Messages

1

24.1 Legacy Series / Re: update 24.1.10 kills ssh

« on: July 11, 2024, 05:07:04 pm »

Choosing menu item 11 (restart all services) after updating seems also to works So happy updating Thanks, Franco.

Siegfried

2

24.1 Legacy Series / Re: update 24.1.10 kills ssh

« on: July 11, 2024, 04:36:42 pm »

PS: "service openssh onerestart" is really not a good way to deal with this

that may be, what would be the better way?

3

24.1 Legacy Series / Re: update 24.1.10 kills ssh

« on: July 11, 2024, 04:19:18 pm »

The key is regenerated:

unknown key type dsa
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh/ssh_host_rsa_key
Your public key has been saved in /usr/local/etc/ssh/ssh_host_rsa_key.pub

4

24.1 Legacy Series / update 24.1.10 kills ssh

« on: July 11, 2024, 04:03:42 pm »

no ssh connection possible after updating via GUI, disabling and re-eabling via GUI ssh solves the problem. I think starting update by ssh  is this time a bad idea.
At the 2nd box same issue: updating using ssh, logoff and ssh is no longer connecting. Open a shell before logoff and "service openssh onerestart" solves this.

5

German - Deutsch / Re: 4 Standorte über IPSec verbinden

« on: April 18, 2023, 03:11:45 pm »

Moin, dein Ansatz ist m.E. korrekt. Wenn dir die Tunnel zwischen den Standorten wegbrechen und nicht neu aufgebaut werden, kontrolliere ob du an den beiden Tunnelendpunkten die gleichen Parameter verwendest. Es kann auch passieren, dass auf einer Seite der Tunnel z.B. durch einen Leitungsaussetzer weg ist und die andere Seite davon nichts mitbekommt. Evtl. hilft dir da DPD/keepalive weiter. Ansonsten funktioniert es recht zuverlässig, daß wenn ein Tunnel aufgrund von Inaktivität abgebaut wird, auch recht zügig wieder (<= 1s) aufgebaut wird, wenn erneut Pakete durch den Tunnel zum anderen Standort sollen.
Hab selbst >10 Standorte per IPSec so verknüppert, nicht alle untereinander, aber zum großen Teil.

6

20.7 Legacy Series / [SOLVED] SNMP agent add string "root@sensey64:/usr/..."

« on: August 03, 2020, 09:55:25 am »

Since upgrade to 20.7, if SysDesc.0 is queried, the SNMP agent adds the string "root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP amd64" to output.

Edit: now using the option "Display Version in OID" for checking installed version.

7

20.1 Legacy Series / cannot create or change alias for CARP IP

« on: March 26, 2020, 09:28:32 pm »

edit: oh I'm a bit confused...there are some old entry for aliases and the field gateway is empty for this entries..

error when I create or want to create a new alias IP or trying change an existing CARP IP:
The following input errors were detected: A valid gateway IP address must be specified. What's wrong?

8

20.1 Legacy Series / Re: Solved: Squid LDAP authentication broken after upgrade 19.7 -> 20.1.1

« on: March 10, 2020, 10:24:07 am »

Problem solved, I updated to 20.1.2 and squid LDAP auth is working normal. Thanks for all who keeps OPNsense up to date! 

9

20.1 Legacy Series / Solved: Squid LDAP authentication broken after upgrade 19.7 -> 20.1.1

« on: February 25, 2020, 10:28:48 am »

Hi, since I upgraded to 20.1.1 last week, squid auth against the AD using LDAP no longer works, but the Kerberos authentication works fine. Log messages says that the users are authenticated for squid service by LDAP:

user ....authenticated successfully for squid  [using OPNSense\Auth\Services\Squid\ + OPNSense\Auth\LDAP]

I tried to test with opnsense-login -s squid -u username and the result is OK. But the Browser still asks with a popup for auth data. It seems like that is similat behaviour like here:

https://forum.opnsense.org/index.php?topic=12813.msg59349#msg59349

Any hints? Thanks in advance!

Edit: I added a additional conf file in ./auth with basic_auth_ldap and the users are authenticated against AD and able to surf. It's my workaround. Also if i'm trying to authenticate at the console with valid credentials using /usr/local/libexex/squid/basic_pam-auth -o also returns "OK" as result.

10

Web Proxy Filtering and Caching / Allowing individual browsers or user-agents?

« on: August 16, 2019, 08:25:49 am »

Hi all,

blocking browser or user-agents using a regex is possible using GUI, but i want also to allow individual user-agents accessing the internet without authentication in the same way. The reason is that some applications are unable to authenticate at the proxy and an URL exception is not an option for this case.

Thanks in advance,
Siegfried

11

19.7 Legacy Series / Solved: Sensei blocks SNMP

« on: August 07, 2019, 03:26:48 pm »

It seems that the Sensei plugin blocks some SNMP queries via the LAN interface. At the monitoring host SNMP checks (i.e. bandwith usage checks for network interfaces) don't get answers from the firewall box. If i press "Enter Bypass mode" at the status page for the sensei plugin in Opnsense, the checks works fine. But the strange thing is, other SNMP check (query for OID sysDescr.0) works all the time...
Running system is 19.7.2.
Any ideas/hints?

Update: I figured out that the checks works fine if SNMP v1 is used. SNMP packet size for the check was the problem. After reducing the max packet size in the service check configuration the checks are working again with SNMPv2.

12

German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr

« on: July 30, 2019, 03:16:34 pm »

Nachdem ich das Thema zwischendurch habe ruhen lassen, nun ein neuer Versuch mit 19.7.1 auf der einen Büchse. Leider immer noch dasselbe Verhalten. Hab auch schon die gesamte IPSec config geklöscht, die Kiste zurückgesetzt und das config-Backup wieder draufgenagelt und das VPN neu konfiguriert. Hat nix gebracht.

13

German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr

« on: May 28, 2019, 09:43:16 pm »

Gerade gefunden: wie es scheint gibt's dazu zwei Tickets.
https://github.com/opnsense/core/issues/2332
https://github.com/opnsense/core/issues/3443
Hab ich also morgen früh im Büro was zu lesen ;-)

14

German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr

« on: May 28, 2019, 01:03:38 pm »

Leider nichts, was mich weiterbringt. Was ich da finde ist z.T. mehrere Jahre alt...:-(

15

German - Deutsch / Re: IPsec mit VTI, kein automat. Start bei Datenverkehr

« on: May 28, 2019, 08:14:19 am »

Moin minugmail,
in der ipsec.conf steht reqid = 1000

conn con1
  aggressive = no
  fragmentation = yes
  keyexchange = ikev2
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = no
 
  dpdaction = none
  left = x.x.x.x
  right = y.y.y.y
 
  leftid = xxx.yyy.de
  ikelifetime = 28800s
  lifetime = 28800s
  ike = aes256-sha512-ecp521!
  leftauth = pubkey
  rightauth = pubkey
  leftcert = /usr/local/etc/ipsec.d/certs/cert-1.crt
  leftsendcert = always
  rightca = "meineCA"
  rightid = xxx.yyy.de
  reqid = 1000
  rightsubnet = 0.0.0.0/0
  leftsubnet = 0.0.0.0/0
  esp = aes256-sha512-ecp521!
  auto = route