Messages - FullyBorked

1
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 04:14:42 pm »
Quote from: franco on Today at 04:08:02 pm
> Thanks, mine is currently un-patched, I show " tls-system-cert: yes".

Can you add "tls-win-cert: yes" in the line below (with the same indent) and apply from GUI?

If that doesn't work "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" and removing "tls-system-cert: yes" will do the trick.


Cheers,
Franco

Adding "tls-win-cert" in the line below didn't fix it.  But replacing "tls-system-cert: yes" with "tls-cert-bundle: /usr/local/etc/ssl/cert.pem" did restore functionality. 

Do I need to leave the "tls-win-cert: yes" in place? 
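The exchange above boils down to which CA trust source the Unbound DoT fragment ends up with. The following POSIX shell check is an added example, not OPNsense or Unbound tooling: it reports whether a fragment relies on tls-cert-bundle (and whether that file is actually readable), on tls-system-cert / tls-win-cert, or on nothing at all, and flags a leftover tls-system-cert next to a bundle. The sample fragments and the temporary cert.pem are constructed.

```shell
#!/bin/sh
# Added example (not OPNsense's or Unbound's own tooling): report which CA
# trust source an Unbound DNS-over-TLS fragment relies on, so a switch from
# "tls-system-cert: yes" to "tls-cert-bundle: ..." can be verified quickly.
# The sample fragments below are constructed.

# has_directive FILE NAME VALUE_REGEX -> exit 0 if "NAME: VALUE" is present
has_directive() {
    grep -Eq "^[[:space:]]*$2:[[:space:]]*$3" "$1"
}

# dot_trust_source FILE -> one line describing the active trust source:
#   tls-cert-bundle <path>          bundle set and readable
#   tls-cert-bundle-missing <path>  bundle set but the file is not readable
#   tls-system-cert | tls-win-cert  system store requested (no file to check)
#   none                            nothing configured: DoT cannot validate
# A trailing "+tls-system-cert" flags the leftover the thread says to remove.
dot_trust_source() {
    file="$1"
    if has_directive "$file" tls-cert-bundle ''; then
        bundle=$(sed -nE 's/^[[:space:]]*tls-cert-bundle:[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$file" | head -n1)
        if [ -r "$bundle" ]; then result="tls-cert-bundle $bundle"
        else result="tls-cert-bundle-missing $bundle"; fi
        if has_directive "$file" tls-system-cert yes; then result="$result +tls-system-cert"; fi
    elif has_directive "$file" tls-system-cert yes; then result="tls-system-cert"
    elif has_directive "$file" tls-win-cert yes; then result="tls-win-cert"
    else result="none"
    fi
    echo "$result"
}

# Constructed fragments mirroring the thread's before/after states.
tmp=$(mktemp -d)
printf 'server:\n  tls-system-cert: yes\n' > "$tmp/before.conf"
: > "$tmp/cert.pem"   # stand-in for /usr/local/etc/ssl/cert.pem
printf 'server:\n  tls-cert-bundle: "%s"\n' "$tmp/cert.pem" > "$tmp/after.conf"
printf 'server:\n  tls-system-cert: yes\n  tls-cert-bundle: /nonexistent/cert.pem\n' > "$tmp/mixed.conf"

for f in before after mixed; do
    echo "$f: $(dot_trust_source "$tmp/$f.conf")"
done
```

Point it at the generated fragment (/var/unbound/etc/dot.conf in the thread) to confirm which directive Unbound is actually loading after an apply.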

2
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 04:04:23 pm »
Quote from: franco on Today at 04:00:52 pm
No, /usr/local/opnsense/service/templates/OPNsense/Unbound/core/dot.conf otherwise it will be overwritten on apply.

Thanks, mine is currently un-patched, I show " tls-system-cert: yes". 

3
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 04:02:03 pm »
Quote from: gac on Today at 03:59:08 pm
Quote from: FullyBorked on Today at 03:57:47 pm
Quote from: franco on Today at 03:47:04 pm
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else?
They would be in /var/unbound/etc/dot.conf

Hmm, ok the link he quoted mentioned the unbound.conf.  My dot.conf file other than a single forwarding zone is empty. 

4
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 03:57:47 pm »
Quote from: franco on Today at 03:47:04 pm
Apparently it's a feature they coined to be for "Windows" and default to off?

tls-win-cert: yes

instead of tls-cert-bundle... can anyone confirm?


Thanks,
Franco

https://nlnetlabs.nl/documentation/unbound/unbound.conf/

I don't see either of these entries in my unbound.conf file.  Should I check somewhere else? 

5
24.7 Production Series / Re: 24.7.10 Unbound DNS: DNS over TLS NOK?
« on: Today at 03:30:10 pm »
Yup, add me to the list as well.  Took me a bit to figure out why DNS was borked after the update.  Disabling DNS over TLS resolves it.

6
24.7 Production Series / Re: Lost internet and couldn't access OPNsense GUI
« on: November 27, 2024, 04:06:30 pm »
Yea I think the old issue with the native netmap driver is back. See my post/s here https://forum.opnsense.org/index.php?topic=44264.0.  In the past switching to the emulated netmap driver in zenarmor/suricata will resolve the flapping.  I'd suggest trying that in the interim, I'm currently testing with the emulated driver to see if it'll act as a workaround again.   

7
24.7 Production Series / Interface flapping issue back after 24.7.9 release
« on: November 27, 2024, 03:46:12 pm »
https://forum.opnsense.org/index.php?topic=34026.msg164617#msg164617 I had this issue for a long time but it was finally resolved with the netmap changes and it's not been a problem.  After the latest release this has happened three times now.  I'm not sure if it's due to the new Intel drivers or what.  But the symptoms are exactly the same as before.  I'm going to test the emulated netmap drivers again as that resolved it last time for me. But I think there was a regression somewhere.

8
General Discussion / Suggestions for LTE/5G modem
« on: October 01, 2024, 08:58:37 pm »
I currently have a LB1120 LTE modem set up as a secondary WAN on my OPNsense box.  Sadly it's VERY slow for whatever reason, I think it's just getting a bit old.  I can only get 20-30 Mbps down on a really good day.  Compared to my cellphone on LTE I can get upwards of 150-170 Mbps down consistently.  Would really like to upgrade to something a bit more robust.  I'm really struggling to locate devices for this.  Lots of hotspots available but I really don't need/want any of the fluff, just need an LTE/5G modem and an Ethernet port.

Anyone have any recommendations?  ATT Mobile network currently.

9
24.7 Production Series / WAN failover seems completely broken
« on: September 28, 2024, 12:51:25 am »
I've had the same configuration for WAN fail-over for years now.  I've always had issues with the connections being a bit sticky after my primary WAN is back online after an outage/fail-over scenario. But otherwise it has been flawless.  However, I'm currently failed over to my backup LTE modem due to storm damage taking down the copper lines.  My primary connection shows 100% packet loss and shows offline status under gateway.  However, as long as that connection is enabled the firewall continues to route traffic to my primary connection; obviously this doesn't work well for having internet connectivity.  I figured this out by watching firewall logs.

I've rebooted all modems and the firewall trying to correct it but OPNsense simply will not route traffic to my secondary fail-over connection until I disable my primary under gateways.  Did something change recently that I missed that might require new configuration or is this simply borked?

10
24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns
« on: June 08, 2024, 09:51:37 pm »
Quote from: pjw on June 08, 2024, 09:46:27 pm
FWIW, with the last update, there was a blurb in there about gateway failover.  It didn’t sound completely related, but potentially related.  Since that update, I haven’t had an issue with failback from what I can tell.

Same here. Issue appears to be resolved after the last update.

11
24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns
« on: May 30, 2024, 02:39:20 pm »
Quote from: schmuessla on May 30, 2024, 12:17:42 pm
Firewall - Settings - Advanced - Skip rules when gateway is down

have you enabled that? If I remember correctly fail back didn't work well before enabling it.

I admit I don't fully understand what this option does.  But my ruleset defines a gateway group not a specific gateway.  And to be clear failover has worked mostly well for years now, it has only been within the last few updates this started happening. 

Now there was an ongoing issue where some connections are overly sticky and existing connections wouldn't fail back.  However this new issue is different: even new connections still choose the lower valued gateway after the primary is up.  The only fix is to reboot the secondary gateway or the firewall itself.

12
24.1 Legacy Series / Re: Periodic Speedtest
« on: May 29, 2024, 08:25:11 pm »
Wow good job finding that, I'd completely given up on solving it.  Looks like this is your first post too, so very thankful you took the time to make an account to help me out.  Posted a screenshot of the duplicate header.

13
24.1 Legacy Series / Re: Multi-WAN not failing gateways back after uplink returns
« on: May 29, 2024, 02:32:25 pm »
Don't have a fix for you but I'm having the exact same issue, been using multi-wan for years without too much pain, but now it simply doesn't fail back.  Not sure what changed, but it's been within the last few releases.  This is a biggish issue for me as my backup LTE internet is metered.  I didn't notice it hadn't failed back last week until I'd already used about 10Gigs of data.  If you find a fix please post it, I might try creating a bug report shortly.

14
Zenarmor (Sensei) / Re: Tutorial: How to Change a Self-Signed Certificate with a CA-Signed Certificate o
« on: April 17, 2024, 09:52:20 pm »
Quote from: sy on April 17, 2024, 06:22:43 pm
Hi,

You can import the created certificate but can not create yet. The only option is self-signed certificate for creating.

Import the cert ACME created from Let's Encrypt?  Is this automated or does this need to be manually done every 90 days?  I'm still unclear on this for some reason.

15
Zenarmor (Sensei) / Re: Tutorial: How to Change a Self-Signed Certificate with a CA-Signed Certificate o
« on: April 16, 2024, 02:54:29 pm »
Not sure that really answers my question.  Currently I use ACME (the way your tutorial instructs) to have a Let's Encrypt cert on my opnsense instance.  What I'm asking is how can I use that same cert and/or process to automatically generate and use a Let's Encrypt cert using ACME on Zenarmor?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved