lan_Wired net
     Port: *
     Destination: <my specific host>
     Port: *
     Gateway: SURFSHARK_VPNV4
     Schedule: *
     Description: VPN allow traffic
Firewall -> Rules -> Lan:
     Protocol: IPv4 *
     Source: <my specific host>
     Port: *
     Destination: *
     Port: *
     Gateway: SURFSHARK_VPNV4
     Schedule: *
     Description: gateway VPN

Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4

Step 8
Check the connection - VPN-> OpenVPN-> Log File & VPN-> OpenVPN-> Connection Status


I hope this will help.
enjoy
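The Step 3 client settings (the TLS key, AES-256-GCM, SHA512 and the Advanced directives, above all remote-cert-tls server) are the part of this setup that decides whether the tunnel can be impersonated or downgraded. What follows is an added example, not code from the HOWTO's author or from the OPNsense project: a small Python auditor that parses an OpenVPN client profile and reports which hardening directives are present or missing. The embedded profile is constructed to mirror Step 3; its hostname, file paths and tls-auth reference are placeholders rather than Surfshark values, and the severity labels are the example's own choice.

```python
"""Audit an OpenVPN client profile for the hardening directives that matter when a
firewall routes traffic through a commercial VPN, as in the HOWTO above.
Added example, not code from the OPNsense project or the HOWTO's author."""
import re

# Constructed sample: roughly the client profile OPNsense builds from Step 3.
# Hostname, paths and the tls-auth reference are placeholders, not provider values.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn-exit.example.invalid 1194
remote-random
ca /var/etc/openvpn/client1.ca
cert /var/etc/openvpn/client1.cert
key /var/etc/openvpn/client1.key
tls-auth /var/etc/openvpn/client1.tls-auth 1
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
auth SHA512
route-nopull
tls-client;
tun-mtu 1500;
tun-mtu-extra 32;
mssfix 1450;
persist-key;
persist-tun;
reneg-sec 0;
remote-cert-tls server;
"""

AEAD_CIPHER = re.compile(r"^(AES-(128|192|256)-GCM|CHACHA20-POLY1305)$", re.I)


def parse_config(text):
    """Map each directive to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments; a trailing ';' (the HOWTO's
    Advanced-box style) is stripped so those lines still parse."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.rstrip(";").split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return (severity, message) findings, most severe first."""
    d = parse_config(text)
    findings = []

    # Without 'remote-cert-tls server' any certificate from the provider CA,
    # including another customer's client cert, is accepted as the server.
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append(("HIGH", "remote-cert-tls server missing: peer not required to hold a server cert"))

    # tls-auth (HMAC) or tls-crypt (HMAC + encryption) on the control channel
    # drops unauthenticated packets before they reach the TLS stack.
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append(("HIGH", "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"))

    # Every cipher the client could negotiate should be an AEAD mode.
    ciphers = set()
    for key in ("cipher", "ncp-ciphers", "data-ciphers"):
        for args in d.get(key, []):
            ciphers.update(c for c in ":".join(args).split(":") if c)
    weak = sorted(c for c in ciphers if not AEAD_CIPHER.match(c))
    if weak:
        findings.append(("MEDIUM", "non-AEAD data ciphers negotiable: " + ", ".join(weak)))

    # Compressing attacker-influenced and secret data together leaks via
    # ciphertext length (VORACLE); 'comp-lzo no' and 'compress stub' are safe.
    comp = [a for a in d.get("comp-lzo", []) if a[:1] != ["no"]]
    comp += [a for a in d.get("compress", []) if a and a[0] not in ("stub", "stub-v2")]
    if comp:
        findings.append(("MEDIUM", "compression enabled on the tunnel"))

    # Minimum TLS version otherwise depends on the OpenVPN build's default.
    if "tls-version-min" not in d:
        findings.append(("LOW", "tls-version-min not set: older TLS versions may be negotiated"))

    if "verify-x509-name" not in d:
        findings.append(("INFO", "no verify-x509-name: any server cert from the CA is accepted, not only the chosen host"))

    if ["0"] in d.get("reneg-sec", []):
        findings.append(("INFO", "reneg-sec 0: time-based data-channel rekeying disabled"))

    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

Run as a script it prints the findings for the constructed sample; on the firewall itself you can feed audit() the profile OPNsense generates for the client instead (for the legacy OpenVPN component that lives under /var/etc/openvpn/, an assumption about the install). One caveat outside the profile: the Step 6 rules only send the host into the tunnel while the SURFSHARK_VPNV4 gateway is up. By default OPNsense loads a rule whose gateway is down without that gateway, so the host would then egress over WAN; the "Skip rules when gateway is down" firewall option drops the whole rule instead, which is the kill-switch behaviour you usually want for a host that must never leave unencrypted.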





14
20.7 Legacy Series / Unable to load backup after upgrading to 20.7
« on: August 04, 2020, 12:29:08 am »
Hello,

I might be missing something; however, just after a fresh install (because the update was unsuccessful, resulting in a restart loop), I tried to load a configuration backup from yesterday.
Surprise, surprise, it doesn't load. Can someone guide me on where I can find a more detailed log for the backup restore?
Thank you

15
General Discussion / How to mount nfs share
« on: May 14, 2020, 09:32:29 am »
Hi everyone,

Does any of you know how to mount an NFS share?

I did try and ran into errors:

[tcp] 172.16.10.3:/mnt/Storage/Mihai/monitoring_metrics: RPCPROG_NFS: RPC: Port mapper failure - RPC: Timed out


Thanks

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved