Topics

1

Zenarmor (Sensei) / add sqlight - datasource in grafana

« on: September 27, 2022, 03:24:00 pm »

Hi all,
I see the new version comes with sqlight as local db for the data in zenarmon. I was wondering, did anyone managed to define it as datasource in Grafana ?

2

Zenarmor (Sensei) / Mongodb crash because of a missing pkg

« on: August 20, 2022, 05:17:47 pm »

Hi all,

I am on OPNsense 22.7.2-amd64

Sensei doesn't work because MongoDB cannot strat:
 pkg check -da
Checking all packages: 100%
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0
py37-pymongo has a missing dependency: python37
py37-pymongo has a missing dependency: py37-setuptools
py37-pymongo is missing a required shared library: libpython3.7m.so.1.0

Anyone can tell a repo from where to get these missing files?

thanks

3

Hardware and Performance / need help with USB Realteck wifi

« on: April 13, 2022, 04:51:42 pm »

Hi all,

I try to initialize an USB wifi (asus ac68) based on realtek chip.
looks like it has been detected:
ovpnc1: link state changed to UP
ugen1.3: <Realtek 802.11ac NIC> at usbus1 (disconnected)
ugen1.3: <Realtek 802.11ac NIC> at usbus1

but I can't see it as interface. how do I initialize it?
any guide is welcome

Thank you

4

General Discussion / DHCP issue on VLAN

« on: March 01, 2022, 04:07:12 pm »

Hi all,

I have a stupid problem.
I have 3 VLANS :
     Lan_Wifi tag 10 - 172.16.20.0/24
     Guest_Wifi tag 20 - 172.16.30.0/24
     Iot_wifi tag 30 - 172.16.40.0/24

Vlan 10 and 30 work perfectly. Every network has its own dhcp server.
Guest_Vlan which maps to a Wifi_Guest SSID, and has a DHCP server associated with it as well. The customers of this network are set not to have access internally, only internet access.
everytime I add a new customer, It gets the ip from the pool, the gw and dns. however is does 0 traffic.
If I add the device in the list of DHCP Static Mappings they start working as expected.
Once the client gets the ip from the dhcp server serving Wifi_Guest network, the client appears in the leases list as Offline


All other dhcp networks have mapping for every entry
Any clue why is this happening? I miss something for sure

thank you

5

Virtual private networks / wireguard point to point guidance

« on: February 09, 2022, 09:37:16 am »

Hello,

Did anyone managed to set a point-to-point Wireguard VPN?
Can you please point me to some docs (the one on opnsense is incomplete i believe)

Thanks

6

Hardware and Performance / Ten64 NXP CPU

« on: August 19, 2021, 11:16:52 am »

Hello,

Did anyone tested this hardware? looks pretty awesome
https://www.traverse.com.au/hardware-1.html

7

Hardware and Performance / compatible USB Wifi

« on: February 17, 2021, 09:14:54 am »

Hi there

Is there any compatible USB WIFI that works with Opnsense?
Has anyone tested any?

thanks
 

8

Tutorials and FAQs / HOWTO - Routing Opnsense traffic over SurfsharkVPN

« on: January 11, 2021, 12:04:57 am »

Hi all,

My first time writing a howto, if there are inconsistencies just let me know and I'll be happy to address them.
Long story short: I was looking for a VPN provider for only 1 of my local ips (one Jail in particular). As so I decided to go with SurfShark VPN, and bellow is the step-by-step config:

Step 1
  Create SurfShark account and login
  Once in, Go to Manual Setup -> Manual -> Credentials. (Keep those safe)
  Switch back to Files and choose one of the servers you want (servers in the respective country you decide you
  will use as exit point)

Step 2
   In Opnsesen: Go to System -> Trust -> Certificates
     Press on + Add button. Then fill the fields out like this:
Descriptive Name: SurfsharkVPN
Method: Import an existing Certificate Authority
Certificate data:

