Messages

1

21.1 Production Series / Re: USB 3 to Ethernet adaptor recommendations

« on: March 20, 2021, 05:37:50 am »

I am currently using a Lenovo 03X6903 USB 3 but it only shows up as 100baseTX <half-duplex> in the Lobby, looking for one that will connect at 1000mbps.

Is it connected to an USB 3.0 port?
Some only establish a 100baseTX link when connected to USB 2.0.

2

General Discussion / Re: Looking to install OPNsense and Ad blocking.

« on: February 21, 2021, 04:24:41 am »

Adguard is only installed on some devices, not all.

OK, your are talking about AdGuard on client devices. I was talking about AdGuard Home on OPNsense.

but why not just do it if it's possible... An ad (or malware) which is not blocked by one is hopefully blocked by the other...

Recources on OPNsense box. Performance.
I would like to avoid to spend firewall resources two times or three times for something that is already done.

3

General Discussion / Re: Announce: new OPNsense community repository

« on: February 21, 2021, 04:18:34 am »

unbounddns > access list, I guess you didn't add your WireGuard network there...

Sorry, my question was misleading you. It is not about Unbound, it is about AdGuard from the repository of this thread.

With my unbound set-up before, Wireguard was working. After change to AdGuard DNS, Wireguard was not working any more. On the AdGuard configuration page, the Wireguard network was listed as listening.

But it is solved now. It was any kind of UDP routing issue. The DNS setting on Wiregurd client was not pointing to the Wireguard interface IP. It was pointing to another network on OPNsense. With Unbound this worked. With AdGuard UDP access was not working. By using a test tool and TCP port it also worked. After I changed the DNS IP on Wireguard client to the Wireguard interface IP it also worked with AdGuard.

4

General Discussion / Re: Announce: new OPNsense community repository

« on: February 20, 2021, 03:37:38 pm »

I am using AdGuard from this repo. Installation and set-up all fine. I can resolve from my "normal" networks. But I do not get DNS resolution from my client connected through Wireguard.

Before with unbound on port 53 it was working. No other change I did than installing AdGuard on port 53 and switched off Unbound.

Any idea where to search?

5

General Discussion / Re: Looking to install OPNsense and Ad blocking.

« on: February 20, 2021, 11:19:37 am »

I have a combination of unbound with proper blacklists, sensei free and adguard on my devices. Works very well!

Is there any advantage using all three of them?
If you use adguard I do not see an advantage of unbound with blocking list.
Does sensei free on top of these give you so much more?

These are serious questions from me. So far, I was using unbound as forwarder and sensei free. I am just testing adguard and asking myself what unbound and sensei could be good for if I would use adguard.

6

General Discussion / Re: Best Practices VLANs?

« on: February 19, 2021, 02:12:17 pm »

Any suggestions on best practices to separate the devices?

I would separate the devices in some categories by access needs and by trust.
And then create groups out of it by finding the right balance between simplicity and the security level you want to achieve.

• does only need connection to internet. No connection to or from other devices. (e. g. IoT, guest devices)
• Connection to or from other devices required
• sensible devices worth to protect (e. g. server)
• trusted devices (e. g. PC, phone)
• untrusted devices (e. g. guest phone and PC,
• required connection speed (routing PC to NAS might be slow)
• ...

I personally do not separate wired and wifi devices. As my wifi AP can handle multiple SSID and VLAN I use only one network (VLAN) for wired and wifi devices of the same category.

7

General Discussion / Re: chronyd

« on: February 15, 2021, 12:42:29 pm »

unrelated to that it would be nice to have, on ntp conf:
- configure peers and not only servers

Chrony meanwhile is existing as a plugin. I will try out when I find time.
But this point above is what I am still missing in the current NTP config: peers.

8

21.1 Production Series / gateway monitoring - RTTd bad

« on: February 14, 2021, 05:32:40 am »

Hello,

I noticed bad RTTd values in my local network,

Some days ago, I changed my network configuration. Two networks that before were directly connected to the OPNsense box now are getting handled by a L3 switch. Between OPNsense and L3 switch I added a "transport network", connected directly from nic to nic with a 50 cm cable. I added a static route between both devices. I am not using VLAN or LAGG on the OPNsense 20.1.1 box for this connection. But the RTTd values from gateway monitoring are worse in comparison to the values of my WAN connections.

Any idea what could be wrong?
Or could it be related to the way the monitoring is measuring?

9

General Discussion / Re: external inter-VLAN L3 switching / routing

« on: February 01, 2021, 01:03:23 pm »

It looks like I was thinking too complex.

After further research I found out, that in my small network I could do it much more simple: no transport net and therefore OPNsense firewall and L3 switch directly connected to the two networks I would like to route in between by L3 switch. Default route to firewall and L3 switch as gateway for for hosts in DMZ and LAN network.

10

20.7 Legacy Series / Re: NGINX error after upgrade to 20.7.8

« on: January 29, 2021, 03:23:57 pm »

@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce anymore.

One day after I went back to to nginx 1.19 opnsense automatically updated again to version 1.20. But it is running now. I guess the fix already was implemented.

The issue popped up again when I updated to 21.1.
Yes, when I untick "check trusted certificate" all is working again.

11

21.1 Production Series / Re: NGINX problem with https server

« on: January 25, 2021, 02:15:03 pm »

Since the upgrade to 21.1-rc...my https-reverse-proxy does no longer start.
[...]
Somebody with a good idea?

Yes, have a look here in 20.7. Same for 20.7.8
https://forum.opnsense.org/index.php?topic=20989.0

12

General Discussion / Re: external inter-VLAN L3 switching / routing

« on: January 24, 2021, 11:33:54 am »

Nobody, who can give me a hint if this network topology is correct?

I do not look for detailed configuration help. I only want to know if this way of routing will work and if it is the best way to do so.

13

20.7 Legacy Series / Re: NGINX error after upgrade to 20.7.8

« on: January 24, 2021, 11:22:19 am »

@Tubs
hmm. a little weird. I think that for this it was necessary either to press "check for updates" or execute "# opnsense-revert os-nginx".

It is possible that I have done this. If so, for a different reason. I cannot remember. But in every case I did not confirmed any upgrade process.

14

20.7 Legacy Series / Re: NGINX error after upgrade to 20.7.8

« on: January 23, 2021, 04:58:11 am »

@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce anymore.

One day after I went back to to nginx 1.19 opnsense automatically updated again to version 1.20. But it is running now. I guess the fix already was implemented.

15

20.7 Legacy Series / Re: NGINX error after upgrade to 20.7.8

« on: January 20, 2021, 02:14:30 pm »

I have exactly the same issue. OpnSense updated to 20.1.8 and nginx is not starting anymore.

Code: [Select]

2021/01/20 22:03:14 [emerg] 95587#100595: SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_228ce5a1-*****.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)
The file mentioned in the log file is not existing. But I have no glue how to figure out where it should belong to. I have a couple of upstream and a couple of server defined. So far nothing suspicious detected. But I have no idea where to search.

opnsense-revert -r 20.7.7 os-nginx

Dies this fix it?

Yes. In my case it helped. Nginx is running again.