Messages

1

General Discussion / Re: DHCP server assigning wrong IP due to Sky Q set top box

« on: December 15, 2019, 10:23:37 am »

Packet traces on specific interfaces trump amalgamated logs. Check what is going on with Interfaces -> Diagnostics -> Packet Capture. Wireshark is your friend.

Bart...

2

19.7 Production Series / Re: How to redirect all traffic for a specific port?

« on: December 15, 2019, 10:18:50 am »

You're a bit unclear about your traffic directions, but I reckon you need to use 1:1 NAT. This ties an internal host to a public IP address in your WAN range.

Bart...

3

19.1 Legacy Series / Re: Firewall rule for dedicated dmz network

« on: December 13, 2019, 04:34:36 pm »

Run a packet trace and see if the DNS packets are allowed to the internet?

Interfaces -> Diagnostics -> Packet Captures

Bart...

4

19.7 Production Series / Re: dyndns getting wrong ip

« on: December 13, 2019, 10:56:01 am »

Does your ISP employ carrier grade NAT perhaps? OPNsense is based on FreeBSD, not Linux.

Can you open a shell on your firewall (either SSH or console) and run this please?

curl -4 https://ifconfig.co

See if that returns the 189 or the 100 address

Bart...

5

General Discussion / Re: Setting up an IOT LAN

« on: December 09, 2019, 03:06:46 pm »

Hi John, the Ubiquiti AP's support four VLAN's. Bit more pricey though. https://www.ui.com/products/#unifi

Bart...

6

General Discussion / Re: some pages not loading

« on: December 08, 2019, 11:25:18 am »

Switch off IPv6 on your client and see if that makes any difference. If it does, check if you get AAAA DNS responses and you are able to traceroute to the server(s) in question.

Bart...

7

Hardware and Performance / Re: Support for Intel Wireless-AC 9560

« on: December 07, 2019, 09:13:59 pm »

Sorry John, 'fraid not: https://www.freebsd.org/releases/11.2R/hardware.html#wlan

FreeBSD is notoriously picky about WiFi and even more so for use as an AP

Bart...

8

General Discussion / Re: connect multiple vpn users in lan to a vpn serveur

« on: December 05, 2019, 07:25:19 pm »

This is because all your clients have the same public IPv4 source address. You can either:

- Set up a site-to-site VPN from site A to OPNsense
- Set up a separate outbound NAT for each of the four clients
- Set up a separate VPN server for each of the clients on OPNsense using different ports or IP addresses
- Use IPv6

Bart...

9

19.7 Production Series / Re: openvpn

« on: November 24, 2019, 07:59:58 pm »

Look for the cloud icon with the down arrow to the right of the user name.

Bart...

10

General Discussion / Re: issue with OpenVPN

« on: November 22, 2019, 11:23:18 am »

sudo apt-get install openvpn
copy the ovpn file to /etc/openvpn/client/opnsense.ovpn
sudo systemctl start openvpn-client@opnsense

if that works, enable it with:
sudo systemctl enable openvpn-client@opnsense

You may have to set credentials in a file to log in automagically. Check the auth-user-pass option in the documentation: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

You can run OpenVPN in the foreground for troubleshooting:

openvpn opnsense.ovpn

Bart...

11

General Discussion / Re: issue with OpenVPN

« on: November 22, 2019, 08:02:22 am »

Now, to achieve VPN's motive, to provide privacy to the users, we need to have our own DNS server I suppose, right?

DNS is a hot topic right now, with browsers set to bypass all local DNS through HTTPS or TLS tunnels (DoH/DoT). You can set OPNsense to consult better servers than those offered by your ISP, but the queries themselves will still go in clear text across your ISP network. You can use a VPN provider to encrypt all traffic but then the VPN provider will see your requests. You can use Tor but services like Netflix do not have a Tor presence (other streaming services are available). Check this out for alternative DNS: https://securitytrails.com/blog/dns-servers-privacy-security

TL:DR you will likely have to trust someone somewhere along the line.

Bart...

12

19.7 Production Series / Re: Whole house VPN?

« on: November 21, 2019, 08:39:40 pm »

I have recently just invested in Nord VPN

Oops! https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/

13

General Discussion / Re: issue with OpenVPN

« on: November 21, 2019, 07:43:01 am »

I was expecting to get the IP I received from the Tunnel Network of OpenVPN.

What is the subnet for your tunnel? If it is private, i.e. part of the RFC 1918 range (https://tools.ietf.org/html/rfc1918) then no router on the internet will pass the packets and Google will never see your traffic.

It is perfectly proper for OPNsense to NAT the OpenVPN traffic to the public IP issued by your ISP.

This is only relevant to IPv4 of course. Did you mean an IPv6 address?

Bart...

14

General Discussion / Re: DHCPv4 Server, is it normal to set in this way?

« on: November 15, 2019, 08:34:59 am »

Your network mask needs to match your DHCP range. For the 10.100.130.1 - 10.100.130.254 range this will be 10.100.130.0/22. The unusable addresses for that subnet are 10.100.130.0 (the network address) and 10.100.133.255 (the broadcast address). There is nothing to stop you using 10.100.130.255 and 10.100.131.0 since they are well in the middle of your range.

The next question of course, is if you really need over a thousand IP addresses 

Bart...

 

15

19.7 Production Series / Re: Trying to tighten up some rules

« on: November 08, 2019, 05:59:09 pm »

I would have thought that 8.8.8.8 is not your WAN interface address. If it is, say hi to the rest of the guys at Alphabet 

The range of destination IP's on the internet is best captured with 'any'. If you want to exercise more control you should look at running a squid proxy on OPNsense.

Bart...