-----BEGIN CERTIFICATE-----
MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS
b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE
BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv
b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEGMNj0aisM63o
SkmVJyZPaYX7aPsZtzsxo6m6p5Wta3MGASoryRsBuRaH6VVa0fwbI1nw5ubyxkua
Na4v3zHVwuSq6F1p8S811+1YP1av+jqDcMyojH0ujZSHIcb/i5LtaHNXBQ3qN48C
c7sqBnTIIFpmb5HthQ/4pW+a82b1guM5dZHsh7q+LKQDIGmvtMtO1+NEnmj81BAp
FayiaD1ggvwDI4x7o/Y3ksfWSCHnqXGyqzSFLh8QuQrTmWUm84YHGFxoI1/8AKdI
yVoB6BjcaMKtKs/pbctk6vkzmYf0XmGovDKPQF6MwUekchLjB5gSBNnptSQ9kNgn
TLqi0OpSwI6ixX52Ksva6UM8P01ZIhWZ6ua/T/tArgODy5JZMW+pQ1A6L0b7egIe
ghpwKnPRG+5CzgO0J5UE6gv000mqbmC3CbiS8xi2xuNgruAyY2hUOoV9/BuBev8t
tE5ZCsJH3YlG6NtbZ9hPc61GiBSx8NJnX5QHyCnfic/X87eST/amZsZCAOJ5v4EP
SaKrItt+HrEFWZQIq4fJmHJNNbYvWzCE08AL+5/6Z+lxb/Bm3dapx2zdit3x2e+m
iGHekuiE8lQWD0rXD4+T+nDRi3X+kyt8Ex/8qRiUfrisrSHFzVMRungIMGdO9O/z
CINFrb7wahm4PqU2f12Z9TRCOTXciQIDAQABo1AwTjAdBgNVHQ4EFgQUYRpbQwyD
ahLMN3F2ony3+UqOYOgwHwYDVR0jBBgwFoAUYRpbQwyDahLMN3F2ony3+UqOYOgw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAn9zV7F/XVnFNZhHFrt0Z
S1Yqz+qM9CojLmiyblMFh0p7t+Hh+VKVgMwrz0LwDH4UsOosXA28eJPmech6/bjf
ymkoXISy/NUSTFpUChGO9RabGGxJsT4dugOw9MPaIVZffny4qYOc/rXDXDSfF2b+
303lLPI43y9qoe0oyZ1vtk/UKG75FkWfFUogGNbpOkuz+et5Y0aIEiyg0yh6/l5Q
5h8+yom0HZnREHhqieGbkaGKLkyu7zQ4D4tRK/mBhd8nv+09GtPEG+D5LPbabFVx
KjBMP4Vp24WuSUOqcGSsURHevawPVBfgmsxf1UCjelaIwngdh6WfNCRXa5QQPQTK
ubQvkvXONCDdhmdXQccnRX1nJWhPYi0onffvjsWUfztRypsKzX4dvM9k7xnIcGSG
EnCC4RCgt1UiZIj7frcCMssbA6vJ9naM0s7JF7N3VKeHJtqe1OCRHMYnWUZt9vrq
X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087
FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC
LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI
623cSEC3Q3UZutsEm/UplsM=
-----END CERTIFICATE-----

This data can be also found in the CA&TLS certificates archive under the "Other configuration files" section on your SurfShark account.

Step 3
   In Opnsense: Under VPN -> OpenVPN -> Clients 
   Add new client:
  Disable this client: leave unchecked.
  Server mode: Peer to Peer (SSL/TLS);
  Protocol: UDP on IPv4 only (you can also use TCP);
  Device mode: tun – Layer 3 Tunnel Mode;
  Interface: WAN; (whatever name your wan interface has)
  Local port: leave blank;
  Server host or address: The server hostname that you want to connect to from the list of servers from
  Step 1
  Server port: 1194 (use 1443 if you use TCP as I do);
  Proxy host or address: leave blank;
  Proxy port: leave blank;
  Proxy Authentication: None;
  Description: Any name you like.
 
