Messages

1

20.1 Legacy Series / Re: Unbound crashing whenever a link fails

« on: December 28, 2020, 11:20:23 pm »

Now the service doesn't crash anymore but it may not be the best solution if you don't want to have the unbound listening on for example the WAN interface.

Set a Block rule for UDP 53 in your firewall for any interfaces you don't unbound listening to.

2

20.7 Legacy Series / Re: [Solved] Bridge isn't passing traffic between physical ports

« on: August 11, 2020, 02:01:35 am »

Derp, ok. I'm dumb.

Today I noticed in FreeBSD's handbook that bridges are affected by the packet filter. Specifically, pf treats packets flowing through the bridge as entering the physical port, not the bridge port. So for each interface, I added a Firewall Rule to OPNsense for "for this interface with source LAN NET and destination LAN NET, pass". And it worked!

So then I looked back at the guide and Step 6 is setup tunables so pf filters based on the bridge rather than the member ports.

So if anyone else has this problem... either add explicit firewall rules, or follow all the steps in the guide >_<

3

20.7 Legacy Series / [Solved] Bridge isn't passing traffic between physical ports

« on: August 10, 2020, 05:47:41 am »

I followed the guide for Bridged LAN and it appeared to work, but it turns out it's only half working.

I have igb0 set as WAN, bridge0 set as LAN. Bridge0 contains igb1, igb2, and igb3 (though only igb2 and 3 are plugged in).

All connected links can talk to the router; DHCP works, hosts have internet access, etc. But hosts on igb2 can't talk to hosts on igb3.

Any suggestions on how to proceed?

4

20.1 Legacy Series / Can't upgrade to 20.7 after restore with beadm

« on: August 09, 2020, 05:01:42 am »

I used beadm to take a snapshot, then I upgraded to 20.7. I'm pretty sure it was successful, but I guess I didn't pay too much attention.

Then I messed around with some bridge settings and locked myself out from the network. I used the local VGA console and used beadm to restore to prior to the upgrade. Things were working, so I deleted the broken 20.7 boot environment; figured I could just upgrade again.

Well now when I go to System -> Firmware -> Upgrade it claims no upgrades available. It doesn't show the 20.7 unlock button.

If I do Audit -> Health it shows a ton of checksum mismatches. I don't think that was the case before I attempted the upgrade, etc.


Is it possible that the something from 20.7 survived switching beadm to switch boot environments back to 20.1?

see: https://controlc.com/9c26862d

Code: [Select]

$ uname -a
FreeBSD router.local 11.2-RELEASE-p18-HBSD FreeBSD 11.2-RELEASE-p18-HBSD  f08b5f14327(stable/20.1)  amd64
No issues turned up in zpool scrub.

5

20.1 Legacy Series / Configuring WebUI for A+ rating on SSL Labs

« on: February 02, 2020, 03:54:42 am »

I don't normally have my WebUI accessible via the internet, but I allowed it through the firewall temporarily so I could test in on SSLLabs. It was surprisingly easy to get an A+ rating.

I'm using the ACME plugin to get a cert via Lets Encrypt. Everything else setup via System -> Settings -> Administration.

Disable TLS 1.0 and TLS 1.1

SSL Labs caps your rating at a B if you allow TLS 1.0 or 1.1. It looks like the only way to do this is by limiting the available ciphers. So limit to the following ciphers I've changed my ciphers from Default to the following:

Code: [Select]

# TLS 1.3
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

# TLS 1.2
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
This will prevent some archaic browsers from accessing the WebUI. Some examples:

• IE 11 works, but not IE 11 on some un-updated versions of Windows Phone OS
• Safari 9 on all platforms work, but Safari 8 and older will not work
• Android 4.4.2+ should work, but anything older will not

HSTS
Check the box for HTTP Strict Transport Security or you'll be limited to an A rating.

That's it!
Congrats! Your router now has a higher SSL rating than Amazon.com =D

6

19.1 Legacy Series / Re: 19.1.4 ISO - ZFS install option missing?

« on: February 01, 2020, 05:48:37 pm »

Jose, that looks great. I agree with you that the BSD Install method looks best. It's more consistent for users (that's the method adopted by other projects based on FreeBSD such as FreeNAS and pfSense) and I expect it should be easier to maintain (as we can get changes from FreeBSD as they adjust their installer script).

I would be happy enough to contribute the ZFS installer to the OPNsense devs so they can update/modify/adapt as needed. 

There are currently not enough developers to implement all the desired features in OPNsense, but the source code is on github and all are welcome to contribute pull requests. It's spread across multiple repositories, but here's the repo for the installer. Would you be willing to create a pull request for this?

7

19.7 Legacy Series / Re: How to create alias for current IPv6 prefix

« on: January 29, 2020, 04:51:48 am »

Having the same problem. I know with pfSense there's no solution. Really hoping opnsense has a work around as it seems like a more flexible platform. This is basically a requirement to use IPv6 on a home network if you want to host any services behind the firewall.