Messages

1

General Discussion / Re: OpenSense As As A Virtual Machine Hosted In FreeNAS

« on: May 12, 2020, 01:04:46 pm »

I like it. I did the same about 7 or 8 years ago. Still running.

But soon I did a small step backwards again and I "outsourced" my router/firewall due to the reason mentioned above. (And to free up a little bit RAM as the 32 GB limit of my machine is also the limit of my freedom to run VMs on it.)

2

General Discussion / Re: os-rfc2136 - documentation?

« on: May 11, 2020, 04:10:43 pm »

Also no VPN tagging on OPNsense for me.

Thank you.
I will check when I find some time.
At least good to know that in a similar set-up is is working somewhere else.

3

General Discussion / Re: os-rfc2136 - documentation?

« on: May 11, 2020, 03:49:02 pm »

Do you get a new IP when you reboot the OPNsense box? This is the case for me as the OPN sense box also handles the PPPoE connection over the VDSL modem. And this is the situation I do have the issue with the rfc 2136 plugin. Normal IP updates are not so often. This seems to run fine.

4

General Discussion / Re: os-rfc2136 - documentation?

« on: May 11, 2020, 02:53:55 pm »

Are you dining something special or are you using the plugin out of the box?

In my case it sometimes fails after reboot of OPNsense. After reboot I get a new IP and the plugin reports success. But no update done. For IP updated during running OPNsense I did not observed failures.

5

General Discussion / Re: OpenSense As As A Virtual Machine Hosted In FreeNAS

« on: May 11, 2020, 01:09:11 pm »

Power consumption also for me is something I take care of. But is it really so much for a small box running OPNsense? I guess the hardware costs will be the cost driver and are higher than the lifetime costs for energy consumption.

Next point is that it will not run for free on the big machine. The power also comes from somewhere. But I never could find reliable data showing the comparison of power consumption of single box and in VM.

6

General Discussion / Re: os-rfc2136 - documentation?

« on: May 11, 2020, 12:51:38 pm »

For me, in the current version the plugin is not a reliable solution. Sometimes the plugin is reporting success but update was not done on DNS side. No second trial seems to be done.

I see potential in this plugin and I would be happy to see an improved version in the near future.

(PowerDNS does not support dynamic update by "simple command" over the API. And the API is to complex to get it integrated in OPNsense dyndns plugin. Therefore, I see the rfc 2136 method as best solution in combination with PowerDNS if you do not want to webserver + php only for dns update on the DNS server.)

7

20.1 Legacy Series / Re: os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 10, 2020, 08:25:27 am »

All is fine again.

There was something set-up wrong on network side and I only checked the logs for the failed attempts. But for some reason the trials with staging did not re-verify ("already verified") and issued the cert while in production environment the verification failed.

8

20.1 Legacy Series / Re: os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 09, 2020, 05:47:20 am »

The same issue I got when changing from nsupdate method to PowerDNS API method.
Staging environment is OK but with production environment I get the error above.

I observed the logs of Letsencrypt plugin during renew. It looks like the plugin is ignoring the waiting time defined in the settings. I used standard setting of 120 s.

9

20.1 Legacy Series / os-acme - DNS-01 not working with Letsencrypt production environment

« on: May 09, 2020, 04:27:53 am »

Hello,

On my OPNsense box 20.1 I changed Lesencrypt validation from HTTP-01 to DNS-01 using the nsupdate (RFC 2136) method. Testing with staging environment is OK. I get issued the certificate.

But when I change Letsencrypt to production environment I get the following error:

Code: [Select]

[Sat May 9 11:09:58 JST 2020] The supported validation types are: http-01 , but you specified: dns-01
[Sat May 9 11:09:58 JST 2020] Error, cannot get domain token entry abcdefgh.de
With staging environment, I also can re-issue without waiting time. So, no DNS caching or refresh issue.

Due to the fact that testing with staging environment is working I assume there is something wrong on OPNsense side. Or do I miss something?

10

General Discussion / Re: MAIL SERVER (postfix plugin ?)

« on: May 07, 2020, 05:58:56 pm »

... without having to buy another computer to make a mail server run + all the additional tiresome routing configuration and maintenance that it will imply.

If you want to run it on one PC set-up a visualised system (ESXi, hyper-v, proxmox, ...) and run both as VM: OPNsense and an all-in-one mail server package like mailcow, iRedMail or mail-in-a-box. Once set-up there is nothing to maintain.

11

General Discussion / Re: os-rfc2136 - documentation?

« on: May 07, 2020, 02:35:19 am »

Thanks’ for the answer.


Abandoned and waiting for its death, is my interpretation of this explanation.
The user base might be limited to home users as this is the place where you can find dynamic IPs. But when you are running your own DNS server, dynamic IP update by rfc 2136 it is a great feature. In comparison to DynDNS There is no need for additional code or a full webserver on DNS server side.

A small improvement idea to increase the user base. Add some more words to the title of the plugin. I only found this feature by chance. As home user I was not aware about the meaning of “rfc 2136”. But “dynamic update” everybody can associate with a function.

12

General Discussion / Re: Web server port forwarding problems.

« on: May 06, 2020, 03:47:32 pm »

You solved your problem. But is port forwarding really what you want to do?

Why not take advantage of using OPNsense as reverse proxy by HAproxy or nginx plugin for your webserver instead?

13

General Discussion / Re: OpenSense As As A Virtual Machine Hosted In FreeNAS

« on: May 06, 2020, 03:18:55 pm »

I would not do if I understand your use case correctly.

I switched my home set-up from virtualized OPNsense firewall (ESXi host, passthrough NIC) to small bare metal box. I do not have concerns regarding security or technical aspects of the set-up. It depends on how often you modify your system (SW or HW) or how often you require reboots. In my case no OPNsense running means no device has internet access, no streaming TV, no streaming music, no IP phone. With separate box now I can "play" on my servers without disturbing the services mentioned above.

14

General Discussion / Re: IPsec Site-to-Site - no access from OPNsense service

« on: May 06, 2020, 12:57:12 pm »

Thank you.
This now will help to search or setup in the right direction.

15

General Discussion / os-rfc2136 - documentation?

« on: May 06, 2020, 05:07:54 am »

Hello,

is there a documentation available for plugin os-rfc2136 (dynamic DNS updates)?

I am searching for some more details about the logic how updates are getting triggered.

• Does the plugin check if an DNS update was successful?
• If DNS update was not successful, will the plugin do re-trials?
• How the plugin validates if DNS update is required? By DNS server check or only WAN IP against "last changed value"?
• If there a periodic check for updates by the plugin itself or do I have to scheduled manually by cron?

I noticed a strange behavior when I did some tests to find the answers to my questions above. I changed the IP manually on DNS server to see what doing something and when. Nothing.