  Remember to use your credentials from step1 (the one advised to be kept safe  )
 
  Enable TLS Authentication for packets and use the following TLS Key:

-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
c7b282631d6fc19be1df6ebae9e2779e
6d9f097058a31c97f57f0c35526a44ae
09a01d1284b50b954d9246725a1ead1f
f224a102ed9ab3da0152a15525643b2e
ee226c37041dc55539d475183b889a10
e18bb94f079a4a49888da566b9978346
0ece01daaf93548beea6c827d9674897
e7279ff1a19cb092659e8c1860fbad0d
b4ad0ad5732f1af4655dbd66214e552f
04ed8fd0104e1d4bf99c249ac229ce16
9d9ba22068c6c0ab742424760911d463
6aafb4b85f0c952a9ce4275bc821391a
a65fcd0d2394f006e3fba0fd34c4bc4a
b260f4b45dec3285875589c97d3087c9
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----

TLS Key Usage Mode: TLS Authentication
Peer certificate authority: SurfsharkVPN;
Client certificate: webConfigurator default or as in my case the Let's Encrypt one
Encryption Algorithm: AES-256-GCM
Enable NCP: Check.
NCP Algorithms: AES-256-GCM (256 bit key, 128 bit block)
Auth digest algorithm: SHA512 (512-bit)
Hardware Crypto: No hardware crypto acceleration.
Don't pull routes: check
Compression: No prefference

Add this under Advanced:
   tls-client;
   remote-random;
   tun-mtu 1500;
   tun-mtu-extra 32;
   mssfix 1450;
   persist-key;
   persist-tun;
   reneg-sec 0;
   remote-cert-tls server;

Step 4
   In Opnsense interface go to Interfaces -> Assignment -> Add Interface ovpnc1 (in my case) to the interfaces and give it a name (in my case is simply Surfshark)
   Once the interface is created:  IPv4 Configuration Type : None

Step 4.1
   If you want all your traffic to be routed via Surfshark, then select this new created interface as the outgoing interface for DNS (Unbound & any other resolver)
   In order for the DNS to work, you need to :
   check Forwarding Mode
   uncheck DNSSEC support
   Services-> Unbound DNS-> Advanced: check both Hide Identity & Hide Version
   
Step 5
   Firewall -> NAT-> Outbound:  change from Automatic outbound NAT rule generation
  (no manual rules can be used) to Hybrid outbound NAT rule generation
  (automatically generated rules are applied after manual rules)
   Add one rule :
   Interface      Source                                 Source Port                   Destination       Destination Port   NAT Address      NAT Port   Static Port   Description   
Surfshark   <localhost you want to route >     <ports you want to route>     *                         *   Interface address   *   NO    SurfSharkVPN

#this will apply only to 1 host in your network
If you want to route all your traffic simply change source with the ip address of your lan interface (192.168.1.1/24 as example)

Step 6
Firewall-> Rules-> Surfshark
Protocol   Source       Port   Destination        Port   Gateway                Schedule   Description    
IPv4 *   Lan_Wired net   *   <my specific host>    *   SURFSHARK_VPNV4     *           VPN allow traffic
Firewall-> Rules-> Lan
Protocol        Source                Port  Destination        Port   Gateway                    Schedule   Description
IPv4 *   <my specific host>     *   *                  *   SURFSHARK_VPNV4   *   gateway VPN

Step 7
System-> Settings-> General:
Under DNS Servers add:
DNS Server 1: 162.252.172.57; Gateway: SURFSHARKVPN_VPNV4
DNS Server 2: 149.154.159.92; Gateway: SURFSHARKVPN_VPNV4

Step 8
Check the connection - VPN-> OpenVPN-> Log File & VPN-> OpenVPN-> Connection Status


I hope this will help.
enjoy

9

20.7 Legacy Series / Unable to load backup after upgrading to 20.7

« on: August 04, 2020, 12:29:08 am »

Hello,

I might miss something, however just after a fresh install, because the update was unsuccessful - resulting in a restart loop, I tried to load a configuration backup from yesterday.
Surprise, surprise, it doesn’t load. Can someone guide me on where I can find a more detailed log for bkp restore?
Thank you

10

General Discussion / How to mount nfs share

« on: May 14, 2020, 09:32:29 am »

Hi everyone,

did any of you knows how to mount an nfs share?

i did tried and run into errors:

[tcp] 172.16.10.3:/mnt/Storage/Mihai/monitoring_metrics: RPCPROG_NFS: RPC: Port mapper failure - RPC: Timed out


Thanks

11

General Discussion / acme on Cloudflare domains

« on: November 13, 2019, 05:24:41 pm »

Hi all,

does anyone has a step-by-step guide to create certificates on domains hosted on Cloudflare?

every time i try to create a certificate i got the :
/var/log/acme.sh.log
[Wed Nov 13 10:46:25 EET 2019]   _on_issue_err
[Wed Nov 13 10:46:25 EET 2019]   Error add txt for domain:_acme-challenge.skynet.balaci.xyz
[Wed Nov 13 10:46:25 EET 2019]   Invalid domain.

the domain cam be resolved pretty easy. However, I miss something on the acme certificate definition or validation.

any input is appreciated.
thank you

12

General Discussion / [Resolved] DynDNS with He.net

« on: November 10, 2019, 09:06:44 pm »

Hi all,

Does anyone manage to update a record on HE.net?
From the UI i tried, however i always get :
opnsense: /services_dyndns_edit.php: Dynamic DNS: (Error) Authentication failed
Nov 10 22:04:55    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): Current Service: he-net
Nov 10 22:04:55    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): _checkStatus() starting.
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz via HE.net): _update() starting.
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): running dyndns_failover_interface for opt1. found pppoe0
Nov 10 22:04:54    opnsense: /services_dyndns_edit.php: Dynamic DNS (skynet.balaci.xyz): 212.54.118.220 extracted

Any clue?

13

General Discussion / [SOLVED]opnsense as pptp client to an asus PPTP server

« on: October 02, 2019, 01:15:32 am »

Hi all,

I know it was discussed previously and there is a small topic in the archive. Unfortunately, I couldn't understand the resolution. My context is this:
I need to connect to an Asus router which unfortunately has only PPTP VPN enabled and I have an user/pass i can use.
On my WAN i have a PPPoE connection.
I created a Point-to-Point device assigning wan physical interface (tried with an unused interface too), added the username and password. I have assigned the newly created virtual interface to an interface and hoped it will connect.
unfortunately, nothing happens.
Point to point logs:
Oct 2 02:13:57   ppp: [opt2_link0] Link: reconnection attempt 3
Oct 2 02:13:56   ppp: [opt2_link0] Link: reconnection attempt 3 in 1 seconds
Oct 2 02:13:56   ppp: [opt2_link0] LCP: Down event
Oct 2 02:13:56   ppp: [opt2_link0] Link: DOWN event
Oct 2 02:13:56   ppp: [opt2_link0] PPTP call failed
Oct 2 02:12:41   

Is there another way I can make this work?

14

General Discussion / [SOLVED]IPsec routing

« on: September 29, 2019, 11:36:33 pm »

Hi all,

stupid question: if I have IPsec tunnel between 2 Opnsese devices(A in Romani and B in Amsterdam) how can I force devices in router B LAN to check for port 9981 via IPsec on router A LAN ?

Thanks

15

Romanian - Română / pppoe slow

« on: January 03, 2019, 02:21:50 pm »

salut,

avem inital impresia ca toata lumea care foloseste pppoe pe bsd are vestita problema cu managementul de cozi si ca atare nu atinge 8-900 mbs. Se pare ca nu si cred ca problema e doar la mine.
Ma ajuta cineva cu cateva valori de speedtest?
rds-ul meu intra intr-un intel pro 1000 pe pci ex 4x

Merci